veryard projects - innovation for demanding change

Security and Identity

veryard projects > security > identity
we offer identity material links

management briefings

independent advice on tools and methods

What does it mean to ...
share user identity information between applications and organizations
exchange user identities


identity exploits

identities exploited


identity differentiation

notion finder



identity &

veryard projects - innovation for demanding change

Identity Exploits

veryard projects > security > identity > exploits

Theft Interference Loan Swap Assembly Invasion Erosion

Identity Theft

Someone intentionally uses my identity without my knowledge or consent.  There are three common motives. In some cases, I may have some level of protection against identity theft.  If someone forges my signature, or steals my credit card, my liability is limited and some other part of the system absorbs any financial loss.  Banks typically dislike this - not just because it represents a cost for them, but also because they argue that it introduces a form of moral hazard, since I may try to repudiate transactions that are rightfully mine.

Identity Interference

Someone accidentally uses my identity.  In other words, someone is mistaken for me - perhaps as the result of some system error - and perhaps gains some advantage from the mistake.  This often happens when two people, companies or websites have similar names.

Identity Loan (non-transferable)

Someone borrows my identity to obtain something that I am entitled to.   I do not necessarily suffer from this, and so may consent to it, under four conditions. For example, someone borrows my season ticket, on a day when I don't need it.  I trust him not to lose it, not to behave in such a way that it is confiscated by the authorities, and to give it back before I need it again. In this case, the intended purpose of the loan is to cheat the service provider, since the season ticket is supposedly non-transferable.

Identity loan (transferable)

On the other hand, if someone borrows my car or my library ticket, there may be no intention to cheat anybody.  It becomes my responsibility to ensure the library books are returned, and the speeding fines are paid and properly attributed.

There are of course still hazards in this - for borrower, lender, service provider and third parties.

Identity swap

All sorts of interesting opportunities arise when two people swap identities.

Identity assembly

Piecing together an identity using fragments from different sources.  This is a concern for two reasons: the assembled identity may be inaccurate or misleading; and its assembly may represent an invasion of privacy or confidentiality.
> See also inference control

Identity invasion / erosion

An act or transaction that exploits and degrades some aspect of my identity.  For example, abuse of my email address by spammers, which degrades the value of my email address, and may have an indirect effect on my own professional reputation.

veryard projects - innovation for demanding change

Identities Exploited

veryard projects > security > identity > exploited

Person Corporation Vehicle Website

Personal Identity

Most of the discussion of identity theft relates to people. We spend our lives identifying ourselves (or being identified) for various purposes.

Corporate Identity

Companies are regularly impersonated or spoofed.  For example, I can be phoned or emailed by someone who pretends to represent my bank, and asks me to "confirm" my credit card details.  (This is known as phishing.)  I often get email that turns out not to be from the company it appears to be from, and tries to lure me to various dodgy websites.
more Finance industry view of security

Vehicle Identity

Many schemes identify vehicle by registration plates, perhaps with a database check against the model and colour. False number plates can result in the wrong person receiving penalties and charges for speeding, parking or congestion. This can be regarded as another form of identity theft - someone has stolen the identity of my car.

veryard projects - innovation for demanding change


veryard projects > security > identity > impersonation

Pretending to be someone else. Sometimes this is done with malicious or fraudulent intent, either against the person whose identity is used or against a third party. (For example, if you use your friend's season ticket, you and she may be jointly defrauding the company issuing the season ticket.)

Sometimes impersonation may be relatively innocent or harmless. Authors frequently use pennames, especially if they want to write novels in more than one genre without confusing the reading public. I may use a false name when I register on a website, in an attempt to preserve my own privacy and to avoid further increasing the amount of spam I receive. And I always lie, on principle, when I'm asked for my mother's maiden name.

Sometimes impersonation may be contained within a context that somehow makes it okay. A London journalist wrote a regular column, which purported to be the diary of a well-known British politician. The politician sued, on the grounds that some readers might not recognize that it was a spoof. The debate was not about the content or legitimacy of the spoof itself, but how the spoof was framed - where and how it was published. (If it had been in a satire magazine, everyone would have known that it was a spoof, and the politician would have shrugged it off.)
more Biometric Impersonation
Wizard Impersonation (Polyjuice Potion)

veryard projects - innovation for demanding change

Identity Differentiation

veryard projects > security > identity > differentiation

It is not unusual for decisions of trust to make a distinction between different identities of the same person. Let's say I have a friend called John. JOHN-SOBER and JOHN-DRUNK are two different identities, with recognizably different patterns of behaviour and risk. I am happy to lend my car keys to JOHN-SOBER, but not to JOHN-DRUNK.

If a person has a gun to his head, or his children are held hostage, his behaviour is likely to be uncharacteristic. ("You are not yourself today.") Signatures and voice patterns change under stressful conditions, including duress and torture. If this uncharacteristic behaviour is detected at a security checkpoint, then it might be appropriate to hinder a person's entry, until the identity difference is resolved.

This is about a difference in identity, not just a difference in behaviour. I am not refusing John my car keys because of his slurred speech; I am refusing them because he is drunk  It may be his slurred speech that alerts me to the fact that he is drunk; but if he convinces me that his slurred speech on this occasion is a result of a visit to the dentist, I may let him have the car keys. Conversely, if he learns to speak normally even when drunk, I shall just have to find a different way to determine when he is drunk and when sober.
more Identity and Difference
Signature as Token of Identity
Context-Dependent Trust - Can we trust Professor Lupin?
Differentiated Security

veryard projects - innovation for demanding change

Identity and Security - More Material

veryard projects > security > identity > material

cbdi forum See article published by CBDi Forum, September 2002 [abstract]. Full article available to subscribers.
more Identity and Difference
Signature as Token of Identity
veryard projects - innovation for demanding change

[home page]

[contact us]

This page last updated on July 4th, 2004
Copyright © 2002-4 Veryard Projects Ltd
in asssociation with 
antelope projects
CBDi Forum