Security
Sunday, 2012 February 5 - 3:46 pm
Amy's wallet was lost or stolen last week, when we were out at a douchey nightclub downtown (we didn't even want to be there, but got roped into it). In the wallet were a driver's license, a credit card, a bank card, and her social security card. Yeah, we know, no one should carry their social security card around with them, but an employer said they needed to see it. (They don't, by the way; the SSN can be verified by employers online.)
Anyway, that got me thinking about the antiquated mechanisms we have for identity security.
Social security numbers are simple nine-digit codes with no temporal or biometric security. By "temporal" I mean that the code never changes, so once it's stolen, it's stolen for good. By "biometric" I mean that the government does not maintain a photo, fingerprints, or any other identifying information along with the number, making it impossible to validate whether it is being used by the right person. And yet Social Security numbers, brought into existence in the 1930s and turned into a de facto national identification number in the 1970s, are the most widely used identification system in the country, particularly in financial transactions.
Using a mother's maiden name as a secret password is even worse. That information is now often publicly available, or discoverable with a minimum amount of effort. A lot of women have their maiden name visible on Facebook, so they can be found by their high school classmates. Moreover, a lot of women these days don't even change their names when they get married.
Your signature? Not only is it slightly different every time you sign it, but most of the time no one even bothers to verify it. It takes a minimum amount of effort or education to forge a signature, but only an experienced expert can detect a forgery. It should be the other way around: forgeries should be difficult to perform and easy to spot.
Credit card numbers aren't much better. They're sixteen-digit codes that any unscrupulous sales clerk or Internet retailer could steal. There's the 3-digit verification code on the back, but that is also easily stolen. Thankfully credit card companies have processes for dealing with stolen numbers (numbers can be quickly invalidated and new cards can be issued, and the cardholder is not responsible for fraudulent purchases), but you'd think that they'd be motivated to come up with a better solution.
We live in an age of ubiquitous technology and advanced research into security and cryptography, so why can't we solve these problems? We already have systems like PGP for cryptographically secure signatures; we just need to incorporate these things into our everyday lives. For example, you could have a device (or iPhone app, even) that generates an electronic signature for you, coded to the particular document you're signing and the time and date. That signature could be electronically validated against an ultra-secure government database that holds the private encryption keys. The device would be tamper-resistant and could also incorporate a PIN for some protection against physical theft.
If you lose the device, the worry is that someone could hack it and use it to generate forged electronic signatures on your behalf. To counter that, each past signature generated would be stored in a database, so someone couldn't revise history and claim you signed something that you didn't. Also, you'd need a secure way of changing your key. It might involve going into a government office and having them validate your identity biometrically (using fingerprints, photos, and retinal scans); or, allowing a set of trusted friends to simultaneously log in to validate you; or, using a backup device that you lock away in your house or safety deposit box.
What if the government database got hacked? Well, it would be a fairly simple matter for the government to reissue any compromised keys; it'd just require the user to synchronize their device and download a new key. (This should be a very rare occurrence, and users would have to be educated on not falling for phishing attacks that try to get them to download a bogus key.) The past-signature database would not be of much value as far as identity theft, but it would need to be backed up and protected from having fraudulent entries added to it. I'd probably suggest that the database be decentralized so that one breach wouldn't affect every person in the country. And, the people overseeing and maintaining the database systems should get national security clearance.
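A sketch of the two mechanisms proposed above, a signature coded to the document and the time, and a past-signature database that resists revised history and fraudulent entries; it is an added example, not code from the original post. HMAC-SHA256 stands in for the signature because it needs only the standard library and fits the post's design in which the database holds the key, whereas a public-key scheme would let the database verify with a public key alone. The function names, the `SignatureLog` class, the key and the documents are all constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first log entry

def sign(device_key: bytes, document: bytes, timestamp: str) -> str:
    """Tag bound to this exact document and signing time (HMAC stand-in)."""
    doc_hash = hashlib.sha256(document).hexdigest()
    msg = f"{doc_hash}|{timestamp}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def verify(device_key: bytes, document: bytes, timestamp: str, tag: str) -> bool:
    return hmac.compare_digest(sign(device_key, document, timestamp), tag)

def entry_hash(prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()

class SignatureLog:
    """Past-signature log in which every entry commits to the one before it."""
    def __init__(self):
        self.entries = []  # list of (record, chain_hash)

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, signer: str, document: bytes, timestamp: str, tag: str) -> str:
        record = {"signer": signer, "time": timestamp, "tag": tag,
                  "doc": hashlib.sha256(document).hexdigest()}
        self.entries.append((record, entry_hash(self.head(), record)))
        return self.head()  # the signer keeps this value as a receipt

    def audit(self, trusted_head: str) -> bool:
        """True only if no entry was edited, removed or added since trusted_head."""
        prev = GENESIS
        for record, chain_hash in self.entries:
            if entry_hash(prev, record) != chain_hash:
                return False
            prev = chain_hash
        return prev == trusted_head

if __name__ == "__main__":
    key, ts = b"constructed-device-key", "2012-02-05T15:46:00Z"  # constructed values
    log = SignatureLog()
    receipt = log.append("amy", b"lease v1", ts, sign(key, b"lease v1", ts))
    log.entries[0][0]["time"] = "2011-01-01T00:00:00Z"  # revise history
    print(verify(key, b"lease v2", ts, log.entries[0][0]["tag"]), log.audit(receipt))
```

The receipt returned by `append` has to be kept somewhere the database operator cannot rewrite, otherwise a fully recomputed chain would pass the audit.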
I'm sure there are holes in this approach and that a clever hacker, over time, would find those holes. But this would still be a massive upgrade over our current system, which involves having our social security number stored in hundreds of insecure databases and printed on hundreds of pieces of paper, practically begging to be stolen. If we took all the money we currently spend chasing identity theft and credit fraud and poured it into this system, I'd bet we'd be able to implement it with money to spare.
Now, someone go do it.
Posted by Ken in: commentary, techwatch