Thursday, 25 September 2008

Security, data protection, proof of identity: daft questions, measures, implementation
You have to answer a raft of security questions when trying to manage your account at your bank, credit card company or other financial institution.

But, are they the right questions? And are they asked appropriately?

What about other "security measures" used or insisted upon by institutions - are they commensurate with the risks they're supposed to address, do they even make sense in some cases?

Insecure security policies

Security questions - too easy!

Tom Morris has written an excellent blog post on "How to fail at security". He looks at the security information his bank asks him to provide to verify his identity, i.e. to prove that he is who he says he is - which is very much the same sort of security information that banks and financial institutions generally, and indeed other kinds of organisations or businesses, require: date of birth, first school etc.

And he noted how easy it is for other people to find the information needed to answer most of the standard security questions (e.g. parent's first name) correctly so they can masquerade as you.

This point was brought home with a vengeance a few days ago when hackers got into the Yahoo! email account of Sarah Palin, Republican Vice-Presidential nominee and running mate of the US Republican Party's 2008 Presidential candidate John McCain. The incident was widely covered in the media.

The BBC reported that it seems the hackers managed to access her account by resetting her Yahoo! password (i.e. they used the "Forgot your ID or password" link), answering the security questions correctly because they had found out her date of birth, zip code and other personal information through Wikipedia and other online databases.

A recent BBC 3 documentary aimed at young people called "Mischief: Your Identity for Sale", which was made before the Palin email incident, also showed how much personal data people innocently and unthinkingly make available to the world (including bad guys) on Facebook and other social networking sites, which can then be obtained and used against them for nefarious purposes.

Even before all this, I'd gotten into the habit of giving a different birth date and zip code / postcode to different sites that require the information when you try to sign up, and yes, a different mother's maiden name etc. too. I figure it's none of their business; most of the time they don't need to know anything more than my login details and the fact that I'm over 13 (for US sites) or over 18 in most other places. And of course, this practice makes things more secure for me - though I have to ensure I remember, or keep a secure note of, which site has which info!

Even so, one of the banking sites I use just requires real name, postcode, birthday and mother's maiden name to login. (And a password, not even a PIN, which may not survive a dictionary attack for long.)

Now Tom had suggested that banks should use digital signatures and other, better, security measures.

I'm not sure how that would work when speaking on the telephone; plus, non-geeks seem to have a big knowledge gap where digital signatures are concerned, though they've been around for years.

I'd be the first to say I don't know enough about digital signatures yet. I'm only starting to use GPG myself, and I think it's still too difficult and inconvenient for the vast majority of non-geeks to use. Possibly digital signatures are still too hard to use because they've not been implemented widely enough, and their implementation is still not effective or user-friendly enough for the average consumer.

Indeed, more often than not, just digitally signing a clear, unencrypted email simply doesn't work, because of how email systems (like Outlook) handle the email: they claim the email hasn't been properly signed even when it has been. That won't help persuade the average non-techie to trust its reliability, will it? Normally the whole email needs to be encrypted before a valid signature will definitely be considered valid.
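One well-known reason a signature over a plain-text email stops verifying after transit is that mail software rewrites the message on the way: line endings get converted to CRLF, trailing spaces get dropped, and so on. The bytes that reach the recipient are no longer the bytes that were signed. The usual defence is to canonicalise the text before hashing it (this is what OpenPGP cleartext signatures do: trailing whitespace is ignored and lines are hashed as if terminated by CRLF), so harmless transport rewrites leave the signature intact while real edits still break it. The following is an added example and not code from the original post; it uses an HMAC with a constructed key as a stand-in for a real public-key signature so that it runs with the Python standard library alone, and the `mail_client_rewrite` function is a constructed approximation of what a mail client or gateway might do.

```python
"""Added example (not from the original post): a signature over raw message
bytes breaks when a mail client rewrites line endings or trailing whitespace;
canonicalising the text first (trailing whitespace stripped, CRLF line
endings, as OpenPGP cleartext signatures do) keeps it valid.  An HMAC with a
constructed key stands in for a real private-key signature."""
import hmac
import hashlib

KEY = b"constructed-demo-key"  # stand-in for the signer's private key


def canonicalize(text: str) -> bytes:
    """Strip trailing spaces/tabs from every line and join with CRLF, so the
    same logical text always hashes to the same bytes."""
    lines = text.replace("\r\n", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def sign_raw(text: str) -> str:
    """Naive signature: hash exactly the bytes as written."""
    return hmac.new(KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_raw(text: str, sig: str) -> bool:
    return hmac.compare_digest(sign_raw(text), sig)


def sign_canonical(text: str) -> str:
    """Canonicalising signature: hash the normalised form of the text."""
    return hmac.new(KEY, canonicalize(text), hashlib.sha256).hexdigest()


def verify_canonical(text: str, sig: str) -> bool:
    return hmac.compare_digest(sign_canonical(text), sig)


def mail_client_rewrite(text: str) -> str:
    """Constructed stand-in for what mail software may do in transit:
    convert to CRLF line endings and drop trailing whitespace (which also
    mangles the conventional '-- ' signature separator)."""
    return "\r\n".join(line.rstrip() for line in text.split("\n"))


# Constructed sample message body, LF-terminated with some trailing spaces.
ORIGINAL = "Dear customer,\nYour statement is attached.  \n-- \nThe Bank\n"


def demo() -> dict:
    """Sign the original both ways, pass it through the rewrite, and report
    which signature survives and whether a real edit is still detected."""
    rewritten = mail_client_rewrite(ORIGINAL)
    raw_sig = sign_raw(ORIGINAL)
    canon_sig = sign_canonical(ORIGINAL)
    tampered = rewritten.replace("attached", "NOT attached")
    return {
        "text_changed_in_transit": rewritten != ORIGINAL,
        "raw_signature_still_valid": verify_raw(rewritten, raw_sig),
        "canonical_signature_still_valid": verify_canonical(rewritten, canon_sig),
        "canonical_detects_real_edit": not verify_canonical(tampered, canon_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:35s} {value}")
```

Run it and the raw signature fails after the rewrite even though nobody tampered with the message, which is exactly the "not properly signed" experience described above, while the canonicalised signature still verifies and still catches a genuine change to the wording.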

Other security policies

Here are some other examples of security policies which are not exactly helpful or secure.

Password security. It's received wisdom that to create strong passwords that are less vulnerable to being guessed or discovered by bad guys, a combination of upper and lower case letters, numbers and symbols should ideally be used.

But what does a customer trying to sign up for "My T-Mobile" find?

That's right, they actually stop you from using special characters (e.g. a hyphen - ), i.e. they actually stop efforts to make your password more secure.
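To put numbers on the two complaints above (security questions whose answers come from a tiny, often public, pool; a site that bans symbols from passwords), here is an added example that is not code from the original post. The answer-space sizes for the security questions are constructed, rough estimates, and they assume every answer is equally likely, which is generous to the bank: in the Palin case the answers were simply looked up, so the effective guessing work was close to zero. The two policy functions are hypothetical stand-ins for a site that forbids special characters and for one that instead asks for length and character-class diversity.

```python
"""Added example (not from the original post): how much guessing work typical
'security question' answers offer compared with an 8-character password, and
what banning symbols from passwords costs.  All answer-space sizes are
constructed, rough estimates for illustration only."""
import math
import string

# Constructed, approximate answer spaces.  A date of birth for a living adult
# spans about 100 years of days; a postcode/ZIP code has tens of thousands of
# plausible values; a mother's maiden name is very likely to be one of the
# few thousand most common surnames.
ANSWER_SPACES = {
    "date of birth": 100 * 365,
    "zip/postcode": 42_000,
    "mother's maiden name (common surnames)": 5_000,
    "first school": 30_000,
}


def guess_bits(space_size: int) -> float:
    """Bits of entropy if every value were equally likely (an upper bound;
    attackers try the likely values first, and public values cost nothing)."""
    return math.log2(space_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


LETTERS_DIGITS = string.ascii_letters + string.digits           # 62 symbols
LETTERS_DIGITS_SYMBOLS = LETTERS_DIGITS + string.punctuation    # 94 symbols


def restrictive_policy(pw: str) -> bool:
    """Hypothetical policy like the one described: symbols such as '-' are
    rejected outright, shrinking the alphabet to letters and digits."""
    return len(pw) >= 8 and all(c in LETTERS_DIGITS for c in pw)


def permissive_policy(pw: str) -> bool:
    """Hypothetical corrected policy: allow symbols, and ask for length plus
    at least one lower-case, upper-case, digit and symbol character."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def compare(length: int = 8) -> dict:
    """Entropy of the strongest security question versus a password of the
    given length under the 62- and 94-symbol alphabets."""
    return {
        "best_question_bits": max(guess_bits(n) for n in ANSWER_SPACES.values()),
        "password_62_bits": password_bits(length, len(LETTERS_DIGITS)),
        "password_94_bits": password_bits(length, len(LETTERS_DIGITS_SYMBOLS)),
    }


if __name__ == "__main__":
    for question, n in ANSWER_SPACES.items():
        print(f"{question:42s} ~{guess_bits(n):5.1f} bits")
    for name, bits in compare().items():
        print(f"{name:20s} {bits:5.1f} bits")
    sample = "Tr0ub4dor-x"  # constructed sample password containing a hyphen
    print("restrictive policy accepts hyphen?", restrictive_policy(sample))
    print("permissive policy accepts hyphen? ", permissive_policy(sample))
```

Even on these generous assumptions no single security question reaches 16 bits, i.e. a few tens of thousands of guesses at most, whereas an 8-character password over letters and digits is around 48 bits and allowing symbols adds roughly 5 bits more. Forbidding the hyphen, as the sign-up form above does, throws that gain away.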

Who has access to your password? A financial organisation recently sent me some information in a document which they'd password-protected with the password they originally sent me for logging in to their site. Now that particular document would have had to be manually passworded, so that means someone there had to be able to look up my login password for their system in order to be able to password-protect that document!

While I'm pleased they thought about password protecting the document before emailing it to me, and I can only login to view my personal financial information (but not to carry out any transactions), I'm not sure that allowing staff such easy access to customers' login passwords (and information about their financial positions!) is really a good idea. (There's no way to let me change my password online either.)

Proofs of identity

As for the supposed "anti-money laundering" proofs of identification that some banks or credit companies force applicants to provide, why can't there be more consistency across the different financial institutions in terms of the range of acceptable documents, how recent they have to be, and whether they have to be originals?

F'rinstance, one credit card company insists on getting your original photocard driving licence or passport (old style licence has to be less than 12 months old, but hello, if it's old style it's not likely to be recent! And why must documents without a photo be more recent than ones with?). Are you really going to trust the post, or indeed the bank, not to lose such an important piece of ID?

Another organisation will accept a certified copy of your passport etc. - but only if it's signed and stamped by a bank, solicitor, accountant, doctor or police officer. "Actually I'm not ill, doctor, just thought I'd drop in, now sign here please". "Hello ossifer, can you just stamp and sign here, thag u bery much". I think not!

And stamps can be easily forged, so why on earth insist on one? What's to prevent bad guys from looking up a doctor or finding a local solicitor etc., checking the name of the general practice or law firm they work for, then forging their signature and applying a rubber stamp that has the name of the practice or firm on it? How on earth would the financial institution know the signature is genuine, or that the stamp really is the official stamp of the practice or firm? Do they have a copy of all signatures and pictures of what official stamps look like for every GP, solicitor, accountant etc.? Again, I think not.

Council rent books or tenancy agreements or benefits documents are fine for some, but the middle income person is shafted again if they don't rent from a council and aren't on benefits.

Some firms accept e.g. a letter from your insurance or pensions company, but some won't. It's nice (or something...) to know a certified copy of a shotgun licence or firearms certificate is good enough for others, though!

Council tax statements are usually only issued annually so you can only provide one that's dated within the last 3 months for 3 months of the year. If you're applying for a credit card or bank account during the other 9 months, you can't use your council tax bill.

As for bank or credit card statements, are you kidding? My bank transactions and purchases are none of their business. And I'm not going to put my original bank or building society passbook in the post to them either! I'm only prepared to send them a gas or electricity utility bill, so thank goodness for quarterly bills. ("Letter from county court" is funny though - what about a court letter demanding payment of your hugely overdue debts, would that do?!)

With security questions and the like, there's sometimes the opposite syndrome too, of "too much (unnecessary) security", when employees of banks, call centres etc. insist on full "security details" even when they're completely irrelevant to the question you're trying to ask them, because you're not after personal information or account information, you just want general info about the company or its service. My rant about that is in a separate post!
