Will Facebook Break The Bank(s’ Authentication Methods)?
Posted on November 27, 2007
Filed Under Data Protection

The recent loss of personal details on 25m people by HMRC has certainly raised the public profile of data protection and identity theft. Lots of coverage from the events themselves, to how people were personally affected, to its impact on the government’s proposed identity cards, even the standard of journalism over the issue.
One of the posts on the subject that particularly caught my eye was “Information As Money” on Chuck’s Blog. What did I find interesting?
The potential of severe consequences, understood up-front, has a way of getting people’s attention.
The problem of course is that word “understood”.
While there have been numerous lapses in data protection over the last year from businesses, on the whole I think business does understand the importance of data protection better than the average individual, even when dealing with their own information.
In “Phacebook?” I commented on how compromising the information in social networking sites could be and suggested people should be careful what information they gave to such sites.
Who Was I Kidding!!!
People still surf the web with ActiveX enabled, without firewall or anti-virus and blindly clicking OK on any dialog that pops up without reading it, despite the number of articles devoted to such subjects over many years. People are not going to take any care over the details they add to social networking sites. They’ll put it all in (including family relationships, pets and other common “authentication” questions) and if they’re really careless (and believe it or not many are) they’ll even be using the same password as they use for every other site including their online banking. One breach of this information and it’s one instantly drained bank account.
Of course, one of the reasons that this information is sufficient for ne’er-do-wells is the prevalence of what has been nicknamed wish-it-was-two-factor authentication. This is where, rather than provide more expensive, more complicated to implement two-factor authentication, i.e. something you know (a password) and something you have (a token that provides a new unique code every minute), companies simply ask for more somethings you know such as mother’s maiden name, first pet etc. Effectively this is simply a stronger password.
Companies are in a position to mitigate the effects of the potential data protection disaster of a hacked social network site. They should:
- Implement proper two factor authentication. Build the cost of the first token into the service. If customers lose them then charge them for replacements. This might help customers to understand the consequences the way the company does.
- Stop storing passwords. Any company that can email your password to you is not taking protecting your data seriously enough. Companies should store a one way hash of your password. Yes, the fact that they can only send you a link to reset your password is a (very) minor inconvenience that might put off some customers but it can also be used to show that a company is serious about protecting their customers’ data where their competitors may not be.
- Insist on a minimum length for a password and, where the consequences of a data breach merit the extra inconvenience, e.g. banking, ask for characters from the password rather than the whole thing. But understand that this is merely a holding action. If there is a clever keylogger on the system a hacker will eventually get the whole password. Hopefully though it will slow hackers down and allow security bods to close down the command and control system before too many people are affected.
- Ecommerce sites should give customers the option to have their credit card details stored. Note that the option is to have them stored, you should have to opt in to extra risk not opt out. Personally, I’d be quite happy for no online stores to store my credit card details and to have to re-input them every time.
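The second recommendation above, storing only a one-way hash and sending a reset link instead of the password, as an added example (not code from the original post). It uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt, keeps a self-describing record so the iteration count can be raised later, and stores only the hash of a reset token so a leaked database cannot be used to reset accounts either. The in-memory user table, the iteration count and the ten-minute token lifetime are constructed values for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for database tables.
USERS = {}          # username -> {"password": record}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry)

PBKDF2_ITERATIONS = 100_000   # assumption: tune so one hash costs ~0.1s on your hardware
RESET_TTL_SECONDS = 600       # assumption: reset links are valid for ten minutes


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The password is not recoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Precomputed so that logins for unknown users still cost one hash (timing parity).
_DUMMY_RECORD = hash_password("dummy-not-a-real-password")


def register(username: str, password: str) -> None:
    USERS[username] = {"password": hash_password(password)}


def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, rec["password"])


def issue_reset_token(username: str, now: float = None) -> str:
    """Return the raw token for the e-mailed link; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, new_password: str, now: float = None) -> bool:
    """Single-use, time-limited: the token is deleted whether or not it was valid."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry or username not in USERS:
        return False
    USERS[username]["password"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("stored record:", USERS["alice"]["password"])   # no password in it
    print("login ok:", login("alice", "correct horse battery staple"))
    tok = issue_reset_token("alice")
    print("reset via emailed token:", redeem_reset_token(tok, "new passphrase"))
    print("old password now rejected:", not login("alice", "correct horse battery staple"))
```

Note that the third recommendation (asking for selected characters of the password) cannot be served by this store: a one-way hash of the whole password can only confirm the whole password, so a site offering character-position challenges must keep the password in a recoverable form, which is exactly what the second recommendation argues against.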