Target. What’s the first word association that comes to mind when someone mentions that word? If it’s “identity theft,” you’re not alone. The recent security breach at Target hit home to millions of people, because it’s not only one of the largest retailers, it caters to one of the widest customer bases of them all.
(The pink highlights below are in honor of Breast Cancer Awareness Month. More about that next week.)
Of course, Target’s not alone. JP Morgan Chase and Home Depot are just two more big names who recently reported identity theft data breaches. Every day, it seems, some large outfit is admitting their databases are not as secure as they led us to believe, and you wonder: how many others have not been reported… or discovered? As a recent USA Today article pointed out: identity theft is an industry. It even has its own website: Databreaches.com.
What can you do? My wife and I have, to paraphrase The Godfather, gone to the mattresses: we use cash wherever possible. Sure, you may say we’re at risk for someone holding us up, but if that happens, they’ll take my cards as well, so there’s no security downgrade in going from plastic to paper and coin. However, this is the twenty-first century: when you rent a car or make an airline or hotel reservation, you can’t get away from plastic. Same with so many things you buy online — paper and round pieces of metal only take you so far.
And plastic has become vulnerable to crooks with computers. So far, fortunately, the outcome hasn’t been complete identity theft: that happens when someone takes over your driver’s license, social security number and everything else to buy houses in your name and then default after taking out second mortgages. The damage (again: so far) has been limited to crooks selling your debit and credit card data to others who create fake cards.
Banks have figured most of these things out, and, as a consequence, the life of these cards typically is a week or less, before they get canceled, and you and I are left with no cash loss, only the inconvenience of getting new cards.
What the twenty-first century taketh away, fortunately, it might be giving back. With so many trillions of dollars at stake, the arms race is on between the bad guys who want your money and the good guys (who also want your money, but at least they give you something in exchange for it). In days gone by, banks built bigger, deeper and safer vaults, and the bad guys would figure out how to crack them. When banking went digital, computer security evolved encryption and similar access control technologies. But each time the good guys would develop something, the bad guys would find ways to beat it.
And that’s why we have this wave of identity theft and cyber fraud: the bad guys have caught up and seem to be winning.
But… we may be on the cusp of a one-two combination that could end up making identity theft less profitable for the bad guys. The heart of this technology consists of two parts: biometrics and decentralized data storage.
Biometrics is the science of using unique parts of your body to identify you. The finger scanner on your new iPhone, or the laptop you’ve used for years, works by reading your fingerprints. Most people know fingerprints are unique to each person, and very difficult to forge. That’s an example of biometrics.
Barclays Bank has introduced something even more advanced. For a fee, they will provide corporate clients with desktop devices (like in the picture above) which can identify authorized users by scanning the unique vein patterns inside their fingers. These scanners, developed in Japan by Hitachi, have been around for quite a while, during which time they’ve been refined and successfully used in ATMs in Japan and Poland. These scanners don’t read your fingerprint, or any other surface of your body. By passing light through your finger, they read the pattern of veins inside your finger. Apparently, every person has a unique vein pattern, formed in the womb, which makes this form of identification impervious to James Bond (or, more accurately, his Russian counterpart, James Bondski) handing you a drink so he can capture your fingerprint from the glass.
These vein scanners are expensive, though; you know it’s a high-cost gadget when Barclays doesn’t even want to mention its cost or the fees it charges. It also explains why Barclays is starting this new technology out with larger corporate clients: it’s a lot easier for them to justify the cost of something like this when you compare it to the enormous sums of money those clients move around and want to protect.
Whether it’s fingerprints, vein patterns or other exotic biometric identifiers, experts are figuring out how to tap into something unique to you and me which, unlike passwords or PINs, can’t be copied.
However, a chain is only as strong as its weakest link. And all those wonderfully unique biometric identifiers have to be translated into a series of zeroes and ones, and end up as a computer file somewhere, whether it’s at the NSA, CIA, FBI or any other alphabet soup law enforcement or spying agency… or your bank. So while it’s difficult to replicate an actual fingerprint or vein image, it’s relatively easy for computers (and crooks in Russia with computers) to read and copy digital files. In the end, it doesn’t matter what form of security you use: it all gets translated to zeroes and ones… and one set is as vulnerable to identity theft as the next.
The big problem for your bank is: it needs to know who’s on the other side of the electronic link: you or an impersonator. Whenever they receive any identification (password, PIN, or fingerprint scan), they need to digitize it and match it against the file they have on their computers. The crooks know that, and they know where to find that unique identification information, all digitized and wrapped up with a bow for them to pluck and harvest.
That’s where Apple Pay and the Barclays vein scanning technologies come in: the identification data is not where the crooks are used to finding it.
Apple Pay uses a fingerprint sensor on their new computer-called-a-phone to let you make retail purchases in a way which never tells the retailer anything about you. When you pay, all you do is tap your (bent or unbent) iPhone 6 to a special terminal on the counter. The tap allows the retailer to deduct the correct amount from your bank account, but without the retailer knowing anything about you: no personal information ever gets transferred.
What retailers don’t have can’t be stolen. To quote Apple: “With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element, a dedicated chip in iPhone… These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number alongside a transaction-specific dynamic security code is used to process your payment. So your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with payment.”
That means retailers have no information on you which hackers can get at for identity theft. With something like that, you can shop at Target and Home Depot again with peace of mind.
The Barclays/Hitachi system, though technically different, uses the same principle to get around the problem of the centrally held computer files: the computer file with the verification data doesn’t reside in a central computer; it resides in the device itself, and is never transmitted or shared.
When a Barclays finger vein scanner is unplugged, no hacker can get at it, because it’s offline. If the user plugs it in when she needs it, and takes it offline after use, it’s hard to see how that system could ever be hacked. In theory, a smartphone may be easier to hack, because it’s usually connected to either a cellular or wi-fi network.
In practice, though, it’s extremely unlikely that a single device (phone or scanner) will get hacked — not because it can’t be done, but because of simple economics. There just isn’t a big enough incentive to entice hackers to try and hack individual devices one at a time, for a few hundred bucks each, when they’re used to getting millions of identity keys at a time from Target, JP Morgan, Home Depot, and other big corporations, from a single hack.
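For readers who want to see the principle behind the last few paragraphs in action (the Apple quote about a Device Account Number plus a transaction-specific code, and the Barclays idea of verification data that lives only in the device), here is a small illustration I’ve added. It is not Apple’s or Barclays’ code, and it doesn’t model their real systems; the names (Device, Issuer, Merchant, the “DAN-0001-EXAMPLE” token, the keys and the dummy card number) are all made up for the demonstration. It shows three things: the finger is matched on the device and the enrolled template never leaves it; the merchant only ever receives a token and a one-time code, so its records contain no card number; and a code copied from the merchant can’t be replayed or altered because the issuer checks it against a per-transaction counter.

```python
"""Toy model of device-held credentials: the biometric template and the real card
number stay off the merchant's systems; the merchant gets only a token plus a
one-time cryptogram.  Constructed example, not Apple's or Barclays' implementation."""
import hmac
import hashlib
from dataclasses import dataclass, field

REAL_CARD_NUMBER = "4111111111111111"   # constructed dummy card number for the demo


@dataclass
class Device:
    """The phone or scanner.  Everything stored here stays on the device."""
    biometric_template: bytes   # enrolled template; never transmitted anywhere
    device_account_number: str  # token that stands in for the real card number
    device_key: bytes           # per-device secret shared only with the issuer
    counter: int = 0            # transaction counter; makes every cryptogram unique

    def unlock(self, presented_sample: bytes) -> bool:
        # Matching happens locally.  Real biometric matching is fuzzy (a similarity
        # score against a threshold); byte equality is a stand-in for that step.
        return hmac.compare_digest(self.biometric_template, presented_sample)

    def make_payment(self, presented_sample: bytes, merchant_id: str, amount_cents: int) -> dict:
        if not self.unlock(presented_sample):
            raise PermissionError("biometric match failed; no payment message produced")
        self.counter += 1
        msg = f"{self.device_account_number}|{merchant_id}|{amount_cents}|{self.counter}".encode()
        cryptogram = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
        # This dict is the whole message the merchant sees: no card number, no template.
        return {"dan": self.device_account_number, "merchant": merchant_id,
                "amount": amount_cents, "counter": self.counter, "cryptogram": cryptogram}


@dataclass
class Issuer:
    """The bank.  Maps tokens back to real cards; holds no biometric data at all."""
    tokens: dict = field(default_factory=dict)   # dan -> {"pan", "key", "last_counter"}

    def enroll(self, device: Device, real_card_number: str) -> None:
        self.tokens[device.device_account_number] = {
            "pan": real_card_number, "key": device.device_key, "last_counter": 0}

    def authorize(self, payment: dict) -> bool:
        rec = self.tokens.get(payment["dan"])
        if rec is None:
            return False
        msg = f"{payment['dan']}|{payment['merchant']}|{payment['amount']}|{payment['counter']}".encode()
        expected = hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()
        # Reject a forged or altered message, then reject a replayed counter.
        if not hmac.compare_digest(expected, payment["cryptogram"]):
            return False
        if payment["counter"] <= rec["last_counter"]:
            return False
        rec["last_counter"] = payment["counter"]
        return True


@dataclass
class Merchant:
    """The store.  Its records are what a breach of the merchant would expose."""
    merchant_id: str
    issuer: Issuer
    records: list = field(default_factory=list)

    def charge(self, payment: dict) -> bool:
        accepted = self.issuer.authorize(payment)
        self.records.append(dict(payment))
        return accepted


def run_demo() -> dict:
    template = b"constructed-enrolled-finger-vein-template"
    device = Device(template, "DAN-0001-EXAMPLE", b"constructed-device-key")
    issuer = Issuer()
    issuer.enroll(device, REAL_CARD_NUMBER)
    store = Merchant("hardware-store", issuer)

    payment = device.make_payment(template, store.merchant_id, 4999)
    first = store.charge(payment)
    # Someone holding a copy of the merchant's records tries the same message again,
    # then tries it with a different amount.
    replay = store.charge(payment)
    tampered = store.charge(dict(payment, amount=1))
    # A wrong finger never even produces a payment message.
    try:
        device.make_payment(b"someone-elses-finger", store.merchant_id, 100)
        wrong_finger_blocked = False
    except PermissionError:
        wrong_finger_blocked = True

    dumped = repr(store.records)   # everything the merchant ever stored
    return {"first_accepted": first, "replay_accepted": replay, "tampered_accepted": tampered,
            "wrong_finger_blocked": wrong_finger_blocked,
            "merchant_holds_card_number": REAL_CARD_NUMBER in dumped,
            "merchant_holds_template": template.decode() in dumped}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it and the merchant’s records turn out to hold neither the card number nor the template, the first purchase is accepted, and both the replayed and the altered messages are refused. That is the whole point of the “one-two combination”: the thing worth stealing isn’t sitting in the big central database any more.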
If Apple Pay is successful at the retail level, and the Barclays/Hitachi finger scanning solution works for online transactions, you may see an entirely new industry spring up as other companies enter the market to offer cheaper biometric identification devices which keep the identification code within the device, not somewhere on a Big Brother computer system, where all the king’s horses and all the king’s men can’t protect them from getting hacked again.
If this generation of identity theft protection works, you and I will be able to sleep easier again. Just like you sleep easy knowing that the good team at Stailey Insurance makes sure you’re protected from all known risks. But it’s important that you give them a call to make sure your policy is not out of date. Things keep changing, and we all tend to overlook the impact of those changes on our coverages. Just like those new iPhones: you need to let them know which smartphone you have, so they can make sure you’re protected against theft, drops… and, yes, bending. Give them a call today: only good things can come from that call.