Litan scoffed at the idea. "The retailers are already paying for fraud" in the form of higher interchange charges, she said. "The banks are already collecting this. What are they doing with it?"

In fact, Litan didn't hold out a lot of hope for change, at least in the short run. "Identity thieves have gotten more clever," she said. "The only way this will be solved is if the data is rendered useless if it's stolen. Then it won't matter if they steal it." She offered up examples of how that might be done, including more sophisticated authentication on debit cards and payment processors relying on identity scoring systems that were able to spot thieves using indicators like physical location.

"But I really think that it will take an extreme attack of some kind and broad disruption before things change," Litan said. When asked what form such an attack might take, she put forward a pair of scenarios.

"We know [that criminals and cyberterrorists] are collecting tens of millions of records, maybe as many as 100 million. They might just publish them all on the Internet. Or a massive attack on banks, a massive number of bank account takeovers all at once," she said. "A simultaneous attack like that would slow commerce down. It would be a kind of financial 9/11."