
Identity, Identifiers and Identity Fraud

January 2005

www.cybertrust.com

2005 Cybertrust. All rights reserved. All registered trademarks, trademarks and service marks are property
of Cybertrust, unless otherwise stated. All other marks are property of their respective owners.

Identity, Identifiers and Identity Fraud | 2

Table of Contents
Introduction ...... 3
Identity ...... 3
Identifiers ...... 3
Identity Fraud ...... 4
Recommendations for the Individual ...... 6
Recommendations for Fiduciaries ...... 7
Recommendations for Merchants ...... 8


"Know your customer!" (banking tradition)

Introduction
Recently, the press and public policymakers have begun to speak of "identity theft" as though it were a novel concept requiring severe new legislation. These laws are likely to put significant new burdens on business. While most identity theft problems originate via plain old snail mail, the discussion these days is all about the Internet. The sponsors of the legislation point to exponential growth in the problem as justification for these laws.
This paper suggests that the growth actually comes from redefining traditional fraud, not from the growth of the Internet. It begins with a discussion of the concept of identity and ends with recommendations for individuals, fiduciaries and merchants to safeguard themselves.

"The size of the variance is a poor indicator of the size of the problem. When entrusted to process, you are obligated to safeguard." (Bob Johnston, CISSP)

Identity
What do we mean when we speak of identity? One way to look at it is that we are talking about a combination of body, mind and personality. These three things can each be independently demonstrated and verified, but they are not separable. It seems clear that these cannot be stolen in the sense of being converted to someone else's use.
An identity has a number of attributes including character, reputation, credit and rights. The legal rights include civil rights, the right to own property and the right to enter into contracts.
Individuals can work, travel, stand for office, and vote. They can pass their property to heirs of their choice. They may marry and adopt. In the village, the bond between the individual and these attributes was recorded in the collective memory. Nonetheless, to some degree or another, the attributes are separable from the identity. For example, as recently as a hundred years ago, when public records were limited and credentials were not required for or even available for travel, it was possible for an individual to walk away from their village and start over with a new identity.
In the modern world, the bonds between identity and attributes are more tenuous than they were in the village. On the other hand, they are portable; one can enjoy them while traveling or take them when moving. These attributes can be recorded in official, permanent, and other records. They can be tokenized, that is, substituted for by a symbol. They can be collateralized, that is, converted into a document, credential or other instrument. They can be vouched for, or even guaranteed, by a third party. They can be monetized, that is, in cooperation with another party, converted into currency that can be used to buy goods and services.

Identifiers
We use labels, i.e., names and other identifiers, to refer to the individual or identity and to record the association between the identity and its attributes. We identify ourselves by our names and have a preference for them in most relationships. However, most names are ambiguous: a given name may refer to tens, hundreds, or even thousands of individuals. To reduce the ambiguity, we use the name in association with other information. For example, name and address may be more specific, as may name and date of birth (DOB). Of course, name and address may still not distinguish between members of different generations residing together, and there could be two or more people sharing both a name and a DOB. However, for all practical purposes, name, date and place of birth (POB) are enough to uniquely identify a single individual.


In the world of modern information systems, with cheap random-access storage, databases, directories, displays, and point-and-click data entry, name and address, DOB, and POB should be adequate for most applications. However, for most of the 20th century, they were not. Both storage and recording were so expensive that, for the sake of efficiency, institutions created alternate identifiers. The most obvious and universal of these is the Social Security number (SSN), created by the then-new Social Security Administration in the 1930s and assigned to all workers.
The military began to assign service numbers about the same time. These substitutes for names reduced ambiguity, keystrokes, storage requirements and errors. In modern times, these numbers have been combined into a single number, extended to all citizens and assigned shortly after birth. They are now used by credit bureaus, employers, credit card companies, banks and others. In spite of all laws prohibiting their use for that purpose, SSNs are now the identifier of choice for many institutions and applications.

Identity Fraud
One Saturday morning at the barber's, I listened to the tale of woe told by the man in the next chair. It seems that his mailbox was rifled. The perpetrators took only credit card statements and tore the remittance advice from the statement. They then turned it over and used the form on the back to submit a change of address from my neighbor's address to an accommodation address in northern New Jersey.[1] When they began to receive statements at that address, they called the customer service number and asked the bank to send them some drafts. When the drafts arrived, they used them to draw down my neighbor's line of credit.
The perpetrators did not change the phone number when they changed the address. We know that because when the account became delinquent, my neighbor began to get collection calls. At this time, the police were called in. They immediately recognized the accommodation address (the police had already placed it under surveillance), but the perpetrators had abandoned it.
Notice that it takes quite a bit of information to pull off one of these frauds. In this particular case, all of the information necessary and, incidentally, the necessary forms were included in a single mailing.
This scam is a simple but common form of identity fraud. A more sophisticated but less common form is that in which the perpetrators use public and independent sources to learn enough about a victim to be able to initiate transactions or apply for accounts in the victim's name but with the perpetrators' address. Most of the information required to be able to do this is a matter of public record; all of it is available from credit reporting agencies for a fee.
Abraham Abdullah duped credit reporting agencies including TRW, Equifax, and Experian into providing detailed reports on his extremely rich victims (Fortune Magazine's list of the 400 richest people). He then used this information to dupe the victims' fiduciaries into transferring money to accounts that he controlled. He submitted the transactions by e-mail or fax. Knowing that the fiduciaries would want to verify the transactions, he would include telephone numbers where he could be reached. However, when the fiduciaries called those numbers, they reached a voice mailbox answered in the victim's name. Often that was sufficient for them to complete the transaction.

[1] For most of my professional career, I have been trying to get the banks to confirm changes of address to the old address. Brokerage houses have always done it. I can only conclude that the banks have done an economic analysis and have concluded that it would not pay.


Names, labels, and other common identifiers are as follows:
- Name
- Date and place of birth
- Permanent/residential/postal address
- Names of parents/spouse/siblings/children
- Social Security number
- Driver's license number
- Passport number
- Telephone number
- E-mail address
- Combinations of these to resolve possible ambiguity

In at least one instance, an officer for a fiduciary used a phone number from their own files rather than the one in the order to determine that the transaction was not authentic. The officer was alerted by the form of the request (an e-mail), the amount of the transaction ($10 million), the destination (Australia), and the destination account, which had recently been opened. Abraham Abdullah was arrested when he showed up to take delivery on contraband equipment intended to help him counterfeit credit cards in the names of his victims.
While the popular press likes to describe these frauds as "identity theft," they are really classic frauds. While it is true that they use personal information to make the transactions appear to be authentic, they really do not rise to the level of identity theft. The targets in these frauds did not suffer permanent damage to their name or credit. They did not even suffer any material financial loss. The term "identity theft" should be reserved for those cases that really deserve it.
The popular press also likes to associate these frauds with high technology in general and the Internet in particular. Here, they have a slightly better case, but one may also take note of how low-tech these frauds really are. It is true that more business is being done electronically than ever before and less on paper. More fraud is therefore electronic than ever before. To the extent that electronic transactions are successful, they generate more business. More business generates more crime.
However, one can make an equally good case that high technology also makes fraud more difficult. For example, in the paper system, one could only reconcile accounts monthly. Today, one may reconcile daily if desired. A wire room operator in a Chicago bank colluded with several outsiders to transfer $70 million to banks in Vienna, Austria. The transfers were charged to the accounts of three large customers. Because those customers reconciled their accounts daily, the bank knew about the fraud within hours of close of business. Before dawn, they had identified and arrested all of the perpetrators and had officers in Vienna to assert their claims to the funds.
While the press focuses on the hazards and vulnerabilities of the networked environment, most of the moves have been to improve control, not just service. Shortly after Reuters reported on Abraham Abdullah, I received a call from a colleague in Bermuda. He wanted to advise his client, a private bank, on accepting electronic payment orders from their big-balance customers. Specifically, he wanted to know about the control that requires electronic payments be made only to preregistered accounts. It seems that the bank was trying to accommodate customers that wanted to make large payments to arbitrary parties without the registration delay.
Abdullah was able to do what he did in large part because fiduciaries are willing to take some risk in order to accommodate the wishes and intentions of their most affluent customers. It is important to recognize that while identity theft can be devastating to the target individual, in most cases it is the fiduciary that takes the financial loss; this is the reason that we use them. While most of the advice on how to avoid identity theft is aimed at the individual, it is the fiduciary that has most of the control. Most of the advice to the consumer is aimed at protecting their privacy, that is, at keeping confidential information that is likely to be abused.
Consider the recommendations from the Federal Trade Commission at http://www.consumer.gov/idtheft/risk.htm. They suggest catching identity theft early by annually checking your credit report. On average, one will note a problem in six months. This seems late, but it may be the only way to learn of accounts in your name opened by others.


Recommendations for the Individual

- Opt for electronic accounts. Despite myths to the contrary, electronic systems are more secure than paper.
- Request electronic statements. As a rule, one simply gets a notice that the statement is ready and must log on to retrieve the statement in PDF format. It really is harder for a perpetrator to do this than to rifle a physical mailbox.
- Have your mail stopped or forwarded when you are away. I recently returned from a trip to find a note from the local police informing me that a stranger had been observed rifling the mailboxes in our neighborhood. Fortunately, I had stopped delivery on my mail before leaving on my trip.
- Empty your mailbox every day.
- Use a locked mailbox.
- Consider the use of a post office box or an accommodation address. Federal law to the contrary notwithstanding, people do rifle mailboxes.
- Limit your accounts to a number sufficiently small that you would miss a statement that did not arrive.
- Consider giving your fiduciaries a secret code-word instead of such public information as your mother's maiden name.
- Put only the last five digits of your SSN on applications. Remember that the real purpose of the SSN on an application is to reduce any ambiguity in name and address when making an inquiry of credit reporting agencies. (If a fiduciary does not want to do business with you on that basis, look seriously at the competition.)
- Prefer one-time credit card numbers (e.g., American Express Private Payments) or store-of-value cards (e.g., Visabuxx, extramoney GiftCard) on the Internet.
- Give permanent credit card numbers only to highly reputable merchants with whom you expect to do business frequently.
- Prefer major merchants on the Internet. While only one offer in 40,000 on eBay is fraudulent, that is still higher than when dealing with major merchants.
- Do not keep large balances in your checking account. Do not link accounts or use overdraft arrangements.
- Use escrow agents when making major purchases from strangers on the Internet. Consider the use of PayPal, Yahoo! PayDirect, or BillPoint.
- Reconcile your statements promptly. Prefer online reconciliation so that you reconcile a few transactions frequently rather than a large number infrequently. This is the most important and effective control: nothing above will compensate for it.


Recommendations for Fiduciaries

Remember that it is the fiduciary that takes most of the losses in identity fraud. As a fiduciary, you are more likely to be defrauded by an employee than an outsider, by a manager or an officer than by non-management. You are also more likely to be defrauded at application time than at transaction time, at exception time than at routine transaction time.
- Train your people. There are very few identity frauds that do not involve some successful social engineering.
- Only collect necessary customer data.
- Protect all the customer data that you collect. Keep in mind that if it is compromised, it will most likely be used against you.
- Prefer the use of secret data to authenticate customers; never authenticate a customer on the basis of a single piece of public data such as a Social Security number.
- Use digital signatures for large accounts.
- Consider the use of dynamic data elements such as recent transaction data to authenticate customers or other trading partners over the phone.
- Confirm all transactions out of band. Be sure that employees can neither cause nor prevent such confirmations.
- Confirm all changes of address to both the old and the new address before mailing a statement.
- Think of processing name changes in terms of the closing of one account and the opening of another.
- Do not put the entire account number on the statement in the clear. Prefer partials (e.g., first four and last four digits), one-time tokens, vouchers, or reference numbers.
- Require that the entire account number be written in order to change address data.
- Collect e-mail addresses or fax numbers to be used as an alternative to paper for out-of-band confirmations of transactions or changes.
- Involve a randomly selected officer in the most sensitive activity. This activity should be selected by such measures as amount, the level of trust in the payer and payee, and how usual or unusual the activity is. The officer should be selected at random by a computer.
- Reconcile all variances promptly.
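The change-of-address scam described earlier and the fiduciary recommendations above (mask the account number on the statement, require the entire number before changing the address, confirm to both the old and the new address out of band, and pick the reviewing officer for unusual payment orders at random) can be expressed as a small set of controls. The Python below is an added illustration, not Cybertrust's or any bank's code; the account, the risk thresholds and the officer list are constructed for the example.

```python
"""Model of the fiduciary-side controls recommended above (illustrative only)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str                 # full number; only the masked form is ever printed
    address: str
    typical_amount: float       # constructed baseline used by the "unusual amount" check
    registered_payees: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # staged address change, if any


def mask_account_number(number: str) -> str:
    """Statement-safe form: first four and last four digits, nothing else."""
    if len(number) <= 8:
        return "*" * len(number)
    return number[:4] + "*" * (len(number) - 8) + number[-4:]


def request_address_change(acct: Account, supplied_number: str, new_address: str) -> dict:
    """Accept the request only with the entire account number (the masked form on a
    stolen statement is not enough) and stage it; nothing changes, and no statement
    goes to the new address, until both addresses confirm out of band."""
    if not secrets.compare_digest(supplied_number, acct.number):
        raise PermissionError("entire account number required to change address")
    acct.pending = {
        "new_address": new_address,
        "tokens": {"old": secrets.token_hex(8), "new": secrets.token_hex(8)},
        "confirmed": set(),
    }
    # Each token is mailed to its own address by the system, not by the employee who
    # took the request, so that employee can neither cause nor prevent the confirmation.
    return {"old": (acct.address, acct.pending["tokens"]["old"]),
            "new": (new_address, acct.pending["tokens"]["new"])}


def confirm_address_change(acct: Account, channel: str, token: str) -> bool:
    """Record a returned confirmation; apply the change only once both are in."""
    p = acct.pending
    if not p or channel not in p["tokens"]:
        return False
    if not secrets.compare_digest(token, p["tokens"][channel]):
        return False
    p["confirmed"].add(channel)
    if p["confirmed"] == {"old", "new"}:
        acct.address = p["new_address"]
        acct.pending = {}
        return True
    return False


def payment_risk_flags(acct: Account, amount: float, payee: str, channel: str) -> list:
    """Measures the paper names for selecting sensitive activity: amount, trust in the
    payee, and how unusual the order is (here, an e-mail or fax order to an account
    the customer never preregistered). The 10x multiplier is a constructed threshold."""
    flags = []
    if amount >= 10 * acct.typical_amount:
        flags.append("amount")
    if payee not in acct.registered_payees:
        flags.append("unregistered_payee")
    if channel in ("email", "fax"):
        flags.append("unverified_channel")
    return flags


def select_reviewer(officers: list) -> str:
    """Choose the reviewing officer with a CSPRNG so nobody can steer the choice."""
    return secrets.choice(officers)
```

An order that raises any flag would go to `select_reviewer` before release; an order with none follows the routine path.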


Recommendations for Merchants

There are two issues for merchants. First is being sure that they are doing business with the person whom they intend to, that is, that they are not the victim of fraud. Second is that they protect all of the information that they use for the first, i.e., that they do not contribute to fraud by others against their own customers.
The classic form of fraud against the merchant is the bad check: the customer pretends to be someone that they are not or to have funds that they do not. While there are a number of techniques that the merchant can use to resist bad checks, they all involve cost and none are foolproof. The modern equivalent of the bad check is the bad credit card number: the customer uses a valid credit card number that does not belong to him.
Online merchants frequently store customer names and addresses so that return customers do not have to reenter them. For the same reason, they may store credit card numbers. They therefore have a special obligation to protect this information from exploitation by others.
- Require two credentials, including a valid in-state driver's license, when cashing checks. Reconcile photo to the customer, signature to that on the check, and name and address. Record the license number on the check.
- Use online check guarantee services to ensure that the driver's license is valid, that there is no previous fraud associated with it, and to compensate you for any inevitable losses.
- Use online services at the point of sale to verify that credit cards are valid, current, and within credit limits.
- Protect any and all customer-identifying information stored on systems from employees, other users, and rogue hackers. (Consider the recommendations of SANS, MasterCard, or Visa for the operation and security of your Web site.)
- Where offered, use out-of-band authentication (e.g., Verified by Visa or MasterCard SecureCode) of customer ID. These mechanisms resist fraudulent use of a credit card number, reduce charge-backs, and may offer a lower rate. Prefer banks that offer this service.

About Cybertrust
Cybertrust is the global information security specialist, delivering services that secure critical data, protect identities and help customers demonstrate ongoing compliance. Cybertrust is 100 percent focused on information security and 100 percent product and vendor neutral. We focus our more than 15 years of expertise and deep industry intelligence to offer individual, pragmatic solutions to our customers that align information security risk to organizational risk. Cybertrust is one of the world's largest providers of information security and is recognized as the global market leader in managed security services. Headquartered in Herndon, Virginia, USA, with more than 30 offices around the globe, Cybertrust has earned the trust of thousands of customers worldwide.
