With the reported loss of employee data by Time Warner yesterday, I have been thinking about what Bruce Schneier wrote in his newsletter about two-factor authentication and identity theft. I now have to agree with his point -- the way to meet this threat is not to rely on authentication of the user -- multifactor or otherwise -- but to authenticate the transaction. The attack we are really trying to prevent in this area is fraudulent transactions. People steal identities not simply to collect them but to commit fraud of some sort.
This also shifts the burden in the right direction -- today if someone gets your personal information, you the consumer get a letter saying to contact your bank, track your credit card statements, look at your credit reports, etc. The burden for resolving the situation rests on the victim of the attack -- who in many cases never knew their personal data was at risk. I received such a letter recently and I was furious -- why is it my responsibility to clean up after some company's bad security practices?
The burden really should be on the companies who trade on that information -- they need to authenticate the transaction and ensure that it is a legit charge or request. If it turns out to be fraudulent -- they need to bear the burden and the cost of the fraud. It works that way with my credit card and I like it as a consumer, even if it means higher fees.
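To make the "authenticate the transaction, not the user" point concrete, here is a small added example (my own illustration, not code from the post or from Schneier). It assumes a per-user secret provisioned out of band to something the user holds (a token or phone app); the names, the sample key and the transactions are all constructed. The confirmation code is an HMAC over the transaction details plus a one-time nonce, so a code approves exactly one payee/amount pair once: a stolen password, or even a captured code, does not let someone approve a different transfer or replay the same one.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: a per-user secret shared with the user's authenticator
# device (assumption: provisioned out of band, never sent over the web session).
USER_KEYS = {
    "alice": bytes.fromhex("7f" * 32),
}

# Fields that define the transaction. The code binds to exactly these values.
BOUND_FIELDS = ("user", "payee", "amount_cents", "currency", "nonce")


def canonical(tx: dict) -> bytes:
    """Deterministic serialization of the bound fields, so both sides MAC the same bytes."""
    subset = {k: tx[k] for k in BOUND_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def issue_challenge(user: str, payee: str, amount_cents: int, currency: str = "USD") -> dict:
    """Server side: describe the pending transaction and attach a fresh one-time nonce."""
    return {
        "user": user,
        "payee": payee,
        "amount_cents": amount_cents,
        "currency": currency,
        "nonce": secrets.token_hex(8),
    }


def authenticator_sign(user_key: bytes, tx: dict) -> str:
    """User's device: compute the short confirmation code for this exact transaction."""
    digest = hmac.new(user_key, canonical(tx), hashlib.sha256).hexdigest()
    return digest[:8]  # truncated to something a person could read off a screen


class TransactionVerifier:
    """Server side: accept a code only for the transaction it was computed over, and only once."""

    def __init__(self, keys: dict):
        self._keys = keys
        self._used_nonces = set()

    def verify(self, tx: dict, code: str) -> bool:
        key = self._keys.get(tx.get("user"))
        if key is None:
            return False
        if tx["nonce"] in self._used_nonces:
            return False  # replay of an already-approved transaction
        expected = authenticator_sign(key, tx)
        if not hmac.compare_digest(expected, code):
            return False  # code was computed over different transaction details
        self._used_nonces.add(tx["nonce"])
        return True


def demo() -> dict:
    """Walk through a legitimate approval, a tampered transaction, and a replay."""
    verifier = TransactionVerifier(USER_KEYS)
    tx = issue_challenge("alice", "ACME Utilities", 12_500)
    code = authenticator_sign(USER_KEYS["alice"], tx)  # what Alice's device shows her

    results = {}
    # Someone holding the captured code changes the payee: the MAC no longer matches.
    tampered = dict(tx, payee="some other account")
    results["tampered_payee"] = verifier.verify(tampered, code)
    # The transaction Alice actually approved goes through.
    results["legitimate"] = verifier.verify(tx, code)
    # Submitting the same approved transaction again is refused (nonce already spent).
    results["replay"] = verifier.verify(tx, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design choice is what goes into `BOUND_FIELDS`: anything an attacker could profitably change (payee, amount, currency) must be under the MAC, and the nonce is what turns "this user approved a transfer" into "this user approved this transfer, once." That is the shift the post argues for: the company verifying the charge, rather than the consumer cleaning up afterwards.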