Equifax and the Crisis of Traditional Passwords

Source: Internet | Editor: 程序博客网 | Posted: 2024/05/16 23:53

Translated article; the original appeared in TIME magazine on September 25, 2017.


Equifax 与传统密码的危机

In the U.S., getting hold of a person's information is remarkably easy. All you need is a few phone passcodes or an email password, plus a handful of details about the person's life.

On September 7, Equifax, the largest credit-rating agency in the U.S., acknowledged that the public had reason to be concerned about the lapse that exposed 143 million account records. The breach was not as high-profile as the ones at Yahoo and MySpace, but for identity thieves it is a gold mine, especially considering that the exposed information was complete: not just names and ID numbers, but also Social Security, credit card and even driver's license numbers. That is enough to open a credit card or take out a loan in someone else's name. (Equifax now faces more than 30 lawsuits in the U.S. and has not given the public any response.)

There are many ways to prevent these disasters. One, of course, is to require companies to secure their data properly and stop leaks at the source. But according to industry executives, the bigger problem is that the personal information we constantly register and verify ourselves with (passwords, verification codes, biographical details) is simply too easy to steal. The solution is a thorough overhaul of the channels through which personal identity is established, both online and offline.

Enter the collection of biometric, that is, physical, traits such as fingerprints, facial recognition and iris recognition to verify a person's identity. In recent years this approach has appeared on one platform after another: smartphones (face unlock on the iPhone X and Samsung Galaxies); mobile-banking apps (Citibank and Bank of America both allow you to log in with a fingerprint); even airport security (the TSA is using fingerprint enrollment at two U.S. airports). The main selling point of biometrics is that it is very hard for someone else to copy your biological traits. Jim Sullivan, a senior executive at the U.S. biometrics company BIO-key, says: "Anyone can see you and know how tall you are, but from the information collected by the program alone, they do not know what you look like or how tall you are."

Even so, hackers always find ways around new security standards, and biometrics are no exception. Researchers have shown that it is feasible to forge a fingerprint digitally. In a recent test, simply holding a photo in front of the front-facing camera was enough to fool the iris scanner on Samsung's Note 8. This problem can be addressed by augmenting fingerprint recognition to sense blood flow and thereby confirm that the user is a "live person". Even with these risks, biometrics are far more secure than plain passwords and verification codes.

Yet biometric identification will have a hard time becoming a government service, especially in the U.S. To build an identity system based on some biometric trait, the government would have to collect and store biometric data on every American, an undertaking that is too costly and complex and that would face regulatory problems. Even once such a project were complete, unforeseen problems could arise. Consider India's Aadhaar program, which has now recorded the biometric data of more than 90% of Indian citizens. Although the program has sharply reduced fraud, critics argue that it has likewise caused some citizens to lose government benefits. Earlier this year, Sumandro Chattapadhyay, research director at India's Center for Internet and Society, told the Guardian: "This system will end up deciding by fingerprint whether a child may be left to starve, based on a vast and transparent Internet."

In the U.S., the biggest obstacle to information security may be our complacency: we find text- and number-based identity systems comfortable and convenient. Breaches like the one at Equifax, in which hijacked customer data is held for a while and then sold to other hackers, have consequences that we do not feel right away. Avivah Litan, a security analyst at Gartner, concedes: "The system is already broken, and worse consequences are still waiting for us down the road."


In the U.S., it's almost comically easy to hack someone's life. All you need are a few numbers to access most smartphones, a string of characters to access most email accounts and a handful of biographical details to steal most identities.

And so when news broke Sept. 7 that Equifax, one of America's largest credit-rating agencies, had been compromised, exposing data from as many as 143 million accounts, people were rightfully concerned. The hack wasn't as large as other high-profile incidents, like the ones at Yahoo and MySpace, which jeopardized an estimated 500 million and 360 million user accounts, respectively. But it's a likely gold mine for identity thieves, especially considering the type of information that was exposed—not just names and addresses, but also Social Security, credit card and driver's license numbers. That's more than enough to open a credit card in someone's name, take out a loan, and more. (Equifax, which is now facing more than 30 new lawsuits in the U.S., did not respond to multiple requests for comment.)

There are ways to prevent these calamities. One way, of course, is for companies to do a better job securing users' information so it doesn't get hacked in the first place. But the bigger issue, say industry experts, is that the information we use to establish and verify our identities—passwords, pass codes, biographical details—is simply too easy to steal. And solving that problem requires overhauling the way we think about proving who we are, both online and in real life.

Enter biometric authentication, or using a person's physical traits—such as a fingerprint, a face or an iris—to double-check his or her identity. In recent years, this method has popped up on a variety of platforms, including smartphones (you can unlock the newest iPhones and Samsung Galaxies using your face); mobile-banking apps (Citibank and Bank of America both allow you to log in to your account using a fingerprint); and even airport-security checkpoints (the TSA is testing fingerprint scanners at two U.S. airports). The main selling point: it's a lot harder for people to steal your identity if they have to physically recreate it. "Anyone can look at you and see how tall you are," says Jim Sullivan, a senior executive at the biometric firm BIO-key. "But they can't look at you and be that tall just by knowing that information."

That said, hackers have always found ways to circumvent new security standards, and biometrics are no exception. Researchers have demonstrated that it's possible to digitally compose a fake fingerprint. And a recent test of the Galaxy Note 8's iris scanner indicated the sensor could be fooled by holding a photo up to the phone's front-facing camera. But there are ways to fight back—such as augmenting the fingerprint sensors to test for "liveliness," like blood flow. And even with its risks, biometrics are still far more secure than passwords and pass codes.

Yet it will be tough for biometric verification to make the jump from technology premium to government standard, especially in America. In order to create any kind of biometric-backed ID system, the government would have to collect and store biometric data on every U.S. citizen—a process that's costly and complicated, and would face major regulatory issues. And even if it succeeds, it could have unforeseen consequences. Consider India's Aadhaar program, which has now enrolled more than 90% of the country's population into a biometric database. Although the system has dramatically cut down on fraud, critics argue it may prevent some citizens from accessing government benefits. "We are building a system that will decide whether a child will eat or not . . . based on [the] quality of Internet connectivity and cleanliness of the child's thumbprint," Sumandro Chattapadhyay, research director at India's Center for Internet and Society, told the Guardian earlier this year.

In the U.S. the biggest hurdle may be complacency: we've all gotten comfortable with text- and number-based identity verification. And when there are large breaches, like the one at Equifax, the hijacked data is often sold to other hackers for later use—meaning the consequences aren't always felt right away. "The system is broken," says Avivah Litan, a security analyst at Gartner. "But the pains just aren't great enough yet."


