Fighting Fat-Wallet Syndrome

By Bruce Schneier
Wired News
February 9, 2006

I don't know about your wallet, but mine contains a driver's license, three credit cards, two bank ATM cards, frequent-flier cards for three airlines and frequent-guest cards for three hotel chains, memberships cards to two airline clubs, a library card, a AAA card, a Costco membership, and a bunch of other ID-type cards.

Any technologist who looks at the pile would reasonably ask: why all those cards? Most of them are not intended to be hard-to-forge identification cards; they're simply ways of carrying around unique numbers that are pointers into a database. Why does Visa bother issuing credit cards in the first place? Clearly you don't need the physical card in order to complete the transaction, as anyone who has bought something over the phone or the internet knows. Your bank could just use your driver's license number as an account number.

The same with those airline, hotel and rental car affinity cards. Or any of the discount cards given out by supermarkets, office supply stores, hardware stores and -- it seems -- everyone else. They could use any of your existing account numbers. Or simply your name and address. In fact, if you forget your card, they'll look up your account number if you give them your phone number. Why go to the trouble and expense of issuing unique cards at all?

A single, centralized authentication system has long been the dream of many technologists. Those involved in computer security will remember the promise of public-key infrastructure, or PKI. Everyone was going to have a single digital "certificate" that would be accepted by all sorts of different applications. It never happened.

And today the most far-reaching proposals for national ID cards -- including a recent South African proposal -- envision a world where a single ID would be used for everything. It won't happen either.

And neither will a world of biometrics. It's the obvious next step: Why carry a driver's license? Use your face or fingerprint.

But the truth is, neither a national ID nor a biometric system will ever replace the decks of plastic and paper that crowd our wallets.

For starters, the uniqueness of the cards provides important security to the issuers. Everyone has different rules for card issuance, expiration and revocation, and everyone wants to be in control of their own cards. If you lose control, you lose security. So airline clubs ask for a photo ID with your membership card, and merchants want to see it when you use your credit card, but neither will replace their cards with that photo ID.

Another reason is reliability. Your credit card company doesn't want your ability to make purchases to disappear if you have your driver's license revoked. Your airline doesn't want your frequent-flier account to depend on a particular credit card. And no one wants the liability of having their application depend on someone else's infrastructure, or having their infrastructure support someone else's application.

But security and reliability are only secondary concerns. If it made smart business sense for companies to piggyback on existing cards, they would find a way around the security concerns. The reason they don't boils down to one word: branding.

My airline wants a card with its logo on it in my wallet. So does my rental car company, my supermarket and everyone else I do business with. My credit card company wants me to open up my wallet and notice its card; I'm far more likely to use a physical card than a virtual one that I have to remember is attached to my driver's license number. And I'm more likely to feel important if I have a card, especially a card that recognizes me as a frequent flier or a preferred customer.

Some years ago, when credit cards with embedded chips were new, the card manufacturers designed a secure, multi-application operating system for these smartcards. The idea was that a single physical card could be used for everything: multiple credit card accounts, airline affinity memberships, public-transportation payment cards, etc. Nobody bought into the system: not because of security concerns, but because of branding concerns. Whose logo would get to be on the card? When the manufacturers envisioned a card with multiple small logos, one for each application, everyone wanted to know: Whose logo would be first? On top? In color?

The companies give you their own card partly because they want complete control of the rules around their own system, but mostly because they want you to carry around a small piece of advertising in your wallet. An American Express Gold Card is supposed to make you feel powerful and everyone else feel green. They want you to wave it around.

That's why you still have a dozen different cards in your wallet. And countries that have national IDs give their citizens yet another card to carry around in their wallets -- and not a replacement for something else.

earlier essay: Big Risks Come in Small Packages
later essay: Security in the Cloud (Feb 06)
categories: Business of Security, ID Cards
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..