Why must we live in fear of identity theft? Why must we pay companies to mitigate the effects of identity theft? Instead, we can beat cyber hackers and avoid identity theft by fundamentally changing the way we use information to authenticate users. If hackers steal information because it is valuable, then devaluing that information could negate the threat. In cases like identity theft, this could make some hacks not worth the effort and could have other social benefits because you can actually share your birthdate with your friends.
A variation of this article was published at CyberDominance.com in January, 2017.
There are many objectives to offensive cyber actions and crime. One of these is the stealing of PII or other pieces of information that allow identity theft (let’s call this “critical personal information” (CPI)). If a hacker can steal your birthdate, SSN, city of birth, address, mother’s maiden name, full name, the street where you grew up, the make and model of your first car, etc., they can likely access any of your sensitive banking or government information, and perform nefarious actions with this access. So surely such a hacker’s top priority is to steal this information.
The Inconvenience and Impracticability of Protecting Your Information
No longer can you share “sensitive” information about yourself like your birthdate, details about where you grew up, and details about your family, lest you be practicing poor OPSEC and poor cybersecurity. And should you let it slip a single time in your life and your information is captured by the nefarious hacker, you might as well quit life, because your information could be compromised forever. Sure, you can buy “identity theft protection” and monitor your credit report, but those services are reactive and can’t prevent anything. You can get better at protecting your information after a compromise, but what’s the point? The information is already out. You have to spend your entire life not sharing personal details with your friends (details that make you closer, better friends) because somebody long ago decided that information was going to be the key to all of your money and government services.
As with many zero-tolerance security problems, the adversary wins if they succeed once. The user must be perfect. However, unlike physical security, in the case of CPI the adversary can keep stealing and compromising things like banking accounts, because the user can’t change their birthdate, name, mother’s maiden name, SSN, etc. without considerable effort (if at all) and incredible inconvenience. The user would literally have to change their identity. The low cost to the adversary and high cost to the user makes this a fight the user is doomed to lose.
And if they don’t lose or become compromised, it is probably just by luck. They got lucky with a bank that wasn’t hacked. They got lucky because a website that did get hacked encrypted all CPI and therefore the CPI wasn’t compromised. Most meaningful actions that can save the user are out of the user’s control. There is nothing the user can do about it – they are at the mercy of a system that requires CPI to give them access to services.
The only people who might know your CPI without hacking a computer system, assuming you are practicing all of the cyber OPSEC, are your close friends and family. This forces you to be tight-lipped around your good friends if you fear the “insider threat.” The fact that you have to steer a conversation away from what should be a benign topic of who you are, who your family is, and where you are from, is itself an issue.
In other words, the user is bearing the consequences of the hack. Banks and other websites and services can take some losses, but their losses aren’t as permanent. And yet they are arguably the party most able to prevent theft of the information that you give them. This inversion of interest means they won’t be as careful, and you have to be more untrusting of your friends.
The game is stacked against the user (and the banks and organizations that must repay or repair loss by the user), so we need to change the game to favor the user. We need to devalue the information hackers manage to steal. One common way this is already done is by properly encrypting data at rest and in transmission. When the hacker steals that information, it is useless without a valid key.
Another way would be to change the fact that the user is at the mercy of CPI. In other words, if CPI is so valuable the knowledge of it could result in total and permanent compromise, what if we found a way to make that CPI not valuable? What if your birthdate wasn’t needed to access your bank? What if an adversary discovering your mother’s maiden name couldn’t use it to steal your identity?
Why are things the way they are now? Why is CPI so valuable? At some point, places like banks and their depositors had a desire to authenticate users. They wanted to verify that someone is who they say they are. Once they verify that, the person can do whatever they have permissions to do. But why did they assume that “if a person knows the birthdate and SSN on file, they must be the right person”? I presume this is because, other than the SSN system, there wasn’t a standard way to uniquely identify an individual person quickly. Recording a person’s inked fingerprint and then comparing it at each visit would require every teller to be a fingerprint expert, and couldn’t work over the telephone or in the drive-thru. So this (knowing someone’s CPI) was probably the best option they had at the time. Furthermore, CPI didn’t reside in systems that could be hacked cheaply and anonymously. If you wanted to hack the ledger of depositors you either had to break in and read the pieces of paper, or be one of the few people who could hack the 1980s computer systems. In other words, it was costly and you would likely be caught or at least identified.
If my memory serves, it used to be only a few pieces of information. Now, such businesses add more information like where you grew up and the date you ate your first ice cream cone. They call it “beefing up cybersecurity,” but it is really just continuing to make the same mistake. Yes, there are virtues to multi-factor authentication, but relying on information that is permanently compromised once discovered is only a temporary solution.
Are there ways that we can reduce or eliminate the hacking value of CPI? It seems that a big way would be for authenticators (e.g. banks) to not want or need this type of information. Authentication requires a way to uniquely identify an individual, so are there ways to authenticate without your personal information? I believe we might now have the tools to make this feasible. Here are some ideas, probably to be used in combination with one another. All of them assume that security is not perfect, so that a compromise of information would not be permanently damaging, and they aim to devalue PII/CPI:
- Authenticate via biometrics, for example finger and voice printing (Something You Are).
- This requires a trusted channel that can sample the individual and transmit the sample in a way that cannot be spoofed, compare it to a sample collected at user account creation, and store that benchmark sample encrypted. The tools to make this work are rapidly developing, evidenced by their inclusion in smartphones and laptops. In this scheme, your identifying information wouldn’t be “What is your SSN, etc.” – none of that matters. Simply verify that the person who deposited the money is the person wishing to access that account, for example.
- In banking, there are likely laws that require banks to verify the identity of the person (as opposed to uniquely identify…) for law enforcement purposes. Perhaps there is a way to remove or work around those requirements.
- A critical part of this is to make it so that knowing the fingerprint itself does not permanently damage the user, like knowing a birthdate or SSN would – without this ability, biometrics probably shouldn’t be used.
- Biometrics do impose serious concerns, however, and could impose a bigger threat than the status quo. I don’t know of a way around this, but I do think that some serious out-of-the-box thinking is needed here.
- Via a physical token (Something You Have). Maybe that token is permanently attached to your body so you don’t lose it? Perhaps an RFID chip that requires a PIN or some other decryption key.
- Via a “random” number or keyphrase (Something You Know). For example you go to a bank and they assign you a user number, and your token requires a PIN to use. Just make it something that isn’t a part of your identity.
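The last two ideas (a bank-assigned user number plus a physical token that needs a PIN) and the point that compromised credentials can simply be reissued can be shown in working code. The following is an added illustration, not code from the original article or from any real bank: a server assigns a random account number at enrolment, stores a PBKDF2 hash of the PIN (something you know) and a secret shared with the user’s token (something you have), and authenticates with a one-time challenge that the token answers with an HMAC. The names `TokenAuthenticator`, `token_respond`, `reissue_token` and `demo_compromise_and_recovery`, the PIN `4821` and the “leaked key” scenario are all constructed for the example. Nothing stored or transmitted is derived from the user’s identity, and when the stored key is stolen the bank mints a new one and the stolen copy stops working, which is exactly what cannot be done with a birthdate or SSN.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    """Server-side record. Nothing in it is derived from who the user is."""
    account_id: str      # random "user number" assigned at enrolment
    token_key: bytes     # secret shared with the user's physical token
    pin_salt: bytes
    pin_hash: bytes
    generation: int = 1  # bumped every time the token is reissued


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen database does not give away the PIN cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def token_respond(token_key: bytes, nonce: bytes) -> bytes:
    """What the physical token computes when shown a fresh challenge."""
    return hmac.new(token_key, nonce, "sha256").digest()


class TokenAuthenticator:
    """Hypothetical bank-side authenticator: random account id + PIN + token."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._open_challenges: set[bytes] = set()  # nonces usable exactly once

    def enroll(self, pin: str) -> tuple[str, bytes]:
        """Create an account; returns (account_id, token_key) to provision the token."""
        account_id = secrets.token_hex(8)          # random, not an SSN or birthdate
        token_key = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        self._accounts[account_id] = Account(account_id, token_key, salt, hash_pin(pin, salt))
        return account_id, token_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_challenges.add(nonce)
        return nonce

    def verify(self, account_id: str, pin: str, nonce: bytes, response: bytes) -> bool:
        """Something you know (PIN) and something you have (token's answer to the nonce)."""
        acct = self._accounts.get(account_id)
        if acct is None or nonce not in self._open_challenges:
            return False
        self._open_challenges.discard(nonce)       # a replayed response is rejected
        pin_ok = hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash)
        tok_ok = hmac.compare_digest(token_respond(acct.token_key, nonce), response)
        return pin_ok and tok_ok

    def reissue_token(self, account_id: str) -> bytes:
        """Recovery after a breach: mint a new key, so the stolen copy stops working."""
        acct = self._accounts[account_id]
        acct.token_key = secrets.token_bytes(32)
        acct.generation += 1
        return acct.token_key


def demo_compromise_and_recovery() -> dict[str, bool]:
    """Constructed scenario: the server record leaks, the bank reissues the token."""
    auth = TokenAuthenticator()
    account_id, key = auth.enroll("4821")

    def attempt(k: bytes, pin: str = "4821") -> bool:
        n = auth.challenge()
        return auth.verify(account_id, pin, n, token_respond(k, n))

    results: dict[str, bool] = {}
    results["legit_before"] = attempt(key)
    leaked_key = key                                # attacker copied the stored key
    results["leaked_before"] = attempt(leaked_key)  # breach is effective...
    results["wrong_pin"] = attempt(leaked_key, "0000")  # ...but still needs the PIN
    n = auth.challenge()
    resp = token_respond(key, n)
    auth.verify(account_id, "4821", n, resp)
    results["replay"] = auth.verify(account_id, "4821", n, resp)  # same nonce twice
    new_key = auth.reissue_token(account_id)        # the user gets a new token
    results["leaked_after"] = attempt(leaked_key)   # stolen key is now worthless
    results["legit_after"] = attempt(new_key)
    return results


if __name__ == "__main__":
    for name, ok in demo_compromise_and_recovery().items():
        print(f"{name}: {ok}")
```

The account id carries no personal information, so it can be written down or shared without giving an adversary anything reusable; the PIN hash alone is not enough to log in, and the token key is the only thing worth stealing, which is precisely the thing the bank can replace.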
These aren’t really new ideas, but they are potentially new applications of old ideas with the aim of this: to reduce the use of CPI as an authentication mechanism, thereby empowering and protecting the user’s identity. Take the identity out of the war and it can’t become a casualty as easily. A host of other schemes can follow that allow users to take control of the “things” that can be stolen and how to react to them. At least in this case if the user’s authentication mechanisms become compromised they are not permanently damaged because they can get new tokens, new numbers, etc. What is clear is that we need to think outside of the box.
There must be a better way to protect against identity theft. Instead of adding more questions and schemes to protect your identity we need to change authentication to not be based on personal information. Some of this would require regulatory changes, but there are probably creative ways to get started.
There are probably other ways we can take the wind out of a hacker’s sails by devaluing the information they manage to steal. This idea definitely applies to identity theft but there are other areas this could work. What are some ways you are devaluing information? What are some creative ways to do this that aren’t being done?