This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Download it now to read this article plus other related content.
Today's financial system makes identity theft inevitable by relying on none-too-secret identifiers.|
Preliterate societies often fear that knowing somebody's real name imparts supernatural power over that person. To protect themselves from evil magicians, people in such societies share their true name only with family and close friends. Ironically, in today's financial system, if you know somebody's name, you have the power to take out financial transactions in their name. We've created a primitive system that makes identity theft inevitable.
Social Security, credit card and bank account numbers are just identifiers--names--without which you wouldn't know where to send the bill. Perversely, we treat these names like passwords. We make a very ill-advised assumption that if you know one of these identifiers, then it must be your personal identifier. Unlike passwords, they aren't secret, so how can they not be stolen?
Credit card issuers keep adding little information tags to the cards to make them more difficult to abuse, but these are just variations on a flawed theme. A decade ago, anybody could download a simple application to generate bogus credit card numbers that could easily be used to rack up charges to nonexistent accounts. Once that was foiled, criminals started stealing card numbers instead of making them from scratch. The
| counter to that was ensuring the expiration date was correct, and when waiters started pilfering that off the magnetic strip, a three-digit code was printed onto the back of the card. The core flaw remains unchanged; if the information needed to verify a transaction is the same information used to initiate one, then that information will always be accessible in the clear and will always be a target for theft. The credit card system is a dike with more holes every day, and the Payment Card Industry Data Security Standard only provides a limited number of fingers. It's a losing battle.
However, identity theft is not just about stealing existing credit card numbers; it's also about creating new credit accounts in someone else's name, or gaining unauthorized access to someone's bank accounts. The growing number of large-scale thefts of personal information makes it clear that cybercriminals have a huge incentive to overcome whatever data protection mechanisms we put into place.
Do we really want to force more and more innocent people into defending themselves from aggressive bill collectors? If not, we're going to have to adopt multiple new layers of defense. If account numbers are exploitable because we treat them like secrets, then we can use asymmetric encryption to verify that someone initiated a purchase, without having to actually share his identifier (such new mechanisms are especially needed for Internet transactions). Process and laws also will need to change. If credit is being inappropriately granted on the basis of weak personal ID, then we need stronger standards for personal identification. Is it just a coincidence that the countries where consumers wait longer for credit approval have lower rates of credit fraud? U.S. and U.K. regulations put the burden on individuals to prove they didn't borrow money, instead of forcing lenders to prove that they did. This gives credit issuers an economic motivation to make bad loans.
Strengthening data protection laws and payment card security standards are Band-Aids that don't address the core problems of poor authentication, primitive transaction validation protocols and perverse economic incentives. It's clear that posturing politicians and corporate executives are not going to solve the information security problem of cyber wizards stealing and abusing our "good names." Maybe it's time for security professionals to step up and show 'em how it's done.
This was first published in June 2008