The focus of a lot of the coverage of this recent string of high-profile ID thefts has been the security of the companies in question, but I think the real fundamental problem of our system is that in order to prove your identity to someone you have to give them enough information that they can impersonate you to a third party. Information like SSN, address, mother's maiden name, driver's license number, etc. is simultaneously proof of identity and "private".

Credit card numbers and checking accounts have basically the same flaw. All a merchant needs to pull money out of your account is the account number and some pretty basic additional information. If you write someone a check for a penny, you've given them enough info to drain the account.

What we really need is a complete overhaul of how we prove identity. Identities should be linked to public-key/private-key pairs so you can prove you are who you say you are by signing a nonce, and thus others won't be able to impersonate you just by hacking a third party. Similarly, monetary transactions should be signed by both the sender and the recipient and include amount, date, memo, etc.. (Seriously, who initially thought that recipient-initiated transactions with no sender involvement wasn't going to be abused?)

Perhaps it's time to finally attack the source of USA's ID theft problem instead of trying to hide the unhideable?

This is a problem mostly limited to USA and just a few other countries. In most places worldwide such an information leak could be used at best for marketing/spam targeting, not for stealing money through ID theft. The differences are mainly in legislation and liability, which then get reflected in policies of credit institutions that make it much less viable and thus much less widespread.

To put it simply, the information that, say, your spouse or mother would know should not be enough to get credit in your name, bill expensive services to you or gain access to your accounts. If some lender gets duped by their negligence to check who you are, then they got defrauded and it should stay as their problem - mostly to motivate them to put actual effort into preventing this.

Some day, people will wake up and realize that all aggregation of data on citizens and consumers–including implicit aggregation, where information is only transiently collected–by governments, data brokers, retailers, or anyone else only makes the inevitable compromise that much more damaging.

Today’s highly connected world has ushered in an era with new hidden risks along with the obvious new opportunities. We’re woefully unprepared for these risks when policymakers don’t even know what an ISP is. Time and time again we see appalling breaches of massive repositories of private information, and time and time again we see our politicians and corporate leaders stick their heads in the sand and ignore the root cause.

What’s needed is a new paradigm, where data aggregation is outlawed, and where decentralization and previously-fantastic cypherpunk ideas for cryptographic identity verification, blinded signatures, provably-anonymous digital cash systems, and the like become standard.

PCI or HIPAA compliance will simply never be enough. Where cryptography can be used to protect individual privacy while providing strong authentication, it must. Where it (yet) cannot, information decentralization is the only way to mitigate the inherent privacy risks. Unfortunately, I worry that a combination of policymakers’ lack of insight, corporate leaders’ pursuit of cost reduction, and “Big Data’s” (or, more aptly, “digital anal rapists’”) penchant for massive warehouses of private information will prevail and ensure the fundamental reforms we need will never see the light of day.

"Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data"

"Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale."

And now the poor schmuck is being tried in the US for crimes committed on Vietnamese soil.

Not that I would dislike grilling that guy in court, but that is just plain wrong. He did not do anything wrong on US soil so he should not be tried in the US, but Vietnam instead.

Funny how Americans always believe they're the world police.

undefined

I'm not surprised it's Experian. Maybe it wasn't their fault, but only interaction I had with them was: "how do I provide my documents in a secure way?", "here's a pre-paid standard class envelope, just stick a copy of your utility bills, passport, driving licence inside and send it to us".

They're absolutely irresponsible with people's documents and data, at least here in the UK.