Identity-based Fraud Management Systems: Part of the Solution or Part of the Problem?
August 20th, 2008 by Scott Olson
Someone recently asked me the following question, which I thought was particularly interesting and insightful: “To what extent do identity-based fraud management systems actually contribute to identity theft?”
Have you ever stopped to think about how many online businesses have your name, address, email, phone number, and mother’s maiden name? How many times over the past year have you typed in a credit card number online?
BBC News recently reported on the single largest identity theft case in history. Over 40 million credit card numbers were stolen, along with account information, passwords, and other identity information. While “biggest in history” always makes a good headline, this is just another in a series of large security breaches to put millions of consumers at risk. Outsiders have hacked into databases of banks, retailers, universities, and other organizations. Increasingly sophisticated techniques are being used to get identity information from wireless communications. In other cases insiders have stolen, sold access or even lost identity information. There will be more headlines and even bigger cases to come. You can count on it.
In addition to the big newsworthy events, possibly even more damaging in aggregate are the smaller, often low-tech identity theft cases that occur with much greater frequency. When you order something over the phone, consider the unscrupulous order taker who simply writes down your credit card number and identity information on a piece of paper that they take home at the end of the day.
With more and more personal information in more and more places, the reality is that all of us are at increasing risk of having our identities compromised. Independent of the method or scale of the identity theft, the impact to the individual whose identity has been stolen is the same. And we are all paying the price. Even if you don’t personally experience identity theft, you pay for it in higher prices, service fees, and often frustrating and inconvenient barriers that are only in place because of a few bad guys that ruin it for everyone else.
Most online businesses understand the relative ease with which fraudsters can obtain identity information. As you might expect, many online businesses respond by being more careful. How do they know it’s Bob versus a fraudster claiming to be Bob? Ironically, being more careful often means implementing systems that rely on even more identity information.
It’s a vicious cycle. More information in more places increases the chances it will get into the wrong hands. Overreliance on identity information increases the value of stolen identities. Headlines created by this cycle make consumers even more reluctant to shop online.
So, what can be done? One solution to this problem is to augment identity-based approaches with fraud and abuse management systems that use physical, device-based information independent of identity or financial information.
Device Reputation, which provides historical information about how an individual computer has been used in the past, is a good example. For online merchants, consider the value of knowing that an order is being submitted through a computer associated with stolen credit card use or identity theft at other online merchant sites. If the identity and financial information provided “check out” but the computer is either directly or indirectly associated with fraudulent activity, the stolen identity information has little value. And, there is significant value to consumers, as well. If your identity information is associated with the Internet devices you typically use to access a particular site, it is much more difficult for someone else to claim to be you.
Combining identity-based systems with a device-centric approach significantly raises the bar for fraudsters and will lower both the rate and impact of identity theft. Identity information becomes less valuable as more sites look at identity in combination with device data. This is how we break the vicious cycle.
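The layered decision described above, sketched as an added example (not code from the original post or from any vendor's product): an identity check that passes is still weighed against the device's history, including indirect links through shared accounts. The device IDs, account names, data stores and the allow/review/deny outcomes are all constructed assumptions.

```python
from collections import deque

# Constructed sample data (not real records).
# Devices that other merchants reported for confirmed fraud.
FRAUD_REPORTS = {"dev-c": ["stolen card use"]}
# Accounts seen on each device; shared accounts link devices to each other.
DEVICE_ACCOUNTS = {
    "dev-a": {"bob"},
    "dev-b": {"mallory", "eve"},
    "dev-c": {"eve"},
    "dev-d": {"carol"},
}
# Devices each account holder normally uses.
KNOWN_DEVICES = {"bob": {"dev-a"}, "carol": {"dev-d"}}


def fraud_distance(device, max_hops=2):
    """Return hops from device to the nearest reported device, or None.

    0 means the device itself was reported (direct association); 1 or more
    means it is linked through shared accounts (indirect association)."""
    seen, queue = {device}, deque([(device, 0)])
    while queue:
        current, hops = queue.popleft()
        if current in FRAUD_REPORTS:
            return hops
        if hops == max_hops:
            continue
        for other, accounts in DEVICE_ACCOUNTS.items():
            if other not in seen and accounts & DEVICE_ACCOUNTS.get(current, set()):
                seen.add(other)
                queue.append((other, hops + 1))
    return None


def decide(account, device, identity_ok):
    """Combine the identity check with device evidence; neither layer decides alone."""
    if not identity_ok:
        return "deny"
    distance = fraud_distance(device)
    if distance == 0:
        return "deny"      # identity data checks out, but the device is reported
    if distance is not None:
        return "review"    # indirectly associated with a reported device
    if device not in KNOWN_DEVICES.get(account, set()):
        return "review"    # valid credentials from a device new to this account
    return "allow"
```

Note that no identity data is needed to compute `fraud_distance`; only the final known-device check ties the device back to an account.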
So, are identity-based fraud management systems part of the problem or part of the solution? They are part of the problem when over-relied upon and used independently. They are part of the solution when they work in concert with other fraud management techniques that don’t rely on identity information.
Solid security systems require multiple layers that work together. A breach of one or even multiple layers doesn’t mean a breach of the overall system. Solid fraud management solutions should follow the same approach.

April 12th, 2009 at 8:26 pm
Nice post. Thanks for sharing these tips.
May 4th, 2009 at 10:35 am
[...] to personal questions. I have blogged about this topic twice in the past, first on the topic that identity based fraud management systems are part of the problem. Second, I blogged that relying on identity based fraud management systems [...]