Title: VULNERABILITIES IN THE INFRASTRUCTURE

Vulnerabilities in the infrastructure

With regard to identity theft, the United States continues to dominate the debate through its extensive experience with the crime. Particular vulnerabilities within its infrastructure certainly provide perpetrators with sufficient tools and ammunition to continue committing the crime. While certain vulnerabilities clearly rest within the domain of one of the relevant parties, businesses, government agencies or consumers, others are a result of multiple parties.  

6.4.1    Public Sector: Social Security Number

The main vulnerability within the infrastructure is the use and availability of the Social Security Number in the United States. The Social Security Number is used as the main identifier for individuals, both citizens and permanent residents, within the United States. The number, which originally was only supposed to be used for Social Security purposes, has been used in various sectors as a result of historical expansion. The main problem currently is the high level of usage and availability of the number. When individuals present the number at either a public or a private sector institution, the institution accepts this number as a means of identification which is clearly a weakness because the number is so publicly available that anyone can have access to it. So the combination of high value and easy access creates significant problems within the United States when it comes to identity theft through the illegitimate use of someone’s Social Security Number. As Linnhoff and Langenderfer recognize, “[a]rmed with an SSN, a would-be identity thief needs very little additional information to effectively steal an individual’s identity and wreak havoc.”

6.4.2    Private Sector: Verification

In addition to weaknesses or vulnerabilities which are result of government introduced initiatives, the private sector also indirectly facilitates the occurence of identity theft. With regard to financial service providers, for example, significant problems have occured. Mainly verification is a large issue, especially when it comes to new applications for credit cards or loans. As Frank W. Abagnale notes, “[i]n today’s hotly competitive financial marketplace, speed is of the essence. Thieves love fast credit approval, because haste is the enemy of accuracy. Credit card issuers, for their part, can be very sloppy in doling out cards, failing to match Social Security numbers and dates of birth and otherwise failing to take basic precautions in their eagerness to get cards in circulation.” Abagnale, among others, recognizes how many credit card companies claim their screening process is ‘tight’ and bullet proof, but that certain (media) stories have proven quite the opposite.

One of the more famous stories to prove the rather inaccurate verification mechanisms of credit card companies is the story of Clifford, a dog who managed to apply for a credit card. Clifford’s owner, Steve Borba, opened up an email account using his dog’s name. As time passed, he received a pre-approved credit card application in his email inbox. For Clifford’s social security number, Borba used 9 zeros and he explicitly wrote on the application that Clifford was indeed a dog. Despite this comment and the seemingly impossible social security number, Clifford received his credit card three weeks later.

Financial service providers carry a tremendous responsibility with regard to the prevention of identity theft, because they ultimately form the most crucial link between the perpetrators, the financial benefits, and the victims. Through inadequate verification mechanisms and aggressive marketing methods, they certainly help perpetrators along. Convenient yet highly insecure methods of online banking and credit card account checking also provide an opening for perpetrators. As Howard cleverly remarks, “[i]f financial institutions took reasonable precautions, they could curtail some of the identity fraud that occurs in the opening of bank accounts and the extension of credit. However, financial institutions currently lack incentives to adequately check an individual’s identity before opening a bank account or extending credit. In a competitive market, these institutions fear that a more rigorous screening process might scare consumers away to competitors who do not take such measures.” An important point to make here is how the ways financial service providers use to verify the identity of a prospective client can either contribute to or prevent the occurrence of identity theft. Through effective verification, where financial service providers manage to distinguish perpetrators from legitimate clients, they can still prevent an act of identity theft, despite the fact that the perpetrator may already have the necessary personal information to commit such an act. The vulnerability in the online services area, on the other hand, poses a potential and significant threat for account take over, as a result of successful phishing operations and spy ware installations which begin as a consumer vulnerability but lead into a business vulnerability when perpetrators use personal information to drain accounts.