ALKHOBAR, 9 May 2006 — The Kingdom is sometimes a bit behind in the use of technology. While that may cause frustration, it may also be a good thing if lessons are learned by analyzing the experiences of other nations. Unfortunately, too often that doesn’t happen, and then we are doomed to repeat the mistakes of others. We’ll even know the serious negative consequences of our actions before we even implement the systems, and yet frequently we still travel down the same ill-conceived path as those who went before us.
Take the example of the United States and the use there of the Social Security number. When Social Security numbers were first issued in 1936, the US federal government assured the public that use of the numbers would be limited to Social Security programs. Today, however, the Social Security number is the most frequently used record keeping number in the United States. Banks, hospitals, employers, insurance companies and many others use an individual’s Social Security number for tracking and identification purposes. With Social Security numbers being too accessible in the US, the crime of identity theft has reached epidemic proportions.
Using stolen Social Security numbers coupled with other information, criminals are able to create phony credit card accounts, buy goods on time payments, steal utility services and commit numerous other financial crimes. The identity theft is usually discovered when bills aren’t paid and legal action is taken. The individual whose identity has been compromised is then in serious trouble and proving innocence may be difficult.
Why is this important for Saudi Arabia? Because we are setting ourselves up for the same nasty experience. Most individuals in Saudi Arabia have been assigned national ID numbers or iqama numbers. These numbers were part of a system developed by the government for its own purposes. Unfortunately, these numbers have now been hijacked by businesses for uses outside the governmental system.
Hospitals and clinics routinely take copies of the Saudi national ID or iqama. Banks and credit card companies do the same. Even the phone companies request these documents. Even worse, this sensitive information is handled in a very insecure manner.
Last week, I went to get a prepaid mobile telephone number. As part of the application process, the customer service representative made a photocopy of my Saudi ID card. I hated to allow such a copy to be made but he insisted that it was a required part of the process. The photocopy of the ID was left lying on the counter of the subscription office for a while until eventually it was stapled to my application and the application was stacked, with several others, on top of an unattended desk.
There was nothing to prevent this company representative from making more than one copy of my ID and taking those copies out of the office. I have no clue who this salesman is other than the name he gave me, nor do I have any idea about his background. It is horrifying to think that there is the potential now for my name to be used in the issuance of another mobile phone that could be abandoned without payment or worse, used by a criminal organization. It would be very difficult for me to prove that I had nothing to do with such a phone subscription.
Those who may think I’m overreacting should be aware that statistics show that in the US about half of all identity theft is committed by close friends and relatives who gain access to personal records in the home, office, wallet or pocketbook. If friends and relatives are willing to betray their loved ones, what prevents strangers from doing the same?
People can be silly and help criminals gain access to their personal information. One of my favorite restaurants just put in a box, near the cashier, aiming to collect business cards in exchange for a chance to win a free meal. I noticed people casually dropping their business cards into the box, normally while waiting to sign their credit card receipts. I was desperate to set off an alarm at the cash register.
In Saudi Arabia, credit card payment receipts are printed out with both the complete credit card number and expiration date visible. Additionally, in the Kingdom many people use their business post office box as their personal postal address as well. So by tossing a business card into the restaurant’s prize box, individuals nicely provide all the information necessary for credit card fraud. Does it have to be this way? Of course not!
Recently some of the banks were enabling customers to verify identity by having the customer service representative cycle the phone call into the bank’s phone banking system. This happened last week when I wanted to activate a new credit card. The bank’s customer service representative told me that after the automated prompt I should punch in my ATM card number and PIN to authenticate my identity. I was delighted to oblige. But then, after this procedure was completed and the bank’s customer service representative came back on the line, he asked me to give him my Saudi national ID number as an additional authentication. I was furious!
The Ministry of the Interior should move quickly to severely restrict the use of Saudi national ID numbers and iqama numbers by commercial establishments. Photocopying identification cards and iqamas must be made illegal. Banks, credit card companies and others should be forced to keep all ID numbers in a secure database with extremely limited access. These establishments should issue their own ID numbers and not rely on the government’s numbers for identity verification or they should resort to “smart” or biometric technologies for identity authentication.
The Saudi Arabian Monetary Agency must move immediately to prevent point of sale (POS) machines from printing the full credit card numbers on printed receipts. Such policy is the standard in other nations already. The use of mobile POS terminals would also cut down on credit card fraud as the card would never leave the customer’s hand, so fewer people would have access to the card’s special authentication code.
Identity fraud has already been reported in Saudi Arabia. There have been instances of people applying for telephones and being told that they have been blacklisted for non-payment of phone bills on numbers they never knew they had. Last year local banks began to fight phishing scams and there are increasing incidents of credit card and insurance fraud in the Kingdom. There is no law in Saudi Arabia that forces commercial entities to inform consumers when the personal information entrusted to such organizations has been revealed inappropriately. There are no regulations here detailing the standards for security on databases containing personal identifying information. Recently there have been unconfirmed reports that such databases have been repeatedly compromised.
There is a proverb that reads, “Wise men learn by other men’s mistakes, fools by their own.” With the spread of online services and the automation of systems in Saudi Arabia the environment is ripe for consumer exploitation. Cases involving identity theft in the Kingdom will only increase if decisive action is not taken by the authorities immediately.
* * *
(Comments to: [email protected].)
