When Schneier talks security, people should listen

Most of you have never heard of him. But Bruce Schneier is one of my geek heroes. He doesn’t know it, but this co-founder and CTO of Counterpane Internet Security is the one who introduced me to the concept of public key encryption. My email has never been the same since (mostly because my friends can’t read my 4096-bit scrambled messages)!

No, seriously…Bruce was the author of Applied Cryptography, which was one of the first books on encryption that didn’t require a PhD in astrophysics to understand. You could also send away for the source code associated with the book – I did, and six weeks later I had a floppy loaded with algorithms. I never compiled any of that source, but it led me to grab PGP, so it was worth the trip.

The reason I say all this is that Mr. Schneier is a guy who knows security. And by that I mean not only the code, but the processes behind it, and how those processes affect users in our data-driven world.

Now Bruce has commented on “identity theft,” and again it is worth listening to.

In this contribution over at CNET News.com, Bruce questions the very concept called “identity theft,” and explains why legislation aimed at fixing the problem will miss the boat.

Bruce’s first contention is that “identity theft” is a bit of a misnomer – identities are never actually stolen. What is stolen is the data that acts as a tag for a person’s identity (name, account number, Social Security number and so on). The real crime is the fraudulent transaction that follows from acquiring that data. He goes on to suggest that if traditional financial institutions (such as banks) bore some liability for those fraudulent transactions, much the same way credit card companies do, they would approach the fraud differently.

Credit card companies, through the use of sophisticated pattern recognition technology, are able to stop transactions that don’t fit the cardholder’s historical spending pattern. It works well enough that the liability they bear for the fraud that does slip through is manageable. If banks adopted similar measures, as Bruce suggests, much of the stolen data would be useless to the thief: the data might still leak, but the transaction it was stolen to enable would not go through.
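To make the “transaction that doesn’t fit the history” idea concrete, here is a toy version of that kind of screen. This is an added illustration, not code from Schneier’s column or from any card issuer, and the features it checks (amount versus the cardholder’s past charges, a merchant category or country never seen before, and impossible travel between two charges) and the thresholds it uses are my own assumptions. The eight-charge history is constructed sample data.

```python
"""Toy transaction-pattern screen: flag a charge that does not fit the
cardholder's history. Constructed example; thresholds are assumptions,
not any issuer's real rules."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    ts: int          # Unix time, seconds
    amount: float    # in the card's currency
    category: str    # merchant category, e.g. "grocery"
    country: str     # ISO country code of the merchant
    lat: float       # merchant location
    lon: float


AMOUNT_Z_LIMIT = 3.0     # amount more than 3 sd above the cardholder's mean
MAX_SPEED_KMH = 900.0    # faster than an airliner between two charges
MIN_FLAGS_TO_REVIEW = 1  # assumed policy: one oddity gets a human look,
MIN_FLAGS_TO_BLOCK = 2   # two or more decline the charge


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def anomaly_flags(history, txn):
    """Return the reasons txn deviates from history (empty list = fits)."""
    if not history:
        return ["no_history"]  # nothing to compare against; let policy decide
    flags = []

    # 1. Amount far above the cardholder's usual charge size.
    amounts = [t.amount for t in history]
    mu, sd = mean(amounts), pstdev(amounts)
    if sd > 0 and (txn.amount - mu) / sd > AMOUNT_Z_LIMIT:
        flags.append("amount_outlier")  # a flat history yields no z-score

    # 2. Merchant category or country never seen on this card.
    if txn.category not in {t.category for t in history}:
        flags.append("new_merchant_category")
    if txn.country not in {t.country for t in history}:
        flags.append("new_country")

    # 3. Impossible travel since the most recent charge.
    last = max(history, key=lambda t: t.ts)
    dist = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = (txn.ts - last.ts) / 3600.0
    if hours <= 0:
        if dist > 50:  # same instant, different city: out-of-order or cloned
            flags.append("impossible_travel")
    elif dist / hours > MAX_SPEED_KMH:
        flags.append("impossible_travel")
    return flags


def decide(history, txn):
    """Map the flag count onto the assumed allow / review / block policy."""
    n = len(anomaly_flags(history, txn))
    if n >= MIN_FLAGS_TO_BLOCK:
        return "block"
    if n >= MIN_FLAGS_TO_REVIEW:
        return "review"
    return "allow"


# Constructed history: a week of small charges around one city (Seattle).
SEATTLE = (47.61, -122.33)
T0 = 1_700_000_000
HISTORY = [
    Txn(T0 - 7 * 86400, 42.10, "grocery", "US", *SEATTLE),
    Txn(T0 - 6 * 86400, 18.75, "fuel", "US", *SEATTLE),
    Txn(T0 - 5 * 86400, 63.40, "restaurant", "US", *SEATTLE),
    Txn(T0 - 4 * 86400, 55.00, "grocery", "US", *SEATTLE),
    Txn(T0 - 3 * 86400, 27.30, "fuel", "US", *SEATTLE),
    Txn(T0 - 2 * 86400, 88.90, "restaurant", "US", *SEATTLE),
    Txn(T0 - 1 * 86400, 35.25, "grocery", "US", *SEATTLE),
    Txn(T0, 71.60, "grocery", "US", *SEATTLE),
]

# Constructed test charges: the stolen-data case, a normal one, and a borderline one.
FOREIGN = Txn(T0 + 2 * 3600, 2400.00, "electronics", "RO", 44.43, 26.10)
USUAL = Txn(T0 + 86400, 45.00, "grocery", "US", *SEATTLE)
NEW_CATEGORY = Txn(T0 + 3 * 86400, 95.00, "pharmacy", "US", *SEATTLE)

if __name__ == "__main__":
    for name, t in (("foreign", FOREIGN), ("usual", USUAL), ("new_category", NEW_CATEGORY)):
        print(name, decide(HISTORY, t), anomaly_flags(HISTORY, t))
```

The point of the example is the one Bruce makes: a thief holding the card number and name still has to present a charge that looks like the cardholder, and the big foreign electronics purchase two hours after a Seattle grocery run trips every check at once. Real issuers score far more signals and weight them, but the shape of the decision is the same.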

While I don’t know how quickly banks and brokerages will adopt such measures, if ever, I do know that they are already subject to a number of regulations designed to “know the customer.” The Bank Secrecy Act, the NASD Manual, and even the Patriot Act lay out know-your-customer requirements that cost financial institutions a bundle. Taking it one step further, to “know the transaction,” seems like the logical next move.

If Bruce is right, the presently pending legislation designed to stop the data mishaps will be ineffective, because the fraudulent transactions can go on regardless of how the data is protected. But if the transaction can be stopped by some computer algorithm, why steal the data in the first place? Add some checks at the transaction level, and “identity theft” simply dies of technological obsolescence. Interesting.

***UPDATE***

Schneier has not let up on the message, and others are picking up on it too.
