John Denker has written a superb essay on why ID “theft” shouldn’t be a problem, and how we already have all the tools to prevent it from being one. Excerpt:
it shouldn’t matter if somebody knows who I am. Suppose somebody can describe me — so what? Suppose somebody knows my date of birth, social security number, and great-great-grandmother’s maiden name — so what?
It’s only a problem if somebody uses that identifying information to spoof the authorization for some transaction.
And that is precisely where the problem lies. Any system that lets identifying information serve as authorization is so nonsensical that it is hardly worth discussing. I don’t know whether to laugh or cry.
He goes on to draw the distinction between entity authentication and transaction authentication, and proposes a couple of schemes for breaking these into two separate mechanisms instead of the conflated mess we now have. Well worth a read for anyone interested in security.
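To make the distinction concrete, here is an added illustration (my own sketch, not code from Denker's essay or this post): the conflated design, where identifying facts double as authorization, beside a design where a transaction is authorized only by a MAC over its own fields with a key held by the account holder. The account record, the shared secret and the nonce store are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record (not real data): facts that merely describe the holder.
ACCOUNT = {"id": "acct-001", "ssn": "123-45-6789", "dob": "1970-01-01"}


def authorize_by_identity(acct, ssn, dob):
    """The conflated design: identifying facts serve as authorization.
    Anyone who has learned these facts passes the check."""
    return ssn == acct["ssn"] and dob == acct["dob"]


def canonical(tx):
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(secret, tx):
    """Holder authorizes exactly this transaction with a key only they hold."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


def verify_transaction(secret, tx, tag, seen_nonces):
    """Bank side: accept only an unaltered, not-yet-seen transaction whose tag
    matches. Who the holder is, or what is known about them, plays no role."""
    if tx["nonce"] in seen_nonces:
        return False  # replay of an authorization already executed
    if not hmac.compare_digest(sign_transaction(secret, tx), tag):
        return False  # wrong key, or fields changed after signing
    seen_nonces.add(tx["nonce"])
    return True


def demo():
    holder_secret = secrets.token_bytes(32)  # assumed shared with the bank at enrolment
    seen = set()
    tx = {"account": "acct-001", "payee": "acct-777", "amount": 100,
          "nonce": secrets.token_hex(8)}
    tag = sign_transaction(holder_secret, tx)
    results = {}
    # A stranger who knows the identifying facts passes the conflated check.
    results["identity_check_passes_for_stranger"] = authorize_by_identity(
        ACCOUNT, "123-45-6789", "1970-01-01")
    # The same stranger, lacking the key, cannot produce a valid tag.
    results["stranger_forges_tag"] = verify_transaction(
        holder_secret, tx, sign_transaction(b"guessed-key", tx), seen)
    results["genuine_accepted"] = verify_transaction(holder_secret, tx, tag, seen)
    # A tag over one transaction does not authorize an altered one, nor a replay.
    results["altered_amount_rejected"] = not verify_transaction(
        holder_secret, {**tx, "amount": 9000}, tag, seen)
    results["replay_rejected"] = not verify_transaction(holder_secret, tx, tag, seen)
    return results
```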
