I have tried unsuccessfully to get a Costco American Express card for the last two weeks because it gets at least 3% cash back on gas purchases, plus we intend to start shifting more of our buying to Costco (they don't take Visa). The moving process has caused American Express to see two addresses, and they're skittish about sending the card without some sort of verification of the home address. Doesn't matter that I gave them all of the information in the first place, doesn't matter that in a subsequent call I answered every security question without incident.
They need to prove that I actually live there, so they want a utility bill or someone else like a doctor or lawyer to verify that address. Sounds like a pretty decent system for stopping identity theft, doesn't it? Wrong. Let me explain why.
One of the basic security principles in infosec is the chain of trust. American Express doesn't trust me, so it goes to someone who can ostensibly vouch for me. The problem is, this relationship is too fluid to establish a reliable chain of trust. What is to stop an identity thief from setting something up that seems to come from a licensed lawyer, accountant or doctor verifying that address? Nothing, and that's because American Express doesn't already trust the source that is attempting to verify my credentials. It's blind trust, which is really no trust at all. One of the reasons that digital certificates work is that we trust signers like Verisign not to be some fly-by-night operation that will give the thumbs up to any Tom, Dick and Harry who casually slips it some greenbacks under the table.
So, while it is a speed bump for an identity thief, it really only offers protection from casual identity thieves.
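To make the chain-of-trust point concrete, here is an added example (not from the original post) of a toy verifier that accepts an address attestation only when the vouching party chains back to a trust anchor the verifier already holds. The names, the sample attestations, and the HMAC used as a stand-in for a real public-key signature are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_CHAIN = 4  # bound the walk so a ring of self-issued certs cannot loop forever


def sign(key: bytes, msg: bytes) -> bytes:
    # Toy stand-in for a public-key signature; the chain-walking logic is the point.
    return hmac.new(key, msg, hashlib.sha256).digest()


def tbs(subject: str, issuer: str, subject_key: bytes) -> bytes:
    return f"{subject}|{issuer}|".encode() + subject_key  # the bytes that get signed


@dataclass(frozen=True)
class Cert:
    subject: str
    subject_key: bytes   # stands in for the subject's public key
    issuer: str
    signature: bytes     # issuer's signature over tbs(subject, issuer, subject_key)


def issue(issuer: str, issuer_key: bytes, subject: str, subject_key: bytes) -> Cert:
    return Cert(subject, subject_key, issuer, sign(issuer_key, tbs(subject, issuer, subject_key)))


def verify(leaf: Cert, presented: dict, anchors: dict) -> bool:
    """Accept leaf only if every link is signed by a key that chains to an anchor."""
    cert = leaf
    for _ in range(MAX_CHAIN):
        body = tbs(cert.subject, cert.issuer, cert.subject_key)
        if cert.issuer in anchors:  # reached pre-existing trust: check the last link
            return hmac.compare_digest(sign(anchors[cert.issuer], body), cert.signature)
        issuer_cert = presented.get(cert.issuer)  # intermediates come from the applicant
        if issuer_cert is None or not hmac.compare_digest(
                sign(issuer_cert.subject_key, body), cert.signature):
            return False  # nobody vouches for this issuer, or the link is forged
        cert = issuer_cert
    return False  # ran out of links without ever touching an anchor


def demo() -> dict:
    bar_key, lawyer_key, thief_key = (os.urandom(32) for _ in range(3))
    anchors = {"State Bar": bar_key}  # what the verifier trusted before the request
    lawyer = issue("State Bar", bar_key, "Lawyer Jane", lawyer_key)
    genuine = issue("Lawyer Jane", lawyer_key, "applicant lives at 1 Main St", b"")
    # A self-issued "law office" that no trusted party has ever vouched for.
    fake_office = issue("Fly-By-Night Law", thief_key, "Fly-By-Night Law", thief_key)
    unanchored = issue("Fly-By-Night Law", thief_key, "thief lives at 1 Main St", b"")
    tampered = Cert("applicant lives at 9 Elm St", b"", genuine.issuer, genuine.signature)
    presented = {c.subject: c for c in (lawyer, fake_office)}
    return {name: verify(c, presented, anchors)
            for name, c in (("genuine", genuine), ("unanchored", unanchored), ("tampered", tampered))}
```

The self-issued office is rejected not because its signature is malformed but because no link in its chain reaches a key the verifier trusted beforehand, which is exactly the gap in asking an unvetted "lawyer" to vouch for an address.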

I agree.
Most security measures in place with companies today are a joke for anyone who is serious about taking advantage of someone's account. It's all done to give the customer a sense of security but really, how often do people call a utilities company trying to wreck someone's account? I can understand credit card companies wanting to be careful but their measures are fairly easy to counter (as you pointed out) if you want to commit fraud.
As far as I'm concerned, it's all part of this paranoid post-9/11 culture which has been foisted upon us in the last 7 years. And it's a joke.
It would be easier to deal with if people realized just how paranoid we have become since 9-11. I think 9-11 really did a number on a lot of people because it showed how limited our sense of security really is in practice. Of course, it's also a great reason why we should read and take seriously the passages in the Bible which say that our lives are in our hands, and that we should not act as though we have control over when we die (not to say that we should be negligent).