Risk, Efficient Accidents, and Identity Theft
If it is efficient to prevent the accident, economic analysis of law leads us to ask, a la Carroll Towing and the Hand Formula, "Who is the least-cost preventer of the accident?"
If it is not efficient to prevent the accident, we ask, "Who is the least-cost insurer?" If I choose to do nothing to reduce the risk, then I might or might not choose or be able to buy insurance against the loss.
There is a possible application of these concepts to computer identity theft as described in the Washington Post [reg. req'd]. The article describes the problems of identity theft and some of the measures that large firms like AOL and E-Trade are taking to reduce the risk of identity theft. The focus of the article is the RSA token:
These devices are attempts to reduce the risk of identity theft. But you know what? I would hate them. I hate having to remember different passwords (or more like trying to remember where I've hidden them], and having to type in even more would be very annoying.
Both are inviting their users to try out a different way to log in to their sites. In addition to typing a user name and password, they can obtain a key-chain-sized token with a tiny screen that displays a new six-digit number every minute.
That number acts as an extra, one-time password by matching up with an identical number generated at the same time by a computer at AOL or E-Trade's offices.
The Stamford, Conn., research firm Gartner conducted a survey and found that devices like the RSA token are unpopular with consumers -- even the ones who say they want more security options.Added to the inconveniences of using the token, my pockets are already too full of geeky things -- I do not want to have to carry yet another thing that allegedly fits on my keychain -- it is plenty full already.
... Avivah Litan, a fraud analyst at Gartner, ... said a login token could help more if users have to enter its six-digit number whenever they conduct a high-value transaction, just to make sure that their accounts are not hijacked.
But then again, that might be the sort of added complexity that would make the prospect of using these things even less appealing.
So if that is the state of the art, I would prefer to say that using the RSA token would be inefficient for me, given my expectation of the risks, the costs, and the benefits. But one reason I make this assessment is that I do not use AOL, I do not use E-Trade, and I know from past experience that my credit card company has several very good checks in place, should someone try to use my credit card number.
Also, there is a bit of moral hazard at work. For me, the risk of identity theft is at least partially insured. And that insurance has affected my assessment about whether it would be efficient for me to take additional steps to prevent identity theft.