Social Security, credit card and bank account numbers are just identifiers--names--without which you wouldn't know where to send the bill. Perversely, we treat these names like passwords. We make the very ill-advised assumption that anyone who knows one of these identifiers must be the person it identifies. Unlike passwords, they were never secret: they are printed on cards, statements and receipts and handed to every party in a transaction, so of course they get stolen.
Credit card issuers keep adding little information tags to the cards to make them more difficult to abuse, but these are just variations on a flawed theme. A decade ago, anybody could download a simple application to generate bogus credit card numbers that passed the issuers' checksum and could be used to rack up charges to nonexistent accounts. Once that was foiled, criminals started stealing real card numbers instead of making them from scratch. The counter to that was requiring the expiration date as well, and when waiters started pilfering that off the magnetic stripe, a three-digit code that is printed on the back of the card but not encoded on the stripe was added. Each tag buys a little time until thieves start copying it too. The core flaw remains unchanged: if the information needed to verify a transaction is the same information used to initiate one, then that information will always have to travel in the clear, and whatever travels in the clear will always be a target for theft. The credit card system is a dike with more holes every day, and the Payment Card Industry Data Security Standard only provides a limited number of fingers. It's a losing battle.
However, identity theft is not just about stealing existing credit card numbers; it's also about creating new credit accounts in someone else's name, or gaining unauthorized access to someone's bank accounts. The growing number of large-scale thefts of personal information makes it clear that cybercriminals have a huge incentive to overcome whatever data protection mechanisms we put into place.
Do we really want to force more and more innocent people into defending themselves from aggressive bill collectors? If not, we're going to have to adopt multiple new layers of defense. If account numbers are exploitable because we treat them like secrets, then we can use asymmetric cryptography instead: the cardholder signs each purchase authorization with a private key that never leaves his possession, and the issuer verifies that signature with the matching public key, so the merchant and the network never need to see an identifier that could be reused (such mechanisms are especially needed for Internet transactions). Processes and laws will also need to change. If credit is being inappropriately granted on the basis of weak personal ID, then we need stronger standards for personal identification. Is it just a coincidence that the countries where consumers wait longer for credit approval have lower rates of credit fraud? U.S. and U.K. regulations put the burden on individuals to prove they didn't borrow money, instead of forcing lenders to prove that they did. This gives credit issuers an economic motivation to make bad loans.
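The contrast the column draws, between an identifier that both initiates and verifies a transaction and a signed authorization that does neither job twice, is easy to show in code. The following Go program is an added illustration written for this page, not anything from the column or from any card network. It assumes Ed25519 signatures (the column names no particular algorithm), a one-time nonce tracked by the issuer to stop replays, and constructed card data and merchant names; none of those details are from the original text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// cardRecord is what an issuer keeps on file today and what the cardholder
// hands to every merchant. The values used below are constructed sample data.
type cardRecord struct{ PAN, Expiry, CVV string }

// authorizeByIdentifier models the current scheme: the data that initiates a
// transaction is the data that verifies it, so anyone who has observed one
// transaction (a waiter, a skimmer, a breached merchant) can start another.
func authorizeByIdentifier(onFile, presented cardRecord) bool {
	return onFile == presented
}

// Authorization replaces the card data with a signed statement binding this
// merchant, this amount and a one-time nonce. The signing key stays with
// the cardholder; nothing in this struct can be reused to buy something else.
type Authorization struct {
	Merchant string
	Amount   uint64 // minor units, e.g. cents
	Nonce    [16]byte
	Sig      []byte
}

// payload is the byte string that is signed and verified. The merchant name
// is length-prefixed so no two field combinations share an encoding.
func (a Authorization) payload() []byte {
	var hdr [2 + 8]byte
	binary.BigEndian.PutUint16(hdr[:2], uint16(len(a.Merchant)))
	binary.BigEndian.PutUint64(hdr[2:], a.Amount)
	msg := append(hdr[:], a.Merchant...)
	return append(msg, a.Nonce[:]...)
}

// Cardholder holds the private half of the key pair (assumed Ed25519).
type Cardholder struct{ priv ed25519.PrivateKey }

// Enroll generates the pair; the issuer receives only the public key.
func Enroll() (Cardholder, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Cardholder{}, nil, err
	}
	return Cardholder{priv: priv}, pub, nil
}

// Authorize signs a fresh authorization for exactly one purchase.
func (c Cardholder) Authorize(merchant string, amount uint64) (Authorization, error) {
	a := Authorization{Merchant: merchant, Amount: amount}
	if _, err := rand.Read(a.Nonce[:]); err != nil {
		return Authorization{}, err
	}
	a.Sig = ed25519.Sign(c.priv, a.payload())
	return a, nil
}

// Issuer stores the public key and the nonces it has already honoured.
// A thief who steals this store still cannot initiate a purchase.
type Issuer struct {
	pub  ed25519.PublicKey
	seen map[[16]byte]bool
}

func NewIssuer(pub ed25519.PublicKey) *Issuer {
	return &Issuer{pub: pub, seen: make(map[[16]byte]bool)}
}

var (
	ErrBadSignature = errors.New("authorization not signed by the cardholder's key")
	ErrReplay       = errors.New("authorization already honoured")
)

// Verify accepts an authorization once, and only if the cardholder signed
// exactly these fields. Tampering fails the signature; resubmission fails
// the nonce check.
func (i *Issuer) Verify(a Authorization) error {
	if !ed25519.Verify(i.pub, a.payload(), a.Sig) {
		return ErrBadSignature
	}
	if i.seen[a.Nonce] {
		return ErrReplay
	}
	i.seen[a.Nonce] = true
	return nil
}

// Scenario collects the outcomes of one run so they can be inspected.
type Scenario struct {
	IdentifierReplayAccepted    bool  // copied card data works again
	Legit, Replay, Tamper, Forge error // signed-authorization outcomes
}

// RunScenario plays a waiter who copies everything he sees against both
// schemes. Card data and merchant names are constructed for the example.
func RunScenario() (Scenario, error) {
	var s Scenario
	onFile := cardRecord{PAN: "4111111111111111", Expiry: "12/27", CVV: "123"}
	copiedByWaiter := onFile // presented once, copied once, good forever
	s.IdentifierReplayAccepted = authorizeByIdentifier(onFile, copiedByWaiter)

	holder, pub, err := Enroll()
	if err != nil {
		return s, err
	}
	issuer := NewIssuer(pub)
	auth, err := holder.Authorize("restaurant", 4500) // $45.00
	if err != nil {
		return s, err
	}
	s.Legit = issuer.Verify(auth)  // the genuine purchase
	s.Replay = issuer.Verify(auth) // waiter resubmits what he saw
	bigger := auth                 // waiter raises the amount, keeps the signature
	bigger.Amount = 450000
	s.Tamper = issuer.Verify(bigger)
	thief, _, err := Enroll() // waiter signs a new request with his own key
	if err != nil {
		return s, err
	}
	forged, err := thief.Authorize("restaurant", 4500)
	if err != nil {
		return s, err
	}
	s.Forge = issuer.Verify(forged)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

In the first scheme the copied record is indistinguishable from the original, which is the column's point about verification data being initiation data. In the second, everything the waiter observes (merchant, amount, nonce, signature) is either worthless after one use or cryptographically bound to values he cannot change, and the only secret, the private key, was never sent anywhere.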
Strengthening data protection laws and payment card security standards are Band-Aids that don't address the core problems: poor authentication, primitive transaction validation protocols and perverse economic incentives. It's clear that posturing politicians and corporate executives are not going to solve the information security problem of cyber wizards stealing and abusing our "good names." Maybe it's time for security professionals to step up and show 'em how it's done.
Jay Heiser is a London-based research vice president at Gartner. He also writes a regular column for Information Security magazine. Send comments on this column to [email protected].