The Real Kato

Sunday, 2012 February 5 - 3:46 pm
Amy's wallet was lost or stolen last week, when we were out at a douchey nightclub downtown (we didn't even want to be there, but got roped into it). In the wallet were a driver's license, a credit card, a bank card, and her social security card. Yeah, we know, no one should carry their social security card around with them, but an employer said they needed to see it. (They don't, by the way; the SSN can be verified by employers online.)

Anyway, that got me thinking about the antiquated mechanisms we have for identity security.

Social security numbers are simple nine-digit codes with no temporal or biometric security. By "temporal" I mean that the code never changes, so once it's stolen, it's stolen for good. By "biometric" I mean that the government does not maintain a photo, fingerprints, or any other identifying information along with the number, making it impossible to validate whether it is being used by the right person. And yet Social Security numbers, brought into existence in the 1930s and turned into a de facto national identification number in the 1970s, are the most widely used identification system in the country, particularly in financial transactions.

Using a mother's maiden name as a secret password is even worse. That information is now often publicly available, or discoverable with a minimum amount of effort. A lot of women have their maiden name visible in Facebook, so they can be found by their high school classmates. Moreover, a lot of women these days don't even change their names when they get married.

Your signature? Not only is it slightly different every time you sign it, but most of the time no one even bothers to verify it. It takes a minimum amount of effort or education to forge a signature, but only an experienced expert can detect a forgery. It should be the other way around: forgeries should be difficult to perform and easy to spot.

Credit card numbers aren't much better. They're sixteen-digit codes that any unscrupulous sales clerk or Internet retailer could steal. There's the 3-digit verification code on the back, but that is also easily stolen. Thankfully credit card companies have processes for dealing with stolen numbers (numbers can be quickly invalidated and new cards can be issued, and the cardholder is not responsible for fraudulent purchases), but you'd think that they'd be motivated to come up with a better solution.

We live in an age of ubiquitous technology and advanced research into security and cryptography, so why can't we solve these problems? We already have tools like PGP for cryptographically secure signatures; we just need to incorporate these things into our everyday lives. For example, you could have a device (or iPhone app, even) that generates an electronic signature for you, coded to the particular document you're signing and the time and date. That signature could be electronically validated against an ultra-secure government database that holds the private encryption keys. The device would be tamper-resistant and could also incorporate a PIN for some protection against physical theft.

If you lose the device, the worry is that someone could hack it and use it to generate forged electronic signatures on your behalf. To counter that, each past signature generated would be stored in a database, so someone couldn't revise history and claim you signed something that you didn't. Also, you'd need a secure way of changing your key. It might involve going into a government office and having them validate your identity biometrically (using fingerprints, photos, and retinal scans); or, allowing a set of trusted friends to simultaneously log in to validate you; or, using a backup device that you lock away in your house or safety deposit box.
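Here is a sketch of the two pieces described above: a signature coded to one document and one time, and a past-signature log that exposes revised history and entries made without the right key. This is an added example, not code from the original post. It assumes HMAC-SHA256 with a key shared by the device and the validating database as a stand-in for the signature scheme (Python's standard library has no public-key signatures), and every function name, key, and document in it is constructed for illustration.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # chain value before the first signature exists

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, doc_hash: str, ts: str) -> str:
    # Binds the signature to one document and one signing time.
    return hmac.new(key, f"{doc_hash}|{ts}".encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, document: bytes, ts: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, sha256_hex(document), ts), sig)

def link(prev: str, doc_hash: str, ts: str, sig: str) -> str:
    # Each log entry commits to the entry before it.
    return sha256_hex(f"{prev}|{doc_hash}|{ts}|{sig}".encode())

def append(log: list, key: bytes, document: bytes, ts: str) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    doc_hash = sha256_hex(document)
    sig = sign(key, doc_hash, ts)
    entry = {"prev": prev, "doc": doc_hash, "ts": ts, "sig": sig,
             "hash": link(prev, doc_hash, ts, sig)}
    log.append(entry)
    return entry

def audit(log: list, key: bytes) -> int:
    """Return the index of the first bad entry, or -1 if the log is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        chained = e["prev"] == prev and e["hash"] == link(prev, e["doc"], e["ts"], e["sig"])
        signed = hmac.compare_digest(sign(key, e["doc"], e["ts"]), e["sig"])
        if not (chained and signed):
            return i
        prev = e["hash"]
    return -1

def demo() -> dict:
    key, log = b"constructed-device-key", []   # constructed sample key
    times = ["2012-02-05T15:46:00Z", "2012-02-06T09:00:00Z", "2012-02-07T12:30:00Z"]
    for n, ts in enumerate(times):
        append(log, key, f"constructed contract {n}".encode(), ts)
    out = {"clean": audit(log, key),
           "wrong_doc": verify(key, b"altered contract", log[0]["ts"], log[0]["sig"])}
    revised = [dict(e) for e in log]           # history revised: entry 1 backdated
    revised[1]["ts"] = "2011-01-01T00:00:00Z"
    out["backdated"] = audit(revised, key)
    forged = [dict(e) for e in log]            # well-chained entry, but not the owner's key
    append(forged, b"some-other-key", b"forged loan", "2012-02-08T00:00:00Z")
    out["forged"] = audit(forged, key)
    return out
```

The chain only proves the log is internally consistent; whoever audits it also needs a copy of the latest entry hash kept somewhere the database operator cannot rewrite.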

What if the government database got hacked? Well, it would be a fairly simple matter for the government to reissue any compromised keys; it'd just require the user to synchronize their device and download a new key. (This should be a very rare occurrence, and users would have to be educated on not falling for phishing attacks that try to get them to download a bogus key.) The past-signature database would not be of much value as far as identity theft, but it would need to be backed up and protected from having fraudulent entries added to it. I'd probably suggest that the database be decentralized so that one breach wouldn't affect every person in the country. And, the people overseeing and maintaining the database systems should get national security clearance.

I'm sure there are holes in this approach and that a clever hacker, over time, would find those holes. But this would still be a massive upgrade over our current system, which involves having our social security number stored in hundreds of insecure databases and printed on hundreds of pieces of paper, practically begging to be stolen. If we took all the money we currently spend chasing identity theft and credit fraud and poured it into this system, I'd bet we'd be able to implement it with money to spare.

Now, someone go do it.
Posted by Ken in: commentary, techwatch

