Australia's Medicare data leak certainly won't be the last such, so why are so many expressions of digital identity so badly protected?
To answer this question, The Register spoke to Lockstep Technology's Stephen Wilson about yesterday's discovery that numbers are being traded on Tor sites.
It's a question he's been studying in detail, because his company, Lockstep Technology, has been working on an identity theft problem for America's Department of Homeland Security. In work that's “not a hundred miles” from the Medicare problem, he's looking at how to secure first responders from identity theft.
About Medicare, he asked, why has nobody protected Medicare numbers against “data replay” with the same solution the credit card industry adopted years ago – chip-and-PIN?
After all, the Medicare card is burdened with a double life: in a doctor's office or a hospital emergency room, it's an administrative unit that lets payments flow around the system – but if you're opening a bank account, it's part of the proof of your identity. In that secondary role, merely the details on the card (name, number, expiry date) should not be sufficient, because that's what opens the number up to abuse.
The problem statement is simple: “What is manifestly apparent is that our data is too easily replayable,” Wilson told The Register.
“The credit card industry fixed that years ago with chip-and-pin. The credit card number is the currency of the payment system – you can't get rid of them.”
That led to carding crime that was solved by chip-and-PIN in all cases but “card not present” transactions, which Wilson called the “classic identity theft – steal a factoid about me, and use it.”
In most use-cases, though, providing the chip means credit card transactions are digitally signed with something the owner controls. “Nothing's perfect, but to a pretty good approximation, you can eliminate identity theft,” Wilson said.
“I don't understand why we're not doing that – you could chip-and-PIN Medicare cards”, he added – and nothing else, not even the familiar look-and-feel of the card's design, has to change.
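To make the “replay” point concrete, here is an added illustration (not code from the article, The Register or Lockstep): a verifier that accepts the static details printed on a card is satisfied by any copy of those details, whereas a verifier that demands a cryptogram signed over a fresh challenge with a key that never leaves the chip is not. It uses HMAC with a per-card key as a stand-in for the chip's transaction cryptogram, and all card numbers, names and amounts are constructed sample data.

```python
"""Static card details versus chip-signed transactions (added example, constructed data)."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- Model 1: the details printed on the card are the whole credential --------

@dataclass(frozen=True)
class StaticDetails:
    number: str
    name: str
    expiry: str

# Constructed sample record, as a bank or clinic back end might store it.
VERIFIER_RECORDS = {
    "2345 67890 1": StaticDetails("2345 67890 1", "A. Citizen", "03/2026"),
}

def verify_static(presented: StaticDetails) -> bool:
    """Anyone who knows the details passes: a leaked record is as good as the card."""
    return VERIFIER_RECORDS.get(presented.number) == presented

# --- Model 2: the chip signs each transaction over a challenge ----------------

@dataclass
class ChipCard:
    number: str
    # Card-unique key held inside the chip; it is never read out or printed.
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    _counter: int = 0  # transaction counter, increments on every signature

    def sign_transaction(self, challenge: bytes, amount: int) -> dict:
        self._counter += 1
        msg = f"{self.number}|{challenge.hex()}|{amount}|{self._counter}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"number": self.number, "challenge": challenge,
                "amount": amount, "counter": self._counter, "tag": tag}

class Issuer:
    """Back end that issued the card and shares its key (as EMV issuers do)."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}
        self._open_challenges: set[bytes] = set()

    def enrol(self, card: ChipCard) -> None:
        # In practice the issuer generates the key and personalises the chip with it.
        self._keys[card.number] = card._key
        self._last_counter[card.number] = 0

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._open_challenges.add(c)
        return c

    def verify(self, txn: dict) -> bool:
        key = self._keys.get(txn["number"])
        if key is None or txn["challenge"] not in self._open_challenges:
            return False  # unknown card, or a challenge we never issued / already consumed
        if txn["counter"] <= self._last_counter[txn["number"]]:
            return False  # counter not fresh: a straight replay of an old cryptogram
        msg = f"{txn['number']}|{txn['challenge'].hex()}|{txn['amount']}|{txn['counter']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["tag"]):
            return False  # cryptogram does not cover this challenge/amount/counter
        self._open_challenges.discard(txn["challenge"])
        self._last_counter[txn["number"]] = txn["counter"]
        return True

# --- Demonstrations -----------------------------------------------------------

def replay_static_details() -> bool:
    """Details copied from a leaked record pass the static check."""
    leaked = StaticDetails("2345 67890 1", "A. Citizen", "03/2026")
    return verify_static(leaked)  # True

def replay_chip_cryptogram() -> tuple[bool, bool, bool]:
    """Genuine transaction passes; replaying or re-targeting its cryptogram fails."""
    card, issuer = ChipCard("2345 67890 1"), Issuer()
    issuer.enrol(card)
    txn = card.sign_transaction(issuer.new_challenge(), amount=4200)
    genuine = issuer.verify(txn)          # True
    same_again = issuer.verify(txn)       # False: challenge consumed, counter stale
    # Someone holding the captured record but not the key tries it on a new challenge.
    forged = dict(txn, challenge=issuer.new_challenge(), counter=txn["counter"] + 1)
    forged_ok = issuer.verify(forged)     # False: the tag does not cover the new challenge
    return genuine, same_again, forged_ok

if __name__ == "__main__":
    print("static details replay accepted:", replay_static_details())
    print("chip (genuine, replayed, re-targeted):", replay_chip_cryptogram())
```

The design choice that matters is where the secret lives: in the static model the “secret” is the card face itself, so every database that stores it is a place it can leak from; in the chip model the verifier only ever sees a one-time cryptogram, so a leaked transaction log yields nothing replayable.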
Take off the tinfoil
The main reason it hasn't already happened is simple: government mishandling of IT and privacy means too many citizens will link a better Medicare card to more efficient invasions of privacy.
It boils down to “overreach and confused agendas” in government, Wilson said, citing the example of the proposed-but-abandoned Human Services card.
That proposal brought out the tinfoil hats “because the government of the day didn't know how to explain it” – and because governments have a bad habit of trying to get one item (the Medicare card or the Human Services card) to do too much.
“You could chip-and-PIN the Medicare card to prevent replay and nothing else,” he said. “By and large, chip-and-PIN is just a refit of the magnetic stripe – credit cards never changed.”
Constraining such a move to that one application should “defuse the alarms people have about chip-cards and government”.
So far so good, but the Medicare card leak does illustrate that the proliferation of identities makes citizens vulnerable from too many directions at once.
There are so many credentials: as well as Medicare numbers, Australians have credit cards, bank account numbers, tax file numbers, employee numbers, drivers' licences and many, many more. Each of these might be accessible to thousands of individuals.
In handling personal data, Wilson says, “we've forgotten the need-to-know principle.”
“Look at the OPM issue in the US – who needed to know that, and why was it ever online in the first place?”
Laziness, convenience, or overwork – all contribute to people ignoring the principle: “Some healthcare systems will default to giving anybody access, because some intern in a hospital doesn't want to get proper clearance,” he said.
Need-to-know, limited data collection, and privacy all get overlooked “in the heat of the moment, or because someone's lazy, or under 'minimum viable product' pressure”.
And because governments are following fashion and attaching APIs to everything with too little oversight – something pursued with a “religious zeal” that “trumps common sense”.
The Register suggested the Medicare leak could be as simple as an insider selling individual records from a system for which they've got a valid login, and “the Medicare Factory” acting as the retailer, but Wilson's not so sure.
“I'd bet on an exposed API that's weakly authenticated,” he said. “Somewhere there'll be an API that should only be whitelisted or accessed by someone already logged in. But once you're through there, you can get the number.” ®