Author: Mark Rasch, Managing Principal, Cybersecurity
When workers were tearing down the old Apollo Theater in Times Square, they discovered a cache of men’s wallets and women’s purses hidden in the attic. Apparently in New York in the 1940s and 1950s, the Apollo was the epicenter for pickpockets – targeting tourists and residents alike. The cache represented a time capsule of sorts, with photographs of sweethearts, friends and family members, stored fortune cookie fortunes, paycheck stubs, utility receipts, social security cards, and handwritten driver’s licenses. Gone of course was any hint of cash – after all, that was what the pickpockets were after. Also conspicuously missing, to 21st century mentalities, are loyalty program cards, access cards, or credit cards (although BankAmericard and Diners Club both existed back then).
I say this as my wallet gets thinner and thinner. I keep a newly “secure” driver’s license with digital pictures, holograms and other security devices for identification. And corporate and personal credit cards with a digital chip which occasionally gets scanned. A box store membership card and a too infrequently used health club membership card. And that’s it. My kids, on the other hand, have bulging thick wallets filled with nothing – or nothing important.
When we think of the items in our wallet or purse, we should consider them to be tokens. A driver’s license is a token issued by the state indicating that we passed a minimum competence examination to operate a motor vehicle in that jurisdiction. A credit card is a token issued by a bank indicating that we have an account (a bank account if a debit card, a revolving credit account if a credit card) with that institution and allowing third party merchants to interact with that account. Loyalty cards are similarly tokens for accounts which establish a relationship with a particular merchant or club. Even the cash in your wallet is a token issued by the government with whatever value society decides to imbue on it.
Every one of these tokens will soon be obsolete – if they aren’t already. This doesn’t mean that they will disappear. We have invested billions in the infrastructure necessary to issue, read, and interact with these tokens. A folded note will still be easier to read than a file stored on an Android phone. A tangible physical object serves as a reminder of our loyalty to a particular institution. But the functionality of these tokens has already been duplicated in things like Apple Pay and Wallet, Android Pay, and other electronic wallet substitutes. Our family pictures are on our devices and/or in the cloud (sometimes without our knowledge). Electronic substitutes exist for identity, relationship, affiliation, authority, and access control. There are even electronic substitutes for cash (like Bitcoin), despite the fact that a Florida court recently ruled that laundering Bitcoin does not constitute “money laundering.”
This move from physical objects to their electronic substitutes is not without risk. The Apollo Theater attendees knew (or soon realized) that they had been robbed. The contents of my electronic “wallet” can be stolen without my knowledge. The Times Square visitors knew (or should have known) that the Times Square of the 40s through 50s was a wretched hive of scum and villainy. For electronic records there is no safe haven. If someone stole a 1950s wallet, there was little chance of false personation and identity theft. Since much of our modern interaction is virtual: you steal my token, you steal my identity. What’s worse, I can now get new credentials and new tokens in your name, and become you online. And now new crimes of false personation, identity theft, identity fraud, and synthetic and virtual identity fraud exist that could not have been contemplated back then.
All of this is by way of saying that, in designing any token system – whether it’s a driver’s license, a financial instrument, an access card, or a user ID and password – we must take particular care in determining how it will be used, and how it can be abused. We misplace our trust in the token, rather than in the person presenting the token. Multi-channel and multi-factor systems, sometimes with a biometric component, should be considered – but the privacy and anonymity implications of such systems should also be considered. We must preserve the right and the ability for people to interact without a permanent record of their actions.
When we think of information security, we have to think not only of computers and networks, but of how people interact with them – in the virtual and physical world. And you can take that sentiment and put it on a note and stick it in your wallet. The movie playing at the Apollo Theater in the summer of 1958 was Ben-Hur. Some things never change.