The “Shared Secret” Identity Model is Finished
“Who are you?”
It’s an important question in modern society. From establishing your rights to live and work in a certain place to ownership of assets like property, companies and bank balances, most of us are asked to provide evidence of our identity several times a day.
To answer the question, we have developed a “model of identity” which relies on “shared secrets”. And, for historical and practical reasons, those secrets reside on a broad sweep of databases outside of your direct control.
One’s drivers license, credit card number, employee badge, date of birth, social security number, mother’s maiden name, first pet, birth certificate, address, zip code and all the passwords and PINs are secrets that one shares back and forth with governments, employers, financial institutions and retailers. We do this on a regular basis to establish identity to the satisfaction of all the systems with which we must integrate on a daily, weekly, monthly and annual basis. It’s how we own things, pay for things get paid and receive goods and services. It is core to our economic existence.
So, who makes it easy for the “bad guys” to collect our information? We do. To make our lives more efficient and convenient for everyone, we usually don’t bother with actually showing a credit card or a passport or a social security card to a live person (remember “notary publics”). The data is enough. And who keys that data into potentially hacked databases? We do when we buy something online during our lunch break. The payments industry calls it a “card not present” transaction. Add in the critical information that we freely give away to Facebook, Google and others so that they can sell us more things we might want and someone “skilled in the art” can gather enough information with a browser to do some serious identity fraud. Think about how much information one actually has to provide on a pre-approved credit card application.
“Hold on”, you might say. What about having good password discipline and never clicking links in emails and all the other 5, 10, 12 or whatever steps that one reads about online? Well, they help make life a bit more difficult for the “bad guys” but they do nothing to address the core problem of the shared secret model.
The core problem is that the value of one’s identity increases with time while the security of that identity on databases (represented by the shared secrets) decreases with time. The sad fact is that a modern database is most secure at establishment. Its security deteriorates with time and usage.
To demonstrate, let’s pick two points in our digital lives: age 15 and age 55.
At age 15, most of us are not worth much. We might have some pocket money from a summer job and some cool gadgets. But no matter how we are presented to a credit provider online, we are just not worth much to anyone beyond our friends and family. At the same time, our “shared secrets” are few and have not been in circulation for long. We might have a passport and certainly our social security number has been lodged with several schools, insurance companies and doctor’s offices. Ditto mother’s maiden name. But we have yet to share our details over to the DMV to get a learner’s permit (usually requiring a birth certificate, social security number, address and some sign off from an identified parent or guardian). At age 15, we are pretty secure against the identity thieves. Not only will it be difficult to ferret out the few secrets we have shared with the institutions in our lives but there’s just not much value in pretending to be a 15 year old.
At 55, the picture changes dramatically. Our mid-life selves have been sharing the same secrets (address, mother’s maiden name, SS#) with countless institutions for decades. Some of those institutions may no longer be around, some may not have put much thought into securing our data and some may have simply sold it off or been hacked. Once those “secrets” are released into the wild, there is an active secondary market (rumored at $1 per identity for a 50,000 person minimum buy) for the data. Why would someone “invest” in a lead list of “shared secrets”? As we enter our highest earning years, a decent FICO score, a large store of assets and other valuable attributes accrued over a lifetime of achievement and hard work make a tempting target. Identity thieves can come up with many creative strategies to use a valuable identity to engage in profitable scams.
And, the door swings both ways.
Remember that a person under the law includes more than just humans. Corporations, trusts, estates and other legal constructs are also persons.
That’s one of the reason “phishing” scams work so well. It is almost as easy to steal the shared secrets that secure our institutions as it is to steal critical secrets relating to human identity. Why? Because, at some point, critical “shared secrets” can be gleaned from the humans who control access to the corporation’s databases. The best “Nested ID” strategy can be unraveled pretty quickly.
And the two attacks can be used together. One simple case is the formatting of an HTML email. When it “comes from your bank,” you may or may not fall for it (depending on your level of sophistication which statistically works against older, more valuable targets). But how about that $50 reward promotion from “Amazon Rewards” for being such a good customer? “How about you play with my 1-click button for a few hours…” Still feeling bulletproof?
The point of this post is not to scare you silly but to set the stage for what is coming next…the Device Identity Model. While it sounds like a version of “Skynet”, it actually means that persons (human and corporate) will be able to leverage devices and recent innovations (which I will describe in the next post) to establish and manage control over identity to a degree not thought possible today. Identity thieves will still exist in the new world but one’s individual ability to thwart their efforts will increase exponentially.