In today's Wall Street Journal the CEO of Equifax presents the four steps to end identity theft:
- Secure our data systems (information security)
- Verify identity of applicants (business process)
- Buy a credit monitoring service (self serving sales pitch!)
- Punish identity thieves (negative motivation)
I think he's pretty close (if you skip step #3 which attempts to put the burden back on the customer). The biggest hole in this solution is that we have no universal means to verify identity. There is a lot of fraud being committed because of this and once some smart organizations decide to work on this problem we stand little chance of making any real progress.
My solution is to use existing and cheap technology to build an identity system that is controlled by the individual and accepted by businesses, governments and other individuals.
High level overview:
- Digital certificates issued by any number of independent CAs
- Highest level of authenticity based on simple DNA typing done at health clinics for a modest fee (which is a field on the digital certificate)
- Certificates may be installed on credit (smart) cards, passports, PCs
- You lose your card(s) you simply have CA revoke the certificate and request a new one
- Someone claims to be you? Easy, no one else is made of your DNA - let's meet at the health clinic...
In essence you are identified by your DNA not your: name, social security number, mother's maiden, driver's license, etc. But you don't give people your DNA 'number' (not that it is secret - it isn't) - you give them a trusted token of your choosing [credit card | ID card | digital signature] that they can easily authenticate. I can even have multiple certificates so that if one card is stolen, the others are not affected.
There still exists the small window between when a card is stolen and when it is discovered and revoked. Issuers may still want to use PINs or mutual authentication mechanisms to reduce their liabilities - this is where the law serves a good purpose - the trusting party (let's say bank) must be able to prove that the individual approved the transaction to avoid the loss.
As the CEO rightly points out, restricting data warehouses and adding more legislation will only serve to harm our economy and not fix the problem.
Doug Ross also offers a suggestion to DHS for managing identity.
Interesting. A few weeks ago, I came up with an alternative system that would run under the aegis of DHS. In any case, solutions like this are "boil the ocean" deals because they require so many changes to existing infrastructure. Ah, well.
Posted by: directorblue | April 26, 2005 at 10:16 PM
Why so?
You can build upon existing systems incrementally.
1) Add a DNA field to digital certs
2) Trial the implementation with an existing CA like Thawte (it would improve upon their Web of Trust authentication without having to scrub what they already have)
3) Sign up a DNA typing service (being used today for cheap paternity testing)
4) Sign up an organization that is really tired of identity issues - anything from an airline to a bank although local would be easiest to pilot)
5) Review - improve - grow
Posted by: Stuart Berman | April 26, 2005 at 10:57 PM