Point/Counterpoint: Personal Information Fraud

Point: Marcus Ranum / Counterpoint: Bruce Schneier

Like most of you that read this, I’m pretty tuned in to computer security news. Between the constant litany of “twenty million home addresses and Social Security numbers lost on laptop” and the letter I got from the Veterans Administration last month, I thought it was time to do some math. By totaling up all of the recent reports of exposed personal information, I have calculated scientifically that there are 15 Americans whose information has not yet been exposed. I wonder who they are.

More to the point, I wonder why we're still trying to do things the same old way, when the same old way is obviously not working very well. Security practitioners will tell you “passwords are bad technique” until we're purple in the face, but the financial and medical industry and the government have decided to rely on 9-digit passwords (your SSN) and 16-digit passwords (your credit card number) as the master-keys for virtually everything. What we're seeing is abundant proof of the stupidity of that idea. There’s an easy fix, of course: just publish it all.

The single best way to bring about change in this aspect of the system is to remove the value of that particular piece of information by giving it up. Remember, for all intents and purposes, it already has been given up. In order to improve the situation, we need to get past the denial. Want to see it get fixed really fast? Let's publish it all!

What are some realistic options? Well, it’d be pretty simple for credit card companies to improve their identity verification before they extend credit. They would have to, because otherwise they’d lose a ton of money. Maybe we’d start to see things like change-of-address requiring proof of address, or E-commerce sites that only ship to an address on file. The last time my credit card number was stolen (online) an upscale designer website cheerfully shipped $4,000 worth of watches and shoes to a Mr. Asd Jkf in Toronto, Canada. That’s absurd!

Now, how difficult would it be for me to go load up my shopping cart at a site and, if the shipping address is other than my billing address, send me over to some site where I can “unlock” the transaction with my payment company? That’s pretty much how buying stuff on eBay works, today; with PayPal, it’s not that inconvenient. It's certainly less inconvenient than having your credit card stolen.

The current situation regarding personal information mirrors the state of computer security as a whole. For the last decade or so, everyone has let their guard down, and gotten sloppy and stupid in the face of all the new whizz-bang connectivity. Rather than building a decent infrastructure, and thinking about how to address the problem systematically, business and government have stuck their head firmly in the sand and kept trying to patch up the status quo over, and over, until it’s just a mass of duct tape, spit, and baling wire.

How about a simple fix? Why can’t my Visa card service include a list of 100 30-digit numbers, generated randomly, with each statement? Send them to my registered address and let me use those numbers as one-time codes to authenticate transactions like changing my registered address, or unlocking charges where the card is not present and there's a shipping address other than mine?

The most obvious answers of all involve two-factor authentication and authorization management. You know, two simple ideas from the dawn of computer security? Identifying people using something you know plus something you have obsoletes phishing scams, and allowing the user to make a simple decision such as “make me come to my branch office in person in order to change my billing address” or “I will not apply for credit by mail.”

Worrying about protecting personal information is locking the barn door after the horse has left the county. The problem is that we shouldn’t be relying on trivial personal information as an authentication token to begin with. There are plenty of pieces of personal information that are worth protecting, but my mother’s maiden name is not one of them!