The news media here are reporting about yet another massive leaking of credit card information. As usual, we get the hand-wringing about computer security at corporations, proposals to require tougher punitive actions against companies that have lax security, et cetera. Underlying every report is an assumption
that this is just the way things have to be: of course
companies have to amass huge databases of highly valuable financial identifiers, and of course
the only way to mitigate the harm caused by individuals breaking into these databases is to tighten the security around them.
But wait just a moment here. What is a credit card number, anyway? A credit card number is essentially a token which means (translated to English) "I, Daniel Burrows, authorize the bearer of this card to incur indebtedness upon my behalf up to $LARGE_SUM_OF_MONEY." Shouldn't we at least think twice about spreading this sort of thing around? Again: I'm supposed to keep my credit card number a secret, but what earthly good is a secret that (by its very nature) I have to tell to large numbers of people?
Ok, so credit card numbers have problems, but is there any reason to think we can do better? Consider this question: why do we need credit card numbers in the first place? If you think about this a bit, you'll realize that the essential function that my credit card number serves is this: it proves my identity to the credit card company at the time that I use the card to fund a transaction
. Can we do this without passing magic blank-check tokens around? Phrasing this more formally: is there a way for me to prove my identity, but without permitting the party to whom I am proving my identity to masquerade as me?
Well, readers with a technical background (especially any Debianites) should know that the answer is "of course there is!" (and the rest of you should have figured it out from the direction my rhetorical questions were tending ;-) ) In fact, this scenario is one of the key features of a modern public-key cryptographic system. Briefly, in a public-key system, I have a secret "key" that only I know -- no-one
, and I mean no-one, besides me is allowed to know it. I also have a public "identity" corresponding to the private key -- everyone
is allowed to know this. The system then defines techniques by which I can prove that I know the private key corresponding to my public identity.
Hopefully you can see some obvious applications of this idea to resolve the problems with credit cards, although of course this is just a sketch; there are issues I've glossed over or left unaddressed. However, the thing that really frustrates me is not merely that people have overlooked one technique or another; I'm not even especially bothered that we're still using the old horribly insecure system (even if a replacement system were ready to roll out today
, it would take a long time to convert everything out there to use it). What bothers me is that there is this vast blind spot about the whole idea of credit card numbers. These things are a truly terrible idea in the modern day and age, and I wish more people would think just a level above the usual public discourse about them; not just "how do we fix the latest instance of this problem?", but "can we completely eliminate the cause of this class of problems?"
Or, <rhetoric>Stop trying to bail a ship full of holes, and ask yourself whether you need a new shipwright.</rhetoric>