Tuesday, December 07, 2004

Identity Theft

Following the thoughts of the previous post, it's obvious to me that identity theft isn't a problem of theft of identifying information.

We live in a world where information about me is not valid as an authenticator. If someone can buy my credit report, then all information contained in it is of ZERO value as an authenticator.

The problem with identity theft, IMHO, is that there are some companies who use information like that found in my credit report - information that a stranger can find out about me someplace on the Internet (or via private detectives, in the extreme) - and make the false assumption that if someone knows that information, that person must be me.

So far, that's just stupidity on that other entity's part. It becomes a problem for me if that other entity attempts to claim that I am financially responsible for their mistake.

IMHO, we can fix the identity theft problem by declaring that no entity (e.g., a merchant) can expect to fix responsibility on me unless that entity can prove that there is no way any imposter could have faked the authentication process. We must put the onus of proof where it belongs - on the merchant performing the stupid process - not on the victim. That done, there would be two effects, I predict:

1. identity theft would disappear

2. it would be nearly impossible to establish easy credit - with the result that the economy would slow down


Blogger bob blakley said...

Forbidding reliance on identity absent PROOF that no one can have impersonated the identity holder is certainly SUFFICIENT to prevent identity theft, but it goes a long way past NECESSARY. In fact, I claim it goes all the way to "impossible".

What do you think it would mean to "prove" that an "impostor" could not have faked the process by which "I" authenticated "myself" to blogger to post this response?

Even if one could define and then actually generate such a proof, however, I don't think that doing so would be the right response to the identity theft problem. What your proposal is trying to prevent is - by my definition - not identity theft but simple fraud. If I simply take your credit card number and use it to purchase goods, I haven't stolen your identity. If you cancel the credit card, I can't use it any more - so you're still in control.

I define "Identity theft" as the theft of a "breeder document" which enables ME to generate NEW identities which people attribute to you. If I learn your Social Security Number and your address (and maybe your mother's birthdate and maiden name, or some other such highly esoteric piece of information), then I can write off to EnormousGlobalBank and take out a NEW credit card in your name. And when you cancel that card (assuming you can), then I can do it AGAIN.

If you accept that this is the problem, I think there's an easier solution than one which relies on demonstrating a "proof" to a third party. It goes like this. Imagine that your Social Security card is the sole "breeder document" for accounts. Now imagine that you (and everyone else) are issued a new Social Security card - the actual physical card, not the number.

Imagine that this card has four new features. The first is an LCD window which can scroll text. The second is a "yes" button. The third is a "no" button. And the fourth is a vibrate mode.

Finally, imagine that EVERY TIME you try to open an account using your SSN, the institution trying to create the account sends out a signal. The signal causes your card to vibrate. When you take the card out of your pocket, the screen displays a message on its LCD screen saying "EnormousGlobalBank creating new VasterCard Account for you. OK?" If you believe that the account is being created because of some process you initiated, you press the "yes" button. Otherwise, you press the "no" button.

The key here is NOT authentication. It's awareness (creating the opportunity for the "real" "owner" of the "identity" to know what's being done on his behalf), and, most importantly, TIMELINESS. A big part of the identity theft problem comes from the fact that the average person checks her credit report every time she buys a house - i.e. not often enough to realize that something shady is going on and stop it before a lot of damage is done.

8:43 AM  
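As an added illustration (not code from the post or from either commenter), here is a toy model contrasting the knowledge-based gate the original post criticises with the confirmation card Bob describes above; the report contents, institution names and the `HolderCard`/`AccountOpener` classes are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed "facts about me": exactly what a purchased credit report would expose.
CREDIT_REPORT = {"ssn": "000-00-0000", "address": "1 Example St", "mother_maiden": "Doe"}

def kba_check(answers: dict) -> bool:
    """The empty ritual: knowing the report's facts is taken as proof of identity."""
    return all(answers.get(k) == v for k, v in CREDIT_REPORT.items())

@dataclass
class HolderCard:
    """The proposed card: LCD prompt plus yes/no buttons. The holder's policy answers
    a prompt with True (yes), False (no) or None (card left in the pocket)."""
    decide: Callable[[str], Optional[bool]]
    log: list = field(default_factory=list)  # every prompt the holder was shown

    def prompt(self, message: str) -> bool:
        answer = self.decide(message)
        self.log.append((message, answer))
        return answer is True  # "no" and silence both deny: fail closed

class AccountOpener:
    """Institution side: it must reach the card bound to the SSN, not just match facts."""
    def __init__(self) -> None:
        self.cards: Dict[str, HolderCard] = {}

    def bind_card(self, ssn: str, card: HolderCard) -> None:
        self.cards[ssn] = card

    def open_account(self, institution: str, product: str, answers: dict) -> bool:
        if not kba_check(answers):  # the old gate still runs first...
            return False
        card = self.cards.get(answers.get("ssn", ""))  # ...but the holder decides
        if card is None:
            return False  # no card bound: nobody can be made aware, so refuse
        return card.prompt(f"{institution} creating new {product} account for you. OK?")

def run_scenarios() -> dict:
    """Three attempts that all present the same report contents to the institution."""
    requested = "EnormousGlobalBank creating new VasterCard"  # what the holder asked for
    attentive = HolderCard(decide=lambda msg: msg.startswith(requested))
    absent = HolderCard(decide=lambda msg: None)  # card stays in the pocket, unread
    stolen = dict(CREDIT_REPORT)  # the imposter bought the report, so answers match
    opener = AccountOpener()
    opener.bind_card(CREDIT_REPORT["ssn"], attentive)
    results = {
        "kba_passes_for_imposter": kba_check(stolen),
        "holder_initiated": opener.open_account("EnormousGlobalBank", "VasterCard", stolen),
        "imposter_initiated": opener.open_account("OtherLender", "StoreCard", stolen),
        "prompts_seen_by_holder": len(attentive.log),
    }
    opener.bind_card(CREDIT_REPORT["ssn"], absent)
    results["holder_never_answers"] = opener.open_account("OtherLender", "StoreCard", stolen)
    return results
```

The imposter clears the knowledge check every time; only the prompt to the holder's own card separates the self-initiated request from the forged one, and an unanswered prompt is treated as a refusal.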
Blogger cme said...

Bob, I often agree with your observations, but here I think you're missing the point.

The "breeder document" you refer to is an authentication mechanism.

There are many kinds of authentication mechanism. You can have one that is inextricably linked to a person: genome map; iris pattern; ... You can have one that is impossible to spoof, provided the individual guards it very carefully: a private key. You can have a very high entropy password that has to be shared with the verifier, but otherwise could be as strong an authenticator as the public-key method. You can have a low entropy password - guessable by some entity with just a little work.

Or you can have a shared non-secret - like mother's maiden name or SSN - or some combination of those. This kind of authenticator is worse than useless.

I have a friend who tried to get a certificate from an online CA that quizzed people based on information in their credit bureau database. He flunked. He didn't remember those details. Someone who had purchased his credit report, however, would have succeeded.

What I object to is this use of a REALLY STUPID non-authenticator in the place of authentication and attempting to commit someone to financial responsibility based on such sloppy authentication. Any company that does that needs to be punished.

When I talk about proving that a given individual signed up for some account, I'm not talking about absolute mathematical proof. I'm talking about proof in a court of law against the testimony of someone like me as an expert witness.

For example, you could have the person who signed up leave a blood sample - for later DNA comparison if the account ownership is contested.

You could get less intrusive and have a high definition video tape of the individual signing the credit application and saying into the camera(s) that he accepts financial responsibility for the account. That would probably be proof enough.

What I want to completely rule out is the use of non-authenticators - your "breeder documents" - as this authenticator. Shared secrets between two parties are good - provided you can prove to a court's satisfaction that this really was a secret available only to the two parties. Any demonstration that a third party could have knowledge of that "secret" invalidates it as an authentication method.

5:10 AM  
Blogger cme said...

BTW, it's not fraud I'm combating here. The person who steals my identity and opens an account in my name is committing fraud, but the company or bank that allowed someone to do that based on a non-authenticator (like knowledge of a set of facts about me) is the really guilty party here. That company is inviting the fraud - making it trivial. It is the company's behavior that needs to be punished - in my scheme by making them financially responsible for any account they allowed to be opened in such a sloppy manner. The person who actually committed the fraud was entrapped by that company's stupidity. I don't excuse his behavior. I just believe he's much less guilty than the company.

5:30 AM  
Blogger bob blakley said...

Ah, Carl, I agree that we disagree (you know how much I love it when that happens!)

The breeder document, in my view, is not an authenticator.

The breeder document (let's say a birth certificate, or Social Security Card) in my view is the identity. More precisely, it is something akin to a database search key, and what it returns is the complete set of attributes which make up an identity.

The instant before you're born, you have no previous history and therefore no identity. At the moment of birth, you get an identity. You get some observed attributes (like fingerprints) - but many of these, including hair and eye color, may change - so they can't be the identity, and no description of you can be the identity either.

Society, knowing that you're going to need an identity later on, provides you with a reference to an identity, in the form of a birth certificate. It will be used to point to your identity in future transactions. It's a bearer document - the binding of the birth certificate to "you" isn't authenticated in any way whatsoever, though it does list some witnesses (e.g. your parents and maybe a doctor) to the event of your birth.

Later on you can use possession of the birth certificate to assert your identity, but I don't think this is really the same operation as authentication. It's just reference. You can mail a certified copy of your birth certificate and a current picture of yourself to the federal government and receive in return a passport. There is no authentication involved in this transaction (except that a notary validates your signature on the request form and the postal inspector may look to see if the picture looks like you).

Your friends don't need a birth certificate to remember your identity, because they spend a lot of time with you. But if your village gets bombed while you're away, and no one's left to remember you, society will take your birth certificate and the things it directly and indirectly points to (SSN, credit record, etc...) to be your identity.

Regarding there being no things, the Buddhists explain it this way. Take a wagon wheel. It consists of an axle bearing, some spokes, and a rim. There is nothing which is a "wheel" here - there are just parts, and the arrangement of the parts is a temporary phenomenon which will pass away. Similarly the rim itself is just a set of pieces of wood which have been bent in a particular way and laminated together. There is nothing which is a "rim" here - there are just parts, and the arrangement of the parts is a temporary phenomenon which will pass away. By this argument there are no "things" - there are just patterns which form and pass away.

Plato realized this and tried to argue it away with the notion of archetypes. But this didn't really work, because he couldn't make the categories distinct. Is a cube of wood 2 and a half feet high a "table", or a "chair", or both, or neither?

I agree, by the way, that we need neither things nor identities to build secure systems.

7:52 PM  
Blogger cme said...

Bob, I know that we enjoy disagreeing, but I don't think we have in this case.

I agree with you that an identity document, like a birth certificate, is NOT an authenticator. It's horrible for that. Here, you and I agree.

I also agree that it's used as a bearer instrument.

However, I don't believe that it was ever intended to be a bearer instrument or an authenticator. I suspect it was designed merely as an aid to the memories of the witnesses who were assumed, at the time, to be easily available. That is, in the days that I often refer to as Walton's Mountain, you were born, lived your whole life and died in one town, surrounded by witnesses who watched you grow and change. Those witnesses, who also knew your parents and knew of you from the time of your birth on, could testify (verbally, in court) as to your identity. The birth certificate (or record in a book in the local parish) served as an aid to the memory of those witnesses about details that aren't important enough for them to remember. Their purpose is to remember the large sweep of events - the changes in your physical appearance as you aged - in order to establish continuity of "identity" from that newborn baby to the person standing before the bench.

What I was saying instead was that our processes use this instrument as if it were an authenticator. In your words, it's used as a bearer instrument.

I say that it is used as an authenticator because there is a decision made - a decision that I claim should be a security decision. Therefore, there is authorization. When there is authorization, in any well-designed system, there needs to be authentication first. When I look at the processes we actually use and map them onto this architecture (first authenticate, then authorize) - what I see in the place of authentication is an empty ritual.

In the specific case of identity theft, the authorization is to be given a credit account with which the person is then empowered to walk away with merchandise without paying - on the presumption that the person will pay later. This account is tied to someone who has the ability to pay - but that person is not the one who actually opened the account.

So, to come back to our non-disagreement: the breeder document is an extremely poor authenticator. It's not an authenticator at all, in fact. However, the process uses it as if it were one - which is why I call it an authenticator.

It is the conflict between the way the process uses it and its actual value that creates identity theft - and for that I assign guilt to the entities that created the flawed process. Those are the entities that should have all financial responsibility when the process they created shows the flaws that they built into it.

8:45 AM  
Blogger cme said...

This discussion got side-tracked with reference to birth certificates.

Back to identity theft (for which birth certificates are almost never used): the operation that mapped into the function of authentication in the identity theft process was a demonstration of knowledge about me by someone. The faulty process then takes that as authentication that that person is me.

Here, too, I agree with Bob (I suspect) that knowledge about me is not an authenticator. However, because it is used as one, I call it one - and then criticize it for being so extremely poor.

9:00 AM  
Blogger bob blakley said...

Hmmmm. You wrote "However, I don't believe that it was ever intended to be a bearer instrument or an authenticator. I suspect it was designed merely as an aid to the memories of the witnesses who were assumed, at the time, to be easily available".

I wonder what a birth certificate really was originally intended for. It would be interesting to look at the history here. But I bet we can reconstruct it from the form of the document and the information on it. It contains the names and addresses of a baby's parents together with the signature of a witness - today a doctor but I bet in the past often a priest or "whoever could be rounded up".

What would this specific information be useful for? Here's my guess: proving legitimacy of a child to claim an inheritance. By definition, when a child makes an inheritance claim, the parents aren't around to validate his claim to be their child. In order to make inheritance work, therefore, there had to be a provision by which the parents could give a child a redeemable document which would serve as their attestation of his identity as their child.

A birth certificate is pretty well suited to this purpose, assuming that children are careful to avoid having the document stolen. Presumably if the parents have enough assets to make an inheritance worthwhile, there are a fair number of other copies of their signatures floating around on business documents, deeds, etc..., so there will be something against which to compare the signatures on the birth certificate. And while the parents are guaranteed not to be around when the document is redeemed, there's a decent chance that the witness will be.

9:03 AM  
Blogger cme said...

...and to close out my comments on Bob's comment -- your birth certificate cannot be your identity, at least to me. I've never seen it. I know almost nothing about it - except that your father is Bob Blakley Jr. (because you told me that once). Yet, I have in my head what I use for your identity - from my point of view. I have a body of memories that I refer to when I think about you - and that I would refer to when I walk up to you in a room, recognize you and offer to shake hands. That body of memories is, among other things, a biometric template (in that case).

9:05 AM  
Blogger bob blakley said...

Exactly! You already have an identity for me, which you have built up yourself. My birth certificate, which you've never seen, might even say things which conflict with your idea of my identity (it might say that I have brown eyes, for example - though it doesn't).

But from society's point of view, my birth certificate, plus certain other documents, is my identity for people who have never met me and don't have a history of transactions with me. It's my "official identity" from a statutory point of view.

My statutory identity isn't sufficiently useful to enable people to do business or engage in other kinds of relationships with me, so sensible folks build up their own views of my identity based on their own experience, or they contract with "identity services" (like Equifax, or the FBI) to find out important things about my identity which the statutory identity doesn't tell them.

9:11 AM  
Blogger cme said...

Ah - Bob's latest comment snuck in before my previous one. I just read it.

Proof of legitimacy, as a contract for inheritance, might be a very good use for a birth certificate and could easily be its original purpose (although why poor folks would make birth certificates isn't so clear then) - but when I show up after your parents' death and claim to be their son Bob Blakley, the birth certificate does nothing to authenticate me. The authentication process still depends on witnesses to my (or your) maturation.

As an instrument granting inheritance, it's an attribute certificate - a grant of rights to a name - with something else required to bind that name to a particular individual. At this point, however, we're way off the topic of identity theft and should continue this discussion in a separate post.

9:12 AM  
Blogger cme said...

Now we really are leap-frogging our comments.

What Equifax or the FBI does is attach attributes together. Some of those (like name, address, ...) could be used to track someone down and that process, in turn, could be used to bind these attributes to an individual.

When someone reverses the process and uses knowledge of facts in an Equifax report as an authenticator - as the only proof needed that an otherwise unknown person on the other end of an anonymous (secured) connection really is me - then they've made a standard newbie's security mistake and need to be punished for it.

9:16 AM  
Blogger cme said...

As for an official identity from a statutory point of view, I'm not especially interested. What I care about is the basic process:

(1) authenticate

(2) authorize

and the existence of this statutory identity doesn't tell me how to authenticate. In fact, my suspicion is that we used to authenticate by witnesses' collective memory in Walton's Mountain days - and when we slowly evolved away from those days so that there were no local witnesses whose memories we could tap, we never replaced the authentication mechanism - substituting empty rituals in its place.

9:21 AM  