http://quenelle.org/unix/2006/credential-theft/ UNIX developer tools and other cool stuff Wed, 06 Apr 2011 01:02:36 +0000 hourly 1 http://wordpress.org/?v=3.2.1 http://quenelle.org/unix/2006/credential-theft/comment-page-1/#comment-8 Developer Tools highlights @ UNIXy Goodness Fri, 20 Feb 2009 04:21:35 +0000 http://quenelle.org/unix/?p=89#comment-8 [...] Online Identity Part 1 [...] [...] Online Identity Part 1 [...]

]]> http://quenelle.org/unix/2006/credential-theft/comment-page-1/#comment-3 Bob Blakley Sat, 14 Feb 2009 02:03:03 +0000 http://quenelle.org/unix/?p=89#comment-3 Chris, You attribute lots of things to me here which I do not in fact believe, but I'll respond to just a few points. First, Websters' is about the worst dictionary definition of Identity. American Heritage has a much better one: "The collection of attributes by which a person or thing is generally recognized or known". This highlights the important problem, which is authentication. The credential exists because we need to recognize a person when we see her again, or when we see her for the first time after someone else who saw her previously has described her to us. The credential is a device to make it easier for me to recognize you if I know lots of people & might not remember you all that well - that is, it's an authenticator of my identity. Now there are at least three kinds of bad things that might happen with a credential (authenticator): 1. I might steal your credential and use it. This is theft followed by fraud. To prevent this, we put things like pictures and descriptions on the credential (so I can tell if someone who looks different from you is trying to use the credential), and we give you a PIN number (so someone who isn't you won't know how to use the credential). 2. I might manufacture a credential which claims to be yours, but which has my picture and my PIN number. This is counterfeiting followed by fraud. To prevent this, we put things like watermarks and holograms on credentials, to make it hard to manufacture credentials which look authentic. 3. I might find out enough about you to open an account in your name, and have the institution which issues legitimate credentials make one with my picture on it and give me the PIN. This is IDENTITY THEFT followed by fraud. This is a harder problem to solve than the previous two, because the credential is just simply genuine. The problem this presents you with, WHICH YOU DO NOT HAVE IN THE OTHER TWO CASES, is that in order to stop me from charging against your credit rating and to avoid having to pay for my purchases, YOU HAVE TO PROVE THAT YOU'RE YOU AND I'M NOT, because BOTH OF US HAVE LEGITIMATE CREDENTIALS CLAIMING TO BE YOU. The problem with preventing Identity Theft (i.e. the third bad thing that could happen) is PRECISELY that there is no unique determinant of a person's identity: there is nothing you can show the authorities which definitively proves that you are you and everyone else is not (even DNA doesn't do this for a small but important percentage of the population - including, for example, identical twins). Bruce Schneier writes about a related, and also difficult, problem in a recent blog entry: http://www.schneier.com/blog/archives/2006/01/forged_credenti.html If you want a clear set of definitions of identity, authenticator, attribute, etc..., you could do worse than to look at the report of the National Academy of Sciences panel on "Authentication Technologies and Their Privacy Implications". The definitions are in chapter 1: http://www7.nationalacademies.org/cstb/pub_authentication.html Regarding placing legal restrictions on the kinds of IDs people can use for significant transactions, I'll note two things: first, both the ICAO attempt to add biometrics to passports and the US REAL ID act have to date been hugely expensive and not very effective (Bruce also comments on this in a recent blog entry), and second, you seem to have the theory that government is better at reducing identity risks than business. I think the opposite is true - businesses will very effectively control fraud when they are responsible for paying for it. It wasn't the banks who decided to use Social Security Numbers for identification; it was the Federal government. Chris, You attribute lots of things to me here which I do not in fact believe, but I’ll respond to just a few points. First, Websters’ is about the worst dictionary definition of Identity. American Heritage has a much better one: “The collection of attributes by which a person or thing is generally recognized or known”. This highlights the important problem, which is authentication. The credential exists because we need to recognize a person when we see her again, or when we see her for the first time after someone else who saw her previously has described her to us. The credential is a device to make it easier for me to recognize you if I know lots of people & might not remember you all that well – that is, it’s an authenticator of my identity. Now there are at least three kinds of bad things that might happen with a credential (authenticator): 1. I might steal your credential and use it. This is theft followed by fraud. To prevent this, we put things like pictures and descriptions on the credential (so I can tell if someone who looks different from you is trying to use the credential), and we give you a PIN number (so someone who isn’t you won’t know how to use the credential). 2. I might manufacture a credential which claims to be yours, but which has my picture and my PIN number. This is counterfeiting followed by fraud. To prevent this, we put things like watermarks and holograms on credentials, to make it hard to manufacture credentials which look authentic. 3. I might find out enough about you to open an account in your name, and have the institution which issues legitimate credentials make one with my picture on it and give me the PIN. This is IDENTITY THEFT followed by fraud. This is a harder problem to solve than the previous two, because the credential is just simply genuine. The problem this presents you with, WHICH YOU DO NOT HAVE IN THE OTHER TWO CASES, is that in order to stop me from charging against your credit rating and to avoid having to pay for my purchases, YOU HAVE TO PROVE THAT YOU’RE YOU AND I’M NOT, because BOTH OF US HAVE LEGITIMATE CREDENTIALS CLAIMING TO BE YOU. The problem with preventing Identity Theft (i.e. the third bad thing that could happen) is PRECISELY that there is no unique determinant of a person’s identity: there is nothing you can show the authorities which definitively proves that you are you and everyone else is not (even DNA doesn’t do this for a small but important percentage of the population – including, for example, identical twins). Bruce Schneier writes about a related, and also difficult, problem in a recent blog entry: http://www.schneier.com/blog/archives/2006/01/forged_credenti.html If you want a clear set of definitions of identity, authenticator, attribute, etc…, you could do worse than to look at the report of the National Academy of Sciences panel on “Authentication Technologies and Their Privacy Implications”. The definitions are in chapter 1: http://www7.nationalacademies.org/cstb/pub_authentication.html Regarding placing legal restrictions on the kinds of IDs people can use for significant transactions, I’ll note two things: first, both the ICAO attempt to add biometrics to passports and the US REAL ID act have to date been hugely expensive and not very effective (Bruce also comments on this in a recent blog entry), and second, you seem to have the theory that government is better at reducing identity risks than business. I think the opposite is true – businesses will very effectively control fraud when they are responsible for paying for it. It wasn’t the banks who decided to use Social Security Numbers for identification; it was the Federal government.

]]>