Who should pay for your identity theft protection?

| Comments (5) | TrackBacks (58) |
Bruce Schneier writes:
Wells Fargo is profiting because its customers are afraid of identity theft:

The San Francisco bank, in conjunction with marketing behemoth Trilegiant, is offering a new service called Wells Fargo Select Identity Theft Protection. [here--EKR] For $12.99 a month, this includes daily monitoring of one's credit files and assistance in dealing with cases of fraud.
It's reprehensible that Wells Fargo doesn't offer this service for free.

Actually, that's not true. It's smart business for Wells Fargo to charge for this service. It's reprehensible that the regulatory landscape is such that Wells Fargo does not feel it's in its best interest to offer this service for free. Wells Fargo is a for-profit enterprise, and they react to the realities of the market. We need those realities to better serve the people.

I've been doing some thinking about what kind of regulatory regime would make sense. The following are some preliminary, partly thought out notes on the topic.

To a first order, there are four kinds of identity theft to be concerned with here:

  1. Where your information is stolen from another vendor and used to defraud you at another vendor and WF isn't involved at all.
  2. Your information is stolen from some other vendor and used to defraud you at WF (e.g., to open a new WF account or suck money out of yours), but WF is following their normal (admittedly, inadequate) authentication procedures.
  3. Where your information is stolen from WF and used to defraud you at WF.
  4. Where your information is stolen from WF and used to defraud you at another vendor.

As far as I can tell, Select Identity Theft is designed to help you deal with all of these (note: I'm not offering an opinion about how well it actually works.)

It seems pretty clear that WF isn't at fault in case (1).

It's arguable that they're not at fault in case (2) either. After all, WF uses the same identity information to authenticate you as everyone else, so if someone steals that information from (say) BoFA, then you're pretty much hosed. This is especially true if you don't have any accounts with WF the attacker is opening a new one since WF has a pretty limited repertoire of ways to authenticate you at that point. Now, it's arguable that WF should do a better job of confirming that it's really me who wants a credit card, but it's hard to see how this could be ameliorated by offering me a free anti-identity-theft service if we don't have any prior relationship. How would they even provide such a service?1

Now, in cases (3) and (4), WF could certainly offer me this service for free. But what regulatory incentives would cause them to want to? It seems to me that there are four basic regulatory responses (aside from simply mandating this service be offered):

  1. When a vendor/institution is responsible for letting your data leak they get punished.
  2. When a vendor/institution is responsible for letting your data leak they are liable for your costs--or at least their punishment scales with your losses.
  3. When a vendor/institution is defrauded by identity theft (i.e., someone who got the data somewhere else) they get punished.
  4. When a vendor/institution is defrauded by identity theft (i.e., someone who got the data somewhere else) they can't come after you for the money.

The current regulatory regime is some approximate combination of (1) and (4). But neither of these offers WF any incentive to offer this kind of global anti-fraud program, which is focused on compromise containment for their customers (i.e., cases (3) and (4)). Similarly, rule (3) doesn't offer WF any incentives, except in case (4). They certainly wish that other financial institutions would offer anti-fraud programs, but offering their own anti-fraud program wouldn't help because it's not their current customers that are being defrauded but new customers (and offering an anti-fraud program to the fraudsters doesn't make much sense.)

That leaves us with rule (2), which I'm guessing is the kind of thing that Bruce is thinking of. In this case, WF certainly does have an incentive to contain compromise of their customer's data, and so some incentive to offer you this service. However, it's hard to get the incentive level right. In general only a fraction of an institution's customers will have their information compromised, so the advantage to WF of giving free protection to any customer in case he might be compromised in the future is fairly small. That's not a big deal if what you're offering is insurance, since most of the cost of that is the payoff. However, if there's a substantial cost to just running the program even if your users don't have their data compromised, then the situation is a little different and it's unlikely to be efficient for the institution to offer free protection.

A related problem is that it's hard to determine responsibility. Since there's so much data leakage going on, there's a real chance that my data will be leaked multiple times. If that happens and then I'm the victim of fraud, who pays off? The obvious thing to do here is to split the penalty between all of the institutions who let your data leak, rather than trying to figure out which leak was responsible--something that likely requires too much investigation. Even this sort of penalty requires a fair amount of effort to impose, since we need to match up leaks with victims.

Of course, this sort of splitting has an obvious collective action problem: say it costs $10/month in aggregate to provide this kind of service for a customer. Even if it's worth $10/month in fines to the financial institutions in aggregate, once it's split over the number of institutions I have accounts with, it may not be worth it for any individual institution to pay for protection. On the other hand, if we make each institution bear the full cost, we get an inefficiently large amount of protection. By contrast, if I'm contracting for this service myself, I know how much it's worth and there's no collective action problem. I'm not sure that there's a regulatory regime that produces an equally efficient allocation of effort of this type.

Note that this argument doesn't apply as much to the provision of system security for my data, as opposed to monitoring after its stolen, since only the institutions can secure my data. Moreover, we can get past the collective action problems by fining the institutions the expected value of the loss, without worrying about the impact of compromise containment measures.

1. Note that WF could make it harder for me to open a second account once I have a first one, e.g., by having some private authenticator. That would probably be useful.

58 TrackBacks

Listed below are links to blogs that reference this entry: Who should pay for your identity theft protection?.

TrackBack URL for this entry: http://www.educatedguesswork.org/cgi-bin/mt/mt-tb.cgi/351

airfare deal from airfare deal on July 31, 2005 11:57 AM

airfare deal Read More

Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net. Tech Policy points to Bill West at... Read More

investigation from investigation on August 2, 2005 7:34 AM

investigation Read More

case law from case law on August 2, 2005 8:14 AM

case law Read More

credit repair from credit repair on August 3, 2005 6:04 AM

credit repair Read More

credit card application from credit card application on August 5, 2005 1:56 PM

credit card application Read More

auto loan from auto loan on August 5, 2005 2:02 PM

auto loan Read More

no limit holdem tip from no limit holdem tip on August 5, 2005 10:33 PM

no limit holdem tip Read More

fair debt collection act from fair debt collection act on August 6, 2005 12:50 PM

fair debt collection act Read More

poker card from poker card on August 7, 2005 12:06 AM

poker card Read More

debt consolidation lender from debt consolidation lender on August 10, 2005 12:07 PM

debt consolidation lender Read More

debt free Read More

auto loan Read More

debt consolidation from debt consolidation on August 15, 2005 7:51 AM

debt consolidation Read More

debt relief Read More

car insurance rate from car insurance rate on August 16, 2005 6:26 AM

car insurance rate Read More

debt consolidation services from debt consolidation services on August 16, 2005 9:45 AM

debt consolidation services Read More

I like your site! Read More

http://e-loan.1pr.us/ Read More

online dating louisville from online dating louisville on September 5, 2005 3:02 AM

online dating louisville Read More

That is really cool Read More

debt relief consolidation Read More

adaware Read More

home equity loan from home equity loan on October 4, 2005 9:52 AM

home equity loan Read More

Cheap Generic Celebrex from Cheap Generic Celebrex on October 17, 2005 3:24 AM

Bad IDEA! Read More

Cheap Generic Viagra from Cheap Generic Viagra on October 17, 2005 6:04 AM

Gaza killing raises fears on stability after pull-out Read More

Cheap Generic Wellbutrin from Cheap Generic Wellbutrin on October 17, 2005 6:54 AM

That is really cool! Read More

Cheap Generic Levitra from Cheap Generic Levitra on October 17, 2005 7:03 AM

Have fun Read More

texas hold em poker from texas hold em poker on October 19, 2005 9:32 PM

Kenya's poverty 'not a surprise' Read More

internet texas holdem poker from internet texas holdem poker on October 19, 2005 10:52 PM

Great IDEA Read More

That is really cool! Read More

Powell regrets ‘mess’ of Iraq Read More

Mom daughter pussy pics Fathers and sons having sex pics Horse sexy picture Horny farm animals Read More

free texas holdem strip poker from free texas holdem strip poker on November 19, 2005 12:04 PM

Please visit some information dedicated to texas holdem cheat Read More

Free nurse violent rape Anal pain galleries clips Drunk boys pics Pakistani girl sexy video Read More

Japan schoolgirls sex from Download movie sex gay free on December 18, 2005 8:16 AM

Teacher video porno Free pictures of naked older japanese women Free mom and son fucking clip 70s cartoons ima... Read More

Asian porndk from Middle school girls fucking pics on December 20, 2005 10:48 AM

Free teen anime Free and passwords and cracked Dad and son gallery gay Bt download Read More

Free movie clip porn french Free sex movies incest stories Pandora hentai art Free incest sex stories with pics Read More

las vegas casinos from las vegas casinos on December 31, 2005 7:38 PM

highwaymen culpa Peru courtly blackjack online http://www.vquality.com/blackjack-online.html Read More

granting blueberry cousin floated scurried preparing.eases coax ejects lipitor http://lipitor.talented-doctor.com/ Read More

ryan air Read More

Young teen porn pics from Beach amatuer pics on January 7, 2006 2:18 PM

Japan game porn Snuff filmsfree hardcore Free japanese hentai download Uniform in... Read More

Home Equity Loans from Home Equity Loans on February 1, 2006 6:54 PM

Home Equity Loans Read More

fretfully thickest allies fails abided biblical excavations foxwood casino http://foxwood-casino.4hs8.com/86eaec0d.php Read More

aerator concordant starboard fiction!rebuild balled fitful capacitance home loans http://www.sml338.org/ Read More

5 Comments

Observation: Whenever I go into my bank and want to open up a new checking/savings/CD (I have a habit of taking any reimbursement check over a fixed amount and opening a 9 month CD rather than putting it back in my checking account), the guy asks for my driver's liscence.

But I have YET to have such an ID examined when getting a credit card.

So case 2 might very well be Wells Fargo's fault, depending on what steps they actually took to verify identity.

Agreed--but an anti identity theft service offered by WF to existing customers doesn't do anything to solve that problem, because in general the person being defrauded doesn't have any relationship with WF at all. They bank somewhere else and it's the attacker getting an account with WF. (See footnote 1 for the edge case where the victim already has a WF account).

I don't want to been seen as a raving lunitic, but I think it is mainly the credit card and loan institutions at fault. How many pre-approved credit card and loan applications do you recieve in one week? What procedures do they have in place to insure the actions are by the intended person? While out of the countr, I've had my bank issue new credit cards to my parents with only a phone call. It doesn't take much of a social engineer.

Are these institutions looking out for our best interest? Minor improvements in their policies/procedures would eliminate many cons. Saving us, the people who truly pay for all the fraudlent tranactions, tons of money... savings in creidt card transaction fees (seen as mark-ups by the vendors) and application/membership fees.

If the bad guys can't get the credit cards, or the loans, maybe they would revert to more traditional forms of theft that could be tracked and eventually law officials could catch the buggers.

Yes, Schneier favors alternative #2. He has discussed how this alternative works very well for credit card fraud; bankis have the incentive to detectit with the $50 loss limit.
- Precision Blogger

I think a combination of alternatives #3 and #4 is the best choice. The credit card companies and others who let someone take out credit in your name without enough checking are making a business decision about what level of risk of fraud to take, vs. how much extra business they can get by making that easy. But they have an incentive to make it too easy to carry out fraud, because much of the cost of fraud lands on the people in whose names credit is granted falsely, and the merchants who end up also getting defrauded.

If the grantors of credit had to pay for the costs of the other victims of identity theft, it seems like they'd be in a great position to decide what additional verification steps were worth the cost. And until someone is granted credit in my name, one way or another, most of the pain and payoff of identity theft doesn't happen.

--John

Leave a comment