I just returned from a trip to my local MVA (Motor Vehicle Administration) to get my driver’s license renewed. And I came home worried more than ever about my identity being hijacked by a bad actor.
Having spent many years as a fraud analyst, I went into this process duly impressed that they were making it hard for me to prove my identity before they would renew my license, in compliance with federal Real ID requirements. This time, to get my license renewed, I had to come up with four identity documents (aside from my expiring driver’s license) that proved I was who I said I was. Those docs included
- My Passport
- My W2 because I needed to prove the link between my name and social security number, and I have no idea where my SSN card is
- Two billing or financial statements that proved my name linked to my address
Finally, after waiting in lines, I presented my documents to the clerk renewing my license. Relieved I passed the checklist, he started scanning these highly sensitive documents into his system. I asked him why he was doing that, to which he replied it was a federal requirement for the state MVA agency to store those identity documents.
Great! Just what I want to secure my identity – all my most sensitive information stored in by an underfunded state government agency in a database that is subject to hacks, data breaches and data theft.
Why in the world does the MVA need to store these documents? They already have access to this information through connections with tax authorities and other government agencies.
So much for added security around my identity. I am 100% certain that the security cost to me in this transaction was much greater than any security gain I will obtain from a new REAL ID driver’s license.
Too bad – it could have been a real step up. They could have just verified those documents manually, recorded them as verified in a database, and left it at that!
Plug: Decentralized Blockchain-Based Identity will save us all….. 🙂
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.