POINT

Like most of you who read this, I'm pretty tuned in to computer security news. Between the litany of stories about lost data and stolen laptops, and the letter I got from the Veterans Administration in September, I thought it was time to do some math. By totaling the recent reports of exposed personal information, I have scientifically calculated that there are 15 Americans whose information has not yet been impacted. I wonder who they are.
More to the point, I wonder why we're doing things the same old way when the same old way is obviously not working. Security practitioners will tell you until they're purple in the face that passwords are bad technique, but the financial and medical industries and the government have decided to rely on 9-digit passwords (your Social Security number) and 16-digit passwords (your credit card number) as the master keys for virtually everything. What we're seeing is abundant proof of the stupidity of that idea. There's an easy fix, of course: just publish it all.
The single best way to bring about change in the system is to remove the value of that particular piece of information by giving it up. Remember, for all intents and purposes, it has already been given up. In order to improve the situation, we need to get past the denial.
What are some realistic things we can do other than just relying on trivial secrets? Well, it'd be pretty simple for credit card companies to improve their identity verification before they extend credit. Maybe we'd start to see things like change-of-address forms requiring proof of address, or ecommerce sites shipping to only an address on file. The last time my credit card number was stolen (online), an upscale designer's Web site cheerfully shipped $4,000 worth of watches and shoes to a Mr. Asd Jkf in Toronto. That's absurd!
The current situation regarding personal information mirrors the state of computer security. For the last decade or so, everyone has let their guard down and gotten sloppy and stupid in the face of all the new whizz-bang connectivity. Rather than building a decent infrastructure and thinking about how to address the problem systematically, businesses and the government have stuck their heads firmly in the sand and kept trying to patch the status quo over and over, until it's just a mass of duct tape, spit and baling wire.
How about an example of a simple fix? Why can't my Visa card service include a list of 100 30-digit numbers, generated randomly, with each statement, then send them to my registered address and let me use those as one-time codes to authenticate transactions?
The most obvious answer involves two-factor authentication and authorization management: you know, two simple ideas from the dawn of computer security. Identifying people using something you know plus something you have obsoletes phishing scams, and allows the user to make a simple decision such as "make me come to my branch office in person to change my billing address" or "I will only apply for credit in person."
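The mailed list of one-time codes from the previous paragraphs, used as the "something you have" factor alongside a password as the "something you know" factor, as an added worked example (this is illustration code written for this page, not anything Visa or the column's author built). The 100-by-30-digit list is taken from the column; the salted hashing of codes and password, the server choosing which unused code position it wants for each transaction, and the lockout after repeated failures are assumptions added here to show why a phished or replayed code stops being worth stealing.

```python
"""Two-factor transaction authorization with a mailed list of one-time codes.

Hypothetical illustration, not any issuer's real system.
Factor 1 (something you know): account password, stored as a salted scrypt hash.
Factor 2 (something you have): a sheet of 100 random 30-digit codes mailed to the
registered address. The server keeps only salted hashes plus a used flag, so a
stolen copy of the database yields neither the password nor the unused codes.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 30      # 10**30 is about 2**99.7: not guessable online
LIST_SIZE = 100
MAX_FAILURES = 5      # assumption: lock the list after this many bad attempts


def generate_code_list(n=LIST_SIZE, digits=CODE_DIGITS):
    """Codes to print on the statement. secrets.randbelow is a CSPRNG."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


def _hash_code(code, salt):
    return hashlib.sha256(salt + code.encode()).digest()


def _hash_password(password, salt):
    # scrypt with n=2**14, r=8 uses 16 MiB, under hashlib's default 32 MiB cap
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class Account:
    """Server-side record for one cardholder (hypothetical)."""

    def __init__(self, password, codes):
        self.pw_salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.pw_salt)
        self.code_salt = secrets.token_bytes(16)
        self.codes = [{"hash": _hash_code(c, self.code_salt), "used": False}
                      for c in codes]
        self.failures = 0
        self.locked = False

    def unused_count(self):
        """How many codes remain; the issuer mails a new sheet when this runs low."""
        return sum(1 for c in self.codes if not c["used"])

    def challenge(self):
        """Server picks which unused position it wants for this transaction.

        A code phished for one position is useless when the real site asks
        for a different one, and a code already spent is never asked for again.
        """
        unused = [i for i, c in enumerate(self.codes) if not c["used"]]
        if self.locked or not unused:
            return None
        return secrets.choice(unused)

    def authorize(self, password, index, code):
        """Check both factors; consume the code only when both are right."""
        if self.locked:
            return (False, "locked")
        if not 0 <= index < len(self.codes) or self.codes[index]["used"]:
            # A reused position counts as a plain failure; do not say which.
            return self._fail()
        # Evaluate both factors before deciding so timing does not reveal which failed.
        pw_ok = hmac.compare_digest(self.pw_hash,
                                    _hash_password(password, self.pw_salt))
        code_ok = hmac.compare_digest(self.codes[index]["hash"],
                                      _hash_code(code, self.code_salt))
        if not (pw_ok and code_ok):
            return self._fail()
        self.codes[index]["used"] = True   # one-time: a replay of this code now fails
        self.failures = 0
        return (True, "ok")

    def _fail(self):
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return (False, "denied")


if __name__ == "__main__":
    # Constructed walk-through: issue a sheet, spend one code, try to replay it.
    sheet = generate_code_list()
    acct = Account("correct horse battery staple", sheet)
    pos = acct.challenge()
    print("challenge position", pos, acct.authorize("correct horse battery staple", pos, sheet[pos]))
    print("replay of same code", acct.authorize("correct horse battery staple", pos, sheet[pos]))
    print("codes left", acct.unused_count())
```

The point of keeping only hashes server-side is the same one the column makes about Social Security numbers: a secret that lives in a database that gets copied is not much of a secret. Here the only place the plaintext codes exist is the sheet in the cardholder's hands, each one dies on first use, and the server, not the user, decides which position is asked for.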
Worrying about protecting personal information is locking the barn door after the horse has left the county. The problem is that we shouldn't be relying on trivial personal information as an authentication token. There are plenty of pieces of personal information worth protecting, but my mother's maiden name is not one of them.
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.