Identity in a Post-Breach world (draft)


Posting this here first, my thoughts to follow. Random thoughts below are draft :).

Random thoughts on the matter

  1. We still need a single identifier in Malaysia (the IC number); this is an administrative necessity. LHDN needs to check your bank accounts, the Election Commission needs to know you’re not double-voting, etc.
  2. But that single identifier should not be used as an authenticator. No one should ask me for my IC number as a means of authenticating myself. When I call the bank, they shouldn’t be asking for my IC number as a way of proving my identity to them.
  3. There’s too much information encoded in the IC number (age, state, gender). Take all of that out and replace it with a random blob of characters — one that cannot be guessed either. Something like 8 digits and 4 letters is large enough that criminals can’t guess it.
  4. We need ‘identity freezes’ in Malaysia. In America you can freeze your credit, but in Malaysia we need to go a step further and offer an identity freeze, especially for internet services.
  5. Check out section 114(a) of the Evidence Act: wrongly registered phone numbers are a thing, and they’re bad. If someone registered a prepaid account in your name and posted something bad, you’d be the one in trouble.
  6. If you took a loan from Maybank to buy a house and defaulted on it a year later, no other bank in the country would grant you a loan. This protects the banks from issuing credit to someone who can’t pay it back. So we already have credit freezes.
  7. Let’s use the same mechanism to allow people to lock their identities, so that no one can open bank accounts, telco accounts, or even Astro, TNB or Indah Water accounts as long as the identity is locked. This way the value of a stolen identity is drastically reduced, and we protect breach victims.
  8. Identities can be unfrozen, e.g. when you buy a house, and then refrozen shortly after.
  9. More thoughts to come…
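To put a number on the guessability argument in point 3, here is a small added example (my own illustration, not part of the original post). It assumes the current IC is a 12-digit number made of a 6-digit birth date, a 2-digit state code and a 4-digit serial whose last digit encodes gender, and it compares how much an attacker who already knows a victim's age, state and gender still has to guess against the keyspace of the proposed opaque 8-digit-plus-4-letter identifier. The generator uses the `secrets` module so the replacement is drawn from a cryptographic source rather than a predictable one.

```python
import math
import secrets
import string

# Assumed structure of the current IC (for illustration): YYMMDD + 2-digit
# state code + 4-digit serial, last serial digit encodes gender by parity.
SERIAL_DIGITS = 4

# Proposed opaque identifier from the post: 8 digits followed by 4 letters.
PROPOSED_DIGITS = 8
PROPOSED_LETTERS = 4


def structured_ic_guess_bits(birthdate_known: bool, state_known: bool, gender_known: bool) -> float:
    """Bits an attacker must guess for the structured IC given what they know.

    Birth date: 100 years * 366 days is an upper bound on 6-digit dates.
    State code: assume ~16 valid two-digit codes (constructed assumption).
    Serial: 10**4 values, halved if gender (parity of last digit) is known.
    """
    space = 1.0
    if not birthdate_known:
        space *= 100 * 366
    if not state_known:
        space *= 16
    serial_space = 10 ** SERIAL_DIGITS
    if gender_known:
        serial_space //= 2
    space *= serial_space
    return math.log2(space)


def proposed_id_bits() -> float:
    """Bits of entropy in the proposed 8-digit + 4-letter identifier."""
    return math.log2(10 ** PROPOSED_DIGITS * 26 ** PROPOSED_LETTERS)


def generate_opaque_id() -> str:
    """Draw one opaque identifier of the proposed shape from a CSPRNG."""
    digits = "".join(secrets.choice(string.digits) for _ in range(PROPOSED_DIGITS))
    letters = "".join(secrets.choice(string.ascii_uppercase) for _ in range(PROPOSED_LETTERS))
    return digits + letters


if __name__ == "__main__":
    print("structured IC, attacker knows age/state/gender:",
          round(structured_ic_guess_bits(True, True, True), 1), "bits")
    print("structured IC, attacker knows nothing:",
          round(structured_ic_guess_bits(False, False, False), 1), "bits")
    print("proposed opaque identifier:", round(proposed_id_bits(), 1), "bits")
    print("sample opaque identifier:", generate_opaque_id())
```

The point the numbers make is the one the post makes in words: once the attacker knows the things a leaked IC already reveals, the remaining guess space of a structured identifier is tiny (a few thousand candidates), while the opaque identifier keeps roughly 45 bits regardless of what the attacker knows about the person.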
