I was standing inline at a bookstore today waiting to purchase a few Christmas gifts. The women in front of me made her purchase with a debit card and had to enter the PIN. With nothing else to do while waiting inline except to stare forward I easily observed the 4 digit pin. 2592 if I still remember correctly. This is just another reminder of the insignificant effectiveness of current security controls. We establish PINs for the purpose of securing the use of a debit card, but then provide the PIN in a relatively public fashion.
The same holds true with Social Security Numbers. How many times has someone asked you over the phone to verify the last 4 digits of your social security number? Has it occurred to you how pointless this is? In most cases, the caller will loudly reply with the 4 numbers to verify their identity. At this point, everyone in the vicinity knows the last 4 of the SSN and likely the person's full name too. If one of these people wanted to call that same number, they would have all of the information to impersonate the original caller. Again we have established a secret key used to identify the user, but provide this secret key in a public medium.
Here are a few suggestions to fix these problems. For the PIN number, simply use a digital screen to enter the numbers. On each use the ordering of the number changes, similar to the method used by some online banks. Combine this with a privacy screen which prevents those nearby from seeing the number layout and you have a much more secure solution.
While social security numbers themselves are not a good authentication item, we can still secure the transmission of them until a better solution is put in place. Instead of having the individual say the last 4 digits of the SSN to the other party, require the user to enter the 4 numbers into the phone. The party on the other end can decode the button presses as we see in many other phone applications. This system would prevent the disclosure of the SSN to people within earshot of the original caller.
Until we start to apply basic security to our most common uses of sensitive information we cannot expect to live without compromises of credit cards and loss of information used for identity theft.
-Michael Coates