Monday, 8 March 2010

How to commit identity theft

Bob Walder of Gartner recounts, from Gartner's Identity and Access Management (IAM) Summit, the true story of Bennett Arron who was the victim of identity theft:

"It all started with a mail-shot from a home shopping catalogue company to an old address, which allowed the unscrupulous person now residing at that address to place an order and open an account with the home shopping company. That credit account allowed him to acquire a mobile phone or two. From there it was not too difficult to open bank accounts and obtain credit cards – all in Bennett Arron’s name.

The end result was Arron, who had already given notice on rented accommodation to buy a house, failed to acquire a mortgage, couldn’t rent another property, couldn’t get a line of credit, burned through savings and ended up penniless and living with parents with his pregnant wife. It took him two years to clear his name, by which time property prices had tripled and he could no longer afford to buy a house anyway!"

Arron appeared in a documentary for Channel 4 where at a local shopping mall he social engineered 18 (out of 20) people to give him their personal details, credit card numbers etc, by pretending to be someone advising on the dangers of identity theft!

He also proved how easy identity theft can be, using the example of politician Kenneth Clarke. Walder reported that:

"Arron applied for a duplicate birth certificate in Clarke’s name, and within 3 days it arrived. Using that, he applied for a duplicate driving license from the UK Drivers & Vehicle Licensing Authority (DVLA), which took just a couple of weeks to arrive. As part of this process, the DVLA requested photographs for the license which had to be authenticated on the reverse with a statement from a trusted, non-family member that this was a true likeness of Kenneth Clarke. This Arron completed himself using a false name. Something of a root trust issue, here, I think….

Naturally, with a birth certificate and driving license Arron could have gone on to open various accounts, building up to bank accounts and credit cards. Scary stuff. One good thing came from this – it is now no longer acceptable to use a birth certificate as the sole means of ID when applying for a UK driving license. Wonder if they have plugged that photo certification loophole too?"

It's real life examples like these that bring home how our society has a very long way to go yet in protecting citizens against identity theft. A root trust issue, indeed. As I mentioned in my suggested Data Dozen of identity management for privacy, proper verification of the base information has to be the foundation.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.