This is just a quick post inspired by some comments that I’ve seen recently on Twitter following some mega-breaches.

The term ‘Identity Theft’ implies, and its usage accepts, that the person whose identity is being stolen is the victim. They’re almost always not.

You could pretend to be me all you like. But it won’t get you very far with the real people in my life: my wife won’t let you into the house after you’ve finished work; my clients won’t let you on-site to actually do any work; my childrens’ school won’t let you collect my children; my friends (probably) won’t play you at squash; my Mum won’t cook you a Sunday dinner.

But what about the people who aren’t really in my life. You know, like ‘corporations’ and things like that. Yeah, you’ll probably be able to dupe them.

A bank might let you take out a credit card in my name. But hey, if it wasn’t me, that’s just Credit Card Fraud, right?

A pay-day lender might give you a 7000% APR loan in my name, I guess. Credit Fraud.

The government might let you claim benefits in my name. Benefit Fraud.

You might apply for a mortgage in my name. Mortgage Fraud.

Do you see where I’m going with this?

You might decide to hold up a Post Office and say your name is ‘Leigh’. Robbery.

You might murder someone. Murder.

In none of the above theoretical cases was I involved; I wasn’t the perpetrator and I wasn’t the victim.

And yet, by recasting (some) of these activities as ‘Identity Fraud’ I somehow become the one responsible for it having happened and the one who is the victim. The only way I get to be victim is if one of these organisations is duped and then they can’t or won’t address their mistakes or shortfalls and therefore they choose to pass the buck to me.

But I guess the lesson for me is that I should have patched my servers, reduced my attack surface, not used default credentials on web-facing databases full of defraud-able identities, and I probably should purchase Identity Theft Insurance just to be safe.

edit: Someone linked this which is excellent!