“Identity fraud” again

August 8th, 2006 at 13:59 UTC by Ross Anderson

The National Consumer Council has published a report on “identity fraud” which is rather regrettable.

Identity fraud is not fraud, from the consumer’s viewpoint. If someone pretends to be me, borrows 10K from the Derbyshire Building Society and vanishes, it’s the building society that’s the victim, not me. If Experian then says I’m a loan defaulter when I’m not, that’s libel. Suing for libel may be expensive, but the Information Commissioner has announced his willingness to issue enforcement notices against the credit agencies in such circumstances. The NCC should have advertised this fact and encouraged people to go to him.

“Identity fraud” is an objectionable concept, an attempt by the banks to dump some liability. The Home Office egg them on because they think that rebadging credit-card fraud as “identity fraud” will help sell identity cards. But it’s a bad show when consumer organisations collude with an attempt to make consumers the victims of bankers’ and credit reference agencies’ negligence.

Entry filed under: Banking security, Legal issues, News coverage, Security economics

5 comments Add your own

  • 1. Nicholas Bohm  |  August 9th, 2006 at 11:25 UTC

    The main victim of an impersonation attack is, as Ross says, the person on whom the impersonation is practised and who acts on the false belief that it induces.

    The person who is impersonated may become a victim too – it must undoubtedly be a very great nuisance to have to “repair” a damaged credit status, for example. But it is important to appreciate who has victimised the consumer: it is the bank or credit reference agency that spreads the impersonator’s falsehood that makes a victim of the consumer.

    The banks need good protection against impersonators; their customers need better protection against the banks and the credit reference agencies.

  • 2. giafly  |  August 11th, 2006 at 09:52 UTC

    I’m not so sure. Here IMHO is an equivalent example.

    Suppose someone logs on to Websites, impersonating me, and posts idiotic and outrageous opinions in my name. Setting aside the question of how one could tell – as in the bank case, my reputation is damaged, taking time and expense to correct.

    I don’t see how the Websites are the victims, except minimally because they are put to some slight expense in investigating and reversing the damage. And I don’t think they are the ones victimising me, providing they broadcast the falsehoods in good faith.

    To be even more specific, if I impersonated the previous poster in this way, would this Website be the victim, not him?

  • 3. Matt Palmer  |  August 18th, 2006 at 09:26 UTC

    @giafly

    It’s not an equivalent example though. In your example, the website loses nothing if your reputation is hurt by an impersonator, and it is the impersonator who directly and intentionally (I assume) damages your reputation. The impersonator is actually attacking you, not the website.

    In the bank example, the bank loses money to the impersonator. The impersonator doesn’t really attack you at all – they just use your identity to get at the Bank’s resources. You lose a good credit score if the banks and credit agencies don’t correct the problem, making you the victim of the Bank.

  • 4. Philip Malan  |  December 6th, 2006 at 14:17 UTC

    Everywhere you look these days people are warning you about identitiy theft, online fraud etc. Check your credit report, subscribe to our service and we will notify you when you have a problem. All of these are reactive. The damage has been done.

    How about a proactive approach? How about giving control back to the user to manage their data. iamdentity is a UK based company specialising in online identity management and data security. With their service users can have a single online identity that can be used across the Internet.

    It’s not only safe and convenient but also practical. If you move, you only need to update your details in one place. Whenever you log into an iamdentity enabled website, your details are automatically updated. You can even control the distribution of your data.

    That makes more sense than sitting around and waiting for you to become a victim.

    Have a look at http://www.iamdentity.com and decide for yourself.

  • 5. louise  |  June 20th, 2007 at 09:42 UTC

    i left england to live in france january 4th 2002 i have just recieved a letters 5 years on saying i have a dorothy perkins account which was opened after i left the country . the debt collectors are insisting i opened the account and want full payment immediatley.when i contacyted the agency they totally refused to believe me so where do i go now. this is really worrying what else is out there in my name.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

August 2006
M T W T F S S
« Jul   Sep »
 123456
78910111213
14151617181920
21222324252627
28293031