The defendants, however, worked with computer programmers in Bulgaria to develop a technology that allowed a network of computers to impersonate individual visitors to online ticket vendors. The ticket vendors did not immediately recognize the purchases as computer-generated, so these “CAPTCHA Bots” let Wiseguy Tickets flood ticket vendors as soon as tickets went on sale and purchase tickets faster than any human.[From Four Indicted in CAPTCHA Hacks of Ticket Sites – Reviews by PC Magazine]
I’m in favour of making ticket agencies illegal and forcing all events to sell all tickets by auction on eBay, the appropriate market-clearing mechanism, but that’s a separate point. The problem that the service providers are wrestling with is that they don’t know whether they are dealing with a person or a bot, and that’s an important problem to solve in a wide range of applications. Commerce, games and even blogs have this problem.
If you have a blog where it is important that people, not bots, contribute then you might well demand to see a certificate with the IS_A_PERSON credential, even though you don’t actually care which person it is.[From Digital Identity: Talkin’ bout my reputation]
An anonymous virtual identity with the credentials IS_A_PERSON and IS_OVER_18 would serve most people for most purposes most of the time, including buying tickets from Ticketmaster: Ticketmaster could cost-effectively and efficiently issue me with a Ticketmaster virtual identity with their own credentials once presented with my “real adult” identity and associated payment details.
One way that service providers might try to determine that it is really you at the keyboard and not a piece of malware is to require the use of some kind of token, such as the 2FA tokens used by some companies, banks, games and so on. When you go to log in, you press a button on your keyring or run an application on your phone and it gives you a number to type in. For example, Blizzard, the people who run World of Warcraft, have a very novel means of incentivising the use of 2FA, opting for the carrot over the stick (although in time I can see that non-2FA will get phased out).
World of Warcraft players who use Blizzard’s authenticator gadget to secure their accounts are being gifted with a two-headed fire dog[From Blizzard Authenticator Spawns Two-Headed Dog – World of Warcraft – Kotaku]
The authenticator device costs $6.50, but players don’t need to buy this if they don’t want to because they can also download free 2FA software for smartphones (including BlackBerrys and iPhones). Now, the Department of Work and Pensions, BBC and British Airways don’t have anything as interesting or useful as a two-headed fire dog by way of reward, but they must have other means for incentivising the use of better authentication for some time before they move to 2FA-only services. BA can give you air miles for using a 2FA login, but I’m at a bit of a loss as to what to suggest for the DWP!
So is this the solution? No, it isn’t. These kinds of 2FA devices are actually more vulnerable to attack than you might imagine, because the service provider still doesn’t know that the number is definitely coming from you. There are already well-known attacks against them.
instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen[From Man in the middle attacks circumventing authenticators]
This is why we need the right infrastructure. The messaging that transports the credentials and establishes identity needs to use a proper digital signature infrastructure involving tamper-resistant hardware (e.g., the SIM that everyone already has). When Blizzard send a message, it should be encrypted using my public key and signed using their private key, then decrypted inside secure hardware (which, in practice, means the SIM), so that no man-in-the-middle can even read the messages, let alone alter or forge them.
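Why a typed code does not tell the service provider who is sending it, while a response computed inside the token over one specific exchange does, shown as an added example (not code from the original post or from Blizzard). HMAC with a device-held key stands in for the SIM's signature; the keys, challenges and session identifiers are constructed, and the token is assumed to see an identifier for the exchange it is actually part of.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real service.
SECRET = b"12345678901234567890"        # shared OTP seed (the RFC 4226 test secret)
DEVICE_KEY = b"constructed-device-key"  # assumed to exist only inside the token hardware


def hotp(secret, counter, digits=6):
    """RFC 4226 one-time code: depends only on the seed and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_otp(code, counter, session_id):
    """session_id is deliberately unused: nothing ties the code to its sender."""
    return hmac.compare_digest(code, hotp(SECRET, counter))


def token_respond(challenge, session_id):
    """Token answer covers the challenge and the session it arrived on."""
    msg = struct.pack(">H", len(challenge)) + challenge + session_id
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def server_accepts_bound(response, challenge, session_id):
    """Server recomputes over the challenge and session of *this* login."""
    return hmac.compare_digest(response, token_respond(challenge, session_id))


def demo():
    """Replay values from the player's login on a second, unrelated session."""
    player = (b"challenge-A", b"session-player")
    other = (b"challenge-B", b"session-other")
    code = hotp(SECRET, 0)          # what the player types in
    bound = token_respond(*player)  # what the player's token computes
    return {
        "otp_on_other_session": server_accepts_otp(code, 0, other[1]),
        "bound_on_own_session": server_accepts_bound(bound, *player),
        "bound_on_other_session": server_accepts_bound(bound, *other),
    }


if __name__ == "__main__":
    print(demo())
```

The one-time code verifies on whichever session presents it, whereas the bound response verifies only on the exchange the token took part in.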
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public