Solving Identity Theft


Consumers Warned About New Form Of Identity Theft (Yahoo! News)

I’ve known about identity theft for years, ever since my student ID was stolen in college. I found out it because a credit card company called me up to ask for my date of birth. I asked why, and found out that someone had applied for a card in my name but with their address (not sure if they used my actual phone #, but it was on the same campus). It screwed me up for a good ten years.

My wife also had something like that happen recently. Apparently, it’s common for thieves to just make up a credit card number at random and bill for things like new phones. The phone companies don’t care that the names and addresses don’t match and try to bill the real person unless you fight them. It took her four months to clear that up and the thieves didn’t even have her correct SSN or name.

Now there this news story (above) about people getting medical treatment using your SSN, meaning you now have to fight to clear the bill and medical records of any incorrect information. Let’s ignore the fact that it wouldn’t be a problem if we had universal health care and focus in on the identity issue. What can we do?

The fact is, Congress has debated, but failed to act on this issue for quite some time. They’ve passed laws extending the protection for Mickey Mouse’s identity, with big penalties there. But for real people, not so much. They can’t even pass a law preventing companies from using your SSN as your internal ID–the best you can do is refuse, in many cases, assuming you know to do so.

SSNs are bad, in part, because they’re easy to pick at random — nine digits, which means a billion combinations and 260 million living Americans (plus as many recently deceased) — means roughly half of the numbers will be used at any given time. So people propose biometric solutions instead, fingerprint, iris imaging, etc.. So then, if I go to a bank and use their scanner, I may be a bit safer, assuming it can’t be spoofed, for example, in the way that Saabs notoriously had only six unique ignition keys and just about any Saab owner could drive any other car. The danger is that a fake fingerprint can stand in for a real one.

But what if I want to bank at home? It gets even worse. Once people have their own home versions of the biometric verification, the home device must compute a code using some part of your body and send it over the Internet to be verified. A hacker need only capture this code and then there’s no need for your body. In other words, if that code (or its "hash"–essentially, a way of checking the validity of a code without sending the whole thing) is stored in your file, it’s just as good as your SSN at representing you. The only difference is that it’s harder to guess. There are solutions to that, of course, such as having the bank generate a random number that must be re-incorporated back into your hash to be considered valid for that session. But I have no confidence that banks, who still use a 4-digit pin to prove your ATM card is yours, will do much more than the bare minimum until they hit major losses.

The Solution

We really need just two things. First, Congress must pass a law that states, once and for all, that you are the exclusive owner of your personal information, your identity, which has real value as both property, time and energy required to correct a theft, and for any new expenses you’d suffer, like increased interest rates from a lowered credit rating. Any company wishing to use it may borrow it, with your permission, but otherwise, it’s hands off. This would cut down on marketing lists as a side-effect, as companies would owe you a cut from selling your info. But the main point is that it would be a crime to merely copy or possess your information without permission, let alone use it for fraud. If your identity is stolen, you must be notified, and since it is your property, the company should be liable for the resulting loss. Currently, only California does the notification and no one holds companies liable for such negligence. That’s the only way to ensure compliance, unfortunately.

The second thing we’d need is to abandon basic codes, like SSN or even longer biometric hashes. Whatever the code, if I have to give it out over the phone or Internet and if it always stays the same, then it’s vulnerable to being stolen and reused without my knowledge. It turns out, cryptography has a solution — a kind of unique, and essentially unbreakable code called a One Time Pad. It’s time we start using that for identity.

How does it work? It’s pretty simple to explain, actually. A device like a typical SecureDigital or Flash card (currently the size of a postage stamp) can easily store a billion bits of random data–that’s your key. Your bank, for example, has an identical copy of that key on file. To communicate with them securely, your Internet browser need only use a piece of that key to encrypt all transmissions and the bank need only use their copy to decrypt, and vice versa. The less of your key is reused (ideally none), the more secure it is. When you run out of random bits on your card, you recharge both copies with new random data and keep going. And if anyone does manage to copy your pad, you’d know it immediately the next time you try to log on. For a comparison, your wireless router uses a 64 or 128 bit key (not exactly the same kind of key, but similar enough for our purposes) for standard WEP and it changes relative infrequently. It’s relatively easy to hack and you’d probably never know.

The One Time Pad is as secure as it gets, ignoring the fact that this SD card can physically be lost or stolen. So a further step (only after the basic ID codes are secure) is to couple it with a biometric sensor, say, built into the SD card reader, which dynamically encodes and decodes the key with your biometric hash and vice-versa. Now you’re suddenly extremely secure. Someone would need your biometric hash and your physical key, meaning, in effect, they’d need you. And that’s hard to come by without your knowledge. It’s also secure in the open, meaning that even if someone knows the algorithm and snoops on you, you’re still safe. Right now, for example, credit card codes use a "secret" verification algorithm, which means that once people know the algorithm, they can guess any valid credit card number, no matter how many digits it is–not smart.

Ideally, each company you do business with would have its own own distinct Pad (or at least its own distinct key on your SD card) so none of those keys needs to be shared with more than one entity. And for simply verifying your identity, a network logon or a doctor’s office equipped with the complimentary key system could use, say, 256 bits (8 bytes) at a time in place of a password or personal ID code, meaning you could verify literally millions of times before needing to recharge the SD card with a new random key.

Of course, nothing is perfect. I wrote a speculative fiction story about a future in which these practices are common. But there’s always a way around, namely, the weakness of human beings and physical coercion. That element will probably never change. But we can still use technology and bit of legislation to solve everything else, starting now.

  1. #1 by Brett on June 10, 2006 - 12:23 pm

    Generally a good generic article. Some of the deeper technical items needs some work and better definition. Seems like you are blurring hashes, wep (which is horrendously awful) and encryption. Also, seems like you blur one-time password with one time pad. I’m going to blog on Digg (^digg) as well as starting a thread on my blog (website). Cheers

  2. #2 by avi on June 10, 2006 - 12:27 pm

    Thanks. I’m trying to keep it simple. But better definitions can’t hurt. I am blurring one-time password and pad–I’m asserting that the pad could serve as verification, not just encryption of session, and with biometrics, would obviate the need for a secret password. Barring biometrics, the pad plus password might be best.

  3. #3 by Brett on June 11, 2006 - 3:35 pm

    As I stated on ITDefPat in response to this, the rule of law should come first: one should have copyright ones’s own identity. This identity would be licenced to which ever entity we allow – employer, bank, etc. for the specific purpose. Thios inverts that common statement at the receiver (e.g. bank) that they will use the information however they state. Rather than their promise, we grant licence, thus if they violate, we prosecute. It might take some kind of key/hash to track which instance of one’s identity was violated, but that is probably trivial.

  4. #4 by Ira on June 12, 2006 - 4:11 pm

    Avi, perhaps we have found an area where we can wholeheartedly agree? The need for “Positive ID”!

    I’ll accept your assumption that your idea of a “one-time pad” security verification system can be incorporated into a small package along with a biometric sensor or two (and an active RFID chip for good measure). The device would be carried in your wallet or slip into your cell phone.

    Initially, each bank would issue their own Positive ID (“PID”) credit card. However, in response to consumer needs, a Universal PID (“UPID”) would be made available. The random data and biometrics and algorithms for each bank would be stored in a separate partition on the UPID and would be independently accessed and updated only by that specific bank. You would approve all additions and updates.

    As the UPID gained popularity, other organizations such as the Motor Vehicle Department, hospitals, Social Security, and so on, would each claim their partition on the UPID, with your approval. The UPID would become a very convenient universal credit card and drivers license and highway toll Speedpass and passport and medical ID that would be the equivalent of having a dozen or more PIDs at a time.

    The UPID would recognize the RFID transponder at the “Speedpass” toll booth, the RFID at the library, the bookstore, the supermarket, and so on.

    By that time all consuer products will have their own RFID chip in them. Every can of soda, every book, and so on will have its own RFID number! You could walk into any store, pick up what you need, and walk out. The green light at the exit would signify that your UPID was valid and that all the items have been billed to your designated credit card. (If you wanted a printed receipt you could punch a handy terminal to get one.)

    If you chose to leave your UPID on all the time, you will leave a record of your purchases and all your comings and goings. However, this record would not all be on a single “Google brain” computer (as you describe in your “Identity Theft” story).

    Various parts would be on the computers of different banks, supermarkets, libraries, and other organizations. Each partition would know you by a different ID number and much of the data would not be directly associated with your name.

    (This is similar to the dozens of video records you currently leave every day on the video cameras of banks and supermarkets as you go about your daily routines. It would be more private than the dozens of credit card and cell phone call records that you you leave every day. These include your name and location at the time of the transaction.)

    If you lost your UPID you would have a spare hidden in your house or car or at a friend’s place. Or, you could go to a bank, prove your identity via DNA, and get a replacement.

    In addition to the obvious consumer convenience:

    1) A lost UPID, without your biometric, would be of no value to a thief. However, if he or she left it on, it would be a great way to track the thief.

    2) If you turned up missing, your spouse or trusted friend would release an authorization with your account numbers. All applicable computer records would be searched for a given time period to determine where you were when your UPID stopped working. If your UPID was still on, it would specify your most recent location. That would be a great way to locate and possibly rescue you, or at least provide a clue as to who did you in and where.

    3) If you were falsely accused of a crime, you could authorize release of the location records to prove you were elsewhere.

    4) If someone was rightfuly suspected of a crime, the authorities, with a court order, could get access to his or her UPID records near the time of the crime to help get other clues and prove their case.

    5) Your laptops and PCs would have an interface compatible with your UPID. That would allow you to PID-stamp your emails and website entries such that recipients and surfers would be assured it was really you who posted them. (You could set the posting to be “anonymous”, and that would protect your privacy, but also alert the recipients to the possibility of fraud.)

    6) Once nearly everyone has a UPID, and most of us leave it on all the time (as I do my cellphone), anyone who walks by without an active UPID will be marked as a “stranger”. This will restore something like the “Small Town” security situation where “everyone knows everyone else”. When I was a kid in 1940’s Brooklyn, I could walk into the grocery on our street, buy what my mom told me to get, and ask the grocer to “mark it down”. Mom would stop by every couple days and pay the bill. When we lived in rural upstate NY in the 1970’s, the guy at the General Store would leave the store unattended on the “honor system” when he had errands to run. No cards, just Positive ID in action!

    How about it Avi? Are you ready to sign up for Unversal Positive ID?

  5. #5 by avi on June 12, 2006 - 5:45 pm

    Ira, your vision of a global surveilance society is pretty scary actually. The point of securing one’s identity is not to assist the government or law enforcement or marketers in tracking us and our purchases, nor is it to make those purchases easier (how hard is it now?). The purpose is to prevent crimes against your privacy and your identity, some of which are actually enabled by the poor laws we have. Those laws are culmination of special (not common) interests interfering in public policy: banks, credit card vendors, overzealous law enforcement requiring such things as breakable encryption and SSN tracking in the first place. They’re hardly the people I’d want writing new rules for us.

    To the extent that a one time pad can facilitate a secure transaction with your bank, even in an insecure environment like a mall or supermarket, it can be used as a debit card. Credit cards require the vendor to store your information as a "man in the middle" and as such should go away. But debit with a truly secure "pin" equivalent would be fine. Tracking RFIDs is a mistake though, at least until we have laws stating that you own all of your personal information (including purchases) and no company can collect, store, and sell it without your express permission. Law enforcement should need more than your permission. They should require a court order, and even then, I should be able to set the policy as to the length and type of data retention these companies use for my personal information.

  6. #6 by Ira on June 12, 2006 - 9:59 pm

    Avi – Thanks for your prompt and thoughtful reply. It appears we each have a very different view of the future.

    IMHO, the “genie” is already “out of the bottle”. Mixing metaphors, “all the king’s horses and all the king’s men” can’t “put the toothpaste back in the tube again”.

    So-called “privacy” is a lost cause. In our western society, unless a person is a hermit, or homeless – or a thief using your identity – he or she leaves dozens of computer records of his or her location and activities every day. Every email and posting to your website is recorded by your ISP. Every call by your phone company. Every credit card purchase. You image appears on the video monitoring the ATM terminal. Even if you pay cash, your video is recorded at the supermarket or library or bookstore or subway or bus trip, etc.

    The overwhelming majority of our fellow citizens see nothing wrong with that. They would oppose your law about personal ownership of all personal data if they were told that it would impact access to modern technology or increase costs.

    That’s the reason the recently revealed NSA monitoring of phone number transactions was greeted by a giant “ho hum” by the public. Leading Democrats gave the NSA a pass on it because opposition has no political traction. I suspect most international and many national phone calls and emails are being “gisted” by computers for “key words” that may indicate illegal activities. I suspect that this information is processed by NSA computers. When a suspect pattern exceeds a set threshold, the recorded calls or email text is reviewed by a human agent. Then, if the information warrants, he or she seeks a court order for further investigation. If and when this comes out in the press, we will hear another big “ho hum”.

    I think we are already in the “global surveillance society”. We already have all the negative aspects of surveillance. I think it is time we accept that and try to exploit some of the positive aspects for our convenience and greater personal security.

    You have a vision of an ideal world where an ideal government makes ideal laws for the benefit of an ideal population. Realistically, that is not the world we live in. Government will always favor those with money and special interests. Big corporations, big labor, big government. It will be that way until all citizens, including politicians, turn into saints, or, more likely, we incinerate ourselves with nuclear weapons or are done in by some natural or terrorist biological agent.

    Of course, I respect your right to have another opinion. Good luck!

  7. #7 by avi on June 12, 2006 - 11:21 pm

    Ira, We have a free society only because we decided long ago that it was better than the alternatives. It remains free only to the extent that people like me or you fight to keep it so.

    The "ho hum" you refer to was actually quite a loud uproar, muted only by this administration’s lies and right wing propoganda that claims the same people who deceived us about WMD and these very programs could be trusted to do the right thing with their invented new powers. Those powers are outside the law and as such can’t be used in normal legal proceedings. If they are good at all, they are only good for furthering other extra-legal activities. The fact that Democrats haven’t stopped this is a function of their numbers, not the people’s will.

    There is nothing idealistic about wanting a free society. It is the only way to survive long-term. History shows that no matter how benign the first dictator is, he will soon be followed by a despot. Any rights you willingly give up for the sake of convenience or perceived security now will only come back to haunt your children and grandchildren living under oppression. So choose wisely. It is up to me and you, as long as our society is still democratic.

  8. #8 by Yogesh Raja on November 22, 2006 - 1:54 pm

    Virtually all fraud crimes are preventable if banks make signature and PIN number systems reliable by implementing ID KEY system.

    Fraudsters have proved to us that fake documents have made signature system unreliable while skimmers and pin-hole cameras have made PIN number system unreliable. Is it not obvious that unless banks implement ID KEY system which will make both these systems banks make us use reliable, fraud crimes will continue grow?

    ID KEY system will

    *Make signature system reliable by activating printer at point of transaction to print ID sticker (small sticker with person’s photo and name printed on it) which when applied and countersigned on document will personalise signature. In Identity fraud fraudsters have option to misuse victim’s personal details but not their unique appearance (true identity or visible biometric).

    Current signature system is like passports without photos and that is why it is so difficult to deter and prosecute fraudsters.

    * Use invisible Card Key Code personalised to specific cards to activate ATM transaction. This will make it meaningless for fraudsters to skim cards and pick PIN numbers. For extra safety Card Key Code will change to a new value after every transaction.

    ID KEY system will eliminate the need for us to protect our personal details and even PIN numbers from fraudsters.

(will not be published)