The U of Texas is studying it.
Identity theft is a cradle-to-grave problem that costs U.S. businesses $50 billion and affects at least 10 million consumers each year.
At least 1 million children’s identities are stolen over the course of a year — often misused by their parents, said Stephen Coggeshall, chief technology officer at ID Analytics. Adults are victimized, online and offline. Companies are compromised when unwitting employees use their company log-ins and passwords surfing the Internet.
Even death offers no respite: One study by Coggeshall showed that the identities of 800,000 dead Americans are being used for illegal purposes.
The Center for Identity at the University of Texas on Monday convened a two-day conference to discuss the scope of the problem and what can be done.
Peter Tippett, who helped create the first anti-virus software, is now with Verizon, which compiles the annual Data Breach Investigative Report.
“We do more computer crime cases than all other companies combined,” Tippett said.
Criminal organizations in the United States, Russia and Brazil are targeting consumers and businesses, Tippett said. He cited a Federal Trade Commission study for the $50 billion a year cost to businesses and the 10 million affected consumers.
Tippett said that 82 percent “of all data stolen by anybody on the planet was stolen because of your password.”
In a world where 123456 remains the most popular password, Tippett said making passwords longer and changing them more often isn’t the answer, with so much hacking and malware.
“If bad guys see what you type, it doesn’t matter how strong your password is,” Tippett said.
He likened the problem with passwords to seat belts in cars. He said seat belts were only 50 percent effective in saving lives, but making them stronger was not the answer. Adding air bags made cars safer.
A second identifying factor needs to be added to the passwords, Tippett said.
Two-factor authentication has a lot going for it, but it’s also another point of failure. One common way of delivering this without having to provide some kind of gadget that contains a personal certificate is to arrange to send an authorization code via text or voice to your phone, which is a great idea as long as you’re never without your phone. I suppose it or something like it is inevitable, though, so there’s no point complaining about it.
One thing this story doesn’t touch on is that a significant factor in identity theft isn’t just careless people with easily cracked passwords; it’s also the many corporate and government entities that have all your data and which have become lucrative targets for evildoers, or in some cases have screwed up and let supposedly secure data out into the public, as Texas Comptroller Susan Combs did last year. Seems to me there needs to be greater incentive for the keepers of these databases to prevent their theft. One model I often hear discussed is to put the financial onus for this data loss on the entity that loses it and not the individuals who are affected by it. It’s the model we use for credit cards and ATMs, where your liability is limited and the financial institution bears the risk. Those transactions are pretty darned safe nowadays because of that. That takes legislation, which is clearly a tougher row to hoe than convincing millions of people to use better passwords. As the man said, there’s only so much benefit to be gained by strengthening passwords. The back end needs to be shored up as well.