UK politicians are calling for the creation of an identity theft "czar" to lead the fight against the growing form of crime. The Parliamentary All Party Group on Identity Fraud said the role is needed to co-ordinate work by the government, police, and private sector. The committee of MPs also want police to appoint dedicated …
One stop shop
I suppose this is another 'ID cards are good for you' push by our delightful Government.
The possibility that ID cards will turn out to be a one-stop ID theft bonanza seems to have escaped their notice.
Far from being a barrier to ID theft, they will provide a single point of attack.
It's an SSO system for your entire life. Like any SSO (single sign-on) system, once it has become compromised everything it protects is compromised.
Imagine someone committing a fraud using a UK ID card in your name? Imagine trying to prove it wasn't you to a jury convinced of their infallibility?
Personally the idea of these cards frightens me more than ID theft, terrorism, or anything else these damn things are supposed to combat.
Identity theft is not theft
It's a blanket term that the identity card people came up with to help define a BIG problem they could sell their BIG EXPENSIVE ID cards as the solution to. When someone steals from your bank account they're not stealing your identity, they're stealing your money.
1. Credit card fraud, the solution is for credit card companies to spend proper money on tokens & smart cards and stop making excuses or offloading the liability onto merchants.
2. Bank id fraud. UK & US problem, rest of Europe uses challenge-response tokens and challenge-response cards and it is not a problem for those banks. UK banks don't seem to want to spend the money because they have free banking. Fixing this does not fix 1, because they do not share the same ID and it would be unwise to make them share the same ID.
3. Government stuff, like claiming social security on false ID, that's an ID card problem. Fixing this doesn't fix 1 & 2 since they're really unrelated except for the vague term.
4. Stuff thrown in to exaggerate the problem, e.g. fake names on email spam used to pad out the number of people who are victims of attempted 'identity theft'. SPF should be mandatory.
5. Phishing, if they fixed 1,2,3, what would the attacker phish for?
Since the problem has different solutions in different cases, and since most of the problem is caused by banks and credit card companies trying to avoid spending money while looking like they're doing something, the fix is to not go along with the hype and to remind them that it's their job to ensure their users are the ones logging in, and that their credit card owners are the ones spending on the credit cards, and that UK Gov fixes the birth-certificate/death-certificate loophole.
Appointing a co-ordinator for separate problems only gives them an excuse not to fix the problem until a 'common' solution can be found.
But what happens if Richard Brunstrom (shudder!) gets the job.....?
I've got my coat, call me a ferry
(I'm leaving the UK)
another pointless knee jerk from our well informed government
Because we all know that adding the term 'Czar' to anyone's title makes them some kind of expert.
If we had better privacy and clearer privacy laws then ID theft would be harder.....perhaps they should look at the big picture for a change and see what a great place the erosion of privacy has made the UK.
A significant chunk of the alleged £1.7b cost of ID fraud is benefit fraud, but that won't be solved by an ID card as the people *are* who they say they are. It's their circumstances that they are lying about.
And most of the credit card fraud is Card Not Present anyway so how the hell is anyone going to check the ID card?
At least Joe Public seems to be wising up - check out the comments on the BBC's article
Responsibilities of the job
Responsibilities of the job will include:-
1) Artificially inflating ID fraud numbers by including all card holder not present fraud and various internet scams.
2) Selling the government's ID card scheme, despite having no answer on how it can tackle card holder not present fraud and various internet scams.
3) Making the case for further erosion of privacy by wholesale data sharing within government and to unaccountable private firms with abysmal security records.
No previous experience of fraud prevention, civil liberties or data security required.
Bringing the problem into the light
The majority of our population do not think about the problems associated with ID cards or the potential of safe banking if money was spent - BECAUSE THEY HAVEN'T BEEN TOLD ABOUT THEM!
I can only hope that if a Tsar is appointed, the issue is shown to be the problem that it is, the public is informed and demands action.
As far as credit card fraud is concerned - have a look at the article on GrIDsure, also in this wonderful Register of ours. It takes a lot of the expense out of the equation.
Every time the government anoints a retired copper, third-rank civil servant, or quangocrat as czar or czarina for this that and the other, there is a fuck-up followed by a bust-up. The efforts and pontifications of MPs are little better.
The solution (for all revolutionary-minded vultures) is in the Rolling Stones' line from 'Sympathy For The Devil'...
"I killed the czar and his ministers / Anastasia screamed in vain"
Let's have some blood on the carpets of Westminster.
Or at least some commonsense proposals that eschew the word 'czar'..
Breakdown of figures
The £1.7bn figure keeps being mentioned, but the figures don't stand up to scrutiny. The full breakdown is at http://www.identitytheft.org.uk/ID%20fraud%20table.pdf and the biggest "losses" (nearly £1.5bn) are from stolen credit cards, money laundering, carousel fraud and "telecoms" fraud. The next biggest (about £120m) are from identity checking for the passport and immigration services. From the justifications in the ID fraud table it's pretty obvious that a lot of the figures were cooked up to make the problem sound worse than it is for the ID card/database scheme (http://www.theregister.co.uk/2006/02/03/clumsy_id_card_study/).
ID theft has always struck me as being a type of fraud where the victim is blamed for not being careful enough. There was an interesting article on El Reg a few years ago at http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/ about phantom withdrawals from cash machines. These days phantom withdrawals would probably be dismissed as "identity theft" and the victim told to stop making a fuss. I think the only effective way to stop ID theft would be to make the banks and govt departments liable for the fraud unless they can prove gross negligence.
The £1.7bn ID fraud figure is itself a fraud
Some more data to back up the point made by the previous poster:
In July 2002 the Cabinet Office published a study saying ID fraud costs the country £1.3 billion per year. In February 2006 the Home Office revised this figure upwards to £1.7 billion. Ministers have quoted these figures repeatedly to justify the huge cost of their National Identity Scheme. However, they don't stand up to independent scrutiny. For instance:
* The 2002 report shows £370 million of identity fraud reported by APACS, the bank clearing service for plastic cards and cheques, but APACS itself says the real figure was only £20.6 million – about 6% of the government's claim.
* The Cabinet Office says identity fraud cost the insurance industry £250 million in 2002, but in June 2005 the Association of British Insurers told reporter Andrew Gilligan "I'm not sure where that figure comes from. It's not from us. ... Insurance fraud tends to be people claiming in their real names for false losses. ID fraud is not a particularly big problem in the insurance sector".
* The 2002 and 2006 reports both include £215 million for "Missing Trader Intra-Community" (MTIC) fraud, also known as Carousel Fraud, where goods are bought and sold by fictitious companies in different countries in the EU, with VAT which was never actually paid "claimed back" from EU governments. However, a spokesman for HM Revenue & Customs told Andrew Gilligan "We wouldn't normally describe MTIC fraud as ID fraud".
Once these and other dubious "costs" of identity fraud have been excluded, the true cost of identity fraud to the UK has been estimated at £150 million in 2002, or about 12% of the government's figure.
 Cabinet Office, "Identity Fraud: A Study", July 2002, Annex B, page 73, http://www.identitycards.gov.uk/downloads/id_fraud-report.pdf
 Home Office, "Updated estimate of the cost of identity fraud to the UK economy", 2 February 2006, http://www.identitytheft.org.uk/ID%20fraud%20table.pdf
 Riten Gohil, APACS, "Information, Identity Theft and the Internet", November 2004, page 5, http://www.ecb.int/events/pdf/conferences/epayments2004/041110_eConf_Gohil.pdf
 Andrew Gilligan, "Revealed: how Blair is playing the fear card", Evening Standard, 20 June 2005, http://www.spy.org.uk/spyblog/2005/06/evening_standard_andrew_gillig.html