Recorded Behavior as Data Authentication

Taming Credit/Payment Card Fraud and Identity Theft

or

Why Not Text Me to Confirm Each of My Credit Card Transactions?


Back in the 90s, when e-commerce was in its infancy, one vision held that commerce would come to depend on everyone acquiring certificates and private keys under public key infrastructure (PKI). Under this vision, each actor in commerce would be identified by her unique private key. But she would have to protect her private key as though her life depended on it. If a criminal were to shanghai her private key, he could impersonate her (steal her identity).

The PKI school eventually fell out of favor. One reason is that it assumed ordinary people and corporations could prevent crooks from stealing their private keys.

Today we see that theft of data such as private keys is not so uncommon.

Peter Huber offers an alternative vision in “Secure I.D.s and the Net,” Forbes, August 13, 2007, p. 64. Recognizing that criminals routinely swipe credit card and social security numbers, he argues that efforts to keep such data elements secret do little to authenticate legitimate users. Instead, what really confirms a person's identity is her recorded pattern of behavior over time.

As multiple, independent databases record the details of our day-to-day march through life, they create a unique profile for each of us. They record that you went through a toll booth here (at 7:15pm), you purchased a hamburger there (at 7:39pm), you scanned a thumbprint some other place, and on and on. When it comes time to confirm you are you, a gatekeeper will pull details from these disparate databases and compare them against what the person claiming to be you can tell it. For instance, when your credit card company wants to confirm it is really speaking to you on the phone (or responding to a cell-phone text message seeking confirmation of a transaction), it will ask you to reveal that you know where you purchased the hamburger the night before.

Here is an article I posted on the law of card data security.

--Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, a thought leader in data records management.