h a l f b a k e r yWhere life imitates science.
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Please log in.
Before you can vote, you need to register.
Please log in or create an account.
|
Drivers' licenses in most American states now have a magnetic stripe on the back that can be read with any cheap commodity-grade 2+ track card reader. Track 2 is the interesting one... in most states, the first 6 digits represent a code unique to the issuer, followed by 14 digits for the issuer-assigned
ID code and another 4 digits representing the issuer-assigned expiration date in the form "YYMM".
What I advocate is adding a 42-byte field to retail POS software that would store the 6-digit issuer ID, the 32-byte hex-encoded MD5 hash(*) derived from the 14-digit issuer ID, and the 4-digit expiration date from track 2, and enable customers who'd rather carry one less card to have the clerk run their drivers' license through the card reader and associate its hash with their store-assigned account number. Thereafter, they could leave the store-issued membership card at home in a drawer, and use their drivers' license instead.
Of course, there will *always* be people who'll freak out at the thought of sharing their drivers license number with a store. Those people can keep their drivers' licenses firmly clenched in their fists and keep carrying separate membership cards for every business that issues them. The rest of us can enjoy one-card convenience and leave the Blockbuster, Bally's, grocery store preferred customer, and other cards at home.
--------------
(*)MD5 is a one-way hash scheme that generates a 128-bit number from an arbitrary string of text. Admittedly, there's no absolute guarantee that any particular 14-digit issuer-assigned ID will never generate the same MD5 hash as another... which is why we leave the issuer ID and expiration date "as-is". The likelihood that two people from the same state with the same expiration date will have issuer-assigned ID numbers that resolve to the same hash AND be customers of the same store is about as close to "zero" as you can get.
The main reason for hashing it is to make customers feel better about privacy. However, simply using the md5 hash of the 14-digit issued ID would make it too easy to discover the original ID by simply cross referencing the stored hashed value against the known md5 hashes of every combination between 00000000000000 and 99999999999999 -- something that would probably take way too long for an individual to do from his PC, but would probably be easy against a DVD-ROM database of them that organized crime and the like would almost certainly produce eventually. However, we can dramatically improve the situation by "salting" the 14-digit ID number first.
So far, we've ignored track 1 of the card, which contains character data (as opposed to only digits like track 2) because its contents can and will vary radically from issuer to issuer. However, we can still put it to good use. I'd read the character data from track 1 without bothering to interpret it. I'd then add up the 14 digits comprising the issued ID and find the modulus "M" of that sum and the number of characters read from track 1, and prepend the first "M" characters of track 1 to the ID number and find the md5 hash of the whole resulting chunk. Since someone attempting to work backwards would have no way of knowing exactly how many characters were prepended nor what the characters were, it would be next to impossible to derive the original ID number from the hash with any degree of confidence in any realistic time. If it would make a meaningful difference, the salting scheme could probably be made even better, but even something as simple as this scheme would almost certainly be good enough.
"Patent in the cards for 11-year-old boy"
http://www.ohio.com...usiness/5874466.htm One card for all purposes. [waugsqueke, Oct 21 2004]
One possible "national ID" outcome
http://www.adcritic...ve/view.php?id=5927 [Flash req] [bristolz, Jan 17 2005]
[link]
|
|
I wish I could put my credit/debit, movie rental, health insurance, and phone cards on my license also.
But I fear that there are certain religious groups that will freak out about this concept. |
|
|
We don't have a magnetic strip on our licenses over here. I like the idea though. I think we are definitely heading this way, probably with a chip inserted under the skin somewhere. |
|
|
I'll stay over here with "those people" and let you all be assimilated without me. |
|
|
I just checked - my driving licence
doesn't have a magnetic stripe on.
Up until a few years ago the UK
driving licence was just a large
sheet of paper with your name,
address and data of birth on - not
even a photo. |
|
|
(snip) "Not everyone in the world has... [some specific thing of identifying value]" (snip) |
|
|
Ergo, the suggestion that it be made an optional alternate to the store-issued card. |
|
|
Actually, I *might* be wrong, but I believe that for historical reasons, and maybe ISO, the convention of storing the issuer ID as the first 6 digits, the issued ID as the next 14, and the expiration date as the next 4 on track 2 (the digit-only track), is pretty close to a universal practice (though I'd guess there are also a few issuer IDs that mean "this is a low-volume issuer whose real ID is conveyed by the first 8 or 10 digits of the issued ID instead", kind of like how IP address blocks work). So they could probably use just about *any* card with the right form factor if you wanted them to -- probably even a credit card or atm card. |
|
|
Two words: identity theft |
|
|
Seriously... if the merchant knows only the issuer ID (not exactly a big secret, you can find a list of issuer IDs for compliant state drivers' licenses online), expiration date, and hashed & salted ID, what EXACTLY could someone usefully do with the info if he acquired a copy of the store's database that he couldn't do if it were absent? |
|
|
[miamicanes] - you answered yourself. //What EXACTLY could someone usefully do with the info?// If you have a hash that's not worth stealing, then it's not worth having. |
|
|
Say I use an MD5 that is derived from the second chapter of my favorite science fiction novel. Totally unrelated to any data in my account identifier. It is only identifiable through access to the appropriate database linkage. Now, the card carrying this code is brought in to the grocery store and scanned. The vital question here is: does it permit access to the account? Either (NO) <meaning the card is useless anyway> or (YES) <meaning that all of my credit cards, membership cards, etc. were stolen at once.> |
|
|
Sigh. Let me put it yet another way. The purpose for hashing the values related to the drivers license ID is to prevent someone with no legitimate reason for having access to it from learning that specific number. Sitting in the merchant's database, the hash is utterly useless to someone who wants to figure out that particular individual's driver's license number. All the hash does is let the computer confirm that the data encoded on the plastic card with a magnetic stripe being swiped through the reader matches the data encoded on whatever plastic card was swiped through at some point in the past. |
|
|
Insofar as the REALLY sensitive info that would actually facilitate identity theft is concerned (name, address, etc), that's going to be collected and stored ANYWAY, regardless of whether or not the customer chooses to associate his DL hash with it to avoid having to carry around the additional card that he's going to be given regardless. |
|
|
As far as the use of drivers' licenses goes, it's simple: in the US, just about everyone drives. It's the one piece of highly-credible ID that nearly everyone has available. In fact, the tiny minority of people who don't drive can get a state-issued ID card if they want to... issued by the state department of motor vehicles (it would be stupid to create an entire state bureaucracy just to duplicate the task already done by the DMV for 99% of the population anyway). |
|
|
I'll go on a limb and say it loudly: there will never, EVER be a mandatory national ID card in the United States. Period. Full stop. End of story. States might very well eventually issue licenses with a common collection of data in a mutually compatible machine-readable format out of mutual convenience (or under pressure from merchants), but the federal government would NEVER be able to mandate compliance, and you can rest assured that there will always be a half-dozen states that will be different just because they can be. Nor will ID cards themselves ever be mandatory, as in people being required to carry them at all times and present them to government officials upon demand. Neither Americans in general nor state governments in particular would stand for it, if only as a matter of upholding constitutional principles. |
|
|
A credible ID that's useful as a highly-versatile general-purpose ID card for doing business is a great convenience. A government-issued ID that *MUST* be carried at all times and presented to government officials on demand is a police state. |
|
|
Now, it's quite possible that someday businesses might refuse to serve anyone failing to produce a credible ID, but that's totally different from being forced to do it by a government under threat of punishment. Maybe it's just an American thing, but we can appreciate having the inalienable right to tell someone demanding to see ID as a condition of completing a commercial transaction to f**k off, then walk away without further consequence, sanction, or obligation (a distinction that hardly anyone else in the world seems to value or see the point of for some reason). |
|
|
[reensure] //The task remains, of course, to encourage everyone to carry one's license at all times even when "not the one who's driving"// |
|
|
In some parts of the country it is still quite advisable to have some form of National ID on you to prevent a charge for vagrancy. |
|
|
An 11 year old boy was recently awarded a patent for a system which adds and removes magnetic stripes from existing cards. The concept is to use one card for all your 'stripes'. (link) |
|
|
I'm sure that all of these cards will have, encoded somewhere on the magnetic stripe, the string 1010011010. |
|
|
C'mon, admit it. You're one of THEM, aren't you? |
|
|
There are 10 types of people.
Those who understand binary,
and those who don't. |
|
|
I'm a member of the universe. Here's my card. |
|
| |