11.18.2009

Identity Theft Madness


Identity Theft in The Matrix

There is nothing I hate more than being lied to.

Ok, that's not really true, but using 'hate' in the first sentence really makes the blood boil, doesn't it?

Good. Now that your blood is at a slow simmer, I can explain to you from whence this hatred comes. I was watching the television last night, enjoying the feeling of my brains rotting from the inside out, when a commercial came on that grabbed my attention. If I could find a video of it, I would post it. For now, you'll have to take my word for it, because I don't remember the company's name.

A lonely man is buying something over the Interwebs and he whips out the ol' credit card to pay. He types the numbers into the appropriate field and hits Enter. Cut to a squalid slum in a desert in some country in Africa (Nigeria, I think), where a dirty, poor-looking man is staring intently at a LED-backlit, super-awesome computer connected to the Internet, waiting for something to happen. All of a sudden, credit card numbers appear in bold font, one number at a time, and he smiles smiles of joy and pleasure as he quickly prints out the numbers and hands it off to an emaciated little boy, also smiling like he was just given double rice rations by the Nigerian government. The boy runs along the dirty city market streets, where chickens squawk and burly men rip off the destitute horde with impunity, until he reached a small shack where the purchased items are stored. The man in charge takes the slip of paper with the card number, smiling like his 4th wife just gave birth to a boy, and packs up the item for the lonely man. Cut to an ominous warning about identity theft, and how it will happen to you unless you buy our product..

Now, I know that commercials lie. I mean, marketing is just a word for that blurry area between lie and truth that businesses pour money into and cultivate to capitalize on the almost-lie that compels people to purchase their products. But sometimes the line of falsehood is crossed, and when it happens in a subject that I am somewhat educated in, it drives me nuts.

Let's go over some factual knowledge. This is how eCommerce functions these days.

The basic rule of ID security on the Interwebs is that the last person to see credit card numbers in unencrypted clear text is you. Once you finish entering data and submit it, assuming you're using a legit eCommerce service (more on that later), the relevant data is encrypted using a cryptography algorithm. The common algorithms used today are all variants of RSA (Rivest, Shamir, Aldeman, the people who wrote it) and are typically encased in a protocol called TLS (Transport Layer Security, the successor to the ever-popular SSL [Secure Socket Layer]) that uses RSA encryption with 1024 or 2048-bit keys.

Now, for some cryptography 101 (5 in binary). Plaintext is encrypted through the use of keys. Keys both encrypt and decrypt data by using whatever algorithm you choose to apply the key to the data. There are two ways to increase security in a data transfer. You can make the algorithm stronger and less vulnerable to computational flaws and vulnerabilities, or you can simply make the key longer and thus harder to guess. This is where the terminology can get confusing.

Saying an algorithm has 12 bits of security is very different than saying the algorithm has a 12-bit key, and people tend to get confused. When I say that an algorithm has 12 bits of security, I'm saying that there has been a proven method to break the algorithm and find a key with 11 bits of complexity. So the effective security is 12 bits. When I say the key is 12 bits, I'm saying that the key itself is 12 bits long. Just for perspective, 12 bits (11111111111) means that there are  4096 possibilities for the key.

If you want to know how complex the RSA algorithm is (the original one written in the 70's) just take a gander here and hope your brain doesn't explode. I'm going to discuss the details of that. The relevant point is that the algorithm uses keys that are 1024 or 2048 bits in length. That means that there are 22048 or 1024 possibilities that the key could be. Just for some perspective once again, IP addresses are 32-bits. There are 4,294,967,296 possibilities there. The number is bigger than anyone can imagine, and binary represents it in 2048 digits (Any internet calculator in which you type in 2^2048 will return 'Infinity'. So, unless someone comes up with an efficient way to break RSA as it stands today (Hint: Nobody has), if you transfer data over the Interwebs with TLS, nobody will know your credit card numbers.

So, how do companies use this? Enter Public Key Cryptography. Also developed in the 70's, PKC revolutionized the way messages were ciphered and deciphered, and is the standard operating procedure of all eCommerce and other data sensitive services on the Interwebs. An analogy widely used is that of a mail slot. I own a locked mailbox with a slot. People know where the box is and where the slot is to deliver mail, but only I have the key that unlocks the box to get access to the mail. The mail slot is the public key, and my unique access to the mailbox is the private key. The keys are related in that they both are relevant to the mailbox, and this is reflected mathematically in practice. There has to be a trust system that guarantees the keys are related, just as the post office is responsible for relating mailboxes to keys. When I drop my mail in the mailbox, I want to know that the private key to that mailbox is only owned by the one person that belongs to the mailbox. This is accomplished using the PKI (Public Key Infrastructure). It is a system that sets up companies to distribute certificates that guarantee relationships between private and public keys on the Internet. The biggest company these days in Verisign.

Oh, and all this, all this complex infrastructure and cryptography, is symbolized in your browser by one letter. Normally, in your URL, you'll see http://blabla.bla. If you're using TLS, and therefore RSA and PKI, you'll see https://blabla.bla. The s stands for secure, and you know you're dealing with a legit and secure website.

So, how does this all go down in real life?

When you buy a product from amazon.com, this is what happens to your information. If you'll notice the address bar on the page that asks you for your credit card information,

it has changed to https. This means that any data entered into this paged will be encrypted with a public key given to Amazon by a certification company (VeriSign is this case) that tells my computer to trust that encrypted communication between me and amazon will be only readable by amazon. Since you purchased a product from amazon, you are authorizing them to draft payment from your account. If you don't Amazon to keep your information safe, then you shouldn't ever spend with anything other than cash from now on. And then get some professional help, because you are a hopeless paranoid. Anytime you swipe your card, you are giving some business your numbers. They don't steal those numbers because it is in their best interests not to. If you ever find unauthorized transactions on your statement, banks are very lenient about cancelling those charges, and re-issuing a card if needed. And if Amazon ever steals your credit card information, the entire company would face huge lawsuits and litigation and would not come out profiting from the venture.

The other, potentially more vulnerable, method of purchase is through third-party portals like Ebay. Things are a little different there. They use Paypal. What paypal does is manage both sides of the transaction through their own TLS certificates, and this way the seller never sees any payment information. Paypal drafts the account and pays the seller, so the only security vulnerability is PayPal's trustworthiness. Being that their entire business model hinges on that one attribute, I wouldn't worry about them too much.

So, basically, it's just as safe, if not safer, to shop online than to shop in a store. Nobody in Nigeria is reading your numbers and smiling like a moron.

Oh, and the whole pitch of Identity Theft? Ya, you can't get that from a credit card number. Unless you can access bank records that match credit accounts to SS numbers, and then match SS numbers to whatever else you need, your "Identity" is safe. Nobody is going to be walking around with your Passport and ID pretending to be you. The only possible theft here is from your bank account.

I guess that says a lot about what people perceive as their identity, and that's sad.

2 comments:

Benjamin said...

But what about that big hand that comes out of the computer screen? Can't it steal my card?

Ruler of the Interwebs said...

Did you not read the caption?

Post a Comment