FTC tech chief's phone hijacked, identity stolen, but who is to blame?
Hardly a week goes by when we do not hear of a major data breach or the leak of company user data online, and as this information spreads, so does the risk of identity theft.
However, sometimes it is just sheer cheek and bold behavior by fraudsters which can lead to your identity being stolen or your credit and bank accounts becoming compromised -- as the US Federal Trade Commission (FTC)'s chief technologist Lorrie Cranor just found out.
On Tuesday, the FTC's technology specialist admitted in a blog post that she is one of the latest in a long list of individuals who have had their information, business relatonships and identity used against them.
In this case, a few weeks ago someone sauntered into a mobile phone store, claimed to be Cranor, and asked to upgrade her mobile phones. The unknown fraudster then walked out with two brand new iPhones courtesy of Cranor, while the FTC executive was left with her old phone, her number cut off and a hefty phone bill to boot.
When Cranor's smartphone stopped working mid-call, she called the carrier who informed her that the upgrade change had resulted in the old SIM cards being deactivated. In order to fix the problem, the executive was told to take her device in-store.
That is when the fraud was exposed. However, what happened next is of particular interest. Cranor said:
"The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder's photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened."
After ramping up the security on her online account, Cranor went to the FTC's identitytheft.gov, the fraud was reported and the executive discovered that the thief had used a fake ID with Cranor's name.
Despite acquiring the phones, they were not made use of -- which suggests they were sold for a quick profit.
FTC records show that in January 2016, there were 2,658 reported incidents of fraud and identity theft. This is roughly 6.3 percent of all identity theft cases reported to the agency in that month, and while this appears a small percentage, can not only ruin people's credit and damage their finances, but carriers pick up the bill.
As cybercrime and fraud rates ramp up, some governments are looking at ways to mitigate the damage. In the UK, for example, a new bill proposed by the Bank of England and the UK's GCHQ intelligence agency would see victims picking up the tab in fraud cases.
Under the new legislation, individuals and companies with "lax online security" may not only have to swallow the loss of their cash -- but may see themselves completely excluded from banking altogether.
While this would reduce the amount of refunds that banks and firms may have to issue to customers who have had their identities stolen or bank accounts compromised, the difficulty lies not just with how you assess an individual's security -- but where, and how, the fraud took place.
This is not always possible, and if a carrier, for example, accepts fraudulent ID, does the blame lie with them or the victim?
The UK's Metropolitan police chief Sir Bernard Hogan-Howe says that refunding fraud payments is akin to a "reward for bad behavior," but the problem with this is that you are assuming the fraud has taken place due to poor online security alone.
In a world full of NFC chip readers, ATM skimmers, point-of-sale (PoS) malware, fake IDs, vulnerable networks and a shortage of skilled cybersecurity specialists to pick up the slack, telling a victim to deal with their own mistakes is wrong.
Yes, we do need to take personal security as a whole more seriously, but no matter how careful you are, you can still become a victim through little or no fault of your own.
If the FTC's technology leader cannot protect herself from fraud, what hope do the rest of us have?