The Root of Identity Theft
22 Apr 2008

Dear Americans.
It looks like you have somehow neglected even the most basic security practice in your business lives. You are using the SSN and the mother's maiden name as (presumably secret) authentication credentials. You use them for credit applications, for opening bank accounts and for all sorts of other activities that can affect your financial situation and/or your reputation.
When you create a free e-mail or social network account, would you use your SSN or your mother's maiden name as the password? You would not! Why? Because this information is trivial to find out for anyone with a bit of motivation. Yet your companies use exactly this publicly available data to authenticate customers. And you still wonder why identity theft is flourishing?
Your very own Whitfield Diffie made it clear: "A secret that cannot be readily changed should be regarded as a vulnerability". Can you readily change your SSN or your mother's maiden name?
You still fight against any kind of authentication mechanism that might make your lives safer. Is a password the best security mechanism you can imagine? I do not know of any bank in Slovakia that does not have two-factor authentication for Internet banking access. I do not know of any organization here that would hand over sensitive personal data to someone presenting only a name and a national identifier. You cannot get a loan of any substantial value in Slovakia without showing up in person and presenting a valid ID card. I think that having an ID card protecting my money and my reputation is a feature, not a loss of any of my liberties. Yes, theft is still possible, as the authentication credentials or the ID card can be stolen and modified, or forged entirely. But that is not an easy process, and the theft is therefore quite limited.
You still talk about the lack of privacy and the rise of identity theft, but you are failing to introduce any effective legislation. We have the EU directive on personal data protection (Directive 95/46/EC), which regulates the collection and, above all, the use of personal information. The directive is far from perfect, but even in its current form it is better than what you have, which is almost nothing. On the other hand, you do what you can to make identity theft easier: you allow anyone to obtain anyone else's credit report (for a small fee), and you make the databases containing personal data public. You even have (legal) businesses built on the concept of harvesting that data for anyone to use easily (if he can pay for it).
Technology will not solve these problems. No amount of OpenID, CardSpace, SAML or any other marketing brochures and presentations can solve problems that lie in society and in legislation. Please correct the problem at its root and do not try to cover it with technology.