False Security

I’ve had a pretty rough week. Mere days after finding out someone likely had possession of my name, address, & social security number, and calling all my banks, credit cards, and the credit bureaus, I was given the opportunity to bathe my wounds in a pool of salt: someone else, in an unrelated incident, had gotten a hold of my credit card and tried to buy a $2k computer.

Fortunately, regarding the latter instance, fraud and identity theft hurt credit card companies as much as they do their customers, so it was only minutes before they voided the charge, apologized, and put new cards in the mail.

And unfortunately, with regard to the former, there’s little one can do when that information gets into the wrong hands. Unlike a nine-character password, which takes 1.12 millennia to crack using brute force, you can’t change your social security number. All you can do is hope that creditors do sufficient due diligence to verify that you are you, and that you’re not that douche bag who’s pretending to be you.

The nine-digit number, which is on countless documents, in countless phone calls, and is required to set up more accounts than it should be, is still somehow considered reliable. If dozens of companies, with varying levels of security, know my name, address, and social security number, how can any other company use this information as proof that I am who I say I am, and not any one of the potentially thousands of others who have access to it?

Years ago, I read about the then-new Global Entry system for fast security checks at airports. The idea is simple: thorough background checks, fingerprint records, and photos, all so you can waltz through (the already ridiculous) airport security faster than everyone else. A frequent traveler at the time, I was excited at the prospect of spending less time taking off my belt and shoes and being groped so I could spend more time waiting at the gate. But I never applied. I never even did more research. Why? They require your fingerprints.

I’m not concerned that giving up my fingerprints means one day I won’t be able to commit a murder with no gloves on. I’m concerned that this “secure” background check all revolves around the assumption that no one can forge fingerprints. And why is this so problematic? For the same reason it’s silly to rely on the knowledge of a social security number to prove one’s identity:

Fingerprints cannot be changed.

Technology is awesome. It gets better and better. And unfortunately there are some bad guys who are good at developing technology. Let’s assume just one of them figures out how to put some rubbery plastic on his fingers, masquerading them as yours. You find out, are outraged, frustrated, irritated, bothered, and exhausted from all the hoops you need to jump through. But what are you left with? A flag on your account? Who knows if everyone else will get the report that everyone else’s fingerprints haven’t been breached, but yours have, so all the fancy expensive security equipment people invested in is no longer valuable.

So do yourself a favor. Use 1Password to store crazy secure passwords which you change all the time, request all of your banks to require a verbal password for any phone checks, and try to avoid any service that uses your social security number for identification.

#security #technology
