July 26, 2009 at 10:33 am
Comments posted to this topic are about the item The Danger of Algorithms
July 27, 2009 at 6:19 am
If codes and algorithms can be created, they can be reverse engineered. We need to recognize there is no perfectly secure method, and never will be.
As well, though we might be savvy computer users, we must recognize that most of the computing public is not. I will wager there are more users who simply and mindlessly hand out their SSN to web sites than there are those whose SSN is "figured out" by some algorithm.
Though not a solution, I personally would like to see better enforcement of existing laws. If the US extradites people around the world for drug dealing and this kind of thing, why not for computer scams? If someone in this country can go to jail for 10 to 20 years for buying a bag of pot, why do we simply slap the wrists of those who steal data and run scams? Although I don't advocate drug use, surely computer scammers are doing far more damage than pot-smokers!
As a person who has had two credit card ripoffs in this lifetime, I don't have as much faith as you in banks - again, they are not 100% secure - nothing is - hence, I tend to think tougher and more strict enforcement is a better answer.
When you try to outsmart Hackers, you simply challenge them to work harder. When you throw a Hacker in jail for a few years without a computer, well... which would you choose?
July 27, 2009 at 6:32 am
"Credit card companies, banks, and other institutions often have complex rules for how they handle and process data. I think more of their secure methods of handling data should be published and taught so that other companies can better learn how to build more secure applications."
Um, no. Just no.
Banks and credit card companies (Visa, I'm looking at you) have elaborate rules for managing all sorts of things--and believe me you can drive a truck through some of the security holes in their procedures. Don't get me wrong, they *try*. But they have fundamental issues when deciding how to make things secure.
Let's take the SSN for example. The problem is it's being used incorrectly. It's *supposed* to identify you to the Social Security Office, and it's supposed to be used to track income (for the Social Security Office). That's all well and good.
The problem comes from using it as a "secret decoder ring ID". :p
That's just stupid, from a security standpoint. You have a critical identification ID that is *also* being used as a password. How does that make any sense? The SSN's dual role lies at the heart of most kinds of identity theft. Why does a credit reporting bureau need your SSN? I mean, think about it. Are they reporting your income to the Social Security Office? No? Then they shouldn't use it!
The problem isn't just SSN related. It's the underlying assumption that only the person themselves know certain information and that that information can therefore be used to authenticate the person is who they say they are. This idea is deeply broken. Yet it makes intuitive sense so people keep doing it. *facepalm*
Two factor ID is better, but still not perfect. People forget passwords, they lose token generators. Biometrics are just as broken as SSN and other "secret" info. Worse, you can't change your fingerprints once they've been used for ID theft.
Banks and Visa do not have a clue. They pretend otherwise, but having worked with Visa PCI security standards I can tell you they're a bad joke. The very complexity of the schemes often leaves lots of room to hide bad actors and their actions. If you doubt me, just look at all the data breaches Visa's had to deal with. It all comes down to using a flawed idea as the basis for security.
So please don't hold the banks and credit card companies up as shining examples of How It Should Be Done.
I may not know a better way, but I can see a Swiss cheese defense when confronted with it.
July 27, 2009 at 8:23 am
The fundamental problems are that there is not a unique identifier for a person (US citizen or not) (whether accurate or not), nor is there a universal way to authenticate identity (whether accurate or not).
It's clear that many government and private entities started to piggyback on a system which started to be universal in the US - the Social Security System - and it was a tempting and good candidate to base their person identification on. It was obviously a poor choice in hindsight.
I'm not sure that a universal system can come into being any time soon, with issues of civil liberty and privacy always waiting to come into play. Faced with that, there will continue to be a hodge-podge of systems for the foreseeable future. Each will have to address the risks and security necessary for their applications.
I also don't think that looking at banking/credit cards for security is a panacea, but their successes and failures can be educational.
There is not really a single concept of "security". Security is a process as well as an actor in a set of tradeoffs with functionality. It is true that a secure (to some level on some scale) system which also is usable (to some level on some scale) and functional (to some level on some scale) is not always possible.
July 27, 2009 at 8:32 am
Think it's interesting now? The current national health care bill in the US House includes a mandatory National Health ID, and the federal government is supposed to have real-time access to personal financial data in order to verify insurance data. Issues with SSNs are going to be nothing compared to that, if it goes through.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 27, 2009 at 8:44 am
The idea of a system to uniquely identify people is both scary and comforting. I get mistaken for other people regularly, so I'd like to differentiate. However, I also like my privacy. We need a double-blind way to verify things somehow. Let them verify without details.
As far as banks and VISA go, they do make mistakes, but they also have procedures and ideas about security. They get attacked, and maybe if they had to disclose more, we would all have more of an idea what does and does not work. Maybe they could disclose changes after 1 year so we'd know the problems with the old system?
It's a strange balance.
And I agree with blandry. We need to enforce laws, not just make more of them.
July 27, 2009 at 9:15 am
The problem, in this particular case, is that the Social Security number was never designed to be a secure identifier. It was designed just to disambiguate "John Smith" of 10th St., MyTown, from "John Smith" of 12th St., MyTown. By assigning an account number to each covered worker, they could easily do this.

Unfortunately, since the 1950s, the SSN has been massively misused. Some people believe it uniquely identifies an individual, but the reality is that it does not. Both the Social Security Administration and the Internal Revenue Service use the SSN plus part of the person's name to uniquely identify an individual. Also, many schools, courts, local governments and the US Military used the SSN as an ID number, frequently PUBLISHING it in various documents, many of which are now available on-line.

We need to get back to the basic use - identifying a person to the Federal government. All other uses should be outlawed, with significant penalties imposed. Absolutely FORBID financial institutions from using the SSN for any purpose other than IRS filings.

I believe this is the only way to prevent the SSN from being further misused.
July 27, 2009 at 9:47 am
Agree with the group, SSN misuse and abuse is a huge problem. The university I attended used it for student IDs on everything, so I just assume that someday I'll be screwed.
July 27, 2009 at 9:58 am
I recently read an interesting argument in favor of publishing all SSNs publicly, and removing them from all security systems. Not sure I agree, but it should be considered.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 27, 2009 at 10:18 am
Convenience and Security do not go hand in hand. Convenience is having a single universal number for identifying and tracking a person. Security demands that we have multiple numbers for each type of information source and no direct links between them. Unfortunately, any single number that is linked to all of a person's data, no matter how many bits are associated with that number, is a point of vulnerability. If you have a sequence of numbers and I manage to break one of them, I should only be able to access one part of your information, not use it to access all of it.
Recently my mother had charges made to all of her credit cards, one of which she hasn't used in over a year. She checked that they were all in the drawer where she always kept them (she only carries one). This indicates a hack, and a pretty good one, since the one card she never uses has never been used in an online transaction. Visa and MasterCard told her point blank they had no idea what to do. They just sold her credit protection and went on their merry way.
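The compartmentalized-identifier scheme the post above argues for, as an added example that is not part of the thread: each information source gets its own pseudonymous identifier derived with a keyed hash, so one leaked identifier cannot be linked to, or used at, any other source. The sector names, the "person-0001" record and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: one person, three independent information sources.
# "person-0001" stands in for the authority's internal record; it is a placeholder.
SECTORS = ["tax", "health", "bank"]


def derive_sector_id(sector_key: bytes, master_record: str, sector: str) -> str:
    """Per-sector pseudonymous identifier: HMAC-SHA256 over (sector, record).

    Deterministic for one sector, so it works as that sector's account number,
    but without the sector key it reveals nothing about the master record or
    about the identifiers issued for other sectors.
    """
    msg = f"{sector}:{master_record}".encode()
    return hmac.new(sector_key, msg, hashlib.sha256).hexdigest()[:20]


def issue_compartmentalized(master_record: str, sectors=SECTORS):
    """Issue one identifier per sector, each under its own random 256-bit key.

    Returns (keys, ids). The keys stay with the issuing authority; each sector
    only ever sees its own identifier.
    """
    keys = {s: secrets.token_bytes(32) for s in sectors}
    ids = {s: derive_sector_id(keys[s], master_record, s) for s in sectors}
    return keys, ids


def issue_universal(master_record: str, sectors=SECTORS):
    """The convenient-but-linkable scheme: the same number everywhere (SSN-style)."""
    return {s: master_record for s in sectors}


def blast_radius(ids: dict, leaked_sector: str) -> list:
    """Sectors whose records a thief can reach with one leaked identifier.

    With a universal number this is every sector; with compartmentalized
    identifiers it is only the sector that leaked.
    """
    leaked_value = ids[leaked_sector]
    return sorted(s for s, v in ids.items() if v == leaked_value)


if __name__ == "__main__":
    _, comp_ids = issue_compartmentalized("person-0001")
    print("compartmentalized leak of 'bank' reaches:", blast_radius(comp_ids, "bank"))
    print("universal leak of 'bank' reaches:", blast_radius(issue_universal("person-0001"), "bank"))
```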
July 27, 2009 at 7:22 pm
Credit card companies, banks, and other institutions often have complex rules for how they handle and process data. I think more of their secure methods of handling data should be published and taught so that other companies can better learn how to build more secure applications.
I worked at a bank; there is a separate security department, and the data team does not do OS work, as there is a separate system admin team. And I think Microsoft Consulting handles most access with the SQL context account. All employees are added manually with a Windows account.
The only place online I use that uses date of birth is Hotmail. I wanted to cancel the account, but in August 2001 all MCPs needed a Passport account, and back then only Microsoft sites were accepted as Passport.
The solution is actually simple: if you ask for date of birth and SSN online, the text box should require encryption.
Kind regards,
Gift Peddie
October 24, 2009 at 11:34 am
Steve Jones - Editor (7/27/2009)
As far as banks and VISA go, they do make mistakes, but they also have procedures and ideas about security. They get attacked, and maybe if they had to disclose more, we would all have more of an idea what does and does not work. Maybe they could disclose changes after 1 year so we'd know the problems with the old system?
Banks that issue credit cards, Visa, and MasterCard are all pretty hopeless at security, and they all regularly lie about the security of their systems - they would rather have their customers screwed by thieves than either admit that their systems are insecure and take the hit themselves or go to the expense of building genuinely secure systems.
Getting them to disclose what their systems actually do might be a good idea - because then people like Ross Anderson (Cambridge University) and Dorothy Denning (Naval PostGrad School) will be able to write nice academic papers pointing out the stupidities and gotchas in their laughable security architecture. Of course Ross has already loosed off a few broadsides about the ludicrous implementation of chip and pin that we have in the UK.
Tom