Ending identity theft

Identity theft is an age-old problem, but blockchain technology is now emerging as a modern-day solution.

thumbnail

What is identity theft

Encyclopedia Britannica defines identity theft as the use of an individual’s personally identifying information by someone else (often a stranger) without that individual’s permission or knowledge. This form of impersonation is often used to commit fraud, generally resulting in financial harm to the individual and financial gain to the impersonator.

This is a rather apt definition. The theft of someone’s personal information to be used in a fraudulent, deceptive, or in any other malicious manner) is a very serious issue indeed, one that can lead to great financial loss or even graver consequences.

Here are a few statistics to highlight the severity of the identity theft issue:

  • In 2018 for example, the Federal Trade Commission (FTC) collected reports about negative customer experiences in the marketplace. The agency received 444,602 reports of identity theft. This figure represented about 15% of the 3m reports compiled by the agency throughout that year.

  • 2019 was also a bad time for identity theft issues, as financial losses due to identity fraud climbed to almost $17bn.

  • And things got even worse in 2020, as the FTC received a total of 4.7m reports, with identity theft taking the number one spot.

A brief history of identity theft

The arrival of the internet, mobile technology, and the omnipresence and predominance of social media in our lives took the problem of identity-related fraud to entire new levels. There have been some pretty high-profile scandals involving identity theft over the past two decades, but stealing someone’s identity by impersonation or any other means is a centuries old issue.

Here’s a brief recounting of how identity theft has changed along with the times:

19th century America

Nowadays, most people would associate identity theft with credit card fraud or online romance scams. But if you asked any American citizen living in the United States of the 1800s, their responses would be radically different. In those days, those with the right to vote (white people only) would congregate in the nearest courthouse, swear on a Bible before a judge that they were who they said they were and that they had not already voted, and in they went. In due course, the court’s clerk would go through the list of attendees, and everyone would call out the name of the candidate they wanted to vote for. This system, known as viva voce, was the law in most American states during the early 19th century (Kentucky maintained this system as late as 1891). Viva voce, which would usually be held amidst a carnival atmosphere, was hardly a solid voting framework, so while people would be asked to swear their identity on a Bible, the possibility for fraud was obvious, and election results were often dubious.

Paper ballots began appearing around this time, but early ‘ballots’ were often scraps of paper with someone’s name scrawled on it. The ballots were not standardized or validated in any way before they were cast into the box, which would give rise to the practice of ‘ballot stuffing’ (that is, writing a name in hundreds or thousands of paper scraps to give a chosen political candidate an unfair advantage.)

Frank Abagnale, the many faces of identity theft

Conmen, impersonators, and traveling salesmen have been a feature of real life since society came into existence. There have been many well-known cons, but perhaps one of the best known is the case of Frank Abagnale, an American con man and impostor who refined his craft to such a degree that the US Government would eventually hire him as a security consultant to combat fraud. Abagnale, whose exploits entered the mainstream thanks to the biographical 2002 film Catch me if you can, starring Leonardo DiCaprio and Tom Hanks, is known to have assumed at least eight different identities throughout his career. These identities included an airline pilot, a lawyer, and a physician. He was eventually caught but served less than five years in prison before starting work for the government.

Identity theft in the digital era

While Abagnale’s criminal life was somewhat glamourized by Hollywood (and, to be fair, he did change his ways and turn his life around, going as far as writing five books, including Real U Guide to Identity Theft), the very real problem of stealing someone’s identity for personal gain can have devastating consequences. Abagnale’s crimes, while non-violent in nature, did cause severe financial loss to many organizations and agencies.

The advent of the digital era gave fraudsters a ready-made platform for this type of activity. Armed with the relative anonymity granted by the internet, instances of identity theft increased exponentially. Soon, the issue became a global problem.

Today, identity theft can take many forms: From medical identity theft (the obtention of medical services or prescription drugs under a false identity, for example), social media identity theft (using someone else’s pictures to create social media accounts -‘catfishing’-), to social insurance theft (using stolen or fake social security numbers for financial gain), child identity theft, etc.

So what’s the modern solution to a centuries-old problem

While the procedures and techniques to carry out the theft have evolved from the earlier ballot stuffing or Abagnale’s cheque forging to the more sophisticated hacks of the modern era, the core problem is identical: To steal someone’s identity for fraudulent purposes.

Looking closely at any of these past instances of identity issues, something obvious immediately emerges: The targets of these cons were centralized frameworks. The court’s clerk, for example. Only one person to fool into thinking that the individual voting is who they say they are, or that they haven’t voted before. Or the ballot box, for example. One simple box that can easily be carried around, concealed, and manipulated. Or Abagnale fooling banking clerks. In all of these cases, a single point of failure exists. Breach this point, and the theft is inevitable.

Decentralization is an obvious strategy to counter this problem. Distribute the ballots across, say, 100 boxes, and the offenders’ tampering efforts would become 100 times more difficult. The analogy of the court clerk is a good one to illustrate the decentralization theory. If only one clerk is in charge of the candidate list, they’d be easy to bribe, threaten, or manipulate. But if 1,000, or 10,000 clerks were in control of the candidate list… This is a perfect analogy for how blockchain works. In a blockchain network, hundreds, maybe thousands of nodes (‘clerks’) hold an identical list of records, and every node is watching. The idea of manipulating thousands of nodes soon becomes moot.

But this decentralization comes with its own set of problems. How is identity verified by so many nodes? How are a person’s credentials transported, and shared? This is where Self-sovereign identity comes in.

Self-sovereign Identity

The principle of Self-sovereign Identity (SSI) refers to an individual’s ability and entitlement to have and retain control over their identity and credentials, without being forced to use a centralized, third-party authority as an intermediary acting as a ‘gatekeeper’ of the individual’s identity credentials. This model offers individuals a way to securely store their identity data via unique identifiers and selective disclosure of personally identifiable information (PII). SSI places the individual, rather than the organization, at the center of the identity framework.

It is important to understand that sovereignty in this context means that the individual is in control of managing their identity, rather than issuing it. The SSI model proposes that the individual retains control over their identity assets and credentials (passports, academic certifications, diplomas, etc.) The crucial distinction between traditional identity models and SSI is that when the sovereign individual presents any of these credentials to a third party, the third party does not need to query the issuer to verify them or prove ownership, as this proof is provided by the blockchain that contains those credentials.

SSI represents the new paradigm for any user-centric identity management solution, and any such solution must consider the user to be central to the administration and management of identity. Furthermore, any SSI solution must be interoperable with other systems across multiple locations (always with the user’s explicit consent), and enable true control of that digital identity. SSI must also be transportable: it cannot be locked down (centralized) to any one entity, locale, or geographical location. This paradigm shift results in an identity framework that is structurally formed to work from the individual’s perspective, rather than that from a centralized organization’s perspective.

How does SSI help to resolve the identity theft issues

Wide scale fraud often relies on the fact that the targeted information is centralized in a single database, server, or any other data storage facility. Because of this single point of failure, if the facility is breached, bad actors can instantly gain access to thousands, even millions of records.

The SSI principle is based on a distributed ledger model, which means that the prized data is no longer stored in one single, vulnerable location. Instead, the information is distributed across hundreds, or perhaps thousands of nodes. Hackers would be faced with the monumental task of infiltrating every single node to access the data, which would be costly, time consuming, and ultimately yield paltry results. In other words, the incentive for the hacker is no longer there.

Besides, businesses can do API calls to a user’s encrypted data vault, and only access what is required. All information is transmitted using secure and trusted peer-to-peer messaging channels, so the authenticity and integrity of the data can always be checked by verifying digital signatures.

Alata PRISM is here to end identity theft

Atala PRISM offers high-end SSI solutions to enterprises and their customers. This identity management model empowers end-users to own their identity and have complete control over how their personal data is used and accessed. Data is shared with other individuals or organizations over secure and private peer-to-peer communication channels.

What does this mean for enterprises? Firstly, it reduces greatly the cost that identity handling and theft incurs. Nowadays, businesses are forced to become identity providers and security experts. Background verification agencies charge increasingly higher fees to verify documentation with the issuing authorities. With Atala PRISM’s hacker-proof security and privacy, enterprises can quickly and easily reduce such operational expenses and put an end to fraudulent behaviour around fake identification.

Secondly, the verified digital identity and credentials solution offered by Atala PRISM eliminates long forms and the need for countless passwords. It makes life easier by enabling single-click access to products and services thus streamlining customer experience and elevating it to the benefit of everyone.

To learn more about Atala PRISM and discover the opportunity decentralized identity can offer your business, contact us at business.development@iohk.io.