Tag Archives: identity theft

Is there any truly secure personal identifier?

identity theft warning signIf there were any criminal elements unaware of the potential for brute-force guessing of United States Social Security numbers, we can be sure they know about it now, as the news is everywhere. Thankfully, it’s still not particularly easy to do and has a low success rate:

An SSN consists of nine digits, the first five of which are assigned by established criteria based in part on the zip code in which someone was born. Now Alessandro Acquisti and Ralph Gross of Carnegie Mellon University in Pittsburgh have shown that it is possible to predict the remaining four digits from someone’s birth date.

For 8.5 per cent people born between 1989 and 2003, the researchers were able to identify the complete SSN within less than 1000 attempts.

Obviously a rethink is required, as an SSN can be used to apply for credit cards – but what to replace it with? In this specific instance, preventing automated online credit card applications would be a wise move, incorporating the added bonus of making high-interest credit less easy to obtain on a whim. [image by TheTruthAbout]

But the SSN issue is symptomatic of the growing problem of identity theft. Are there any ID systems that can’t be hacked, spoofed, brute-forced or cloned? If not – and I rather suspect not – what do we do in situations where it’s necessary to conclusively confirm a person’s identity, especially in situations where the person isn’t present?

Perhaps some sort of localised bureau network would be of use, with every town having an office that could act as an identity clearing house for a multitude of different high-risk transactions, requiring the applicant or transactee to attend in person to confirm that they are who they claim to be. Sure, it’d add an extra layer of hassle to things like applying for credit cards, but that’s a small price to pay for a lower likelihood of having someone else apply for one in your name.

But then any national bureaucratic system will have the sort of baroque operational architecture that invites colonisation by corruption and good old fashioned human error… perhaps it would end up as a step sideways, or even backwards. Sounds like a problem for Bruce Schneier!

Perhaps it’s time to accept that in any large system where user convenience is increased, the risk of identity theft increases in proportion. But what will it take for us to give up quick credit and one-click ordering?

Whoops! UK government forgets how to transfer data, mails CDs with 25m people’s private details

From the annals of incredibly stupid things to do comes this one from the UK.  Evidently someone (a junior official who’s probably been sacked by now) from the Revenue & Customs office thought it’d be a good idea to burn their database of people to a couple compact discs and send it off by unregistered post to the National Audit Office.  The CDs contain personal records, “including their dates of birth, addresses, bank accounts and national insurance numbers“.  The link also has video of the Chancellor speaking.

This points to a lot of concerns people have about their private data.  Similar things have happened in the US – my parents were sent a letter by their mortgage company a few years back saying that a box of data reels containing more than one million entries on loans had been ‘lost.’  My folks were given ONE free credit check and then told to closely monitor their accounts for the next seven years.

An update tells us that the R&C thought it would be too expensive to remove the personal details not needed by the NAO.

(image from mutednarayan)