Imagine that a government report finds that 7% of U.S. passports in use today are counterfeits. An emergency task force would be assembled to find a quick and resolute solution to this gross offense. Yet, every year more than 7% of the U.S. adult population falls victim to identity theft—more than, say, the number of people affected by asthma.
Why, then, does asthma attract a major government counter-action, while identity theft attracts … a major campaign of warnings, alarms, and handwringing? In a word, it’s because of overconfidence. Too many cybersecurity leaders believe that outsmarting the fraudsters is an imminent reality. They’re wrong. We are not winning.
The U.S. government needs to help the victims and curb the growth of this plague. It should address the fundamental fact that once a person’s Social Security number, date of birth, place of birth, mother’s maiden name, and biometric signature are stolen, the victim is forever vulnerable because those personal parameters are immutable.
The government should issue a limited-lifespan personal ID, a cyber passport, and mandate that any consequential contact with the government, like filing taxes, would require this cyber passport code. Same for opening accounts, or withdrawing money from bank accounts.
An annual cyber passport, when compromised (and the theft not detected), will serve the thief on average only for six months. Beyond that, having the victim’s permanent data attributes will not suffice. Anyone who realizes that his or her cyber passport was stolen could immediately request a replacement.
The legislation should not mandate that citizens sign up, but should require that institutions verify cyber passports for any listed activity. High-risk individuals could be issued a new cyber passport every six months; others, maybe every two or three years. The cyber passport would be issued based on the physical presence of the person, with robust biometric identification. Given the cost of identity theft, the front-end cost of issuing the cyber passport would be minimal.
Administered correctly, the cyber passport will void the benefit cyber fraudsters enjoy today from holding the immutable attributes of their victims. To continue to abuse their victims, they will have to steal fresh and valid cyber passports, and that would be harder than before.
The transmission and storage of the newly issued cyber passports will be governed by legislation exploiting modern cryptography: (1) verification databases will hold a cryptographic image of the cyber passport (e.g. hash), so that thieves will not be able to produce the cyber passports even if they break into that database; (2) cyber passports per se will not be transmitted online; instead, a cryptographic dialogue will accomplish the same goal, while denying an eavesdropper the chance to learn how to steal the user’s identity the next time around.
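The two rules above, shown as an added example that is not part of the original column: the verifier's database keeps only a salted, slow-hashed image of the code, and the holder proves possession by answering a fresh random challenge with a MAC keyed by that image, so the code itself never crosses the wire and a captured answer is useless for the next dialogue. The passport code, the salt size and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # constructed; a real deployment would tune this to hardware

def passport_image(code: str, salt: bytes) -> bytes:
    """Cryptographic image of a cyber passport code: salted PBKDF2-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)

def enroll(code: str) -> dict:
    """Verification-database record: salt plus image, never the code itself."""
    salt = os.urandom(16)
    return {"salt": salt, "image": passport_image(code, salt)}

def issue_challenge() -> bytes:
    """Server side: a fresh random nonce for every dialogue (defeats replay)."""
    return os.urandom(32)

def holder_respond(code: str, salt: bytes, challenge: bytes) -> bytes:
    """Holder side: re-derive the image locally and MAC the challenge with it.
    Only this MAC is transmitted; an eavesdropper never sees the code."""
    return hmac.new(passport_image(code, salt), challenge, "sha256").digest()

def server_verify(record: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected MAC from the stored image; constant-time compare."""
    expected = hmac.new(record["image"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)

def demo() -> tuple:
    """Returns (genuine dialogue accepted, replayed answer rejected, wrong code rejected)."""
    code = "K7Q-4M2-ZX9"  # constructed sample passport code
    record = enroll(code)
    c1 = issue_challenge()
    r1 = holder_respond(code, record["salt"], c1)
    genuine_ok = server_verify(record, c1, r1)
    # An eavesdropper who captured r1 tries it against the next dialogue's challenge.
    replay_ok = server_verify(record, issue_challenge(), r1)
    # Someone holding only the victim's immutable attributes, not the current code.
    wrong_ok = server_verify(record, c1, holder_respond("K7Q-4M2-XXX", record["salt"], c1))
    return genuine_ok, replay_ok, wrong_ok

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

One caveat worth knowing: because the stored image doubles as the MAC key, a thief who copies this database cannot read the code for use elsewhere but could still answer this particular verifier's challenges, so the storage-security legislation the author calls for (or a password-authenticated key exchange) still matters.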
The cyber passport initiative is one that only the federal government can carry out. It has to be nationwide, though it can be administered by states honoring each other’s codes (as with drivers’ licenses), and it must be accompanied by legislation that will enforce established security standards for data in storage and data on the move. The initiative will also require an effective instant validation apparatus, much like the ones used by credit card companies to authorize payments.
Should we make progress in the war against identity theft, then the lifespan of these passports could be extended. What is most powerful is the ability of any citizen to request a new passport any time he or she even suspects a compromise. People will be ready to pay a modest fee to avoid the nightmare of identity theft.
The cyber passport initiative should first cover the increasing number of victims who find themselves abused time and again because their permanent personal data is in the hands of thieves. Victims who are issued cyber passports would so inform their banks, their medical practitioners, and others, who by law will then have to request the cyber passport any time someone with that name attempts contact. The cyber passport administrators would inform the Internal Revenue Service and other departments of the issued codes. No one with an uncompromised passport will again face a situation where the IRS refunded someone else in his name.
It’s so simple: a randomized, replaceable, short-lived, memorable code: difficult to steal, and quick to heal! Let’s roll!
—Gideon Samid • Gideon@BitMint.com