Why the Equifax Breach Should Not Have Mattered
Marten Lohstroh

Citation
Marten Lohstroh. "Why the Equifax Breach Should Not Have Mattered". The World Congress on Internet Security (WorldCIS 2017), December, 2017.

Abstract
Data security, which is concerned with the prevention of unauthorized access to computers, databases, and websites, helps protect digital privacy and ensure data integrity. It is extremely difficult, however, to make security watertight, and security breaches are not uncommon. The consequences of stolen credentials go well beyond the leakage of other types of information because they can further compromise other systems. This paper criticizes the practice of using clear-text identity attributes, such as Social Security or driver's license numbers---which are in principle not even secret---as acceptable authentication tokens or assertions of ownership, and proposes a simple protocol that straightforwardly applies public-key cryptography to make identity claims verifiable, even when they are issued remotely via the Internet. This protocol has the potential of elevating the business practices of credit providers, rental agencies, and other service companies that have hitherto exposed consumers to the risk of identity theft, to where identity theft becomes virtually impossible.

Citation formats  
  • HTML
    Marten Lohstroh. <a href="http://www.terraswarm.org/pubs/1011.html">Why the
    Equifax Breach Should Not Have Mattered</a>, The World Congress on Internet
    Security (WorldCIS 2017), December, 2017.
  • Plain text
    Marten Lohstroh. "Why the Equifax Breach Should Not
    Have Mattered". The World Congress on Internet Security
    (WorldCIS 2017), December, 2017.
  • BibTeX
    @inproceedings{Lohstroh17_WhyEquifaxBreachShouldNotHaveMattered,
        author = {Marten Lohstroh},
        title = {Why the Equifax Breach Should Not Have Mattered},
        booktitle = {The World Congress on Internet Security (WorldCIS
                  2017)},
        month = {December},
        year = {2017},
        abstract = {Data security, which is concerned with the
                  prevention of unauthorized access to computers,
                  databases, and websites, helps protect digital
                  privacy and ensure data integrity. It is extremely
                  difficult, however, to make security watertight,
                  and security breaches are not uncommon. The
                  consequences of stolen credentials go well beyond
                  the leakage of other types of information because
                  they can further compromise other systems. This
                  paper criticizes the practice of using clear-text
                  identity attributes, such as Social Security or
                  driver's license numbers---which are in principle
                  not even secret---as acceptable authentication
                  tokens or assertions of ownership, and proposes a
                  simple protocol that straightforwardly applies
                  public-key cryptography to make identity claims
                  verifiable, even when they are issued remotely via
                  the Internet. This protocol has the potential of
                  elevating the business practices of credit
                  providers, rental agencies, and other service
                  companies that have hitherto exposed consumers to
                  the risk of identity theft, to where identity
                  theft becomes virtually impossible.},
        URL = {http://terraswarm.org/pubs/1011.html}
    }
    

Posted by Mary Stewart on 11 Oct 2017.