23 September 2017
Stephen Wilson - Lockstep Group
Related Finextra news item: Bank of New York Mellon breach hits 4.5m customers (22 May 2008)
Bank of New York Mellon has lost unencrypted back-up computer tapes containing the confidential details of around 4.5 million customers.

We could make ourselves less vulnerable to breaches

27 May 2008

People often bemoan being treated "like numbers" in the modern world.  If we think more deeply about ID theft, the real problem is that when we deal with people numerically, we need to take more care about the pedigree of those numbers.  

Card-Not-Present fraud and all manner of identity takeover is enabled by the fact that most "identity" verification protocols simply involve gathering more and more numerical data.  Asking for CVV2 numbers to "prove" that the person has the credit card in front of them is a case in point. Entering one's CVV2 numbers into a web form only leaves the magic numbers vulnerable to theft and replay. 

On their own, numerical data have no pedigree.  A merchant server (or a payment gateway, or anyone else downstream) has no way to tell whether a given string of identity numbers was typed in by the genuine holder or replayed from a copy; both arrive as the same bytes. 

If we took greater systemic care with numerical data online, then lost and stolen data (like the Bank of NY Mellon tapes, or those infamous CDs that the British government mislaid in the post last year) would lose all its value. 

I think there's a huge intellectual blindspot around this issue.  Consider this.  In Australia, there has been a high profile and expensive program to develop a new national health identifier.  One would think that an important new identifier would be rolled out with some technological safeguards to mitigate takeover, phishing, counterfeiting and the like.  But the chief executive in charge of the project last year, when asked about how the identifiers would be carried, disavowed the project of any responsibility for that: 

We're interested in the unique identification of individuals and providers in healthcare. We're not positing a token. The identifier could be attached to a range of things.... [We'd] be happy to use cards as tokens if that option were available but there are other tokens, such as USB devices, and other forms of authentication. We're agnostic on that. Ref: "Doing the numbers on e-health". 

Technology agnosticism, I think, has led to some weak decision making in Internet authentication.  Some identity technologies are manifestly better than others; some (like PKI and smartcards) can confer pedigree on the numbers they carry, through digital signatures.  When a merchant server verifies a digital signature that was computed inside a tamper-resistant device over the details of that particular transaction, it can be assured that the identity data came from the holder of the device's private key, and, provided the signed data includes something fresh such as a transaction counter or a challenge, that the message is not a replay of an earlier one. 
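The pedigree argument above in working code, as an added example that is not from the post or from Lockstep: a "chip" holds an Ed25519 private key that never leaves it and signs each transaction together with a per-device counter; the merchant side verifies the signature against the public key the issuer registered and refuses any counter it has already accepted. The same message replayed, or its amount edited, is rejected, whereas the bare card-number-plus-CVV2 comparison beside it passes a stolen copy exactly as it passes the original. The card identifier, merchant name, amounts and field layout are constructed for this example; real chip card protocols have their own message formats and key arrangements.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what the card-holder's device signs. Merchant and amount bind
// the signature to one purchase; Counter is the device's monotonically increasing
// transaction counter, which gives the verifier a freshness check against replay.
// (Field names and layout are assumptions for this example, not a real scheme.)
type Transaction struct {
	CardID      string
	Merchant    string
	AmountCents uint64
	Counter     uint32
}

// canonical gives a fixed byte encoding so signer and verifier sign/verify the
// same bytes: length-prefixed strings, then big-endian integers.
func (t Transaction) canonical() []byte {
	var b bytes.Buffer
	for _, s := range []string{t.CardID, t.Merchant} {
		binary.Write(&b, binary.BigEndian, uint16(len(s)))
		b.WriteString(s)
	}
	binary.Write(&b, binary.BigEndian, t.AmountCents)
	binary.Write(&b, binary.BigEndian, t.Counter)
	return b.Bytes()
}

// Chip models a tamper-resistant device holding a private key that never leaves it.
type Chip struct {
	id      string
	priv    ed25519.PrivateKey
	counter uint32
}

// NewChip personalises a device; the returned public key is what the issuer registers.
func NewChip(id string) (*Chip, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Chip{id: id, priv: priv}, pub, nil
}

// Sign emits a transaction carrying a fresh counter plus the device's signature over it.
func (c *Chip) Sign(merchant string, amountCents uint64) (Transaction, []byte) {
	c.counter++
	t := Transaction{CardID: c.id, Merchant: merchant, AmountCents: amountCents, Counter: c.counter}
	return t, ed25519.Sign(c.priv, t.canonical())
}

var (
	ErrUnknownCard  = errors.New("no public key registered for card")
	ErrBadSignature = errors.New("signature does not verify: forged, tampered or wrong key")
	ErrReplay       = errors.New("transaction counter not fresh: replayed")
)

// Verifier is the merchant/acquirer side: registered public keys and, per card,
// the highest counter already accepted.
type Verifier struct {
	keys map[string]ed25519.PublicKey
	last map[string]uint32
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, last: map[string]uint32{}}
}

func (v *Verifier) Register(cardID string, pub ed25519.PublicKey) { v.keys[cardID] = pub }

// Accept checks pedigree (the signature) before freshness (the counter) and only
// advances the counter once both hold, so a forged message cannot poison the state.
func (v *Verifier) Accept(t Transaction, sig []byte) error {
	pub, ok := v.keys[t.CardID]
	if !ok {
		return ErrUnknownCard
	}
	if !ed25519.Verify(pub, t.canonical(), sig) {
		return ErrBadSignature
	}
	if t.Counter <= v.last[t.CardID] {
		return ErrReplay
	}
	v.last[t.CardID] = t.Counter
	return nil
}

// AcceptBareNumbers is the card-not-present status quo: compare the submitted PAN
// and CVV2 with the values on file. A copy lifted from an earlier form submission
// or a lost backup tape is indistinguishable from the original.
func AcceptBareNumbers(onFile map[string]string, pan, cvv2 string) bool {
	return onFile[pan] == cvv2
}

func main() {
	chip, pub, err := NewChip("card-0001") // constructed identifier
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Register("card-0001", pub)
	tx, sig := chip.Sign("merchant-42", 1999)
	fmt.Println("genuine:", v.Accept(tx, sig))  // <nil>
	fmt.Println("replayed:", v.Accept(tx, sig)) // replay error
	tx.AmountCents = 199900                     // attacker edits the amount in transit
	fmt.Println("tampered:", v.Accept(tx, sig)) // bad signature
	onFile := map[string]string{"4111111111111111": "123"} // constructed test values
	fmt.Println("bare numbers, stolen copy:", AcceptBareNumbers(onFile, "4111111111111111", "123")) // true
}
```

Note the ordering in Accept: the signature is checked before the counter, and the stored counter only moves on a fully valid message, so an attacker who cannot sign cannot burn a victim's counters by submitting garbage. The counter also needs to be per card and persisted on the verifying side; a stateless verifier would have to use a server-issued challenge instead.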

True, these approaches, including digitally signed e-mail, have been very awkward in the past, and they gave PKI an enduring bad name.  But the advent of smartcards, connected readers, and APIs built into the operating system and application stack radically changes the game.  PKI can now be made as easy to use as a conventional plastic card.  Over the next one or two years, with consumers becoming habituated to smartcards, we would have to be mad not to leverage embedded PKI to safeguard the pedigree of all manner of personal identity data, and thus inoculate ourselves against the harm arising from ever worsening privacy breaches. 

Tags: Security