can help prevent identity theft, says BU computer scientist
Identity theft is so alarming in part because it is initially imperceptible:
a bank clerk surreptitiously jots down a social security number, or an
employee at a data storage center peeks at some credit card information.
Often victims have no idea how the crime occurred, yet they are left
financially devastated and facing the arduous task of righting a ruined
And the looting has just begun. Earlier this year, the
Boston-based market research firm Aberdeen Group estimated that financial
from identity theft worldwide will triple to $24 billion in 2003, partially
because of an increase in online business transactions.
So when will
we get a miracle technological fix to the fast-growing problem? Unfortunately,
says CAS Computer Science Assistant Professor Leonid Reyzin,
the issue of identity theft is far too complicated for a quick solution,
partly because our society compels us to treat crucial secrets — our
credit card and social security numbers — hardly as secrets at
all. However, he says that innovative cryptographic technology, if commercialized,
can make financial transactions more secure. Credit cards or debit cards
can be designed to authorize a charge by transmitting an encrypted digital
code directly into a computer, for instance, without causing the card
number or other personal information to be revealed, even to the machine
that accepts the card.
The B.U. Bridge spoke with Reyzin recently about online security issues
and about simple precautions that consumers can take to protect themselves
B.U. Bridge: How can people protect themselves against
Reyzin: One of the most important things to remember is
that you should never e-mail anybody your social security number — or
card number, for that matter. E-mail isn’t secure: between your
computer and the computer you’re communicating with, your message
travels through roughly 10 to 20 other computers, and each of those
computers has a systems administrator who can access that message and
whom you don’t know and so have no reason to trust.
B.U. Bridge: What makes a person susceptible to
online credit card fraud?
Reyzin: When you make a legitimate purchase
online, the merchant keeps a record of the transaction that includes
your credit card information.
These records are very difficult to safeguard, both because the computers
that can access them are operated by humans who make mistakes and
sometimes are not trustworthy, and because computers can usually
B.U. Bridge: How do you know if a Web
site is safe to give your credit card number to?
Reyzin: A Web
site is secure if there is a small lock icon in the bottom corner of
your computer screen, or if the Web address of the page where
you’re asked to enter your credit card information starts with “https,” as
opposed to the typical “http.” However, this only means that
the information is protected from prying eyes in transit. The merchant
still has to decrypt the message to charge your credit card, and then
you face the same problems involving the safety of the stored records.
B.U. Bridge: Is the technology involved in online
transactions as safe as it could be?
Reyzin: Technology does exist
to improve the security of online transactions, but the industry has
been slow to improve electronic security systems
for various reasons. Credit card companies, for instance, seem willing
to accept the liability for fraud rather than spend the money to make
Currently, I’m conducting research with my BU colleague
Gene Itkis to develop technology that would allow electronic data storage
to recover quickly after they are broken into. It assumes that data will
always be broken into, and that it’s best to limit the damage that
occurs when it happens. So for example, software might be designed so
that if an
intrusion occurs, only one day’s worth of information could be
lost, instead of one year’s worth. Traditional cryptography, in
contrast, has tended to think about keeping very large collections of
data secret, and in that sense, has put all its eggs in one basket.
B.U. Bridge: Do you recommend any of the commercially
available software packages that promise to make electronic communications
mask one’s online identity?
Reyzin: There are a few companies
out there that promise to do things such as encrypt communications, or
like Anonymizer, traffic your Internet
connection through their company’s server to mask your online identity
to the Web sites that you visit. Unfortunately, these types of services
are extremely difficult to design properly, and recently there has been
shown to be serious problems with at least one of them. A study done
by David Martin, a former BU colleague of mine who now teaches at UMass-Lowell,
showed that one such service, Safeweb, unknowingly made people’s
online information less secure rather than more so, because it accumulated
all of the person’s tracking information in one place, where it
could be broken into relatively easily.
B.U. Bridge: Is there a way to avoid receiving
Reyzin: Most spammers accumulate e-mail addresses from
public sources, and once you get on a list there’s no way to get
off it because these lists are shared by marketers. If you respond to
a spam, it will
just make it worse because it shows them that yours is a live address.
Another thing that attracts spam is putting your e-mail address anywhere
on the Web, because just as there are search engines for finding particular
phrases on the Internet, there are search engines that can find e-mail
Cryptography can help with this issue, too — the basic
problem with spam is that it costs nothing for somebody to e-mail you.
A recent cryptographic
idea is to require people with whom you’re not familiar to pay
a cost to contact you. But not a monetary cost — rather a cost
in time: it would require their computer to solve a computational puzzle
being allowed to communicate with your computer, which might add one
second to the time it takes the e-mail to go through. For a casual computer
user — say a reporter who’s never e-mailed you before — it
would take his computer an extra second to send you that e-mail, which
of you will even notice. But for a spammer sending out a million messages,
theoretically that will tie up his computer for a million seconds.