Identity theft is when someone pretends to be a different person in order to commit a crime, generally by using personal information of the victim and/or a little bit of social engineering.
I guess that by this definition I was not really a victim of identity theft since I was the one impersonating myself. Here's the whole story:
The city of Paris recently launched a service of bike loans called Vélib'. I call them loans rather than rentals because for a mere 30€ for one year, you get the right to borrow a bike for free as often as you want. When the service launched I obviously got a subscription because I love bikes (I haven't been able to use it much because of the traveling, but that's another story) and associated it with my underground pass because both RFID systems are compatible.
A few weeks ago I got a new underground card because the old one expired. Even though both the underground and Vélib' use the same tags, they do not share databases, so the new tag I received was not associated with my Vélib' subscription. I knew that updating the information was very simple; I just didn't know how simple. And this is where my identity auto-theft comes in.
Today I was walking around Paris with a friend who told me that all I had to do was call Vélib' and give them my new tag number. I was a little skeptical, since I didn't think I had a way to authenticate myself to the service. I was extremely naive, though. We called Vélib' and, literally, all I had to do was give them my full name and the number of the new tag, and it was activated immediately. This pretty much means that anybody with a valid tag who knows my full name could very well steal my subscription at any time simply by calling a telephone number! I'm still having a hard time believing it...
The situation is actually quite paradoxical, since I really do appreciate the simplicity of the whole process, but you'd have to be an alien not to know that there are very few places on Earth where such trust can actually take place. And let me tell you that Paris is definitely not amongst them.
When professionals talk about security, there are three terms that make up their basic vocabulary and which must never be confused: identification, authentication and authorization. Identification is claiming who you are (a name, a tag number); authentication is proving that claim (a PIN, a signature, a key); authorization is deciding what the proven identity is allowed to do (rebind a tag, borrow a bike). In cases where security is a concern (and given the potential damage that could come from Vélib' subscription theft, I guess this is one of them), understanding these terms properly, and especially the difference between the first two, is vital.
Vélib' is not the first (and will definitely not be the last) to assume that identification is enough to perform an important transaction. Take credit cards, for example. For a long time, and it's still the case in many places, a credit card transaction consisted of swiping a piece of plastic through a machine and then signing a slip that nobody really cared about. I guess the signature was supposed to serve as authentication, but I'm willing to bet that a huge number of X's and other drawings were used instead of signatures and the credit cards still got charged. Today more and more credit card companies and banks put microchips on their cards in order to authenticate the bearer with a PIN, which is a lot more secure. It just so happens that I also have a PIN associated with my Vélib' account...
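As an added example that is not part of the original post (and is not Vélib' or RATP code), here is a toy model of the phone call above in Python. `rebind_tag_weak` does what the post describes: the caller's name is treated as proof of identity. `rebind_tag_with_pin` performs the same transaction but uses the name only to select the account and requires the PIN the subscription already has before the tag is changed. The account store, the names, tag numbers and PIN are constructed for the illustration, and the PIN hashing scheme and lockout threshold are assumptions about how such a service could be built, not a description of the real one.

```python
"""Toy model of the tag re-binding call described above.

Added example, not Vélib' or RATP code: the account store, the names,
tag numbers and PIN below are constructed for the illustration, and the
PIN-hashing scheme and lockout threshold are assumptions, not anything
the post says the real service does.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # assumed; slows offline guessing of a 4-digit PIN


@dataclass
class Account:
    name: str             # identification: a claim anyone can make
    tag: str              # RFID tag number currently bound to the subscription
    pin_salt: bytes       # per-account salt for the PIN hash
    pin_hash: bytes       # PBKDF2-HMAC-SHA256 of the PIN, never the PIN itself
    failed_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(name: str, tag: str, pin: str) -> Account:
    salt = os.urandom(16)
    return Account(name=name, tag=tag, pin_salt=salt, pin_hash=hash_pin(pin, salt))


class SubscriptionService:
    MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold

    def __init__(self, accounts):
        self._by_name = {a.name: a for a in accounts}

    def current_tag(self, name: str):
        acct = self._by_name.get(name)
        return acct.tag if acct else None

    def rebind_tag_weak(self, name: str, new_tag: str) -> bool:
        """The process the post describes: the caller's name (identification)
        is treated as if it were proof of identity (authentication)."""
        acct = self._by_name.get(name)
        if acct is None:
            return False
        acct.tag = new_tag        # anyone who knows the name gets here
        return True

    def rebind_tag_with_pin(self, name: str, new_tag: str, pin: str) -> bool:
        """Same transaction, but the name only selects the account; the PIN
        authenticates the caller, and only then is the change authorized."""
        acct = self._by_name.get(name)
        if acct is None:
            hash_pin(pin, bytes(16))   # same cost for unknown names, so timing reveals nothing
            return False
        if acct.failed_attempts >= self.MAX_FAILED_ATTEMPTS:
            return False               # locked: stops PIN guessing over the phone
        if not hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
            acct.failed_attempts += 1
            return False
        acct.failed_attempts = 0
        acct.tag = new_tag             # the authenticated account may change only its own tag
        return True


if __name__ == "__main__":
    svc = SubscriptionService([make_account("Jean Dupont", "TAG-0001", "4821")])
    # The attacker holds a valid tag and knows only the subscriber's name.
    print("weak, name only:", svc.rebind_tag_weak("Jean Dupont", "TAG-ATTACKER"))
    print("with PIN, wrong PIN:", svc.rebind_tag_with_pin("Jean Dupont", "TAG-ATTACKER", "0000"))
    print("with PIN, right PIN:", svc.rebind_tag_with_pin("Jean Dupont", "TAG-0002", "4821"))
    print("bound tag now:", svc.current_tag("Jean Dupont"))
```

The name is still perfectly fine as identification; the point is that in the weak path it is also the only thing standing between the caller and the change. The PIN check (a salted hash compared in constant time, with a lockout after a few failures so a 4-digit PIN cannot simply be guessed call after call) is the authentication step the post says is missing, and authorization then follows naturally, since the authenticated account can only ever rebind its own tag.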
I do not know how much Vélib' and the RATP (the company that runs the underground and provides the RFID tag that I'm using for both) share information. There's always the possibility that the person who answered the phone was able to check the name associated with my tag and only then perform the change. But I seriously doubt this.
Photo credit: JenWaller