What do you need to apply for a credit card?
Well, your name. Of course you need to know your full name.
Your address? Yup, definitely need to know that, right?
Birthdate, naturally. I definitely know when I was born.
Social Security/Social Insurance Number. Everyone born in the US or Canada has one or the other of these. It’s a unique number given to each of us to identify us to the government. We’re told not to give it out to anyone but the government or an employer. You don’t even NEED it to apply for credit, but it helps identify you as the one, true you.
Seems like a pretty secure system, right? I mean, it’s not like anyone can find out the first 3 items that you need. Perfectly secure.
And if your information does get out? Such as in the Equifax leak announced last month? I’m sure it’s pretty easy to keep people from using your information, right? I mean, if someone gets into my Yahoo! account, I can just change the password to something else, locking them out. Surely I can do something similar to my credit, right?
So what can I do?
Freeze my credit? So not only can others not use it, but neither can I?
Hmmm…seems a little complicated to protect myself. I sure wish there was an easier way.
Wait. A couple of years ago my PayPal account got hacked. I’m not sure how, since I had a pretty secure password on it, but I guess enough monkeys at keyboards will eventually write Shakespeare, and my password was most definitely not as good as The Bard’s writing. So I guess the only option I had left was to freeze my PayPal account, right? I mean, that way nobody could access it anymore, including myself. Sounds like a small price to pay to keep the villains of the internet from trying to purchase Fifa 15 (yes, that was actually what the hackers used my PayPal to purchase), am I right? It’s not like I had any other option to secure my account.
Except I did. Two-factor authentication. If you don’t know what that is, here’s a quick and dirty explanation: True security relies on being able to verify yourself in two different ways. The first is something you know. Traditionally this is your password. It can be secure, unless someone else finds out what it is, of course. Then all bets are off. This is why we add the second factor. It can be one of two things. One is something you are, such as a fingerprint, iris, or your face. The other is something you have. This is the most used second factor. You’ve probably seen it when you sign into Facebook or WordPress. You sign in, and a one-time-use code is sent to your phone, or a request to approve the login is sent. This is a variation on an RSA SecurID key fob, where a seemingly random number is generated when you press the button. I say ‘seemingly’ because the number is actually generated from a complex mathematical equation involving the time, the serial number of the key fob, and a private ‘seed’. I won’t bore you too much with the details, but you can always look it up here if you’re interested in getting into the more technical details of it.
So after I got hacked, I enabled two-factor authentication on my PayPal, which meant even if bad guy hacker in China (or I suppose England or South America based on what they tried to buy) was able to get my password again, well, now they’d need the code generated on my phone, at that time. Maybe not 100% secure, but way more hackerproof than it was.
Authenticators are nothing new. Companies have been using them to give employees access to VPN servers for decades. Blizzard has been using them for nearly ten years to secure player accounts from hacking. Facebook, PayPal, WordPress, even Gmail all use some form of authentication.
Why are my social network and my games more secure than my personal credit information? At this point in our level of technology, isn’t it about time we gave up SIN/SSNs for a much more secure key? Instead of assigning a SIN number, why not assign us an encryption key? Either in a smart card, or an authentication key/app paired with a private key. In the unlikely event that your information is compromised somehow? All you need to do is change your personal key (the seed) and it instantly invalidates anything already paired with the old key. Not a problem for you, because you can just reauthenticate any systems that need to with your new key, but it effectively locks the bad guys out of your business.
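To make the time-plus-seed idea and the "change your key" argument concrete, here is an added example (not from the original post) using TOTP from RFC 6238, the open algorithm behind most phone authenticator apps; it is not SecurID's proprietary algorithm. The `Verifier` class, the person name and both seeds are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 of the number of `step`-second intervals since the epoch."""
    counter = struct.pack(">Q", max(0, unix_time) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed: bytes, code: str, unix_time: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current interval plus/minus `drift` intervals to absorb clock skew."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + i * step, step), code)
        for i in range(-drift, drift + 1)
    )

class Verifier:
    """Hypothetical relying party (bank, credit bureau) storing one seed per person."""
    def __init__(self):
        self._seeds = {}

    def enroll(self, person: str, seed: bytes) -> None:
        self._seeds[person] = seed  # re-enrolling overwrites, i.e. rotates, the seed

    def check(self, person: str, code: str, now: int) -> bool:
        return verify(self._seeds[person], code, now)

def demo() -> dict:
    old_seed = b"constructed-seed-before-breach"   # sample values, not real secrets
    new_seed = b"constructed-seed-after-rotation"
    now = 1_700_000_000
    bank = Verifier()
    bank.enroll("alice", old_seed)
    results = {"owner_before": bank.check("alice", totp(old_seed, now), now)}
    # A code captured now is useless five minutes later, even with the same seed.
    results["replayed_later"] = bank.check("alice", totp(old_seed, now), now + 300)
    # After a breach the owner rotates; anyone holding old_seed is locked out.
    bank.enroll("alice", new_seed)
    results["thief_old_seed"] = bank.check("alice", totp(old_seed, now), now)
    results["owner_new_seed"] = bank.check("alice", totp(new_seed, now), now)
    return results

if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59, digits=8))  # RFC 6238 test vector
    print(demo())
```

Note that the verifier here stores the same seed as the owner, so a breach of the verifier leaks the seed too; rotation is what limits the damage, which is the property a static SSN/SIN lacks.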
Imagine this was the technology we were using when Equifax got hacked. As it stands right now, people are scrambling to figure out if their information was stolen, worried that people will be taking out credit cards in their name, and freezing credit to keep anyone, including themselves, from being able to sign up for any new credit-based services. With an encryption key, it would be a quick call to change your personal key, meaning that all the information taken by the hackers is invalidated and useless. Credit cards, tax accounts, bank systems, just about every financial system would be connected to the account, making it very difficult for security breaches to harm you.
I want my real assets to be just as tightly covered as my virtual assets.