
An article relating to this blog post on Finextra:

Bank of New York Mellon breach hits 4.5m customers

Bank of New York Mellon has lost unencrypted back-up computer tapes containing the confidential details of around 4.5 million customers.


We could make ourselves less vulnerable to breaches


People often bemoan being treated "like numbers" in the modern world. But if we think more deeply about ID theft, the real problem is not that we deal with people numerically; it is that we take too little care over the pedigree of those numbers.

Card-Not-Present fraud and all manner of identity takeover are enabled by the fact that most "identity" verification protocols simply involve gathering more and more numerical data. Asking for the CVV2 number to "prove" that the person has the credit card in front of them is a case in point. The CVV2 is a static value: once typed into a web form it can be captured in transit or from the merchant's systems, and whoever holds a copy can replay it indefinitely, because nothing about the number itself shows whether the card is actually present.

On its own, numerical data has no pedigree. There is no way that a merchant server (or a payment gateway, or anyone else) can tell whether a given string of identity numbers is genuine or replayed; the bytes are identical in both cases.

If we took greater systemic care with numerical data online, then lost and stolen data (like the Bank of NY Mellon tapes, or those infamous CDs that the British government mislaid in the post last year) would lose its value to whoever found or stole it.

I think there's a huge intellectual blind spot around this issue. Consider this. In Australia, there has been a high-profile and expensive program to develop a new national health identifier. One would think that an important new identifier would be rolled out with some technological safeguards to mitigate takeover, phishing, counterfeiting and the like. But the chief executive in charge of the project last year, when asked how the identifiers would be carried, disavowed the project of any responsibility for that:

We're interested in the unique identification of individuals and providers in healthcare. We're not positing a token. The identifier could be attached to a range of things.... [We'd] be happy to use cards as tokens if that option were available but there are other tokens, such as USB devices, and other forms of authentication. We're agnostic on that. Ref: "Doing the numbers on e-health". 

Technology agnosticism has, I think, led to some weak decision-making in Internet authentication. Some identity technologies are manifestly better than others; some (like PKI and smartcards) can confer pedigree on the numbers they carry, through digital signatures. When a merchant server processes a transaction digitally signed by a tamper-resistant device, it can be assured that the identity data is real and, provided the signed data includes something unique to that transaction (a challenge issued by the merchant, or a counter kept inside the device), that it is not replayed.
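As an added example (not part of the original post, and not any real issuer's or card scheme's protocol), here is a small Go program contrasting the two checks discussed above. A static CVV2 is accepted by plain equality, so a stolen copy passes every time. A transaction signed inside a card (simulated with Ed25519 from Go's standard library, standing in for the smartcard's signing key) is bound to a merchant-issued challenge and to a counter that only the card advances, so the same signed bytes cannot be presented twice and the amount cannot be altered without invalidating the signature. The merchant ID, amounts, and the key-distribution shortcut (the card's public key handed straight to the merchant rather than carried in a certificate) are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// CVV2Check is all a static secret offers: an equality test (stand-in for the issuer's check) that cannot tell the cardholder from an attacker replaying a stolen copy.
func CVV2Check(storedCVV2, presented string) bool { return storedCVV2 == presented }

// Transaction is what the merchant asks the card to authorise; Counter and Nonce tie the signature to this one transaction.
type Transaction struct {
	MerchantID  string
	AmountCents uint64
	Counter     uint64   // monotonic counter kept inside the card
	Nonce       [16]byte // challenge chosen by the merchant for this transaction
}

// canonical is the exact byte string signed and verified (length-prefixed fields, big-endian).
func (t Transaction) canonical() []byte {
	b := make([]byte, 0, 40+len(t.MerchantID))
	for _, v := range []uint64{uint64(len(t.MerchantID)), t.AmountCents, t.Counter} {
		var tmp [8]byte
		binary.BigEndian.PutUint64(tmp[:], v)
		b = append(b, tmp[:]...)
	}
	return append(append(b, t.MerchantID...), t.Nonce[:]...)
}

// Card stands in for a tamper-resistant device: the private key never leaves it.
type Card struct {
	priv    ed25519.PrivateKey
	counter uint64
}

// NewCard personalises a card; a real PKI would carry the public key in the card's certificate (assumed here to reach the merchant out of band).
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}

// Sign authorises one transaction against the merchant's challenge, advancing the card counter.
func (c *Card) Sign(merchantID string, amountCents uint64, nonce [16]byte) (Transaction, []byte) {
	c.counter++
	tx := Transaction{MerchantID: merchantID, AmountCents: amountCents, Counter: c.counter, Nonce: nonce}
	return tx, ed25519.Sign(c.priv, tx.canonical())
}

// Merchant is the verifying server: it tracks the challenges it issued and the highest card counter accepted.
type Merchant struct {
	ID          string
	cardPub     ed25519.PublicKey
	lastCounter uint64
	outstanding map[[16]byte]bool
}

func NewMerchant(id string, cardPub ed25519.PublicKey) *Merchant {
	return &Merchant{ID: id, cardPub: cardPub, outstanding: map[[16]byte]bool{}}
}

// Challenge issues a fresh nonce that the card must include under its signature.
func (m *Merchant) Challenge() [16]byte {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	m.outstanding[n] = true
	return n
}

// Verify accepts a transaction only if it is ours, answers an unconsumed challenge, advances the card counter, and carries a valid signature over exactly those fields.
func (m *Merchant) Verify(tx Transaction, sig []byte) error {
	switch {
	case tx.MerchantID != m.ID:
		return errors.New("addressed to a different merchant")
	case !m.outstanding[tx.Nonce]:
		return errors.New("nonce never issued or already consumed: replay")
	case tx.Counter <= m.lastCounter:
		return errors.New("card counter did not advance: replay")
	case !ed25519.Verify(m.cardPub, tx.canonical(), sig):
		return errors.New("signature invalid: data forged or altered")
	}
	delete(m.outstanding, tx.Nonce) // consume the challenge
	m.lastCounter = tx.Counter
	return nil
}

func main() {
	card, pub, _ := NewCard()
	m := NewMerchant("SHOP-42", pub)
	tx, sig := card.Sign(m.ID, 1999, m.Challenge())
	fmt.Println("first presentation:", m.Verify(tx, sig))
	fmt.Println("replayed copy:", m.Verify(tx, sig))
	fmt.Println("static CVV2 replayed:", CVV2Check("123", "123"), CVV2Check("123", "123"))
}
```

The part to notice is Verify: the signature alone only proves which key signed, which is no better than a static number if the same signed bytes are accepted twice. The nonce and counter checks, both covered by the signature, are what make the data non-replayable, and that is the "pedigree" the post is after.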

True, these approaches, including digitally signed e-mail, have been very awkward in the past, and they gave PKI an enduring bad name. But the advent of smartcards, connected readers, and APIs built into the operating system and application stack radically changes the game. PKI can now be made as easy to use as a conventional plastic card. Over the next one or two years, with consumers becoming habituated to smartcards, we would have to be mad not to leverage embedded PKI to safeguard the pedigree of all manner of personal identity data, and thus inoculate ourselves against the harm arising from ever-worsening privacy breaches.




