Method for Detecting and Preventing Identity Theft
Original Publication Date: 2001-Sep-26
Included in the Prior Art Database: 2003-Jun-20
"Identity theft" is considered as one of the major economic security threats in everyday life: criminals impersonate an individual and acquire, e.g., credit cards issued on the individual's name. Even if the individual does not need to cover the financial damage, he or she usually suffers from a damaged credit history. Similar situations occur when criminals acquire other credentials on wrong names, e.g., health insurance cards or drivers licenses. From a technical point of view, "identity theft" is due to insufficiently secure user authentication. Authenticating a user by asking for essentially publicly available information like social security numbers, street addresses, mothers' maiden names, etc., does not provide sufficient identification. The present idea suggests a verification mechanism to avoid identity theft: It involves a client C, an organization O (e.g. a credit card issuing bank) that wants to verify the identity of C, and a verification agency A (e.g. a credit rating agency) as shown in the figure. If C wants to participate in the service he or she registers with A: C identifies itself to A using any of a number of established, reliable identification mechanisms (e.g., as for secure registration according to current signature laws), and agrees with C on one or more "verification channels." Such a channel could be a telephone number, email address, real address, and so on. For more sophisticated users it could also specify a public key pkC of a digital signature scheme (implying that requests from C should be considered valid only if digitally signed with the corresponding secret key). Essentially, the idea is to reuse this initial, strong user authentication for all subsequent requests by C that require user authentication. This has the advantage, that C is informed about a request and has to give an approval to the request before this is fulfilled.