I found out today that someone found the small amount of information about me they needed to nearly successfully buy stuff in my name. They call this "identity theft", but since my identity still seems to be intact (pats his rampant ego) and since, as an ardent SF fan, I'd like to reserve the term identity theft for the possibility of someone stealing a copy of me, I prefer not to use that term for this form of fraud.
Luckily I already had a fraud alert placed on my accounts before this happened; I started placing these alerts a while ago, on the basis that the banking system's verification methods are so broken that it makes sense to just do it pre-emptively, before you have any reason to think someone is trying to defraud you. Who knows if that does any good though.
Oddly, I almost ranted about this ID theft nonsense last week, before I knew this happened. The thing is, while I'm calling to report credit cards as compromised and learning that someone managed to put together my name, address, phone number, and a not very well secured credit card number, at the same time I have something here with these properties:
- Anyone can use it to verify if a given statement (such as "transaction 128: please pay this person $500") was actually made by me and actually applies to the person I meant it to.
- Using it doesn't automatically give it to a supposedly trusted third party, such as the low-paid phone support guy who has my credit card number and all the rest up on his screen right now as I ask him to cancel the purchase.
- According to the experts, is not breakable by any means except for a brute-force attack that would use the resources of a medium-sized country.
- Can be used to identify me with a fair degree of certainty, even if you've not met me.
- Is suitable for use on the internet.
- Even if physically stolen from me, is not trivially easy to break and use.
- If I lose it or know that someone has stolen it from me, I can revoke its use in a way that is just as hard to forge or break.
- Can, incidentally, be used to make private conversations just as hard to snoop on. But that's probably a different rant.
That magic thing is a public and private key pair for GPG, and it seems really weird to me that I can use this for unimportant things like signing email, and for crucial things like authenticating changes to the software deployed on millions of computers, but I cannot use it to pay a bill.
I wonder if the world at large will ever catch on to the uses of public key cryptography? Anyone want to start a First Bank of GPG?
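
The first property in the list above, sketched with GnuPG as an added example that is not part of the original post: a payment statement naming the transaction and the payee is clearsigned, verified against the signer's fingerprint, and rejected once the amount is edited. The key name, payee address and file names are constructed for illustration, and GnuPG 2.1 or later is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: throwaway key, constructed names; not the author's own setup.

# Create an isolated keyring holding a passphrase-less Ed25519 signing key.
setup_demo_key() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Payer <payer@example.invalid>' ed25519 sign never
}

# Print the fingerprint of the demo key (field 10 of the first "fpr" record).
demo_fingerprint() {
    gpg --batch --with-colons --list-keys payer@example.invalid |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Clearsign a statement. $1 = statement text, $2 = output file.
sign_statement() {
    printf '%s\n' "$1" |
        gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
            --clearsign --output "$2"
}

# Succeed only if the signature is intact AND was made by the expected key.
# $1 = signed file, $2 = expected fingerprint.
verify_statement() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# Stop the agent started for the temporary keyring and delete the keyring.
cleanup_demo_key() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

# Sign, verify, then confirm that editing the amount breaks verification.
demo() {
    setup_demo_key || return 1
    fpr=$(demo_fingerprint)
    sign_statement 'transaction 128: please pay payee@example.invalid $500' \
        "$GNUPGHOME/pay.asc" || return 1
    sed 's/\$500/$5000/' "$GNUPGHOME/pay.asc" > "$GNUPGHOME/tampered.asc"
    verify_statement "$GNUPGHOME/pay.asc" "$fpr" &&
        ! verify_statement "$GNUPGHOME/tampered.asc" "$fpr"
    rc=$?
    cleanup_demo_key
    return $rc
}
```

Checking the fingerprint from the `VALIDSIG` status line, rather than only the exit code of `gpg --verify`, is what ties the statement to one specific key instead of to any key that happens to be in the keyring.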