Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional |  Security, data breach, information security

Why do these approaches persist? The idea that we have a “core identity” that is truly “us” seems to be both strong and pervasive, as does people’s desire to build on it. These drivers seem to be deep-seated, despite the practical problems. The willingness to build identity systems without testing our ideas mirrors and reinforces a willingness to build security systems on faith. The deep-seated desire to make identity-driven systems work is not only emotional, but also economic: the use of SSNs to identify us is inexpensive to the people designing the systems. Other systems might cost more to deploy, might be harder to use, or might be more intrusive on the surface.

One outgrowth of such faith is the fastest-growing crime in America today, identity theft. This term calls to mind the deep sense of violation that many of its victims feel, because we often believe that our identity is our “good name” and one of the most important things about us.

To get a credit card in the U.S., all you need is a date of birth and an SSN that match a record in a database. Criminals who obtain credit take on as much debt as they can and then disappear. The loan is reported to credit bureaus and collection agencies. Collection agencies attempt to track down the person identified, thinking that he is the person responsible for the debt, and a Kafka-esque nightmare ensues.

Credit fraud is not the only goal of identity fraudsters. They can obtain medical care under false names, leading to a risk that the fraudster’s medical records will become intertwined with the victim’s. They can obtain driver’s licenses and passports under false names, leading to repeated arrests of innocent individuals. As more and more systems are based on the notion of identity, the value of identity fraud to the fraudster will grow. Some states have proposed “identity theft passports” to help victims of identity fraud. However, the more we tighten the security of identity systems, the less willing authorities will be to believe those systems can be compromised and defrauded. This will increase the value of compromising them and make victims’ lives more difficult.

Addressing identity theft will likely involve some investment in technology, and perhaps more importantly, an understanding of the motivations of the various participants that make it such a problem. One of the themes of this book is using economic analysis to increase our understanding of systems and using that understanding to reach better outcomes. Looking at identity theft allows us to see that all the players behave rationally. That rational behavior imposes costs on everyone who touches the financial system.
