There's still not enough clear thinking about the nature of personal information being traded and lost online. Not all information is the same!
In examining the terrible trend in personal information losses, Tower Group remarks that "While greater access to customer data is key for businesses to improve customer relationship management and business processes, there will always be repercussions,
including the possibility of personal data landing in the hands of the wrong parties ... ". Yet this blurs the boundaries between different types of information. Too much customer data is used for multiple purposes, in ad hoc stop-gap fixes for security
problems.
We really should be differentiating between:
Biographical information, like name, address and DOB, needed by a bank or service provider to establish and maintain a relationship with distinct customers
Identifiers, like bank account numbers, that serve as a proxy for biographical data to manage different customers.
[BTW I contend that the major Internet security and privacy problems would be remedied if pure identifiers could be relied upon, so we didn't need to ask customers for piles of corroborating details.]
Authentication data, like passwords, PINs and biometric templates, whether static or one-time, used to establish the legitimacy of someone claiming to be associated with biographical data or an identifier [Note that the CVCs started out as authenticators
but now they're so widely divulged and leaked that they're really just identifiers. Asking for CVCs over the web is frankly inane, symptomatic of sloppy ad hoc security; we might as well move to 19 digit credit card numbers].
Service history, like account balance and transaction details, which are private between the customer and the service provider, and in the case of banking actually represents the entirety of the product.
And all the other personal information (family details, telephone numbers, work details, preferences, affiliations ...) that accumulates, and which can be used for good (like tailoring customer service, or cross-selling with consent) or evil (cross-selling
without consent, spamming, surreptitious linking across different domains, identity theft etc).
The report went on to say that "companies should assume that traditional account information such as name, address, date of birth and account balance are useless as authentication factors. Instead they should consider using knowledge-based authentication
and one-time passwords delivered via SMS". Yes indeed, biographical data and service history are now useless as authenticators. But they should never have been used as such in the first place. It might have seemed clever at the time to use "shared
secrets" like account balance on an ad hoc basis to authenticate customers, but as a weapon against identity theft, it's precisely like putting out fire with gasoline.
So when I hear talk of "knowledge-based authentication", I shudder. This is often more of the same -- more ad hoc re-use of personal data to double check someone's authenticity, data which inevitably will leak out into the black market. Privacy suffers the
more so because regular data becomes attractive to thieves when it re-used in authentication. And customer convenience deteriorates as each service takes its own idiosyncratic approach to knowledge-based authentication, and what's worse, keeps changing its
own approach in the cyber crime arms race.
So what we really need is properly robust authentication data! Sending SMSes is cute -- they're in a second channel, and they're more difficult to fake or inject into the channel compared with current Internet authentication data. But there downsides are
large: inconvenience, cost (who's really paying for all these messages?) and unknown reliability. Crucially, the GSM standard provides no service level benchmarks for the Short Message Service;
it doesn't even guarantee that any SMS will ever be delivered. SMS was never engineered as a security service and for that reason alone, should be approached with caution (has anyone checked with the lawyers?).
The best long term solutions involve restoring reliability and pedigree to authentication data in-channel. We wouldn't need second channels if the main channel was tamper resistant. A solution for the Internet is close to hand: we can easily make identifiers
tamper resistant via digital signatures, which "bake in" authentication data. We could use EMV cards to sign and authenticate account numbers and transactions, to imbue them with pedigree and render transactions non-replayable.
For the time being, the mobile channels appear more inherently robust, but one wonders how long it will be before organised crime follows the mobile money and mounts sophisticated attacks in and around the telephone networks. I hope that this time round, in
the early days of a new banking channel, we do something proactive to ensure the pedigree of personal data sent over the air. Perhaps using the public key cryptography built into SIMs and available in many handsets.
Stephen Wilson,
Lockstep Technologies.