Security Pie

The ramblings of three security curmudgeons

Identity: The 100 Point Check


Credit Cards by s e v i n at flickr.com

Here in Australia, in order to perform a certain set of transactions (for example, to open a bank account) there is a government-mandated identification process called the 100 Point Check [PDF], which is codified in the Financial Transaction Reports Act of 1988.

The short version is this: when you come to identify yourself, you need to have 100 points. To reach this number you have to supply documented proof of your identity that adds up to 100 points. Let's see what's considered an identifier:

  • Primary Documents – 70 points BUT you can only use one of those.
    It includes passports (something you have + something you are) but also a birth certificate (something you have). Hmm.
  • Being a customer (of the financial institution) for more than 1 year – 40 points.
    This strikes me as bizarre and completely counterproductive. If I have been a customer for more than a year, does that mean the checks on my identity are more LAX than if I were a new customer? An attacker would invariably choose the identity of an existing customer to steal, and a long-standing customer would be an EASIER target.
  • Another financial institution OR another CUSTOMER (who has previously been identified) attests to the identity – 40 points.
    Here we take one established identity and leverage that to identify another. “If I trust X and X trusts Y, then I can partially trust Y”. This is the classic web of trust, and probably a good idea.
  • The name and signature/picture matches any state/federal/university issued license or benefit card – 40 points for the first document, 25 points for each additional one
    This is “something you have” + “something you are” identification, and the document has been issued by a recognized authority (a Certificate Authority in PKI terminology). My only issue with this one is that on some of those cards you sign the card (the “certificate”) yourself after it is issued, which in the hands of an impostor reduces it to only “something you have”.
  • Name and Address verified from documentation held by the financial institution or government offices or a current/previous employer – 35 points
    This is entirely “something you know” (you don’t have to provide any of the documentation) and since that password is your name and address, which is probably in the phone book, these are free 35 points the attacker can get with very little effort. Not good.
  • Name, Address and Telephone verified in the phone book / by calling the person – 25 points
    This item mixes a “something you know” – the phone book lookup, which is very easy to get – with calling the person, which is an additional “something you have” (the phone) and is much harder to get. The former is very weak, the latter is stronger. Land line phones are tied to your address and usually have physical security. GSM cellphones have moderately strong encryption. I would give more than 25 points for this one.
  • Name from credit cards, telephone bills, marriage certificate, foreign driver’s license (all labeled “secondary identification”) – 25 points BUT may only be counted once per issuing institution
    So, four credit cards from four different banks all carrying your name are proof enough of your identity. Considering that the name on the credit card is something you can define (you can issue credit cards to friends and family!) and the signature on the back is put there by you, this is extremely weak. This one item can subvert the entire system for the hard-working identity thief who obtains enough credit cards.
  • Name and Address from various sources like your landlord, and being a customer for less than a year – 25 points
    I have to say here that my landlord has never seen me.
  • Name and Date of Birth from a school or a professional association – 25 points
    That includes, I guess, those you sign up for by filling in a web form.

In my opinion, the system starts out good. It sets standards for the ability to rely on a particular piece of identification that is somewhat proportional to the ease of forging it. Then it messes up in a big way by assigning a very high score to documents which are easily obtained (“something you have”) or information that is easily learned (“something you know”) allowing you to aggregate a number of low-quality documents and easily reach the 100 point mark.
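To make the aggregation problem concrete, here is an added example (my own code, not part of the original post or of any official implementation) that tallies a bundle of identifiers using the point values above and the two counting rules the post states: only one primary document counts, and secondary identification counts once per issuing institution. The category names are constructed for this example, and treating each of the remaining items as countable at most once is my assumption.

```python
from collections import Counter

THRESHOLD = 100  # points needed to be identified, per the post

# Point values for the single-count categories, as listed in the post.
# Category names are constructed for this example.
SIMPLE = {
    "customer_over_1yr": 40,    # existing customer for more than a year
    "referee": 40,              # another institution or identified customer vouches
    "name_address_record": 35,  # name/address held by institution, government or employer
    "phonebook": 25,            # name/address/phone from phone book or a call
    "landlord": 25,             # name/address from landlord etc., customer < 1 year
    "school": 25,               # name/DOB from school or professional association
}
# Items the post's commentary treats as pure "something you know"
# (assumption: this grouping follows the post's remarks, not the Act).
KNOWLEDGE_ONLY = {"name_address_record", "phonebook", "landlord", "school"}


def score_documents(docs):
    """docs: list of (category, issuer) tuples.
    Returns (total_points, knowledge_only_points, passed)."""
    total = 0
    knowledge = 0
    cats = Counter(category for category, _ in docs)
    # Primary documents: 70 points, but only one may be counted.
    if cats["primary"]:
        total += 70
    # Licences / benefit cards: 40 for the first, 25 for each additional.
    licences = cats["licence"]
    if licences:
        total += 40 + 25 * (licences - 1)
    # Secondary identification: 25 points, once per issuing institution.
    issuers = {issuer for category, issuer in docs if category == "secondary"}
    total += 25 * len(issuers)
    # Remaining categories: assumed to count at most once each.
    for category, points in SIMPLE.items():
        if cats[category]:
            total += points
            if category in KNOWLEDGE_ONLY:
                knowledge += points
    return total, knowledge, total >= THRESHOLD
```

Run against the post's own scenario, four secondary cards from four different issuers reach exactly 100, while the four "something you know" items alone reach 110 without a single document being presented.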

Written by arikb

October 1st, 2008 at 6:40 pm