ID Analytics has released a report that suggests ID theft from credit cards needs to be re-evaluated in terms of actual risk to consumers. Reuters picked up the report in today’s news and suggests that the report shows “where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted — only about 1 in 1,000 victims had their identities stolen.” Reuters goes on to say:

After six months of study, comparing compromised information against credit applications, ID Analytics said it discovered something counterintuitive: The smaller the breach, the greater the likelihood the information was subsequently used by fraudsters to hijack the identity of victims.

“If you’re in a breach of 100, 200 or 250 names, there’s a pretty high probability that you’re identity is going to be used,” said Mike Cook, ID Analytics’ co-founder.

“The reason for that is if you look at how long it takes a fraudster to use an identity, they can roughly use 100 to 250 in a year. But as the size of the breach grows, it drops off pretty drastically.”

I do not think that is counter-intuitive at all. Small breaches are likely to be easily explained as directed attacks, as opposed to the more complicated investigation of a story that a box of tapes that have been misplaced. The Ford Motor Credit breach is an example of a massive breach that is both highly directed and that can continue giving consumers grief for many years after their data is stolen. So it is plausable that every “loss” will in fact be discovered to be a succesful attack or “breach” after the fact.

That being said, it is hard not to notice that Reuters claims first that “ID Analytics said it discovered that identity thieves have a hard time using a stolen credit cards to hijack the identity of cardholders because the cards are usually quickly canceled” and then they go on to conclude with a rather contradictory statement from the ID Analytics co-founder:

“As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them,” said Cook. “For instance, if they lose data, and they don’t know where it is, we think too many notices may not be a good thing. They should probably monitor that and spend dollars on consumers who are actually harmed, rather than spending dollars on 10 million consumers” most of whom won’t be affected.

Where does the certainty come from? If you have lost the data, then presumably you have lost control of its use in the future. Who should be allowed to decide when it is safe to give up on an investigation and declare a “loss” as opposed to a “breach”? In addition, if notification and cancelling card numbers has made ID theft less easy, then why should you not notify all consumers when you have lost their data to ensure the maxium reduction of risk? Monitor to detect and catch a criminal I can understand, but I don’t follow the logic of “notification reduces risk when IDs are stolen, but you might not need to notify”. This reminds me of the theory that if trace amounts of a substance kills less than one in 1,000 customers than large companies might find it more profitable to just pay off the families who suffer rather than prevent the harm.

Perhaps the lack of clarity is because Reuters did not mention the “significant finding”, which can be found at the start of the report from ID Analytics:

A significant finding from the research is that different breaches pose different degrees of risk. In the research, ID Analytics distinguishes between “identity-levelâ€? breaches, where names and Social Security numbers were stolen and “account-levelâ€? breaches, where only account numbers—sometimes associated with names—were stolen. ID Analytics also discovered that the degree of risk varies based on the nature of the data breach, for example, whether the breach was the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit. […] Another key finding indicates that in certain targeted data breaches, notices may have a deterrent effect. In one large-scale identity-level breach, thieves slowed their use of the data to commit identity theft after public notification. The research also showed how the criminals who stole the data in the breaches used identity data manipulation, or “tumbling” to avoid detection and to prolong the scam.

Precisely. That makes perfect sense to me, as everyone wants a spectrum of risk to review not a black-or-white approach. And yet we should not forget that a vast majority of companies that house ID information still look at breaches from a “cup is half full” perspective and might not be in a suitable (expert) position to make intelligent decisions about the risks. Look at CardSystems, for example. The question is not whether people are trying to classify more levels of risk, but what is the quality of the data and their analysis — how qualified are today’s executives to make information security risk decisions on behalf of hundreds of thousands of consumers (assuming larger breaches will now automatically be determined to be lower risk)? Moreover, if you publicize reports that says huge breaches are lower risk and therefore exempt from breach disclosure, it seems obvious that clever criminals will simply shift to using huge breaches, no? That makes economic sense as well since a huge breach can be diversified to many criminals who will be able to commit ID theft more efficiently. They do not call it a black market for nothing, eh?

A SanDiego newspaper article from 2003 mentions that ID Analytics is a startup with “Citibank, Dell Financial Services, Sprint, Diners Club, Discover Financial Services and First North American National Bank as clients”. The company definitely seems to be a reputable source on the subject (“30 employees, including seven Ph.D.s”) with a timely business strategy that, according to the newspaper, almost could be an extension of the Payment Card Industry itself:

“I’m convinced they have a good product,” said Beth Givens of the Privacy Rights Clearinghouse in San Diego. “It’s just a shame that the financial industry didn’t take steps to fix these problems themselves.”

Givens contends that “credit issuers should have been spending more time on each credit application all along. And by more time, I mean, by two minutes.”

Hansen grimaced a bit when the gist of Givens’ criticism was recited.

He acknowledged that a financial institution might process as many as 10,000 credit applications an hour. But he says the industry also contends with a variety of challenges, including regulatory requirements to process each credit application within 30 days.

“What we’re trying to do is bring a technology solution to bear within the context of an automatic processing environment,” Hansen said.

In other news, Visa is asking assessors to re-certify, due to recent changes to the PCI data security standards, to the tune of over tens of thousands of dollars in training fees. That is a hefty chunk of money, even for veterans of PCI security, and believe it or not the standards are expected to change again in January 2006. Contrast this money-maker with the fact that Visa is giving away compliance scans for free outside the US and that the amount of credit card fraud has dropped dramatically over the past ten years due mainly to additional card verification measures (from billions of dollars to the low hundreds of millions). Fascinating stuff and a very exciting time to be in information security.

Dec 12, 2005 Update: Written Testimony from ID Analytics that was submitted on Nov 9th, 2005 to the Subcommittee on Financial Institutions and Consumer Credit (Hearing on H.R. 3997, the “Financial Data Protection Act of 2005”) can be found here:

However, misuse rates could continue to increase drastically over time if the vibrant black market for “identitiesâ€? remains unimpeded. … By selling any amount of the remaining identities (those not able to be used because of the ‘feasible limit’), fraud rings could maximize the proceeds from their efforts and exact a far greater degree of harm to consumers, industry and government over time.