January 13, 2006

Personal security can be improved…

Posted in Encryption, Mac at 7:04 pm by a11en

but no one seems to be asking for the items which can help with this from the companies they deal with on a regular basis. A prime example of this is the banking system. We live in an age where computing power for every day tasks so exceeds the requirements that processor time is spent now on transparencies and pretty buttons instead of the specific daily tasks required by the masses. This is a good thing. However, it apparently doesn’t translate into the real world. We are still using credit cards without any type of digitial signature and rarely even a physical signature needed. This essentially means that if someone snags your credit-card you might as well start praying to the gods of plastic that they can stop your account in time before the number makes its way across the country or globe for various cell-phone and computer purchases [items of high resale value].

In this day, with our technological advancement, should we really accept this? Back in the day when I watched “Beyond 2000” on the Discovery Channel, I remember seeing a show where a guy was fishing and making a banking purchase using a public-key system. This was around the time public key encryption was discussed in the public [my memory ain’t so hot these days, so pleas forgive mistakes here]… in anycase, it essentially suggested that key encryption could prove very useful to banking systems for confirming ownership/identity. I completely agree with this sentiment.

A simplified example of how this system would work is as follows: (i) purchaser owns a special credit card which includes a touch key pad similar to those old slim calculator business cards (new systems are even slimmer, or possibly used via external keyboard systems) (ii) purchaser calls up some company or is there in person, and requests a purchase (iii) seller gives purchaser a number which purchaser keys into his card (iv) purchaser keys in his personal passphrase (to unlock the private key inside his card), and card gives back a number which purchaser reads off to the seller (v) seller confirms identity of purchaser and purchase is authorized.

The beauty of the above, is that each purchase can only be made when authorized by the owner of the card by unlocking and signing/encrypting the purchase via the number given by the seller. It’s a single-use key which allows the purchase to be made. Even if someone is listening to the whole thing, they can’t determine the purchaser’s key and therefore cannot run amuck with purchaser’s identity for his own devices.

A system like this could seriously hinder the rampant identity theft [of which I’ve been a victim in the past].

Now a few extra points: some will say biometrics will solve this issue. Unfortunately, a good portion of the biometrics are actually hackable (look up laserprinting and thumbprints). I may agree here if you use iris scans which check for pulsing of blood in the eye and iris movement. Each of these systems is, however, only as good as it’s weakest link. If there is a portion of the system in the clear, or editable, it’s quite possible we could “loose” our identity of the data is lost or tampered with. So, no matter what level of security, the system should not be fully trusted. On another front- why in the world would companies keep tapes of various customer information completely in the free and clear? Most frustrating: a recent bank lost a tape of customer information in transit. A huge security leak. Will these people be safe or have their identity trampled through the mud? Some of this problem comes from the way credit reporting companies work. Don’t kid yourself, you still can’t change all the data. I was unable to correct flags on my credit account which were made by the ID thieves in attemps to purhcase various items on credit, as both the credit reporting company and the company who made the requests for credit information claimed they didn’t know how to remove said items. Great! So, my credit still is not completely fixed due to no one willing to admit they have a flaw in the system that should be fixed. Now, these companies are doing their best, I guess, but shouldn’t it be a law that we should have complete and open access to our own information at any point in time for observation and correction as needed? They instead require you to purchase this ability from their companies, except for a single once a year ability to check this information. With the ID theives storing information for 6 months and re-attempting use of said information, this yearly check up would seem quite naive and not sufficient for keeping information correct.

And finally, a problem no one talks about: the use of Social Security Numbers as identification. This should be fineable on a federal level. It is not an identity, and is clearly not secure. I had a second name on my SSN record, whether it was due to transposition or due to maliciousness, I have no idea, but the use of this number should be stopped. Just because someone tells you a number over the phone (that’s relatively easy to find out) does not mean said person is who he says he is. For every time this number is requested, a similar public key encryption routine as discussed above can be used to positively identify the owner in a secure manner. In fact, even without releasing the identity of the user. An amazing thing, public key encryption is. Why it isn’t pervasive in our current society is beyond me.

Some useful/helpful links: [Public Key Encryption via Wikipedia], [Frank Abagnale’s Website], [Bruce Schneier’s Website],[2], [GPG], [PGP]

in regards to allowing comments- we’ll see how it works. 😉 If the spammers come, comments will be removed.