Monday, April 16, 2012

Who are you?

On March 30th, 2012 (or sometime close to then, nobody knows the exact date), a server breach occurred within the Utah Department of Health.  It was reported that personal information for 25,000 people was exposed, including names, addresses, birth dates, and social security numbers.  This figure was later increased to over 250,000 people.  If you follow this sort of news at all, you’ll know that this is just one in a long string of similar breaches.  It happens to all sorts of organizations, public and private, government and corporate.

These data breaches are a serious problem.  This information is all that is needed to open financial accounts, such as credit cards.  When this happens, a person’s credit record can be destroyed.  Fixing the problem can take years or decades.  Some people never recover.  There is very little recourse for a person claiming that an account was opened without their knowledge or consent.  The Utah Department of Health is offering a year’s worth of free credit monitoring to all affected individuals to limit the damage, which is better than nothing, but not much.

Organizations that treat this type of data carelessly need to be held accountable.  We need to highlight these cases in the media, and discover who was negligent, and why.  Lessons need to be learned, and civil and criminal charges need to be issued where appropriate.

And yet…

At the end of the day, this type of breach is not the real problem.  It’s just a symptom.  The real issue is that we allow to people to be held accountable for accounts opened using nothing more than their name, address, birth date and social security number.  While all of this information may be tricky to assemble, none of it is actually secret.  All of it is in the public domain, somewhere.  Before all records were computerized, the cost of pulling together a comprehensive data profile for somebody was considerable, and often required the services of a private investigator, who would physically visit town halls and other archives.  It’s only a matter of time before all this data is available freely on the Internet, with automated data agents able to pull it together with no human involvement.

What happens then?

There are some areas of security, such as choosing better passwords, that are relatively easy to address.  But before you can validate somebody’s access, you first need to identify that person.  How do you do so, in a way that only one person in the entire world can successfully pass the test?

It used to be that most transactions and account applications were done face to face.  In a small town, the people involved had probably known each other all their lives.  Therefore, identity was a combination of hair color, facial and body structure, accent and speech patterns, and thousands of other minor factors.  While it was possible to engage in fraud by mimicking another person, it wasn’t common, and carried a high degree of risk for the perpetrator.  It's too easy to be caught when you have to show up in person.

As the economy grew and national (and then global) banks and stores took over, the system of personal recognition broke down.  We evolved a new system, which is based on security through obscurity.  A bank would ask all sorts of questions that were difficult for another person to know.  It would then spend time and effort to validate that this data was correct.  It was certainly easier to commit fraud than it had been when everybody knew everybody else, but was still enough of a challenge that losses were manageable.

We are now approaching the tipping point, when information will flow so freely that we will need to develop a completely new approach to identifying people.  How can we achieve this?

There are generally three ways to identify somebody:
  • Something you know
  • Something you have
  • Something you are
Our current system is based on something you know.  People know their own Social Security numbers, addresses, mother’s maiden names, and so forth.  If we’re going to keep this solution, then we need to ensure that people know something that is not, and never will be, public knowledge.  In short, everybody will need a “secret” Social Security Number, or other identifying text string, which would be issued when they are born.  Their parents would store it in a secret place, and have them commit it to memory as soon as they were old enough.

I doubt this will work.  In order to effectively validate this secret, somebody else will need to look it up.  Even if you use a fully encrypted process, sooner or later, the secret is going to get out, and we’ll be right back to Social Security numbers.

Something you have is generally some type of possession which can be uniquely identified, such as an RSA token.  Unfortunately, tokens are easily lost – people will constantly be having to ask for new ones.  And if the token is the principle way of identifying somebody, how do you figure out that the right person is asking for the replacement token?

Something you are represents physical characteristics, such as finger prints, retina patterns, or bone structure.  Since we’ve ruled out something you have and something you know, we’re probably going to have to go with this one.  And yet, this is a very tricky and problematic option.  The first solution that everybody immediately thinks of are finger prints.  They are unique to a person, and have successfully solved countless crimes by criminals who fail to take the basic precaution of wearing gloves.  It’s easy to find their fingerprints covering everything they touched.

That’s the problem with fingerprints.

We leave them everywhere.  Finding somebody’s fingerprints is a trivial exercise – just pick up any object they’ve handled.  And once you have their prints, they’re pretty easy to replicate.  All you need is a pair of extremely thin latex gloves, encoded with another person’s prints, and voila!  You are now that person.

Retina patterns are a little better, but still problematic.  With today’s technology, you don’t leave your retina patterns lying around everywhere.  But what about with tomorrow’s technology?  How long before a high quality camera can take a picture of somebody from 5 or 10 feet away, and see enough detail to capture all the necessary details in their eyes?  Heck, all you need to do is to put your own camera onto something that looks like an ATM, and ask them to have a retina scan to make a deposit.  (This is already done for skimming a person's ATM card.)  What you do with that information is a trickier challenge, but it doesn’t seem impossible for somebody to invent a set of contact lenses in the near future that can match another person’s retinal patterns.  And once that happens, here’s the real problem with retinal patterns and finger prints – you can’t change them.  You’re stuck for life, so as soon as anybody figures out what yours are and invents the technology to duplicate them, you’ve now lost your identity permanently.

DNA scanning is possible, I suppose.  But frankly, I simply don’t want to spend much of my time time envisioning a world where you’re asked to spit into the handy receptacle to prove your identity every time you wish to make a purchase.  So we’ll leave it at that.

That leaves facial and body recognition.  This seems to have some promise.  Unlike when humans recognize faces, computers are not fooled by wigs or extra glasses.  Facial recognition software works by looking for structural features such as the contours of the eye sockets, shape of the cheek bones, and length of the jaw line.  Weaknesses in the facial recognition systems tend to result from poor lighting or bad angles, which can be reduced or eliminated when the subject wishes to be identified to complete a transaction.  Add measurements of bone structures to the mix just for safety, and you’ve probably got a fairly robust system.
But remember, the purpose is to identify somebody, not just validate them.  Which means that every time you want to really demonstrate your identity, you need to be measured – we don’t want people simply showing a photograph to fool facial recognition software.  Which means that first of all, your measurements have to be recorded in a secure, encrypted database somewhere – probably initially when you are born, and then updated every year until you reach maturity.    Then, to demonstrate you are the same person who belongs to these measurements, you need to subject yourself to detailed scanning that can confirm that you are a real live person who has facial and body features that match those on record.  Only then can anybody safely assume that you are who you say you are.

Of course, this doesn’t prevent identity theft, it just brings it down to a manageable level.  You still have the problem of an impostor taking your turn when you go to be measured.  Or a hacker breaking into the database to update the records recording who you are.  And of course, you’re always in danger from your evil identical twin.

In the meantime, call up the Utah Department of Health and give them an earful about losing their data.  We may never be able to go back to the days when are personal information was relatively obscure and private.  But I miss them already.

No comments:

Post a Comment