Busting the Myth of Identity Theft
Let's dispel a common misconception: that someone can be the victim of identity theft. "Identity theft" does not actually exist. When someone steals your TV, it's gone unless the police recover it. Your identity, on the other hand, remains in your possession even after someone "steals" it, though perhaps in a slightly less usable condition. The problem of identity theft is actually a problem of sloppy merchants, those who precisely balance the cost of rigorous authentication against the cost of letting a few thieves slip by. Unfortunately the consumer's loss is not part of the merchant's calculation of profit and loss; indeed, businesses spend a tremendous amount of effort persuading victims of their business practices that the fault lies with the victims—caused by carelessness or by failing to purchase identity theft protection. One of the easiest ways to curtail "identity theft" is to make merchants liable for the time and energy of people whose identities are stolen, which will change how merchants calculate their profit and loss.
A different method to change the status quo may arrive through the back door, although I have some reservations I'll discuss below. I spoke with Dan Miller of Opus Research, who made me aware of two interesting developments. Taken together, these developments may mean that merchants will stop dithering and implement voice biometrics. Furthermore, the public will no longer be able to avoid widespread and privacy-invading submission of their biometrics to numerous corporate and government databases.
Dan relates that over the past few months, the voice biometrics industry has undergone a sea change. The old focus on technology metrics has faded away. Now voice biometric companies discuss solutions, the tools merchants need in order to conduct their daily business. The companies spend more time focused on what merchants need, for example, by working with partners to integrate voice biometrics into other infrastructure tools.
The other big change comes courtesy of the U.S. government in a recent call for "layered, multifactor, and risk-based" authentication for banks, financial institutions, and for access to government benefits. I can't imagine why the sudden interest in financial companies, but this campaign brought voice biometrics forward as a viable candidate.
Consider phone calls to a bank and transactions on the Web. In both cases, we test only the knowledge of the user—we ask if he knows a PIN, a password, or a login name ("something you know"). Most companies even use Social Security numbers as a "secret," although it's hard to imagine anything less secret than a Social Security number.
To make transactions more secure, we add two other factors of identification. The first is "something you have." The most common example is a bank ATM card, which, unlike your PIN, cannot be stolen by a casual glance over your shoulder; this additional security factor gives banks enough confidence in your identity that they allow machines to dispense money to you.
But for the best authentication, you need three factors, so let's add "something you are." "Something you are" can include the shape of your eye's iris, your fingerprints, or the sound of your voice. Voice biometrics, in conjunction with knowledge of a PIN, would give phone calls two-factor authentication, a huge step up for security from a single factor. Combined with "something you have" (such as the possession of a cell phone), the security becomes rather excellent.
Two problems remain. Today thieves steal PINs, so "something you know" is not entirely secure. They duplicate ATM cards and steal cell phones—and if cell phones start to be widely used for authenticating bank transactions, they will become even more of a target. Thus "something you have" is vulnerable. Even "something you are" can be stolen: Auto thieves in Malaysia cut off a man's finger to foil his car's fingerprint scanner.
Can your voice be stolen? Once voice authentication proliferates, expect criminals to tap into telephony systems to record voice interactions. Some voice biometric systems include "liveness detection" to defeat recorded voices; widespread deployment of voice biometrics will give criminals an incentive to find ways to defeat this countermeasure.
Even if voice biometrics works perfectly, authentication comprises only a small part of a complicated system that secures your account. After a decade of cleaning up their acts, most companies operate relatively secure Web sites—so customer records disappear in a number of other ways. Voice biometrics will add both security and vulnerabilities.
Finally, as a U.S. citizen, I'm reluctant to surrender my biometric information to a government database. I'm not reconciled to the decades-old innovation of photos on drivers' licenses. Biometrics such as voices and faces, which can be sampled noninvasively—through a phone call or video recording as opposed to a DNA sample—lend themselves to ubiquitous, automated surveillance. Few things can corrode a free society like unlimited personal data in the hands of the police.
Moshe Yudkowsky, Ph.D., is president of Disaggregate Consulting and author of The Pebble and the Avalanche: How Taking Things Apart Creates Revolution. He can be reached at firstname.lastname@example.org.