
June 21, 2005

Credit Card Theft, National IDs, and Strong Authentication

The NYT has this on credit cards being openly traded on the web.

It's not news to me, at least. (See this and this for examples of how easy it is to do, and this was a year ago.) The information is not hard to get, and some sites out there show you how to "social engineer" the information out of merchants and people. This doesn't include things like Citibank getting their tapes stolen, the Mastercard theft, and others.

The problem is that credit cards are easy to use by people who are not the holder of the card. Ultimately, identity theft is also easy for the same reason. The privacy crowd crows that we don't want to have a national ID card, but the problem is, we already have one.

You need this ID to set up a bank account, get a job, get credit, go to the doctor, and do a variety of mundane tasks. The ID is your social security number, and with that number you basically own the identity of the person.

The problem with both social security numbers and credit card numbers is that neither requires strong authentication before it is used. Credit cards, for instance, use things like zip codes, the security number on the back, or your mother's maiden name to verify the information. The problem is, all of that is public information or already on the card itself.

Strong authentication, or more appropriately two-factor authentication, takes two things to authenticate you: something you have and something you know. The reason it takes both is that it is easy to steal things, but hard to steal knowledge. One can lift a wallet easily enough, or use the various technological means out there to pilfer a credit card number. If it also requires something that only you know, then having the number alone is useless. When that something you know is information like a zip code that others can easily learn, the second factor becomes useless (or a lot less useful for security purposes, at least).

The credit card industry needs to find something else (and I'll have a paper on the topic shortly), and we either need to ditch social security numbers as a national ID, or come up with something better.

Posted by John Bambenek at June 21, 2005 12:52 PM
