How fraud works & correlating it

How identify based fraud occurs / works & correlating it  - A primer for those who don't understand.  Especially those crafting laws the rest of us have to live with on the matter. 

Imagine being able to cancel your utility services or pick up your prescriptions merely by using something as simple and accessible as your date of birth or mothers maiden name.   This is known as knowledge-based authentication (KBA).

In the last couple decades I have noticed when you go to the pharmacy, doctor, dentist they will ask multiple times (and in the earshot presence of others), what your date of birth is.  

For what it's worth, I do believe there is a stored copy of your photo ID when you go to the pharmacy so asking your date of birth is not the only security mechanism, as I believe they are using multi-factor authentication (MFA)..  (However the storage of the drivers license info is also problematic in terms of a data breach.)  

But the more recent practice is reminiscent of decades ago how institutions seeking to confirm your identity would ask what your mothers maiden name was.  Clearly both pieces of data are easily accessible and trying to suppress that information is futile and ineffective.

When it became apparent the mothers maiden name question was problematic, institutions shifted to establishing unique security questions.  (What was your first pet's name, etc).  

This is how fraud occurs, from bad security practices of organizations that need to verify your identity for routine business.  

Regulators need to penalize or disincentivize KBA.   This is a far better regulation strategy than trying to suppress information.

NIST guidelines explicitly state that KBA or "out-of-wallet" questions should not be used for high-assurance identity verification or sensitive systems because the data is too easily guessed, bought on the dark web, or scraped from public records.


Correlating Fraud to Records Access

While there is no evidence of genealogical access contributing to fraud, there has also been no good attempt to correlate records access to that.

As of 2017 the Electronic Verification of Vital Events (EVVE)  has been implemented.  It's a real-time digital system developed by NAPHSIS that allows DMVs to instantly check official birth and death records. It enables state agencies to securely validate a customer's legal presence, age, and citizenship against authenticated government databases.

It presently doesn’t have any way for the individual to take control and monitor their own identity affairs.  This is something I think should change and be given thought.   A living person should be able to tell who (police, insurance co, genealogists, etc)  is requesting to see their date of birth or marriage records or running their drivers license number.  Once this works like how you can monitor your own credit report, we might be able to actually have some hard data on the origins of fraud rather than pure speculation and crafting blanket approach remedies.

Another thing that should become standard is a credit freeze (aka security freeze). Freezing your credit is the single most effective tool you have to protect yourself from identity theft.  The minor inconvenience of having to "thaw" it when you want to buy a car or open a card is an incredibly small price to pay for total peace of mind.

Most people only learn about credit freezes after they become a victim of identity theft or when a massive corporate data breach makes the evening news. The credit bureaus themselves don't exactly advertise this feature heavily because freezing your credit limits their ability to sell your data to marketers for pre-approved credit offers.

No comments:

Post a Comment