Some Final Thoughts: Identity Theft

<RANT> Identity theft via Internet fraud tactics such as phishing is making the media rounds as we write these pages. Like many issues surrounding security, this high profile creates the expectation that technology will magically save the day at some point. New authentication technologies in particular are held out as the silver bullet for the problems of identity theft.

Perhaps someone will invent the perfectly secure and easy-to-use authentication protocol someday, but in the interim, we wanted to decry what we believe to be a much more easily addressed factor in identity theft: the widespread use of personally identifiable information (PII) in web authentication and identity management. Most of us have experienced the use of facts about our personal lives to authenticate us to online businesses: government identification (such as the Social Security Number, SSN), home addresses, secret questions ("What high school did you attend?" and so on), birthdates, and on and on.

As Internet search engines like Google and incidents like the 2005 CardSystems security breach are now making plainly obvious, many of these personal factoids are not really that secret anymore. Furthermore, as we noted in this chapter with the FTC consent decree against Microsoft's Passport, the liability for storing such sensitive information can be potentially crippling to a business in the event of a breach.

So, we'd like to make a simple demand to all of those businesses out there who may (or may not) be listening: quit collecting our PII and don't even think about using it to authenticate us! </RANT>

Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006