Large-scale data breaches exposing sensitive personal information are becoming commonplace. For numerous reasons, conventional personal (identification) information leaks from databases that store online and/or on-site user transaction data. Collected ID numbers and supporting personal information enable malicious parties to commit large-scale identity fraud. Gates and Slonim (NSPW 2003) proposed the owner-controlled information paradigm to address privacy violations of personal information where users are expected to maintain all their information using a personal device. Rubin and Wright (FC 2001), Molloy et al. (FC 2007), and others explored the use of one-time numbers to address credit card fraud (mostly for online use). However, several other types of ID number are at least as sensitive as credit card numbers. Our fundamental assumption is that collected personal information will eventually be breached. To combat identity fraud under this new environmental attack paradigm, we introduce a more general approach involving localized or customized ID numbers for both card-present and card-not-present transactions. We also explore four variants of the general idea to spark more discussion and further research in this area. Copyright 2008 ACM.

, , , ,
New Security Paradigms Workshop 2008, NSPW '08
School of Computer Science

Mannan, M. (Mohammad), & Van Oorschot, P. (2009). Localization of credential information to address increasingly inevitable data breaches. Presented at the New Security Paradigms Workshop 2008, NSPW '08. doi:10.1145/1595676.1595680