I just received news that a company received the OK from the UK to run the government's identity verification. I read the article and am both impressed and relieved that there are entities out there that seem to be thinking outside the conventional security box to provide a more secure way to get into government sites. The thing that scares me the most is that Estonia, which had a very large and expansive tech system for accessing government-associated information and services, was hacked, with the consequence that a large segment of the population could not conduct business until the recovery was complete. I have not heard anything more about this (it happened years ago), so I am sure that the country has put a more secure method of access in place. The elements I just read about in the UK seem promising, but I still think that the most important weakness that exists is something that no technology can defeat – the innate laziness of the user.
I am lazy, I admit it. I want to access information with the simplest method possible. However, I also try to use the most secure method possible, which is sometimes counter-intuitive. I am concerned that giving people the ability to develop their own security has more downsides than upsides. As computer security people, we love to develop our own security since it gives us control. Unfortunately, others who are not reading about computer security flaws, fixes, and failures do not stay awake at night wondering whether their bank account will still be there in the morning.
The first flaw I see is the self-assigned PIN that many security applications are using, especially if it is under 8-12 characters. If I were a hacker, I would check FACEBOOK or another social site, find the birthday and try that first, then any phone number that the user might have (especially if it is a seven- or 10-digit PIN), along with any other birthday I can find. I would also see if I could access anything with a Social Security Number and try that, and then their address if it had a number. After that, if I did not hit the “three strikes you’re out” limit, I would close my browser and try again, especially if I knew that no email would be sent to the real user saying someone is trying different PINs and “we suggest that you change yours.” The reason I picked 8-12 digits is “Shannon’s Entropy” theory and its application to making the PIN as difficult as possible to guess. Claude Shannon understood the complexity of information security and the theory is still used today in some US government circles.
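As an added illustration (not code from the article or from the company it describes), the following Python compares the Shannon entropy of a uniformly random numeric PIN of a given length with the effective entropy an attacker faces when the PIN is drawn from a short list of profile-derived guesses, and applies a simple enrollment policy that rejects such PINs. The birthdate, phone number and house number are constructed sample values, and the candidate-generation rules are illustrative assumptions, not an exhaustive list.

```python
import math
from datetime import date

def pin_entropy_bits(length: int, alphabet_size: int = 10) -> float:
    """Shannon entropy of a uniformly random PIN: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def effective_bits(n_candidates: int) -> float:
    """Entropy the attacker actually faces when the PIN comes from a short candidate list."""
    return math.log2(n_candidates)

def personal_data_candidates(birthdate: date, phone: str, house_number: str) -> set[str]:
    """PIN guesses derivable from profile data (assumed heuristics, not exhaustive)."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    cands = {
        birthdate.strftime("%m%d%Y"), birthdate.strftime("%d%m%Y"),
        birthdate.strftime("%Y%m%d"), birthdate.strftime("%m%d%y"),
        birthdate.strftime("%d%m%y"), birthdate.strftime("%m%d"),
        birthdate.strftime("%Y"), digits, digits[-7:], digits[-4:], house_number,
    }
    return {c for c in cands if c}  # drop empty strings

def sample_candidates() -> set[str]:
    """Candidates for a constructed sample profile (not a real person)."""
    return personal_data_candidates(date(1985, 3, 12), "(555) 867-5309", "42")

def check_pin(pin: str, candidates: set[str], min_len: int = 8) -> list[str]:
    """Return policy violations for a user-chosen PIN; an empty list means accepted."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must be numeric")
    if len(pin) < min_len:
        problems.append(f"PIN has {len(pin)} digits ({pin_entropy_bits(len(pin)):.1f} bits); "
                        f"minimum is {min_len}")
    # Reject an exact match or any embedded fragment of 4+ digits of personal data.
    if pin in candidates or any(c in pin for c in candidates if len(c) >= 4):
        problems.append("PIN is derived from publicly discoverable personal data")
    if len(set(pin)) == 1 or pin in ("12345678", "87654321", "01234567", "76543210"):
        problems.append("PIN is a trivial sequence")
    return problems

if __name__ == "__main__":
    cands = sample_candidates()
    print(f"random 8-digit PIN: {pin_entropy_bits(8):.1f} bits")
    print(f"PIN from {len(cands)} profile-derived guesses: {effective_bits(len(cands)):.1f} bits")
    for candidate_pin in ("03121985", "8675309", "47108293"):
        print(candidate_pin, check_pin(candidate_pin, cands) or "accepted")
```

The gap between roughly 26.6 bits for a random 8-digit PIN and about 3.5 bits for a PIN picked from a dozen profile-derived guesses is the point of the entropy argument: length only helps if the digits are not predictable from public data.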
The second flaw I see is the “verification” of the “verification.” What happens if the person forgets their PIN? I understand that the “something you know” can be misplaced, but how do you verify that information? If there are security questions, the answers have to be stored somewhere in the system, taking up capacity.
The final flaw I see is the “something you have” and the “something you are” not being kept separate. Some companies are using a downloaded token as the “something you have” and then treating that same token on a home PC or laptop as the “something you are.” Unless those hardware devices are chained to you, they will become misplaced, and now the hacker has access to your site; they guess the PIN to be your birthday and they are in!
This article is not meant to be negative at all, believe it or not. I see great strides in the security of people’s information considering the many online services available today. I also see young people who are trusting of others to the point where they share security information with their “best friends” (who could change every hour). What type of recommendations would I make? Probably those that are already in the works, including more biometrics that are not invasive but highly individual, such as EKG or EEG, which can be baselined and used as a “something you are.” No one has to remember their EKG or EEG, and there are interfaces that can pattern-check against these indicators. Another recommendation would be that the verification questions be drawn from a credit bureau’s own database, which could help eliminate saving them on the access server. I am very impressed with these credit-check questions since they are something that I would remember, even if the data is 10 years old.
The bottom line in this article is that I applaud public-sector security efforts. After working for the Federal Government in a variety of capacities, I am very pleased that there are companies that are taking this security aspect very seriously. Please keep up the good work!
PS I kept the company’s name out of this article for anonymity purposes. Hey, at least they are trying, folks!