Sneaky ID Thieves Sidestep Security Technology

New security technology such as smart ID cards or biometric safeguards won't stop identity thieves, a British criminology researcher said Monday at a science conference in Dublin.

"Many people depend on technology to beat identity theft, but fraudsters evolve their strategies to keep up with changes in security technology," said Emily Finch, of the University of East Anglia in a lecture before the British Association for the Advancement of Science.

After interviewing convicted identity thieves and observing practices around cash registers, Finch was convinced that today's ID thieves have adapted their techniques to account for PINs (Personal Identification Number) required on debit and credit cards.

Previously, she said, identity thieves would first get a hold of the card number, then forge a signature. Now, however, the criminals are working the process backwards: obtaining the more-difficult-to-obtain PIN first, then getting the card account number.

"With 'chip and pin,' you can find the PIN first if you look when people punch it in," Finch said in her talk. "Since chip and pin came in, sales staff have been told to look away when customers enter their PINs. The human element has been taken out of the transaction, and it’s easy for fraudsters to take advantage of that."As the salesperson averts his eyes, a thief can easily get an unnoticed over-the-shoulder look at the sequence punched into the verification pad.

Even when they have the card only, fraudsters can easily convince the clerk to revert back to the old, PIN-less system, added Finch. "Even if they have stolen a card first, criminals pretend to have forgotten their PIN when they punch in an incorrect sequence. The helpful sales assistant will then swipe the card for them" using the old system, but neglect to check the card's signature against the one scrawled on the charge slip.

In the end, people put too much trust in technology to solve identity theft crimes, posited Finch, and the greater the attempts to fix someone's identity with technology -- such as biometrics -- the more reliance put on the initial application of the card being reliable.

Smart identity cards, for instance, depend on other forms of identity -- such as on birth certificates, passports and driver's licenses which can easily be obtained in someone else's name.

"But you can’t change a bunch of insecure pieces of information into one secure one,’ Finch said. "If you do, you run the risk that someone else will get in first and register as you. Once your identity has been registered, you cannot register in that same identity, in other words, as you."0