Good article, thanks for posting. A good friend of mine maintains that there is no such thing as Identity theft. What we call identity theft is simply bank fraud. However, in a brilliant marketing reframing, the financial industry has made the consumer the victim, instead of the financial institution.
Unlike a Gilliamesque world in which a bad actor assumes your identity, generally a bad guy gains access to your resources, bypassing the protections set in. While the consumer is guilty of this sometimes, the victim harmed is almost always the institution, not the consumer; and yet the consumer is framed as the victim.
In a signature based authentication system, the banks suggest YOU are the victim of identity theft if someone gets your credit card number when it's their authentication system that was 'hacked.'
Similarly, checking account numbers, etc.
Of course there are exceptions, people use bad passwords, they allow others to get their info, etc.
But, I do think this term "identity theft" is often overused.
"bank fraud" is a subset, as not all uses of someone's identity are for banking. Consider tax returns filed with someone's name and identity, with refunds deposited or mailed elsewhere, not discovered until the real person files a "duplicate" return. Likewise credit card fraud.
You could generalize most of those to "financial fraud", though. Although there are some cases of identities being used for non-financial (or not directly financial) purposes.
> In a signature based authentication system, the banks suggest YOU are the victim of identity theft if someone gets your credit card number when it's their authentication system that was 'hacked.'
And yet you're the one who has to go to the trouble and possible expense of dealing with it. Describing you as the victim seems more relevant.
Now, who and what you're the victim of is a different question. When yet another break-in turns up millions of plaintext passwords, we don't just blame those who obtained them illicitly; we also blame the company that stored them in plaintext.
So, I don't think it's reasonable to describe a bank as a victim in "identity theft". On the contrary, I think it's reasonable to describe them as negligent in protecting your account and personal information.
“Identity theft” is a lie. There is no such thing as “identity theft”, it’s all fraud. The term “identity theft” was created to put the burden back on the consumer, away from financial institutions. The actual problem is that the cost of actually verifying identity is higher than financial institutions want to bear. Most of the cost would be in missed loan opportunities. Financial institutions don’t want to bear the cost of verifying identity so they experience fraud (surprise!) and then tell us that somehow we have to protect our identity. It’s insane.
If it was legally required that you appear in a bank with an ID to get a loan or a credit card, imagine what would happen to “identity theft”. There’s nothing wrong with filing electronically, but how about having people come to the post office, with ID and a thumb drive, show ID and sign a log, then file from there?
I'm not sure considering the consumer a victim is merely a marketing ploy.
There are very real, persistent, and hugely negative repercussions suffered by a consumer in identity theft. Destroyed credit, unknown debt tied to their identity, etc.
Most of the consequences are inflicted upon them by the bank. If the banks didn't open fraudulent accounts, they wouldn't put incorrect information on credit reports and there wouldn't be any unknown debt.
> If the banks didn't open fraudulent accounts, they wouldn't put incorrect information on credit reports and there wouldn't be any unknown debt.
Well. Sure. But that's the point. That's why it's called identity theft. Someone has acquired the information about you needed to effectively pretend to be you.
For example, say I convince the police that you committed murder. As a result they arrest you and put you in jail. By your logic, you're not a victim in this scenario because if the police didn't get fooled into arresting you nothing would have happened.
I think almost any reasonable person would agree that you were a victim in the above scenario. Regardless whether a third party bears some level of responsibility or was used as an instrument in that victimization.
> Someone has acquired the information about you needed to effectively pretend to be you.
This low bar is set by the banks!
I'm not saying that innocent third parties that the banks and financial system harass are not victims, I'm saying that the central role of the bank in the crime makes it more reasonable to describe it as bank fraud.
The murder analogy sort of breaks down, the dead guy (which I see as analogous to the bank) can't do a whole lot to push the consequences of you murdering him onto me. A bank that opens a fraudulent account can (and in fact, this is the major source of the problems for those that are impersonated).
Totally agree with maxerickson. I remember some years ago there was a discussion whether banks should first check back with the consumer whether he really wants to open the account. Banks were against it because it's too much trouble for them.
The banks could make a simple phone call and ask you whether you really want to open the account. Or send you a letter. That would stop a lot of "identity theft". The only reason they get away with this is because they can make your life hell and unless you can afford a lot of lawyer time there is not much you can do.
I had my identity stolen recently for 3 mobile phones, I was surprised at how well the companies and the police handled it, both totally stressing it was a crime against the company not the individual (UK).
> If you’re not famous, no one cares what you have to say, but if you’re famous, it doesn’t matter what you’re talking about, people pay attention and like you.
This is the most interesting comment in the whole story, in my opinion. I might be taking it entirely out of context, but I wonder if, as our world grows larger and more automated, celebrity becomes a relatively more important form of capital. The growing prosperity and connectedness of the world population creates a new class of consumers to be influenced by celebrity, which is infinitely replicable due to the internet. Meanwhile, typical jobs get robotized whereas social capital is hard to automate away.
Celebrity has always been an object of desire, but it probably feels more attainable these days. There are more niches to fill and easier distribution channels for it. We used to compete for attention in our vicinity, but the internet makes us small and has us pining to be noticed. [/armchair analysis]
A good keyword is "attention economy" if you're interested in further research on the topic--it's an interesting hypothesis about how "information" is no longer the dominant mode of economics. Your post reminds me of this article: http://markmanson.net/attention
Sorry for sounding cynical, but this hacker just hacked his way into the author's brain (social engineering). Of course he likes chicken biryani. I also like chicken biryani! Now tell me what your favorite drink is and I'll tell you what mine is!
Successful/influential people tend to greatly underestimate the lengths that some people will go to just to put thoughts inside their influential brains.
When you let someone else's thoughts get inside your brain, you are giving them power over you. You should only give that power to people you actually trust, not random people who hacked into your account.
I think that's why it's so hard to reach influential people (aside from the fact that they get zillions of emails per day). At least at a subconscious level, they must feel like their brains are constantly under assault by foreign thoughts (often coming from people who are trying to gain something out of it).
The mind is like a sponge, it absorbs everything around it. People believe that they have control over what they believe, but it's not the case. Your environment will decide for you what you believe.
That's why brainwashing works and why there are so many terrorists. Everyone is vulnerable.
Interesting article, but more details on how the attack succeeded would have been worth reading. Was it a problem with password reset in the Harvard email system, i.e. was publicly available information used to answer a verification question in combination with an arbitrary email address? Or was it a social engineering attack, i.e. did the attacker convince somebody at Harvard to initiate a password reset using this information?
From the article "Itz very simple sir… Im hacked your account in 2 min… Im learned ur boi (bio) from internet… and create gmail account like yours then I fill the submit form with my email and Harvard send mail the Password change link.. That it…"
So I don't quite understand that... Trying to piece it together.
Perhaps the Harvard email system will allow you to send a Reset Password link to an arbitrary (?) email address if you correctly identify some "identity verification" questions, and this guy was able to glean the answers to those questions from reading the article author's bio?
That is what I got from "On the day it happened, I figured out he got in by taking over my Harvard alumni email and then requesting that a new password from Facebook be sent there."
Gaining control of email accounts is how other accounts are typically captured when multi-factor auth is not enabled, of course. The question is how exactly the attacker got into Thurston's email account at Harvard. The reset instructions read like answering a verification question is all that is needed to change the password without knowing the original password. That would mean two lessons:
1. Harvard should add at least one additional step to this procedure, such as requiring confirmation through a secondary email address.
2. Nobody should ever use publicly available information as answers for password reset "security" questions.
(Both not exactly surprising insights here, of course...)
What still doesn't add up is the part about the attacker "creating gmail account like yours".
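The two lessons listed above, sketched as an added example (not part of the thread, and not Harvard's actual system): a reset flow that mails the link to whatever address the requester types once a guessable question is answered, next to one that only mails the address registered beforehand. The account record, addresses, answer and function names are all hypothetical.

```python
import hmac
import secrets

# Constructed sample account; every name and value here is hypothetical.
ACCOUNTS = {
    "alum1": {
        "recovery_email": "owner@recovery.example",
        "secret_answer": "example-hometown",  # the kind of fact a public bio reveals
    }
}
OUTBOX = []    # (recipient, message) pairs standing in for sent mail
PENDING = {}   # reset token -> account id


def _answer_ok(account, answer):
    expected = account["secret_answer"].lower().encode()
    return hmac.compare_digest(expected, answer.strip().lower().encode())


def weak_reset(user, answer, send_to):
    """Flow as the thread reads it: a correct answer sends the link anywhere."""
    account = ACCOUNTS.get(user)
    if account is None or not _answer_ok(account, answer):
        return False
    token = secrets.token_urlsafe(32)
    PENDING[token] = user
    OUTBOX.append((send_to, f"reset link token={token}"))
    return True


def hardened_reset(user, answer=None, send_to=None):
    """The link only ever goes to the address registered before the request.

    The answer and any requester-supplied address are ignored, so public
    knowledge about the owner cannot redirect the link.
    """
    account = ACCOUNTS.get(user)
    if account is not None:
        token = secrets.token_urlsafe(32)
        PENDING[token] = user
        OUTBOX.append((account["recovery_email"], f"reset link token={token}"))
    return True  # same response whether or not the account exists


def recipients():
    """Addresses that have been sent a reset link so far."""
    return [to for to, _ in OUTBOX]
```
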
This seems like the modern day equivalent of joy riding. I wonder whether this young hacker will clean up his act and later laugh at this conversation with a journalist or if this is the first step on a slippery slope to hardened criminal?
I noticed that as well. Everything was "happening to him". His girlfriend cheated on him. The world just isn't taking him seriously, he's obviously down on his luck and this was just a cry for attention yada yada yada.
Efficiently re-contextualizing each of his actions in an attempt to garner sympathy. It's not a slam dunk but there is a possibility of some psychopathic characteristics here.
For the record, I'd lay odds at 2% ish. If I was on Baratunde Thurston's side of the conversation though, I would be operating on the assumption that he is one.
From the stories you read it seems that people who get a thrill out of this often keep going until they wind up in some degree of trouble. The level of trouble varies - one person may be scared to death from a legal letter. It may take some prison time for another. This particular hacker has been rewarded for his behavior by becoming friends with his victim. So I wouldn't expect he has any negative connotations with it so far. Who knows though..?
Facebook was set to use the Harvard email address as the reset email address? The lesson here is to be very careful about what kind of email provider you use for a reset address. Clearly the weakest link here is that shitty Harvard email administration.
100 years of British oppression have created a uniquely insane breed of online thugs, why do they all use "Sir" online? Do they actually believe they portray an air of dignity and respect?
I know people blame poverty and stuff but so did Taiwan, Japan, Germany, Korea have all gone through far worse state but you never see the same behavior. People leave their cars with keys or wallet hanging out while passed out drunk in Korea, and miraculously your belongings and yourself are intact. If you don't believe me just go to Korea or Japan.
"Sir" is a common way of addressing someone "above you" in India.
In general folks in India have a policy of "respecting elders" and "those above you" (teachers, your boss, etc), but this is mostly faux respect in the form of honorifics and not arguing with statements by these people. I don't like this too much (grew up in the States, people earn respect there), but sometimes I do it too in some contexts because it's a social norm.
I don't think this has anything to do with British oppression. Sir is just an honorific applied willy-nilly by Indians both online and offline.
It is willy-nilly IMHO. Over the phone an Indian (or is the custom also common in other countries too?) spoke to me, a peer and I might add a Yankee, with a "sa" at the beginning of half his sentences. During the call I parsed this as "um" or "yep" would be parsed, and after the call I thought maybe it was a "sir" in a non-rhotic accent.