On March 30th, 2012 (or sometime close to then,
nobody knows the exact date), a server breach occurred within the Utah Department of Health. It was reported that personal
information for 25,000 people was exposed, including names, addresses, birth
dates, and social security numbers.
This figure was later increased to over 250,000 people. If you follow this sort of news at all,
you’ll know that this is just one in a long string of similar breaches. It happens to all sorts of organizations,
public and private, government and corporate.
These data breaches are a serious problem. This information is all that is needed to
open financial accounts, such as credit cards.
When this happens, a person’s credit record can be destroyed. Fixing the problem can take years or
decades. Some people never recover. There is very little recourse for a person
claiming that an account was opened without their knowledge or consent. The Utah Department of Health is offering a
year’s worth of free credit monitoring to all affected individuals to limit the
damage, which is better than nothing, but not much.
Organizations that treat this type of data carelessly need
to be held accountable. We need to
highlight these cases in the media, and discover who was negligent, and
why. Lessons need to be learned, and
civil and criminal charges need to be issued where appropriate.
And yet…
At the end of the day, this type of breach is not the real
problem. It’s just a symptom. The real issue is that
we allow people to be held accountable for accounts opened using nothing
more than their name, address, birth date and Social Security number. While all of this information may be tricky
to assemble, none of it is actually secret.
All of it is in the public domain, somewhere. Before all records were computerized, the
cost of pulling together a comprehensive data profile for somebody was
considerable, and often required the services of a private investigator, who
would physically visit town halls and other archives. It’s only a matter of time before all this
data is available freely on the Internet, with automated data agents able to pull it together with no human involvement.
What happens then?
There are some areas of security, such as choosing better
passwords, that are relatively easy to address.
But before you can validate somebody’s access, you first need to
identify that person, and then bind that identity to something only they can produce. How do you do so,
in a way that only one person in the entire world can successfully pass the
test?
It used to be that most transactions and account
applications were done face to face. In
a small town, the people involved had probably known each other all their
lives. Therefore, identity was a combination
of hair color, facial and body structure, accent and speech patterns, and
thousands of other minor factors. While
it was possible to engage in fraud by mimicking another person, it wasn’t common, and carried a high degree of risk for
the perpetrator. It's too easy to be caught when you have to show up in person.
As the economy grew and national (and then global) banks and
stores took over, the system of personal recognition broke down.
We evolved a new system, which is based on security
through obscurity. A bank would ask all sorts of questions that were difficult for another person to know. It would then spend time and effort to validate that this data was correct. It was certainly easier to commit fraud than it had been when everybody knew everybody else, but was still
enough of a challenge that losses were manageable.
We are now approaching the tipping point, when information
will flow so freely that we will need to develop a completely new approach
to identifying people. How
can we achieve this?
There are generally three ways to identify somebody:
- Something you know
- Something you have
- Something you are
Our current system is based on something you know. People know their
own Social Security numbers, addresses, mother’s maiden names, and so
forth. If we’re going to keep this
solution, then we need to ensure that people know something that is not, and never will be, public knowledge. In short, everybody will need a “secret” Social Security Number, or other identifying
text string, which would be issued when they are born.
Their parents would store it in a secret place, and have them
commit it to memory as soon as they were old enough.
I doubt this will work.
In order to effectively validate this secret, somebody else will need to
look it up, or at least hold enough to check it against. Even if you use a
fully encrypted process, sooner or later, the secret is going to get out, and
we’ll be right back to Social Security numbers.
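The lookup step above does not have to mean storing the secret itself. The standard engineering answer, for both a "secret SSN" and an ordinary password, is to store a salted one-way verifier and to pair the knowledge factor with a possession factor whose codes expire. The following is an added example (not code from the original post) that does both: it derives a PBKDF2-HMAC-SHA256 verifier for the knowledge factor, and implements the RFC 4226/6238 HOTP/TOTP algorithm that hardware and phone tokens use for the possession factor. The function names, the sample secret and the token key are all constructed for illustration; the token key is the RFC 6238 test key, so its codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Something you know: store a one-way verifier, never the secret ---

def make_verifier(secret: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 verifier from a secret.

    The returned record is what the verifying party stores. The secret
    itself is never written down, so a copy of the record does not hand
    an attacker the secret (they still have to guess it offline).
    """
    if salt is None:
        salt = os.urandom(16)            # per-record salt defeats shared rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def check_secret(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

# --- Something you have: a time-based one-time code (RFC 4226 / RFC 6238) ---

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the current 30-second step."""
    return hotp(key, unix_time // step, digits)

def verify_totp(key: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, current + drift), code):
            return True
    return False

def authenticate(record: dict, token_key: bytes, secret: str,
                 code: str, unix_time: int) -> bool:
    """Both factors must pass; a leaked verifier alone is not enough."""
    return check_secret(record, secret) and verify_totp(token_key, code, unix_time)

if __name__ == "__main__":
    # Constructed sample: a user's "secret" and a token key shared at enrolment.
    record = make_verifier("correct horse battery staple")
    token_key = b"12345678901234567890"          # RFC 6238 test key
    now = int(time.time())
    print("current code:", totp(token_key, now))
    print("login ok:", authenticate(record, token_key,
                                    "correct horse battery staple",
                                    totp(token_key, now), now))
```

The verifier record changes the breach outcome from "attacker now knows the secret" to "attacker now has something to brute-force", which is the most a knowledge factor can offer; it does nothing about the secret being typed into a convincing fake form, which is the author's deeper point. The drift window should stay small (one step either side) and each code should be accepted only once, or the "one-time" property is lost.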
Something you have is generally some type of possession
which can be uniquely identified, such as an RSA token. Unfortunately, tokens are easily lost –
people will constantly be having to ask for new ones. And if the token is the principal way of
identifying somebody, how do you figure out that the right person is asking for
the replacement token? The recovery path becomes the weakest link.
Something you are represents physical characteristics, such as
fingerprints, retina patterns, or bone structure. Since we’ve ruled out something you have and something you know,
we’re probably going to have to go with this one. And yet, this is a very tricky and
problematic option. The first solution
that everybody immediately thinks of is fingerprints. They are unique to a person, and have
solved countless crimes committed by criminals who fail to take the basic
precaution of wearing gloves. It’s easy
to find their fingerprints covering everything they touched.
That’s the problem with fingerprints.
We leave them everywhere.
Finding somebody’s fingerprints is a trivial exercise – just pick up any
object they’ve handled. And once you
have their prints, they’re pretty easy to replicate. All you need is a pair of extremely thin latex
gloves molded with another person’s prints, and voila! You are now that person.
Retina patterns are a little better, but still
problematic. With today’s technology,
you don’t leave your retina patterns lying around everywhere. (Strictly speaking, what a camera sees from a distance is the iris, the coloured ring around the pupil; a true retinal scan images the blood vessels at the back of the eye and needs a cooperative subject up close. The argument below applies to both.) But what about with tomorrow’s
technology? How long before a high
quality camera can take a picture of somebody from 5 or 10 feet away, and see
enough detail to capture all the necessary details in their eyes? Heck, all you need to do is to put your own
camera onto something that looks like an ATM, and ask them to have a retina
scan to make a deposit. (This is already done for skimming a person's ATM card.) What you do with
that information is a trickier challenge, but it doesn’t seem impossible for
somebody to invent a set of contact lenses in the near future that can match
another person’s eye patterns. And
once that happens, here’s the real problem with retinal patterns and fingerprints
– you can’t change them. Unlike a password, a compromised biometric cannot be revoked and reissued. You’re
stuck for life, so as soon as anybody figures out what yours are and invents
the technology to duplicate them, you’ve now lost your identity permanently.
DNA scanning is possible, I suppose. But frankly, I simply don’t want to spend much
of my time envisioning a world where you’re asked to spit into the handy receptacle
to prove your identity every time you wish to make a purchase. So we’ll leave it at that.
That leaves facial and body recognition. This seems to have some promise. Unlike humans recognizing faces, computers
are not easily fooled by wigs or extra glasses.
Facial recognition software works by looking for structural features
such as the contours of the eye sockets, shape of the cheek bones, and length
of the jaw line. Weaknesses in
facial recognition systems tend to result from poor lighting or bad angles,
which can be reduced or eliminated when the subject wishes to be identified to
complete a transaction. Add measurements
of bone structures to the mix just for safety, and you’ve probably got a fairly
robust system.
But remember, the purpose is to identify somebody, not just
validate them. Which means that every
time you want to really demonstrate your identity, you need to be measured – we
don’t want people simply showing a photograph to fool facial recognition
software. (In the trade this check is called liveness detection, and it is where most such systems get beaten.) Which means that first of all,
your measurements have to be recorded in a secure, encrypted database somewhere
– probably initially when you are born, and then updated every year until you
reach maturity. Then, to demonstrate
you are the same person who belongs to these measurements, you need to subject
yourself to detailed scanning that can confirm that you are a real live person
who has facial and body features that match those on record. Only then can anybody safely assume that you
are who you say you are.
Of course, this doesn’t prevent identity theft, it just
brings it down to a manageable level.
You still have the problem of an impostor taking your turn when you go
to be measured. Or a hacker breaking
into the database to update the records recording who you are. And of course, you’re always in danger from
your evil identical twin.
In the meantime, call up the Utah Department of Health and
give them an earful about losing their data. We may never be able to go back to the days when our personal information was relatively obscure and private. But I miss them already.