Shostack + Friends Blog Archive

 

ID Theft Risk Scores?

A bunch of widely read people are blogging about “MyIDscore.com Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.”

First, there’s little explanation of how it’s working.

I got a 240 when I didn’t give them my SSN, and my score dropped to 40 when I submitted my SSN. [Editor’s note: Huh? Giving out your SSN lowers your risk of ID theft? That seems an odd message.]

Everybody talks about identity fraud, but nobody does anything about it. This does something about it – specifically, it will help stop the worrying on the part of people who don’t need to. And it will give people who should worry a few things to do to get their situation under control. The more that can be done to demystify identity fraud, the better – and the less likely there will be unwise legislation and regulation that ultimately harm the interests of consumers.

In “What is My ID Score?” [link to https://www.myidscore.com/GetScore.jsps no longer works] there’s some explanation:

My ID Score is a statistical score that’s based on technology currently used by leading communications, financial services, retail companies, healthcare providers, government agencies, and consumers to assess your risk of identity theft. These companies use ID Analytics’ scoring technology to ensure that fraudsters do not apply for goods and services in an innocent consumer’s name

So I think this is not really your ID theft risk, but the perception that their software has. To put it another way, it’s the trouble someone is likely to experience when they try to open a new account in the name you’re giving MyIdScore.com

When you put someone’s information in, they ask you a bunch of questions about them, like “which of these phone numbers have you used?” It’s not clear how well that works when the attackers can access the same databases through their breaches.

(This didn’t post when I wrote it, so its old news, new analysis.)

One comment on "ID Theft Risk Scores?"

  • Chris says:

    It would be really nice if the non-marketing side of ID Analytics said something about their methods.
    If they have, I haven’t picked up on it, and I’ve been listening for 3 or 4 years now.
    Given that anyone — even me — can assign a score to something, how do we assess whether the score is meaningful?

Comments are closed.