
July 27, 2005

Who should pay for your identity theft protection?

Bruce Schneier writes:
Wells Fargo is profiting because its customers are afraid of identity theft:

The San Francisco bank, in conjunction with marketing behemoth Trilegiant, is offering a new service called Wells Fargo Select Identity Theft Protection. [here--EKR] For $12.99 a month, this includes daily monitoring of one's credit files and assistance in dealing with cases of fraud.
It's reprehensible that Wells Fargo doesn't offer this service for free.

Actually, that's not true. It's smart business for Wells Fargo to charge for this service. It's reprehensible that the regulatory landscape is such that Wells Fargo does not feel it's in its best interest to offer this service for free. Wells Fargo is a for-profit enterprise, and they react to the realities of the market. We need those realities to better serve the people.

I've been doing some thinking about what kind of regulatory regime would make sense. The following are some preliminary, partly thought out notes on the topic.

To a first order, there are four kinds of identity theft to be concerned with here:

  1. Your information is stolen from some other vendor and used to defraud you at yet another vendor; WF isn't involved at all.
  2. Your information is stolen from some other vendor and used to defraud you at WF (e.g., to open a new WF account or suck money out of yours), but WF is following their normal (admittedly, inadequate) authentication procedures.
  3. Your information is stolen from WF and used to defraud you at WF.
  4. Your information is stolen from WF and used to defraud you at another vendor.

As far as I can tell, Select Identity Theft is designed to help you deal with all of these (note: I'm not offering an opinion about how well it actually works.)

It seems pretty clear that WF isn't at fault in case (1).

It's arguable that they're not at fault in case (2) either. After all, WF uses the same identity information to authenticate you as everyone else, so if someone steals that information from (say) BofA, then you're pretty much hosed. This is especially true if you don't have any accounts with WF and the attacker is opening a new one, since WF has a pretty limited repertoire of ways to authenticate you at that point. Now, it's arguable that WF should do a better job of confirming that it's really me who wants a credit card, but it's hard to see how this could be ameliorated by offering me a free anti-identity-theft service if we don't have any prior relationship. How would they even provide such a service? [1]

Now, in cases (3) and (4), WF could certainly offer me this service for free. But what regulatory incentives would cause them to want to? It seems to me that there are four basic regulatory responses (aside from simply mandating this service be offered):

  1. When a vendor/institution is responsible for letting your data leak they get punished.
  2. When a vendor/institution is responsible for letting your data leak they are liable for your costs--or at least their punishment scales with your losses.
  3. When a vendor/institution is defrauded by identity theft (i.e., someone who got the data somewhere else) they get punished.
  4. When a vendor/institution is defrauded by identity theft (i.e., someone who got the data somewhere else) they can't come after you for the money.

The current regulatory regime is some approximate combination of (1) and (4). But neither of these offers WF any incentive to offer this kind of global anti-fraud program, which is focused on compromise containment for their customers (i.e., cases (3) and (4)). Similarly, rule (3) doesn't offer WF any incentives, except in case (4). They certainly wish that other financial institutions would offer anti-fraud programs, but offering their own anti-fraud program wouldn't help because it's not their current customers that are being defrauded but new customers (and offering an anti-fraud program to the fraudsters doesn't make much sense.)

That leaves us with rule (2), which I'm guessing is the kind of thing that Bruce is thinking of. In this case, WF certainly does have an incentive to contain compromise of their customers' data, and so some incentive to offer you this service. However, it's hard to get the incentive level right. In general only a fraction of an institution's customers will have their information compromised, so the advantage to WF of giving free protection to any customer in case he might be compromised in the future is fairly small. That's not a big deal if what you're offering is insurance, since most of the cost of that is the payoff. However, if there's a substantial cost to just running the program even if your users don't have their data compromised, then the situation is a little different and it's unlikely to be efficient for the institution to offer free protection.

A related problem is that it's hard to determine responsibility. Since there's so much data leakage going on, there's a real chance that my data will be leaked multiple times. If that happens and then I'm the victim of fraud, who pays off? The obvious thing to do here is to split the penalty between all of the institutions who let your data leak, rather than trying to figure out which leak was responsible--something that likely requires too much investigation. Even this sort of penalty requires a fair amount of effort to impose, since we need to match up leaks with victims.

Of course, this sort of splitting has an obvious collective action problem: say it costs $10/month in aggregate to provide this kind of service for a customer. Even if it's worth $10/month in fines to the financial institutions in aggregate, once it's split over the number of institutions I have accounts with, it may not be worth it for any individual institution to pay for protection. On the other hand, if we make each institution bear the full cost, we get an inefficiently large amount of protection. By contrast, if I'm contracting for this service myself, I know how much it's worth and there's no collective action problem. I'm not sure that there's a regulatory regime that produces an equally efficient allocation of effort of this type.

Note that this argument doesn't apply as much to the provision of system security for my data, as opposed to monitoring after it's stolen, since only the institutions can secure my data. Moreover, we can get past the collective action problems by fining the institutions the expected value of the loss, without worrying about the impact of compromise containment measures.

1. Note that WF could make it harder for me to open a second account once I have a first one, e.g., by having some private authenticator. That would probably be useful.

Posted by ekr at July 27, 2005 10:59 PM

Comments

Observation: Whenever I go into my bank and want to open up a new checking/savings/CD (I have a habit of taking any reimbursement check over a fixed amount and opening a 9 month CD rather than putting it back in my checking account), the guy asks for my driver's license.

But I have YET to have such an ID examined when getting a credit card.

So case 2 might very well be Wells Fargo's fault, depending on what steps they actually took to verify identity.

Posted by: Nicholas Weaver at July 28, 2005 7:06 AM

Agreed--but an anti identity theft service offered by WF to existing customers doesn't do anything to solve that problem, because in general the person being defrauded doesn't have any relationship with WF at all. They bank somewhere else and it's the attacker getting an account with WF. (See footnote 1 for the edge case where the victim already has a WF account).

Posted by: EKR at July 28, 2005 7:11 AM

I don't want to be seen as a raving lunatic, but I think it is mainly the credit card and loan institutions at fault. How many pre-approved credit card and loan applications do you receive in one week? What procedures do they have in place to ensure the actions are by the intended person? While out of the country, I've had my bank issue new credit cards to my parents with only a phone call. It doesn't take much of a social engineer.

Are these institutions looking out for our best interest? Minor improvements in their policies/procedures would eliminate many cons. Saving us, the people who truly pay for all the fraudulent transactions, tons of money... savings in credit card transaction fees (seen as mark-ups by the vendors) and application/membership fees.

If the bad guys can't get the credit cards, or the loans, maybe they would revert to more traditional forms of theft that could be tracked and eventually law officials could catch the buggers.

Posted by: Teh Treag at July 28, 2005 11:25 AM

Yes, Schneier favors alternative #2. He has discussed how this alternative works very well for credit card fraud; banks have the incentive to detect it with the $50 loss limit.
- Precision Blogger

Posted by: Preceision blogger at July 28, 2005 11:54 AM

I think a combination of alternatives #3 and #4 is the best choice. The credit card companies and others who let someone take out credit in your name without enough checking are making a business decision about what level of risk of fraud to take, vs. how much extra business they can get by making that easy. But they have an incentive to make it too easy to carry out fraud, because much of the cost of fraud lands on the people in whose names credit is granted falsely, and the merchants who end up also getting defrauded.

If the grantors of credit had to pay for the costs of the other victims of identity theft, it seems like they'd be in a great position to decide what additional verification steps were worth the cost. And until someone is granted credit in my name, one way or another, most of the pain and payoff of identity theft doesn't happen.

--John

Posted by: John Kelsey at July 29, 2005 10:09 AM