B.U. Bridge

University Professor Geoffrey Hill, at the Marsh Chapel Poetry Reading, Friday, April 18, 5:30 p.m.

Week of 11 April 2003· Vol. VI, No. 28

Current IssueIn the NewsCalendarArchive

Search the Bridge

Mailing List

Contact Us


Cryptography can help prevent identity theft, says BU computer scientist

By David J. Craig

Identity theft is so alarming in part because it is initially imperceptible: a bank clerk surreptitiously jots down a social security number, or an employee at a data storage center peeks at some credit card information. Often victims have no idea how the crime occurred, yet they are left financially devastated and facing the arduous task of righting a ruined credit history.

And the looting has just begun. Earlier this year, the Boston-based market research firm Aberdeen Group estimated that financial losses stemming from identity theft worldwide will triple to $24 billion in 2003, partially because of an increase in online business transactions.

Leonid Reyzin Photo by Vernon Doucette


Leonid Reyzin. Photo by Vernon Doucette


So when will we get a miracle technological fix to the fast-growing problem? Unfortunately, says CAS Computer Science Assistant Professor Leonid Reyzin, the issue of identity theft is far too complicated for a quick solution, partly because our society compels us to treat crucial secrets — our credit card and social security numbers — hardly as secrets at all. However, he says that innovative cryptographic technology, if commercialized, can make financial transactions more secure. Credit cards or debit cards can be designed to authorize a charge by transmitting an encrypted digital code directly into a computer, for instance, without causing the card number or other personal information to be revealed, even to the machine that accepts the card.

The B.U. Bridge spoke with Reyzin recently about online security issues and about simple precautions that consumers can take to protect themselves against fraud.

B.U. Bridge: How can people protect themselves against identity theft?

Reyzin: One of the most important things to remember is that you should never e-mail anybody your social security number — or your credit card number, for that matter. E-mail isn’t secure: between your computer and the computer you’re communicating with, your message travels through roughly 10 to 20 other computers, and each of those computers has a systems administrator who can access that message and whom you don’t know and so have no reason to trust.

B.U. Bridge: What makes a person susceptible to online credit card fraud?

Reyzin: When you make a legitimate purchase online, the merchant keeps a record of the transaction that includes your credit card information. These records are very difficult to safeguard, both because the computers that can access them are operated by humans who make mistakes and sometimes are not trustworthy, and because computers can usually be hacked.

B.U. Bridge: How do you know if a Web site is safe to give your credit card number to?

Reyzin: A Web site is secure if there is a small lock icon in the bottom corner of your computer screen, or if the Web address of the page where you’re asked to enter your credit card information starts with “https,” as opposed to the typical “http.” However, this only means that the information is protected from prying eyes in transit. The merchant still has to decrypt the message to charge your credit card, and then you face the same problems involving the safety of the stored records.

B.U. Bridge: Is the technology involved in online transactions as safe as it could be?

Reyzin: Technology does exist to improve the security of online transactions, but the industry has been slow to improve electronic security systems for various reasons. Credit card companies, for instance, seem willing to accept the liability for fraud rather than spend the money to make major changes.

Currently, I’m conducting research with my BU colleague Gene Itkis to develop technology that would allow electronic data storage systems to recover quickly after they are broken into. It assumes that data will always be broken into, and that it’s best to limit the damage that occurs when it happens. So for example, software might be designed so that if an
intrusion occurs, only one day’s worth of information could be lost, instead of one year’s worth. Traditional cryptography, in contrast, has tended to think about keeping very large collections of data secret, and in that sense, has put all its eggs in one basket.

B.U. Bridge: Do you recommend any of the commercially available software packages that promise to make electronic communications secure or to mask one’s online identity?

Reyzin: There are a few companies out there that promise to do things such as encrypt communications, or like Anonymizer, traffic your Internet connection through their company’s server to mask your online identity to the Web sites that you visit. Unfortunately, these types of services are extremely difficult to design properly, and recently there has been shown to be serious problems with at least one of them. A study done by David Martin, a former BU colleague of mine who now teaches at UMass-Lowell, showed that one such service, Safeweb, unknowingly made people’s online information less secure rather than more so, because it accumulated all of the person’s tracking information in one place, where it could be broken into relatively easily.

B.U. Bridge: Is there a way to avoid receiving spam e-mail?

Reyzin: Most spammers accumulate e-mail addresses from public sources, and once you get on a list there’s no way to get off it because these lists are shared by marketers. If you respond to a spam, it will just make it worse because it shows them that yours is a live address. Another thing that attracts spam is putting your e-mail address anywhere on the Web, because just as there are search engines for finding particular phrases on the Internet, there are search engines that can find e-mail addresses.

Cryptography can help with this issue, too — the basic problem with spam is that it costs nothing for somebody to e-mail you. A recent cryptographic idea is to require people with whom you’re not familiar to pay a cost to contact you. But not a monetary cost — rather a cost in time: it would require their computer to solve a computational puzzle before being allowed to communicate with your computer, which might add one second to the time it takes the e-mail to go through. For a casual computer user — say a reporter who’s never e-mailed you before — it would take his computer an extra second to send you that e-mail, which neither of you will even notice. But for a spammer sending out a million messages, theoretically that will tie up his computer for a million seconds.


11 April 2003
Boston University
Office of University Relations