Browse Prior Art Database

Method for Detecting and Preventing Identity Theft

IP.com Disclosure Number: IPCOM000015145D
Original Publication Date: 2001-Sep-26
Included in the Prior Art Database: 2003-Jun-20
Document File: 3 page(s) / 32K

Publishing Venue

IBM

Abstract

"Identity theft" is considered as one of the major economic security threats in everyday life: criminals impersonate an individual and acquire, e.g., credit cards issued on the individual's name. Even if the individual does not need to cover the financial damage, he or she usually suffers from a damaged credit history. Similar situations occur when criminals acquire other credentials on wrong names, e.g., health insurance cards or drivers licenses. From a technical point of view, "identity theft" is due to insufficiently secure user authentication. Authenticating a user by asking for essentially publicly available information like social security numbers, street addresses, mothers' maiden names, etc., does not provide sufficient identification.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 51% of the total text.

Page 1 of 3

Method for Detecting and Preventing Identity Theft

  "Identity theft" is considered as one of the major economic
security threats in everyday life: criminals impersonate an
individual and acquire, e.g., credit cards issued on the
individual's name. Even if the individual does not need to cover
the financial damage, he or she usually suffers from a damaged
credit history. Similar situations occur when criminals acquire
other credentials on wrong names, e.g., health insurance cards or
drivers licenses. From a technical point of view, "identity theft"
is due to insufficiently secure user authentication. Authenticating
a user by asking for essentially publicly available information
like social security numbers, street addresses, mothers' maiden
names, etc., does not provide sufficient identification.

The present idea suggests a verification mechanism to avoid
identity theft: It involves a client C, an organization O
(e.g. a credit card issuing bank) that wants to verify the
identity of C, and a verification agency A (e.g. a credit
rating agency) as shown in the figure.

If C wants to participate in the service he or she registers
with A: C identifies itself to A using any of a number of
established, reliable identification mechanisms (e.g., as for
secure registration according to current signature laws), and
agrees with C on one or more "verification channels." Such a
channel could be a telephone number, email address, real
address, and so on. For more sophisticated users it could also
specify a public key pkC of a digital signature scheme
(implying that requests from C should be considered valid only
if digitally signed with the corresponding secret key).
Essentially, the idea is to reuse this initial, strong user
authentication for all subsequent requests by C that require
user authentication.

This has the advantage, that C is informed about a request and
has to give an approval to the request before this is
fulfilled.

Also organizations O have to register with agency A. The fact
whether O has registered or not is publicly advertized.

If anybody wants to a acquire a credential for C from O,
organization O contacts A and retrieves the agreed
verification channels. Via all those channels O tries to
contact C and asks for approval of the request to issue that
credential. Only if all...