| Theft |
Interference |
Loan |
Swap |
Assembly |
Invasion |
Erosion |
Identity Theft
Someone intentionally uses my identity without my knowledge or consent.
There are three common motives.
-
To steal something that belongs to me, or to load an obligation onto me.
(As when someone uses my credit card without my permission.)
-
To leverage some intangible asset that I have - including my credit record
or reputation or role. (As when someone impersonates an airline pilot
to gain access to the flight deck.)
-
To exploit my anonymity. (As when a blacklisted gambler uses a non-gambler's
identity - or rather lack of identity - to get back into the casino.)
In some cases, I may have some level of protection against identity theft.
If someone forges my signature, or steals my credit card, my liability
is limited and some other part of the system absorbs any financial loss.
Banks typically dislike this - not just because it represents a cost for
them, but also because they argue that it introduces a form of moral hazard,
since I may try to repudiate transactions that are rightfully mine.
Identity Interference
Someone accidentally uses my identity. In other words, someone is
mistaken for me - perhaps as the result of some system error - and perhaps
gains some advantage from the mistake. This often happens when two
people, companies or websites have similar names.
Identity Loan (non-transferable)
Someone borrows my identity to obtain something that I am entitled to.
I do not necessarily suffer from this, and so may consent to it, under
four conditions.
-
I have surplus entitlement, and the loan doesn't interfere with my enjoyment.
-
I trust the borrower to respect my identity, and to return it promptly.
-
I expect the borrower to meet any obligations incurred as a result of the
loan.
-
I am not concerned about any moral or legal risk.
For example, someone borrows my season ticket, on a day when I don't need
it. I trust him not to lose it, not to behave in such a way that
it is confiscated by the authorities, and to give it back before I need
it again. In this case, the intended purpose of the loan is to cheat the
service provider, since the season ticket is supposedly non-transferable.
Identity loan (transferable)
On the other hand, if someone borrows my car or my library ticket, there
may be no intention to cheat anybody. It becomes my responsibility
to ensure the library books are returned, and the speeding fines are paid
and properly attributed.
There are of course still hazards in this - for borrower, lender, service
provider and third parties.
Identity swap
All sorts of interesting opportunities arise when two people swap identities.
-
Peter Prince commits a traffic offence, and Paul Pauper loses his driving
licence.
-
Peter Prince stays in a luxury hotel with his mistress, and it is charged
to Paul Pauper's account.
-
As a result of a healthy cashflow through Paul Pauper's account, Paul Pauper
is now regarded as an excellent credit risk by the banks.
-
Paul Pauper exploits his credit status to buy shares in Prince Enterprises
Inc.
Identity assembly
Piecing together an identity using fragments from different sources.
This is a concern for two reasons: the assembled identity may be inaccurate
or misleading; and its assembly may represent an invasion of privacy
or confidentiality.
Identity invasion / erosion
An act or transaction that exploits and degrades some aspect of my identity.
For example, abuse of my email address by spammers, which degrades the
value of my email address, and may have an indirect effect on my own professional
reputation.
| Person |
Corporation |
Vehicle |
Website |
|
|
|
Personal Identity
Most of the discussion of identity theft relates to people. We spend our
lives identifying ourselves (or being identified) for various purposes.
Corporate Identity
Companies are regularly impersonated or spoofed. For example, I can
be phoned or emailed by someone who pretends to represent my bank, and
asks me to "confirm" my credit card details. (This is known as phishing.)
I often get email that turns out not to be from the company it appears
to be from, and tries to lure me to various dodgy websites.
Vehicle Identity
Many schemes identify vehicle by registration plates, perhaps with a database
check against the model and colour. False number plates can result in the
wrong person receiving penalties and charges for speeding, parking or congestion.
This can be regarded as another form of identity theft - someone has stolen
the identity of my car.
Pretending to be someone else.
-
Passing oneself off as another person, without that person's knowledge
or consent. For example, stealing and using a credit card. Or using
the identity of a person who died in childhood - a well-known trick for
getting a false passport.
-
Borrowing a friend's identity, with her consent. For example, using her
season ticket.
-
Creating a fictional identity. Pretending to be someone else when you answer
the phone, and then saying you're not in.
-
Creating a fictional identity that inadvertently coincides with a real
person.
Sometimes this is done with malicious or fraudulent intent, either against
the person whose identity is used or against a third party. (For example,
if you use your friend's season ticket, you and she may be jointly defrauding
the company issuing the season ticket.)
Sometimes impersonation may be relatively innocent or harmless. Authors
frequently use pennames, especially if they want to write novels in more
than one genre without confusing the reading public. I may use a false
name when I register on a website, in an attempt to preserve my own privacy
and to avoid further increasing the amount of spam I receive. And I always
lie, on principle, when I'm asked for my mother's
maiden name.
Sometimes impersonation may be contained within a context that somehow
makes it okay. A London journalist wrote a regular column, which purported
to be the diary of a well-known British politician. The politician sued,
on the grounds that some readers might not recognize that it was a spoof.
The debate was not about the content or legitimacy of the spoof itself,
but how the spoof was framed - where and how it was published. (If it had
been in a satire magazine, everyone would have known that it was a spoof,
and the politician would have shrugged it off.)
It is not unusual for decisions of trust to make a distinction
between different identities of the same person. Let's say I have a friend
called John. JOHN-SOBER and JOHN-DRUNK are two different identities, with
recognizably different patterns of behaviour and risk. I am happy to lend
my car keys to JOHN-SOBER, but not to JOHN-DRUNK.
If a person has a gun to his head, or his children are held hostage,
his behaviour is likely to be uncharacteristic. ("You are not yourself
today.") Signatures and voice patterns change under stressful conditions,
including duress and torture. If this uncharacteristic behaviour is detected
at a security checkpoint, then it might be appropriate to hinder a person's
entry, until the identity difference is resolved.
This is about a difference in identity, not just a difference in behaviour.
I am not refusing John my car keys because of his slurred speech; I am
refusing them because he is drunk It may be his slurred speech that
alerts me to the fact that he is drunk; but if he convinces me that his
slurred speech on this occasion is a result of a visit to the dentist,
I may let him have the car keys. Conversely, if he learns to speak normally
even when drunk, I shall just have to find a different way to determine
when he is drunk and when sober.
| [top]
[home page]
[contact us] |
This page last updated on July 4th, 2004
Copyright © 2002-4 Veryard Projects Ltd
http://www.veryard.com/security/identity.htm
|
|
in asssociation with
|
