Blog article
See all stories »

An article relating to this blog post on Finextra:

Financial institutions have lost battle to protect customer data - TowerGroup

US financial services firms have lost the battle to protect the personal information of customers and must now assume that all their clients' data has been, or will be, compromised, according to Tower...


See article

We need clearer thinking about privacy and security

There's still not enough clear thinking about the nature of personal information being traded and lost online.  Not all information is the same!

In examining the terrible trend in personal information losses, Tower Group remarks that "While greater access to customer data is key for businesses to improve customer relationship management and business processes, there will always be repercussions, including the possibility of personal data landing in the hands of the wrong parties ... ".  Yet this blurs the boundaries between different types of information.  Too much customer data is used for multiple purposes, in ad hoc stop-gap fixes for security problems.

We really should be differentiating between:

Biographical information, like name, address and DOB, needed by a bank or service provider to establish and maintain a relationship with distinct customers

Identifiers, like bank account numbers, that serve as a proxy for biographical data to manage different customers.

[BTW I contend that the major Internet security and privacy problems would be remedied if pure identifiers could be relied upon, so we didn't need to ask customers for piles of corroborating details.]

Authentication data, like passwords, PINs and biometric templates, whether static or one-time, used to establish the legitimacy of someone claiming to be associated with biographical data or an identifier [Note that the CVCs started out as authenticators but now they're so widely divulged and leaked that they're really just identifiers.  Asking for CVCs over the web is frankly inane, symptomatic of sloppy ad hoc security; we might as well move to 19 digit credit card numbers].

Service history, like account balance and transaction details, which are private between the customer and the service provider, and in the case of banking actually represents the entirety of the product.

And all the other personal information (family details, telephone numbers, work details, preferences, affiliations ...) that accumulates, and which can be used for good (like tailoring customer service, or cross-selling with consent) or evil (cross-selling without consent, spamming, surreptitious linking across different domains, identity theft etc).

The report went on to say that "companies should assume that traditional account information such as name, address, date of birth and account balance are useless as authentication factors. Instead they should consider using knowledge-based authentication and one-time passwords delivered via SMS".   Yes indeed, biographical data and service history are now useless as authenticators.  But they should never have been used as such in the first place.  It might have seemed clever at the time to use "shared secrets" like account balance on an ad hoc basis to authenticate customers, but as a weapon against identity theft, it's precisely like putting out fire with gasoline.

So when I hear talk of "knowledge-based authentication", I shudder.  This is often more of the same -- more ad hoc re-use of personal data to double check someone's authenticity, data which inevitably will leak out into the black market.  Privacy suffers the more so because regular data becomes attractive to thieves when it re-used in authentication.  And customer convenience deteriorates as each service takes its own idiosyncratic approach to knowledge-based authentication, and what's worse, keeps changing its own approach in the cyber crime arms race.

So what we really need is properly robust authentication data!  Sending SMSes is cute -- they're in a second channel, and they're more difficult to fake or inject into the channel compared with current Internet authentication data.  But there downsides are large: inconvenience, cost (who's really paying for all these messages?) and unknown reliability.  Crucially, the GSM standard provides no service level benchmarks for the Short Message Service; it doesn't even guarantee that any SMS will ever be delivered.  SMS was never engineered as a security service and for that reason alone, should be approached with caution (has anyone checked with the lawyers?).

The best long term solutions involve restoring reliability and pedigree to authentication data in-channel.  We wouldn't need second channels if the main channel was tamper resistant.  A solution for the Internet is close to hand: we can easily make identifiers tamper resistant via digital signatures, which "bake in" authentication data.  We could use EMV cards to sign and authenticate account numbers and transactions, to imbue them with pedigree and render transactions non-replayable.

For the time being, the mobile channels appear more inherently robust, but one wonders how long it will be before organised crime follows the mobile money and mounts sophisticated attacks in and around the telephone networks.  I hope that this time round, in the early days of a new banking channel, we do something proactive to ensure the pedigree of personal data sent over the air.  Perhaps using the public key cryptography built into SIMs and available in many handsets.

Stephen Wilson, Lockstep Technologies.

Comments: (7)

Nick Collin
Nick Collin - Collin Consulting Ltd - London 18 June, 2009, 10:47Be the first to give this comment the thumbs up 0 likes

A very thoughtful article!  Like you, I'm doubtful about mobile solutions.  Remote Chip Authentication leveraging the security embedded within the EMV infrastructure looks like the best long term solution.

A Finextra member
A Finextra member 19 June, 2009, 01:11Be the first to give this comment the thumbs up 0 likes

Nice little article Steve.

I have no doubt that everyone will follow the mobile path. I remember my first discussion years ago with Chris Skinner, who initially thought little of the potential of a mobile solution, probably because I was too far ahead of the pack, but he didn't take long to understand that if the security was right and it was easy enough of a process for customers, then it would be the end game. It is.

We were looking at offering internet banking without logons and passwords, and we may still, however we have realised that our customers will not even need to do internet banking at all - ever. Not in the sense that the banks are currently doing it.

We have some really fun surprises in store. Mobile ID is the foundation for the neatest little trustworthy natural language personal assistant you ever met, independent of your level of technology, ie any phone or device.

Retail Banking such as it stands is obsolete, history. Done and dusted.

As a process think of the Veyron passing the Austin...we're in the Enterprise watching from above. Done and dusted.

 

Heinrich Mautner Markhof
Heinrich Mautner Markhof - WebLookOn Inc. - Austria 24 June, 2009, 12:02Be the first to give this comment the thumbs up 0 likes

Dear Steve, I fully agree with you that we must discuss how to handle our personal (traffic) data (credentials, etc)  on- and offline. It isnt that easy any more since we have invented the internet. We also made a thinking mistake by believing that online business must not work the same as offline business. People do not understand how the internet works itself. They dont have a glue of it. But when you discuss with them how they would see a value chain in the web, they will always take the offline one as the model. Leaving ones traces in the net is the same as leaving traces on a muddy street. But in the web we have to remind that life on- and offline is mixed togehter. - thats the difference!

The most important issue in a world where you cannot see your visàvis and most contacts or business are made between man and machines is to use strong authentication (the funny thing is that in german language there are several terms for this: authentication, authentification). 
And what kind of authentication is used in the web? It is mainly (99%) the password/username method - this is the reason for more than 70% of misuse, fraud, identity theft, phishing, botnet attacks etc. nowerdays.
Why?  Its very simple.
What do you think a criminal is looking for ? He looks for data that he can use for criminal acts.
So, compare it to offline life. What would such a criminal do, when he wants enter your house?
He will start an observation/investigation  to find out more about your habits....
And what do we all know about passwords? they have to be at least 13digits long, they have to be build of meaningless letters, numbers and &/_§ signs, must never be used twice , must be changed every month, etc. etc. And what do we all do in reality? We all use one and the same password for different webaccounts; be it a bank or be it a facebook account. Once a password is typed in by keyboard it is´nt any more ones own secret. This is just terrific. You know that the expenses for security solutions of banks is propably higher than of a social network site or another website. So our criminal just needs to observe/get our password (s) It rather be singular because we all use the same for everything (there are many studies on this). The rest is just done with google....and then continued by phishing, man in the middle, hacking, etc. Its very easy.
So what could be the consequences?
- Get rid of the PASSWORD authentication method
- EU, US, etc. countries should issue a decree that every website having a login MUST offer at least TWO different authentication methods
- EU, US etc. regulatories should enlighten the weakness of password methods.

What are the alternatives?
Currently there are about 3,6 Billion people using the web. There are about 280 million active websites. There are about 28 Million websites that have a login. Akamai counts about 50 Million visitors /minute on observed sites.... I guess that there are many (password) logins/minute....
So a solution should primerly be knowledge based for this amount of users. It also should be free for use and no additional hard or software should be installed..... Just have a look at WebLookon.com  and you will get another point of view...... Have fun

A Finextra member
A Finextra member 25 June, 2009, 10:59Be the first to give this comment the thumbs up 0 likes

Nice site Heinrich but the the concept has some difficult issues to overcome.

Not to worry - no log-on, no password for any site including internet banking will get rid of all the hoohaa and make it a lot harder for the bad guys won't it? Coming soon.

Heinrich Mautner Markhof
Heinrich Mautner Markhof - WebLookOn Inc. - Austria 25 June, 2009, 14:19Be the first to give this comment the thumbs up 0 likes

You tell it ! Of course it is not that easy to convince this mass of people  to leave their passwords and from now on use pictures and symbols instead.
Many people we deal with just say they will never be able to remember a secret based on pictures and symbols. But when I tell them that we all recognize and remember pictures from the beginning of our life, then they got it - they try it - and they like it (Writting comes later!)
We have many issues to overcome - it true. But with this service we bring in a lot more functions, utilities etc. to both - the user and to the content provider being our customer. The user can check his login statistics worldwide (time, date, ip, domain, failed logins, pos. logins, etc) Today we can never know where and who is misusing our login data. With WLO you know it and it will stand up in court. WLO will develop to a single Sign-on portal that will in addition offer pre-paid and charge card functionalities and ATM solutions just by using/providing the WLO authentication service to banks, etc. The moment a user is authentified, he can go right to his dashboard where he can adjust, enable and disable a lot  of other functionalities. Content Providers can not only be 99,9 % sure that it really is the customer logging into the site. CPs can reduce their password and identityManagement costs as well as insurances premiums (online business).
But the smashing thing is that no one needs to install anything- neither the user nor the content provider. Implementation takes 10 minutes........best regards

Andrew Churchill
Andrew Churchill - Technology Strategy - London 27 June, 2009, 10:45Be the first to give this comment the thumbs up 0 likes

Stephen,

A good piece, and I agree with your conclusion that we wouldn't need a second channel if we could make the main channel tamper resistant (and unable to be actively intercepted or passivley monitored). Not sure how on earth one proposes to do that in a workable manner, though!! So I think we're stuck with multiple channels as the way forward, as everything else ends up boiling down to single factor 'what I can intercept' and pass on.

Lots of work underway on securing mobile data transfer at the moment, in particular because of the advent of mainstream mobile payments and the subsequent interest to organised crime.

I must admit I do like Heinrich's WebLookOn, and think it could catch on. Not as a security solution, mind you, as it fails for the same reason as all the other OTP generating systems, but as a new super-fiendish Su Doku. Too many of the grid based systems coming through at the moment are far too easy to find the known secret and just aren't fun to crack. As the site says 'have fun' and I'll confess I did  - it took over an hour to find the secret given three data sets (though if you wish to play at home you'll have to get a friend to set it up, else you'll know the images you're after), but I've got bored of all the Su Doku Ken Kens in the newspapers, so this was a breath of fresh air (though, if I'm splitting hairs, from the initial 'select the picture of a reptile' I'd point out that a frog is actually an amphibian).

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 27 June, 2009, 14:10Be the first to give this comment the thumbs up 0 likes

 

A single channel can be made secure by digitally signing (asymmetric cryptography) each transaction, using a private key in a tamper resistant store, invoked from a host machine hardened against Man In The Browser attack.  The key store is easy -- use a smartcard and connected reader, or equivalent (e.g. WPKI enabled mobile device)  Hardening against MITB is a bit harder but there are plenty of obfuscations that make life hard for the attacker, and the Trusted Platform may be gaining traction which ought to thwart all forms of malware. 

So I suggest we should put our collective energies into elegant, robust, long term architectures, and not awkward multi-channel compromises. 

 

Stephen Wilson

Stephen Wilson

Managing Director

Lockstep Group

Member since

24 Apr

Location

Sydney

Blog posts

34

Comments

174