Consumers Warned About New Form Of Identity Theft (Yahoo! News)
I’ve known about identity theft for years, ever since my student ID was stolen in college. I found out about it because a credit card company called me up to ask for my date of birth. I asked why, and found out that someone had applied for a card in my name but with their address (not sure if they used my actual phone #, but it was on the same campus). It screwed me up for a good ten years.
My wife also had something like that happen recently. Apparently, it’s common for thieves to just make up a credit card number at random and bill for things like new phones. The phone companies don’t care that the names and addresses don’t match and try to bill the real person unless you fight them. It took her four months to clear that up and the thieves didn’t even have her correct SSN or name.
Now there’s this news story (above) about people getting medical treatment using your SSN, meaning you now have to fight to clear the bill and medical records of any incorrect information. Let’s ignore the fact that it wouldn’t be a problem if we had universal health care and focus in on the identity issue. What can we do?
The fact is, Congress has debated, but failed to act on this issue for quite some time. They’ve passed laws extending the protection for Mickey Mouse’s identity, with big penalties there. But for real people, not so much. They can’t even pass a law preventing companies from using your SSN as your internal ID–the best you can do is refuse, in many cases, assuming you know to do so.
SSNs are bad, in part, because they’re easy to pick at random: nine digits means a billion combinations, and with 260 million living Americans (plus as many recently deceased), roughly half of the numbers will be in use at any given time. So people propose biometric solutions instead: fingerprint, iris imaging, etc. So then, if I go to a bank and use their scanner, I may be a bit safer, assuming it can’t be spoofed, for example, in the way that Saabs notoriously had only six unique ignition keys and just about any Saab owner could drive any other car. The danger is that a fake fingerprint can stand in for a real one.
But what if I want to bank at home? It gets even worse. Once people have their own home versions of the biometric verification, the home device must compute a code using some part of your body and send it over the Internet to be verified. A hacker need only capture this code and then there’s no need for your body. In other words, if that code (or its "hash"–essentially, a way of checking the validity of a code without sending the whole thing) is stored in your file, it’s just as good as your SSN at representing you. The only difference is that it’s harder to guess. There are solutions to that, of course, such as having the bank generate a random number that must be re-incorporated back into your hash to be considered valid for that session. But I have no confidence that banks, who still use a 4-digit PIN to prove your ATM card is yours, will do much more than the bare minimum until they hit major losses.
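The session-nonce idea from the paragraph above, as an added example that is not part of the original post: a fixed code captured once can be resent forever, while a response bound to the bank's random number is useless in any other session. The `Bank` class, the `respond` helper, the HMAC-SHA256 construction and the sample template are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Hypothetical verifier that holds the enrolled code and issues challenges."""

    def __init__(self, enrolled_code: bytes):
        self._code = enrolled_code
        self._pending = set()  # nonces issued but not yet answered

    def verify_static(self, presented: bytes) -> bool:
        # Weak scheme: the same code crosses the wire on every login.
        return hmac.compare_digest(presented, self._code)

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False              # never issued, or already used
        self._pending.discard(nonce)  # each challenge is single use
        expected = hmac.new(self._code, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def respond(code: bytes, nonce: bytes) -> bytes:
    """Home device: mix the bank's random number into the stored code."""
    return hmac.new(code, nonce, hashlib.sha256).digest()


def demo() -> dict:
    # Constructed stand-in for the code a home biometric reader would derive.
    code = hashlib.sha256(b"constructed-biometric-template").digest()
    bank = Bank(code)
    results = {"static_replay_accepted": bank.verify_static(code)}
    n1 = bank.new_challenge()
    r1 = respond(code, n1)            # this is what an eavesdropper would see
    results["fresh_accepted"] = bank.verify_response(n1, r1)
    results["same_nonce_replay_accepted"] = bank.verify_response(n1, r1)
    n2 = bank.new_challenge()
    results["old_response_new_nonce_accepted"] = bank.verify_response(n2, r1)
    return results


if __name__ == "__main__":
    print(demo())
```

The code itself never leaves the device in the second scheme, but it is still a long-lived secret stored at both ends, which is the weakness the rest of the post goes on to address.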
We really need just two things. First, Congress must pass a law that states, once and for all, that you are the exclusive owner of your personal information, your identity, which has real value as both property, time and energy required to correct a theft, and for any new expenses you’d suffer, like increased interest rates from a lowered credit rating. Any company wishing to use it may borrow it, with your permission, but otherwise, it’s hands off. This would cut down on marketing lists as a side-effect, as companies would owe you a cut from selling your info. But the main point is that it would be a crime to merely copy or possess your information without permission, let alone use it for fraud. If your identity is stolen, you must be notified, and since it is your property, the company should be liable for the resulting loss. Currently, only California does the notification and no one holds companies liable for such negligence. That’s the only way to ensure compliance, unfortunately.
The second thing we’d need is to abandon basic codes, like SSN or even longer biometric hashes. Whatever the code, if I have to give it out over the phone or Internet and if it always stays the same, then it’s vulnerable to being stolen and reused without my knowledge. It turns out, cryptography has a solution — a kind of unique, and essentially unbreakable code called a One Time Pad. It’s time we start using that for identity.
How does it work? It’s pretty simple to explain, actually. A device like a typical SecureDigital or Flash card (currently the size of a postage stamp) can easily store a billion bits of random data–that’s your key. Your bank, for example, has an identical copy of that key on file. To communicate with them securely, your Internet browser need only use a piece of that key to encrypt all transmissions and the bank need only use their copy to decrypt, and vice versa. The less of your key is reused (ideally none), the more secure it is. When you run out of random bits on your card, you recharge both copies with new random data and keep going. And if anyone does manage to copy your pad, you’d know it immediately the next time you try to log on. For a comparison, your wireless router uses a 64- or 128-bit key (not exactly the same kind of key, but similar enough for our purposes) for standard WEP and it changes relatively infrequently. It’s relatively easy to hack and you’d probably never know.
The One Time Pad is as secure as it gets, ignoring the fact that this SD card can physically be lost or stolen. So a further step (only after the basic ID codes are secure) is to couple it with a biometric sensor, say, built into the SD card reader, which dynamically encodes and decodes the key with your biometric hash and vice-versa. Now you’re suddenly extremely secure. Someone would need your biometric hash and your physical key, meaning, in effect, they’d need you. And that’s hard to come by without your knowledge. It’s also secure in the open, meaning that even if someone knows the algorithm and snoops on you, you’re still safe. Right now, for example, credit card codes use a "secret" verification algorithm, which means that once people know the algorithm, they can guess any valid credit card number, no matter how many digits it is–not smart.
Ideally, each company you do business with would have its own distinct Pad (or at least its own distinct key on your SD card) so none of those keys needs to be shared with more than one entity. And for simply verifying your identity, a network logon or a doctor’s office equipped with the complementary key system could use, say, 256 bits (8 bytes) at a time in place of a password or personal ID code, meaning you could verify literally millions of times before needing to recharge the SD card with a new random key.
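An added sketch (not from the original post) of the identity check described above: each login spends the next 256 bits of the shared pad, so a replayed token or a cloned card shows up as pad material that has already been spent. `Pad`, `Verifier`, the offset-plus-token message and the small sample pad are assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits = 32 bytes of pad spent per verification


class Pad:
    """Hypothetical card-side copy of the pad with a cursor to the next unused byte."""

    def __init__(self, data: bytes):
        self.data = data
        self.offset = 0

    def next_token(self):
        if self.offset + TOKEN_BYTES > len(self.data):
            raise RuntimeError("pad exhausted: recharge both copies")
        start = self.offset
        self.offset += TOKEN_BYTES
        return start, self.data[start:start + TOKEN_BYTES]


class Verifier:
    """Hypothetical bank-side copy; remembers how much of the pad has been spent."""

    def __init__(self, data: bytes):
        self.data = data
        self.offset = 0

    def check(self, start: int, token: bytes) -> str:
        if start < self.offset:
            return "reused"    # this stretch of pad was already presented
        expected = self.data[start:start + TOKEN_BYTES]
        if not hmac.compare_digest(token, expected):
            return "mismatch"  # wrong bytes (or past the end of the pad)
        self.offset = start + TOKEN_BYTES  # never accept this stretch again
        return "ok"


def demo() -> list:
    material = secrets.token_bytes(4 * TOKEN_BYTES)  # constructed sample pad
    bank, card = Verifier(material), Pad(material)
    out = []
    first = card.next_token()
    out.append(bank.check(*first))               # legitimate login
    out.append(bank.check(*first))               # captured token replayed
    clone = Pad(material)                        # a copy of the whole card
    clone.offset = card.offset
    out.append(bank.check(*clone.next_token()))  # the copy is used first
    out.append(bank.check(*card.next_token()))   # owner's next login fails
    return out


if __name__ == "__main__":
    print(demo())
```

The final "reused" result is the owner's signal that someone else holds a copy of the pad: the bank has already seen the bytes the genuine card is presenting for the first time.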
Of course, nothing is perfect. I wrote a speculative fiction story about a future in which these practices are common. But there’s always a way around, namely, the weakness of human beings and physical coercion. That element will probably never change. But we can still use technology and a bit of legislation to solve everything else, starting now.