A while back I was at a conference where a question to a panel got me thinking. The best questions at a panel are the ones that stump the panelists and make everyone think. The participant’s point was that all our testing and best practices aren’t working, because our software is still insecure. He stated that we are doing security all wrong, asked when we are going to realize this and change, and then asked ‘What can we change to get it right?’
The panel was made up of respected authorities on programming and platforms, all well versed in handling hard questions without putting their foot in their mouth, so most of the immediate answers focused on testing and best practices. The moderator made a good point about a recent breach of an insurance company that exposed personal information: we should trust them for insurance, not for identity.
Occasionally a comment sticks with me permanently, and this is one of them. After spending two days on identity authentication, it was easy for me to conclude that the fundamental flaw in security is trusting the wrong people with the wrong thing. And are we really taking it seriously enough when we provide identity services ourselves?
We should not be trusting every random site with our personal identity. Do we really want or need to trust social networks with it? This reminded me of one of my favorite quotes:
FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That’s a typo. Orwell is here now. He’s livin’ large. We have no names, man. No names. We are nameless! – Cereal Killer – Hackers (1995)
If only this were the case with the Internet at large. If we were nameless to the Internet, then nobody would have the opportunity to mishandle our identity. It seems to me that reasonable anonymity is possible now; some card issuers have even toyed with temporary card numbers.
It also seems to me that anonymity would not even harm retailers who depend on statistics and tracking. Why does anyone need my real name? What about guys named Bob Smith? What value does that name really have? In this time of near instant flow of information, aren’t there better ways of identifying people than names or any other personal information? Tracking a person requires some sort of arbitrary identifier anyway.
I feel there is an attitude problem here. I used to listen to a technology buzz podcast. What made me stop listening was an episode where all of the participants were ostracizing a listener for not wanting to give their real identity to a particular social network. They made grandiose statements about how they are celebrities, they don’t have trouble with identity theft, and their identity is all over the web.
Today many sites push hard for concrete personal information. Many of them prompt for a cell phone number at every login until they get it. They all want your date of birth, and then they require security questions like ‘What is your mother’s maiden name?’ Individually these details mean little. Together, in the wrong hands, they are quite handy.
The other attitude that prevails when it should not is about trust. “Do you trust site X to keep your identity safe?” is the wrong question. The real questions are: What do they do, and do I trust them with that? When they are compromised (yes, ‘when’, not ‘if’), how will it affect me? Are they required to provide restitution, and of what? If your social network leaks enough information to compromise your identity and credit, I doubt it has a plan for restitution.
We, as creators of software, need to start the change. If your startup thinks it needs my real name, address and cell number in addition to my email address, I can say ‘you are wrong’, and I will be correct in nearly all circumstances. Identity should be left to specific trusted entities. We also need to stop treating our programmers as though they are the only point of security failure.
Stop and think: What is the quickest route to PCI compliance? Don’t store, process or transmit credit card numbers, ever. Let a payment processor handle the card and keep only the token it hands back; the less cardholder data your systems touch, the smaller your PCI scope.
To illustrate: have you ever tent camped where you need to be bear safe? The easiest way to be safe is not to try to defend food and trash out in the open. You let the camp facility keep it from the bears by placing your trash in the proper receptacle and leaving your food locked in your car. You don’t advertise bacon by pouring your bacon grease in the grass near your tent. You don’t leave trash in the fire ring and expect to chase animals away when they come. Yet this tactic seems all too common in eCommerce.
By asking your users for all their personal information you are sleeping with a slab of bacon on your chest.
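The no-PAN rule above, as an added example that is not part of the original post: a Python sketch of the two storage paths side by side, plus a Luhn-based scanner you can run over persisted records, logs or backups to prove the raw card number never landed anywhere. `StubGateway`, the `StoredPayment` record layout and the sample card number are assumptions made for this illustration; a real processor’s tokenisation API will differ. The opaque random `customer_id` is the ‘arbitrary identifier’ that the earlier paragraph about Bob Smith argues is all a tracker really needs.

```python
"""Keep cardholder data out of your own systems.

Added illustration, not code from the original post. `StubGateway`
stands in for a real payment processor's tokenisation API (assumption);
the card number used below is a constructed test value.
"""
import re
import secrets
from dataclasses import dataclass, asdict, is_dataclass

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid digit runs found in text: probable card numbers.

    Point this at database dumps, log files and backups to verify that the
    'never store a PAN' rule actually holds in practice.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class StoredPayment:
    customer_id: str     # opaque random id, not a name or an email address
    gateway_token: str   # processor's reference; useless outside its API
    last4: str           # enough for "pay with the card ending in 1111"
    exp: str


class StubGateway:
    """Stand-in for a processor's tokenisation endpoint (assumption)."""

    def tokenize(self, pan: str, exp: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        return "tok_" + secrets.token_urlsafe(16)


def store_with_pan(name: str, pan: str, exp: str) -> dict:
    """The bacon-on-the-chest version: the raw PAN lands in your database."""
    return {"name": name, "pan": pan, "exp": exp}


def store_tokenised(gateway: StubGateway, pan: str, exp: str) -> StoredPayment:
    """Hand the PAN to the processor and keep only what the business needs."""
    token = gateway.tokenize(pan, exp)
    return StoredPayment(
        customer_id=secrets.token_urlsafe(12),
        gateway_token=token,
        last4=pan[-4:],
        exp=exp,
    )


def record_leaks_pan(record) -> bool:
    """Audit hook: does anything in this record look like a full card number?"""
    text = repr(asdict(record)) if is_dataclass(record) else repr(record)
    return bool(find_pans(text))


if __name__ == "__main__":
    pan = "4111 1111 1111 1111".replace(" ", "")   # constructed Visa test number
    print(record_leaks_pan(store_with_pan("Bob Smith", pan, "12/30")))    # True
    print(record_leaks_pan(store_tokenised(StubGateway(), pan, "12/30")))  # False
```

The scanner is deliberately simple: a Luhn-valid 13 to 19 digit run is a strong enough signal to flag for review, and false positives on long order or tracking numbers are cheap to dismiss compared with a PAN quietly sitting in a log line.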
When was the last time you got an email from a company that said ‘We got hacked, but we don’t store any information about you, so you are safe. Just wanted to let you know.’ How refreshing that would be.
How far are we from just being a number? Not close enough, because we are doing security all wrong.