Identity Meltdown
Kim Cameron remixes some recent press coverage of the declining trust in e-commerce, a trend he calls identity meltdown.
I first became interested in this topic in 1992, when I found it possible to transfer all of my money from one state to another with some very superficial identity checks performed by the destination bank (and no verification at the source). When I demanded that the bank close this obvious security hole, or else indemnify me (after transferring my money of course), I was shocked to find that they had no intention of protecting me from fraud, and did not consider it their responsibility if their shoddy identity checks resulted in fraud to me.
I’ve blogged about this trend several times over the past five years, and while technological solutions are promising, these technological solutions shouldn’t even be necessary. Here is my skeleton argument:
- If the banks demanded much better identification before opening bank accounts or lines of credit, many of these attacks would be stopped dead. As it is, the banks have no incentive to do this, because they are not held responsible for the theft.
- If congress were to pass a law requiring that banks be held responsible for shoddy identification practices (as they would be held responsible for other security breaches), they would have a financial incentive to stop trusting poor tokens of identity.
- This situation is unlikely to change. While I think it is possible to stop identity theft by holding responsible the financial institutions, there is another way. The groundswell of people crying out for a solution to identity fraud can be used to justify legislation of more systemic changes such as national ID. National ID is desirable to groups such as FBI, homeland security, and of course financial institutions. Solving the problem by penalizing financial institutions would leave lawmakers with little political leverage to push national ID.