President Bush will soon get recommendations from the Federal Trade Commission (FTC) on ways to curtail identity theft by improving authentication methods. The idea is to make consumer information less valuable to thieves by making it more difficult for them to use it to open accounts, get loans, use credit cards, and otherwise get money in the victim’s name.
In reporting to the president, the FTC is fulfilling one mandate from the Identity Theft Task Force that Bush established in May 2006. The task force itself issued a report in April 2007. Now, a year after that, the president will get another report with yet more recommendations from the FTC.
This deliberative pace gives every stakeholder plenty of time to have input, and it gives decision makers time to assess competing concerns, such as privacy and security. But it also stands in sharp contrast to the speed with which technology use and abuse evolve in the real world.
We tend to think so long about which solution might work that the criminals have a workaround by the time we act. Take two-factor authentication. Regulators finally issued guidance in mid-2005, giving banks until late 2006 to move to this approach. It is still touted as a possible solution, but as tech guru Bruce Schneier wrote when the rule came out, “It solves the security problems we had ten years ago, not the security problems we have today.”
And while U.S. banks continue to move in that direction, George Crabb of the U.S. Postal Service said at an FTC workshop on authentication last year that the theme of a recent U.K. banking crime meeting he attended was “two-factor authentication is not going to work.”
Many banks also still rely on customers calling from their own phone as a means of authentication. We’ve all received credit cards that must be activated from the home. Seems reasonable. But it’s useless. Criminals using voice over Internet (VoIP) technology can make it appear that they are calling from the customer’s phone. A recent spate of attacks on credit union accounts took advantage of that ploy.
Clearly, there is a serious lack of agility on the part of both government and business that helps to explain why, with all the measures that institutions have adopted, fraud and identity theft have not abated.
In the 1980s and 1990s, businesses learned to be more nimble with regard to manufacturing and practices like just-in-time inventory. Now they need to become as nimble with security solutions.
Consumers, for our part, should do the reverse—accept a slower pace, at least with regard to certain financial transaction approvals. Do you really need to be able to borrow $100,000 instantly with the click of a mouse? If you insist that banks dispense your money with such speed, don’t be surprised when a cyberthief gets to it first.