Gideon Samid • Gideon@AGSgo.com
Asymmetric cryptography, credited to Whitfield Diffie and Martin Hellman, is widely considered a brilliant innovation underlying e-commerce. The technology of private key versus public key allows two strangers to communicate private matters to each other. And when you see the “latched lock” icon on your screen, you feel assured that you and the merchant you buy from are engaged in a protected conversation.
But neither the Diffie-Hellman key exchange nor RSA provides any assurance or determination as to the identity of the two parties to the conversation. They, and the various other asymmetric constructs, only provide continuity. They are designed to ensure that whoever started the conversation will be the one who continues it, regardless of who that is. That means that if a hacker convinces a merchant that he is you, then even if you show up during the conversation, you will not get in, because the latched icon provides continuity to the hacker.
This unsettling reality is consistent with cryptographic services in general. Cryptography provides discrimination between someone who holds a piece of designated information (it could be called a key, or a password, or a PIN) and the ones who don’t. Anyone who secures that designated information may pass himself off as his victim. This makes identity theft inherently easy and profitable. So as we look at ways to combat this fast-growing, far-reaching crime, we better revisit the notion of identity at its roots.
In short, identity is a complicated concept. When you lose a tooth, do you lose part of your identity? When the technology of heart transplants came to the fore, the question of identity came up as well: Are you yourself, or are you your donor? The answer to questions like these was to root identity in the brain. But then we ask if Alzheimer’s patients are themselves.
In the real world, we identify people through numerous parameters that we automatically register, such as face, voice, and so on. But in the online world, you establish your identity by a single stream of bits. Anyone who can guess what that stream is will successfully steal your identity. Fingerprints, iris characteristics, voice signature—they all become a stream of bits. Hackers don’t need your sweaty palm to pose as you. They only need the bit-wise rendition of your attributes.
Now, combine this with the technology of convenience that allows tele-managing of secure networks. With this technology, a hacker who steals the identity of an off-site system programmer can assume control of the network’s most secret parameters.
With this profound vulnerability in mind, it is amazing how much sensitive data are protected by nothing more than a single, stealable password. The new technology by which people identify themselves through non-repeatable data is an important step ahead. But it does not stop phishing, it’s cumbersome, and it relies on eroding cryptographic intractability.
A good identity-establishing protocol should include mutual authentication to hinder phishing, and it should employ history-based dialogues. It is very powerful for an institution to report to you when you have logged in before. And there are tricks to ensure that you review this information, and have a chance to spot a problem when the report does not jibe with your memory.
Similarly, the institution should report to you on any phone conversation it had with you or any regular letter it mailed to you. Any inconsistency with your personal knowledge should raise suspicions. And the absence of such reports should raise your suspicion as to the true identity of the Web site you are logged onto.
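A minimal sketch of the history-based dialogue described above, as an added example that is not part of the original column: the institution logs every login, phone call and mailed letter, and at the next login makes the user pick the genuine previous event out of constructed decoys before proceeding. The assumption (mine, not the author's) is that a phishing site cannot reproduce this history, so a correct report doubles as the site authenticating itself to the user.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Account:
    """Server-side record for one customer (constructed for this example)."""
    name: str
    history: list = field(default_factory=list)  # (kind, when, where) tuples
    suspicious: bool = False


def record_event(acct, kind, when, where):
    """Log every contact with the customer: logins, phone calls, letters."""
    acct.history.append((kind, when, where))


def history_challenge(acct, decoys, seed=0):
    """Review step: the true last event hidden among decoys, shuffled.

    Returns (options, true_last). A real deployment would draw decoys that
    look plausible; here the caller supplies them and the seed keeps the
    shuffle deterministic for testing.
    """
    true_last = acct.history[-1]
    options = [true_last] + list(decoys)
    random.Random(seed).shuffle(options)
    return options, true_last


def verify_review(acct, options, true_last, chosen_index):
    """The user picks the event she remembers.

    A wrong pick means either the user's memory or the history does not
    jibe, so the account is flagged for follow-up rather than silently
    letting the login continue.
    """
    if options[chosen_index] == true_last:
        return True
    acct.suspicious = True
    return False


def unexplained_events(acct, remembered):
    """Reported events the user does not recognise: each is a lead on an
    impostor (a login she never made, a letter she never received)."""
    return [e for e in acct.history if e not in remembered]
```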
The newest aspect of identity theft is the shadow option. Someone takes your parameters and lives in the virtual world as you, but in parallel to you. No intersection. So you are not in the least aware of your “shadow.” Often, that shadow destroys your online reputation, and one day you find false but discrediting stories popping up on Google for anyone checking you out to see. Good luck trying to fix this!
Even more alarming are shadows that establish a growing cyber history that is linked to you, but that is not you. To live in the cyberworld with an identity not yours has become a regular tool for criminal and intelligence organizations.
None of these problems will be easy to solve. The beginning of wisdom is to admit that the question of online identity is inherently a complex issue, and must be respected as such.