Can I change my passwords, please?

Get this: identity theft is not a joke. Bad people roam cyberspace regularly looking for opportunities to take away your identity and your money (in whichever order happens to be the easiest). Still not convinced? Here is one example: False Security: ‘Scareware’ Spreads (Wall Street Journal, April 15, 2009). Ask anybody who has been a victim and they’ll tell you how much time, money, and mostly aggravation it costs when you get hit.

A couple of years ago I had to go through a very exhausting exercise with my accountants until they finally got the idea that they have to secure all sensitive communications with a password (and not include it in the message; not in any email message!). Just these days I’ve had a similar episode with a mortgage broker. First he sent me a credit report — which includes all the ‘goodies’ an identity thief would look for — in an email message. When I pointed this out and asked him not to do this again, he apologized and promised. Then, today, I get another sensitive document. This time he remembered: “the password is the last four digits of your Social.” I don’t consider this a good password (more on this later) but it is better than nothing. Then I scrolled down his message and found two instances of previous forwards, each time with the statement: “PW xxxx”. There, just scroll one screen and you’ve got it. Of course I got really furious, and shot back a message that I had not known I was capable of producing. Looks like some people haven’t quite gotten used to reality in today’s digital world. But this brings us exactly to the point of this piece.

We all got used to user names and passwords. We have them on our computers, voice mail boxes, email accounts, and various online accounts. We usually get to choose them — “some restrictions may apply” — and to change them. Sometimes we are forced to change a password every so often; standards are evolving towards restricting the ‘life span’ of a password to no more than 180 days, often only 90 days. And you won’t be able to reuse the same password for a long time. When someone got my friend Bob’s email password, it was a pain for a couple of hours, but then he managed to get his account back by getting his provider to change the password.

Except our life passwords.

“Can I have your date of birth for authentication?” asks the person on the other side of the line (it can be a bank, an insurance company, many other entities you get to call). I give her mine and add: “My DOB is not a very good authentication method.” “Why?” she asks. “Because so many people know it.” “I know,” she says, “I only want to make sure who I am speaking to.” Sigh.

Or, they might ask you for your Social Security Number (occasionally, now, only for the last four digits — mine just traveled through several clear-text email messages); Mother’s Maiden Name; sometimes just your Zip Code. So many people post their DOB on Facebook and other social networks; anybody can find out your ZIP code by entering your name into a search box online.

What happens if someone knows your SSN/MMN/DOB/ZIP? They pretty much have access to all your personal information. They can call your bank, your retirement account broker, anybody, and ask them to change the address, to move the money, whatever they want. By the time you find out, it may be too late. And you don’t have the option to change them, the way you can change your password.

And that is why I say it’s time to move away from SSN etc. as the way to authenticate people. If you look at your Social Security card, you’ll find it written there that it is unlawful to use your SSN for identification purposes. How many people would have to be prosecuted if this were taken seriously? In a fast digital world these antiquated authentication methods are no longer adequate.

A combination of technology, policy, and education is called for. Technology can offer much more reliable alternatives; I will skip any technical details here. On the policy side, just as it is no longer legal to use your SSN as your driver’s license number, it should become completely illegal to use any of these measures as sufficient authentication. Authentication methods should be built on at least one piece of information that only you know (that’s the only true secret), your ‘life password’. Yes, it is technically possible. And people should learn that they should never ever share that ‘life password’ with anyone. Anyone. And, of course, if somehow that password gets compromised, we should be able to change it, unlike our SSN or DOB.

When we have such authentication in place, I won’t worry about my SSN traveling in clear text in an email message.

Will it stop all identity theft? Of course not. But it will make it a lot more difficult, and therefore much less likely to happen.
