Does secrecy help protect personal information?
POINT Like most of you who read this, I'm pretty tuned in to computer security news. Between the litany of stories about lost data and stolen laptops, and the letter I got from the Veterans Administration in September, I thought it was time to do some math. By totaling the recent reports of exposed personal information, I have scientifically calculated that there are 15 Americans whose information has not yet been impacted. I wonder who they are.
More to the point, I wonder why we're doing things the same old way when the same old way is obviously not working. Security practitioners will tell you until they're purple in the face that passwords are bad technique, but the financial and medical industries and the government have decided to rely on 9-digit passwords (your Social Security number) and 16-digit passwords (your credit card number) as the master keys for virtually everything. What we're seeing is abundant proof of the stupidity of that idea. There's an easy fix, of course: just publish it all.
The single best way to bring about change in the system is to remove the value of that particular piece of information by giving it up. Remember, for all intents and purposes, it has already been given up. In order to improve the situation, we need to get past the denial.
What are some realistic things we can do other than just relying on trivial secrets? Well, it'd be pretty simple for credit card companies to improve their identity verification before they extend credit. Maybe we'd start to see things like change-of-address forms requiring proof of address, or ecommerce sites shipping to only an address on file. The last time my credit card number was stolen (online), an upscale designer's Web site cheerfully shipped $4,000 worth of watches and shoes to a Mr. Asd Jkf in Toronto. That's absurd!
The current situation regarding personal information mirrors the state of computer security. For the last decade or so, everyone has let their guard down and gotten sloppy and stupid in the face of all the new whizz-bang connectivity. Rather than building a decent infrastructure and thinking about how to address the problem systematically, businesses and the government have stuck their heads firmly in the sand and kept trying to patch the status quo over and over, until it's just a mass of duct tape, spit and baling wire.
How about an example of a simple fix? Why can't my Visa card service include a list of 100 30-digit numbers, generated randomly, with each statement, then send them to my registered address and let me use those as one-time codes to authenticate transactions?
The most obvious answer involves two-factor authentication and authorization management: you know, two simple ideas from the dawn of computer security. Identifying people using something you know plus something you have obsoletes phishing scams, and allows the user to make a simple decision such as "make me come to my branch office in person to change my billing address" or "I will only apply for credit in person."
Worrying about protecting personal information is locking the barn door after the horse has left the county. The problem is that we shouldn't be relying on trivial personal information as an authentication token. There are plenty of pieces of personal information worth protecting, but my mother's maiden name is not one of them.
Does secrecy help protect personal information?
CounterPoint Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don't have the capability to protect that information.
There are actually two problems here: Personal information is easy to steal, and it's valuable once stolen. We can't solve one problem without solving the other. The solutions aren't easy, and you're not going to like them.
First, fix the economic problem. Credit card companies make more money extending easy credit and making it trivial for customers to use their cards than they lose from fraud. They won't improve their security as long as you (and not they) are the one who suffers from identity theft. It's the same for banks and brokerages: As long as you're the one who suffers when your account is hacked, they don't have any incentive to fix the problem. And data brokers like ChoicePoint are worse; they don't suffer if they reveal your information. You don't have a business relationship with them; you can't even switch to a competitor in disgust.
Credit card security works as well as it does because the 1968 Truth in Lending Law limits consumer liability for fraud to $50. If the credit card companies could pass fraud losses on to the consumers, they would be spending far less money to stop those losses. But once Congress forced them to suffer the costs of fraud, they invented all sorts of security measures--real-time transaction verification, expert systems patrolling the transaction database and so on--to prevent fraud. The lesson is clear: Make the party in the best position to mitigate the risk responsible for the risk. What this will do is enable the capitalist innovation engine. Once it's in the financial interest of financial institutions to protect us from identity theft, they will.
Second, stop using personal information to authenticate people. Watch how credit cards work. Notice that the store clerk barely looks at your signature, or how you can use credit cards remotely where no one can check your signature. The credit card industry learned decades ago that authenticating people has only limited value. Instead, they put most of their effort into authenticating the transaction, and they're much more secure because of it.
This won't solve the problem of securing our personal information, but it will greatly reduce the threat. Once the information is no longer of value, you only have to worry about securing the information from voyeurs rather than the more common--and more financially motivated--fraudsters.
And third, fix the other economic problem: Organizations that expose our personal information aren't hurt by that exposure. We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organizations that don't care for it properly.
"Passwords" like credit card numbers and mother's maiden name used to work, but we've forever left the world where our privacy comes from the obscurity of our personal information and the difficulty others have in accessing it. We need to abandon security systems that are based on obscurity and difficulty, and build legal protections to take over where technological advances have left us exposed.
Send comments on this column to firstname.lastname@example.org.
Coming in March:
Is penetration testing worth it?