T. Kenji Sugahara wrote:

> Brian: ID theft is a big issue for me, and I think the state has to
> take an active role in preventing it by increasing penalties for it
> and making it more difficult for thieves to obtain the information
> necessary to undertake their crimes.

That is a losing battle. You will never succeed in stopping identity theft that way. The core problem in ID theft is confusion between identifiers and authenticators:

* Identifiers: a unique encoding of your "name", specifying who you are. "John Smith" is not unique, but "John Smith, born on July 12, 1966, Seattle WA" nearly is. Social security numbers are unique identifiers, as are zip+4 codes, and IPv6 addresses.
* Authenticators: proof that you are who you say you are, e.g. secret passwords, biometrics (if done well :) etc.

ID theft works because a very large number of organizations (banks, credit bureaus, etc.) treat Social Security numbers as authenticators instead of identifiers. "Hello, I'd like to renew my driver's license. Here's my name, DOB, address, and social security number." Poof: driver's license, and from there you can do all manner of evil ID theft things.

An obvious solution to ID theft is to implement national strong authenticators. But that is rife with problems: civil liberties issues, the fact that it is technically infeasible to do it right, etc. just ensure that it will reproduce the ID theft problem in a different form.

What WILL work to prevent ID is legislation that prohibits banks & credit bureaus from using pathetically weak authenticators. Dr. Crispy's proposed law to largely eliminate ID theft:

* No financial institution or government agency may use a social security number, any attribute that is a matter of public record, or any attribute that is easily obtainable about another person (such as DOB, address, or mother's maiden name) as an authenticator. Authenticators must be *secret*, known only to the person and to the issuing organization at the time of issue.

That will do the trick. Sadly, I don't think the State has the jurisdiction to implement such a law; it'll probably have to be Federal. It will also likely be a long time coming, because while it will save the hapless victims of ID theft vast fortunes, it will cost the financial institutions big $, and their lobbyists will prevent any such thing from happening.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 19:12:11 PDT