Monday, April 26, 2004

Identity Theft

I think we can all agree that passwords are a painfully awkward technology. And today the whole password process is getting worse and worse because so many services and sites are requiring passwords. Personally I have over 100 accounts that I manage, and chances are that you have just as many yourself. We have passwords for bank accounts and ATM cards. We have passwords for e-commerce sites like Amazon, eBay and PayPal. We have accounts to read content on places like the NY Times, LA Times and Chicago Tribune. And so on. All these accounts and passwords add up quickly.

Given the importance of passwords to financial and national security, this article is humorous:

Passwords revealed by sweet deal

The subtitle is: "More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found." 70% is a lot of people.

The poor security of passwords helps to explain why identity theft is becoming so prevalent. Most banks (where the serious financial identity theft occurs) rely on pseudo-passwords. A bank will authenticate you with publicly available information like your mother's maiden name, the last four digits of your SSN or even your birthdate.

Because of the use of pseudo-passwords, identity theft has become a gigantic problem. If you type the term "identity theft" into Google you get 1.3 million hits. The FTC notes that 27 million people have been hit by identity theft in the last five years, and "People whose identities have been stolen can spend months or years - and their hard-earned money - cleaning up the mess thieves have made of their good name and credit record. In the meantime, victims may lose job opportunities, be refused loans, education, housing or cars, or even get arrested for crimes they didn't commit." All because of poor security.

The easiest way to eliminate the problem with pseudo-passwords is to eliminate pseudo-passwords themselves. We should simply publish a list on the Internet that contains everyone's name, birthday, SSN and mother's maiden name. This would force companies to authenticate people over the phone with a real password, and that would solve part of the current identity theft problem.

Ultimately, however, we need to have a universal, fool-proof way to authenticate identity that is easier and more secure than passwords. Is it fingerprints or iris scans? Is it DNA from a blood sample? These techniques could be implemented fairly easily in a physical location like an airport, but they don't work very well over the phone right now. What is the ultimate solution?

© Copyright 2003-2005 by Marshall Brain