Friday, June 09, 2006

How NOT to do identity

There's a thread over at the 37 signals blog that calls for the idea of portable credit card numbers. Its interesting that none of the comments so far see the inherent security issues with this idea.

Phone number portablity is nice because humans are expected to dial numbers, and it's very useful to associate a number with a person, and have the relationship persist for tens of years. There is no real security issue with this because the knowledge of a phone number has reasonably low value in scamming. The fact that numbers are considered permanent helps also keep the required size of the number pool smaller (new area codes not withstanding).

A credit card number happens to be its present size due to historical circumstances. Its an account number, from computers, for computers. The fact that a human may be required to recite it from time to time is the primary reason they aren't longer, or cryptographically secure (i.e. 1024+ bit random numbers in hex --> 256 characters long!)

Unlike phone numbers, the current credit card system relies on the 16 digit number as an essential element of security. Its part of a secret, along with a "security code" (3 or 4 digits tacked on to answer public concerns in the last few years), and the name, address, and other identifying (and likely publicly) data.

The current credit card system is amazingly insecure. The mere knowledge of a few facts, along with the 16+4 digits allows one to charge ANY AMOUNT against a credit card account, for the duration of the life of the card. The system forces the card holder to trust every merchant the wish to conduct business with, for the full security of this information. This is equivalent to handing all of you money to the merchant, and trusting they will take the correct amount of cash before returning your wallet to you. Only it's not even that safe, they can then dip into your wallet at any time in the future. If their computers are compromised, they anyone else who learns this secret aquires the same capablity.

A far more reasonable approach would be to use one time keys for every transaction. The credit card companies could offer a smart card, which would compute a cryptographically secure payment code which would denote the amount authorized, along with any authorization for future payments. The payment code would only work for the specified payee... if their computers were compromised, or if anyone else learned the secret... the knowledge would have zero value.

This is how this should be done. It's silly to trust that a 16 digit number with our financial futures.

Your credit card number is NOT an identity... don't be fooled into thinking it is.


No comments: