the last four digits

Aug 14, 2006 15:13

Recently I've come to notice a rather odd phenomenon in official university business, banking, subscription services and utilities. It used to be that one's Social Security number was reserved specifically for government use. Not long ago, though, it began to be used for all sorts of things unrelated to Social Security, purely as a convenient method of personal identification. Since one's SS number is supposed to be kept secret to begin with, in theory it works well as a sort of universal passcode. The same now applies to credit card numbers: just as with SS numbers, a credit card number on file with whatever organisation, agency or company you're dealing with can serve as a passcode. The theory breaks down, though, as soon as an untrustworthy party comes into contact with one of these numbers in association with your name. Now they can start the process of identity theft. I don't really see identity theft as a huge problem at the moment, if it ever was in the past (despite the victims profiled in the mass media acrimoniously pointing out just how long it took them to restore their credit rating). However, I do see the potential for it to become a large problem soon if we keep on the trend we are on now.

The first attempts at isolating third parties from SS and CC numbers as much as possible involved a well-secured initial sign-up process in which the customer provides their full SS or CC number (obviously a full CC number is needed anyway if the entity plans on charging you for something). Thereafter, the customer needs only to provide the last four digits of their SS or CC number to, for example, a customer service representative over the phone. This technique is nice in theory, but again breaks down in practice.

Already, having only the last four digits of an SS or CC number is almost as good as having the full number. My concern is this: that soon, all an identity scammer will really need in the first place are the last four digits of one's SS or CC number, and they'll be able to do as much damage as they could have with the full number. In fact, they might not need anything at all, because with many automated systems (web forms, automated phone menus) a four-digit number is trivial to brute-force, that is, to guess by trying every possibility in succession: there are only 10,000 of them (0000 through 9999). Obviously, calling a customer service agent on the phone 10,000 times won't fly, but a four-digit number is still vastly less secure than a nine-digit number (as with SS numbers) or a 13- to 19-digit number (as with credit cards), and it stays that way unless the system counts wrong guesses and refuses to keep answering.
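To make the brute-force point concrete, here is an added Python sketch (mine, not code from the post or from any of the companies it names). It simulates a "last four digits" check of the kind a web form or automated phone system performs: an unthrottled verifier that can be walked through all 10,000 candidates, beside a version that locks the account after a handful of failures. The customer record, the lockout threshold and the helper names are all constructed for the example.

```python
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample record: the system stores only the last four digits of the
# customer's card or SSN, exactly as the post describes. Value is made up.
CUSTOMER_LAST4 = "4729"


def weak_verify(candidate: str) -> bool:
    """Unthrottled check. Every call is answered, so an attacker can simply
    try 0000, 0001, ... until one is accepted."""
    return hmac.compare_digest(candidate, CUSTOMER_LAST4)


def brute_force(verify: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Try every four-digit string in order against `verify`.

    Returns (matched_value, attempts_made). If the verifier stops answering
    (raises PermissionError), returns (None, attempts_made)."""
    attempts = 0
    for n in range(10_000):
        candidate = f"{n:04d}"
        attempts += 1
        try:
            if verify(candidate):
                return candidate, attempts
        except PermissionError:
            return None, attempts
    return None, attempts


class ThrottledVerifier:
    """Same check, but failures are counted per account and the account is
    locked after MAX_FAILURES. The attacker then gets MAX_FAILURES guesses,
    not 10,000. (Threshold is an assumption for the example.)"""

    MAX_FAILURES = 5

    def __init__(self, last4: str) -> None:
        self._last4 = last4
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            raise PermissionError("account locked; out-of-band reset required")
        if hmac.compare_digest(candidate, self._last4):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def guess_probability(digits: int, attempts: int) -> float:
    """Chance of guessing a uniformly random `digits`-digit secret within
    `attempts` tries: attempts / 10**digits, capped at 1."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    print("unthrottled:", brute_force(weak_verify))
    print("throttled:  ", brute_force(ThrottledVerifier(CUSTOMER_LAST4).verify))
    for d in (4, 9, 16):
        print(f"{d} digits, 5 guesses: {guess_probability(d, 5):.2e}")
```

Against the unthrottled verifier the loop recovers the four digits after at most 10,000 calls; against the throttled one it is shut out after five wrong answers, which is what makes the difference between "four digits is trivial" and "four digits is a weak but survivable second factor". The `guess_probability` helper shows the gap the post describes: five guesses against four digits succeed one time in 2,000, against nine digits one time in 200 million.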

So who asks for the last four digits of an SS number? Well, Cingular for one. So do most banks and insurance companies. Web hosting companies and online stores tend to ask for the last four digits of CC numbers. So how do we fix this? It might help to have some systems ask for, say, six digits instead of four. Then, if a third party recovered the last four digits, they wouldn't be able to use them against the systems that ask for six. It's true that if they recovered six digits, they'd have the last four as well and could use them with the four-digit systems, but at least a four-digit leak would no longer unlock every system at once.

The truly damning problem is that the opposite strategy (that is, asking for more information, not less) means that a third party who breaches one of those services recovers more at once. When credit cards first appeared, all you needed to provide was a credit card number. Later on, they added the expiration date and the signature (if your signature doesn't match, the transaction shouldn't go through). Then they added the 'security code' (three digits on most cards, four on some). In the end, all you have to do is send all this information once to the wrong party, and then it doesn't matter how many little extra numbers you have on your card.

--Eoban