As someone who has covered identity and biometric technology for decades, I was surprised to hear President Trump announce last week that a photo identification was now required to purchase groceries. I had not experienced this before and assumed it was some sort of new national security policy designed to keep our vegetables out of the hands of terrorists.
I realize that he was making the case for better identification protocols when voting, even though that isn’t how voter fraud takes place these days. Thousands of Russian agents aren’t secretly sneaking into the country pretending to be American citizens so that they can tip the scales in the next election. They are buying fake Facebook ads and trying to trick us into voting against our best interests.
Just to make sure there was no new policy, I conducted a fact-finding mission to the local grocery store, leaving my identification behind. Cautiously, I crept into the soda aisle, loading up on Pepsi, which was on super sale. Then I figured I would go for broke, as I was deep in enemy territory at that point anyway, and also grabbed two kinds of Doritos, Nacho and Cool Ranch. With a trembling hand and a cart with a shaky wheel, I approached the express line—the one with a real person working it. The self-checkout would have been too easy.
I inserted my credit card into the payment machine and watched as the woman scanned my items. Other than a brief look of disdain at my unhealthy selections (full disclosure, I also bought a mega pack of chocolate chip cookies—also on sale), she hardly gave me even a sideways glance. The machine alerted me to remove my card. I grabbed my receipt and made a quick getaway. A half-hearted “have a nice day” mumbled from the checkout person was my only pursuer.
I had achieved the impossible. I purchased groceries, or something that might qualify as such, and nobody challenged me during the heist. I almost ate a celebratory cookie in the parking lot.
Seriously, I didn’t really expect to be challenged about my identity, but good reporters cover all possibilities. Plus, I really wanted those Doritos. The truth is that the last big advance in payment and identity for purchasing things was EMV, named for Europay, MasterCard, and Visa, the three companies that originally created the standard. Instead of handing over the same static data every time, as a magnetic stripe does, the chip computes a one-time cryptogram for each transaction, so a skimmed copy of the card's data is useless at a chip terminal. It's why at most stores you insert your chipped credit card into the payment device instead of swiping, and why you no longer need to sign.
For buying cookies, the hack-resistant chip is probably enough security. If you drop your card, someone could pick it up and make a few purchases before you report it stolen, but the chip makes large-scale counterfeit-card fraud very difficult. The caveat is that the chip only protects transactions where the card is physically present; an online purchase still runs on the printed card number, expiry date and security code, and that is where much of the fraud moved once chip terminals became the norm.
The storage and cryptographic capability of today's smart cards make a program like Homeland Security Presidential Directive 12, issued back in 2004 by President George W. Bush, far easier to implement than it would have been a decade earlier. Combined with commonsense best practices like background checks on all cardholders and multiple forms of identification in order to obtain the card, it represents a good, if static, system that is subject to the same limitations as EMV. If someone finds or steals a government Personal Identity Verification card, it's possible that they could get through a door that checks only the card, or, if they also obtain the PIN that unlocks the card's private keys, onto a network, during the window before the loss is reported and the card's certificates are revoked.
There are a few technologies being fielded that could change that. Over in the payments area, a company called NuData Security, now part of Mastercard, is pairing its behavioral-biometrics products with EMV 3-D Secure (EMV 3DS), the EMVCo protocol for authenticating online, card-not-present purchases. Despite the name, EMV 3DS does not run on the chip; it carries the EMV label because EMVCo, which Mastercard co-owns, maintains the specification. What it adds is a risk-based step: the merchant's checkout passes device, session and transaction data to the card issuer, which decides whether to approve silently or challenge the buyer, and vendors like NuData feed passive biometrics, historical data and behavioral analytics into that decision.
How it works is that the company collects data about users of cards or other products that support it. This can be anything from how they log in and browse web pages to how much pressure they put on a touchpad when swiping. Their transaction history is also taken into consideration. The idea is that in a scripted attack, where a computer program is using stolen data to create fake accounts, the way the program types, clicks and moves through the pages won't match the real user's behavioral patterns. Likewise, if a real user only ever buys groceries in Maryland but suddenly starts purchasing big-screen televisions in Berlin, there is a high degree of certainty that something is amiss.
NuData has a few successes listed on their webpage, though not too many. I am wondering if EMV 3DS might be running up against privacy concerns, especially in Europe, where privacy is taken very seriously.
The new technology might find a more receptive home within the halls of government. Gathering location, historical and biometric data like typing speed and usage patterns would be much easier within a closed system like the federal government, and it would likely face less resistance as well. After all, much of the data driving EMV 3DS is collected passively, which would be much less intrusive than the background checks already required by HSPD-12.
If the behavioral layer behind EMV 3DS could tell that someone with a government smartcard is behaving suspiciously, whether inside a government building or while accessing a network remotely, that might be a good way to combat stolen or compromised credentials. Even if the bad guys get hold of a government login or PIV card, they wouldn't know how fast the linked employee types, their daily behaviors, or their login patterns, all of which could be used to raise a red flag, demand a second factor, or cut the session before a potential attack succeeds.
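To make concrete the kind of check that both the payments description above (scripted account creation, the Maryland-to-Berlin shopper) and the government login scenario rely on, here is an added example of a behavioral baseline and risk scorer. It is illustrative code written for this page, not NuData's product, not anything from the EMV 3DS specification, and not a government system; the event fields, the thresholds (900 km/h for impossible travel, 5 ms spread for "too regular" typing, a z-score of 3 for an unfamiliar cadence), the user "jdoe" and every login record are constructed assumptions.

```python
"""Illustrative behavioral risk scoring for authentication events.
Added example, not NuData's product and not part of EMV 3DS: a per-user
baseline is built from past logins, then each new login is scored against
it. Field names, thresholds, the user and all events are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: float             # unix seconds, UTC
    lat: float            # where the login came from (assumed geo-IP field)
    lon: float
    key_intervals: tuple  # ms between keystrokes while typing the PIN/password


@dataclass
class Baseline:
    mean_interval: float  # typical keystroke gap in ms
    sd_interval: float
    hours: set            # hours of day (UTC) the user has logged in before
    last: AuthEvent       # most recent known-good event


def hour_of(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def build_baseline(history):
    """Summarise a user's past, trusted events into a profile."""
    intervals = [iv for ev in history for iv in ev.key_intervals]
    return Baseline(mean_interval=mean(intervals),
                    sd_interval=pstdev(intervals) or 1.0,  # avoid a zero divisor
                    hours={hour_of(ev.ts) for ev in history},
                    last=max(history, key=lambda e: e.ts))


MAX_SPEED_KMH = 900.0    # faster than a commercial flight: impossible travel (assumed)
MIN_CADENCE_SD_MS = 5.0  # a human never types this evenly (assumed)
CADENCE_Z_LIMIT = 3.0    # this far from the usual cadence is "not this person" (assumed)


def score_event(base, ev):
    """Return (risk_score, reasons); higher means more suspicious."""
    score, reasons = 0, []
    # 1. Impossible travel: distance since the last good event vs. elapsed time.
    hours = max((ev.ts - base.last.ts) / 3600.0, 1e-6)
    km = haversine_km(base.last.lat, base.last.lon, ev.lat, ev.lon)
    if km / hours > MAX_SPEED_KMH:
        score += 50
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    # 2. Login at an hour this user has never used before.
    if hour_of(ev.ts) not in base.hours:
        score += 20
        reasons.append(f"unusual hour: {hour_of(ev.ts):02d}:00 UTC")
    # 3. Keystroke cadence: far from the baseline, or machine-regular (scripted).
    z = abs(mean(ev.key_intervals) - base.mean_interval) / base.sd_interval
    if z > CADENCE_Z_LIMIT:
        score += 30
        reasons.append(f"cadence z-score {z:.1f}")
    if pstdev(ev.key_intervals) < MIN_CADENCE_SD_MS:
        score += 30
        reasons.append("cadence too regular: scripted input?")
    return score, reasons


# --- constructed sample data (not real logs) ---------------------------------
def at(day, hour):
    """Unix time for November <day> 2023 at <hour>:00 UTC."""
    return datetime(2023, 11, day, hour, tzinfo=timezone.utc).timestamp()

MD = (39.0, -76.9)       # suburban Maryland
BERLIN = (52.52, 13.40)
HISTORY = [              # three ordinary workday logins from Maryland
    AuthEvent("jdoe", at(14, 13), *MD, (100, 130, 120, 110, 140)),
    AuthEvent("jdoe", at(15, 14), *MD, (115, 125, 135, 105, 120)),
    AuthEvent("jdoe", at(16, 15), *MD, (120, 110, 130, 125, 115)),
]
BASELINE = build_baseline(HISTORY)
# Next day, same area, usual hour, human-looking typing.
NORMAL_EVENT = AuthEvent("jdoe", at(17, 14), 39.3, -76.6, (110, 125, 120, 130, 115))
# Two hours after the last Maryland login: Berlin, odd hour, perfectly even keystrokes.
SUSPECT_EVENT = AuthEvent("jdoe", at(16, 17), *BERLIN, (120, 120, 120, 120, 120))

if __name__ == "__main__":
    for ev in (NORMAL_EVENT, SUSPECT_EVENT):
        print(ev.user, score_event(BASELINE, ev))
```

The normal login scores 0 with no reasons; the Berlin login trips all three checks (about 6,700 km in two hours, an hour the user never logs in at, and keystrokes with zero variance) for a score of 100. In a real deployment the score would gate a step-up factor or session termination rather than just be printed, and the baseline itself is sensitive data about the employee that has to be protected like any other credential material.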
I’m confident that our grocery stores are secure given the current level of technology, as are our in-person voting protocols. But it’s always good to look at new security methods, and it seems like EMV 3DS has the potential to be a great benefit to government, enhancing what agencies already have in place and closing a few potential vulnerabilities.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys