Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.[From How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com]
This is what the geek’s geek, the Woz, says about it:
I say the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.[From Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The Next Five Years’ – Business Insider]
Control is the key issue here, at least to me, because my mental model of privacy is largely about control. Controlling who can or can’t see your data is what privacy is, isn’t it? And if it is, then the mechanism for control, and the security that goes into that mechanism, is fantastically important. If someone cracks this, they are really on to something.
There are some cost savings that are immediately apparent. With the cloud there is no hardware or software to install. If your cloud vendor insists on buying either one, then they are not a true cloud provider.[From Are the Costs of Cloud Security Too Good to Be True? | Cloud Computing on Ulitzer]
No hardware? No, I don’t buy that. The cloud doesn’t need hardware, but cloud security does. The mechanism for controlling your data in the cloud has to have a certain minimum level of security associated with it, and to me that means somewhere in the loop there has to be some tamper-resistant hardware. Like the SIM in a mobile phone.
Now, the mobile platform has all the right attributes to make safe the next generation of consumer payments. In particular, NFC devices come with “Secure Elements”: certifiably secure tamper resistant chips in which the crypto-magic happens, and where the mission critical apps run.[From Now is not the time to go soft]
There’s a whole other blog post to be written here, about SIM- vs. Handset- vs. External Secure Elements (SEs) and the myriad ways in which the manufacturers and mobile operators have messed up this potentially revolutionary infrastructure, but that’s not the point I wanted to make here. Note that I am not saying that mobile security is perfect. I know that it isn’t, partly because of the risk analysis work we do for clients in the mobile transactions space and partly because of the Ph.D research on the topic that Consult Hyperion has been sponsoring at the University of Surrey.
banks must assume that what used to be a primary layer of defense through out-of-band authentication — the mobile phone — is now compromised.[From How to Protect Mobile Banking from Fraud – Bank Think Article – American Banker]
This is true. The current generation of mobile phones is vulnerable to certain kinds of attack, and while the attacks might not be very scalable right now, they might be in the future. As an aside, I should point out here that in the regions with the biggest volume of mobile payments (e.g., Kenya) it is clear from the figures that when frauds occur they occur because of human failures or collusion, not because the mobile device is attacked. Nevertheless, there are certain things that are risky with mobile phones, such as putting passwords or PINs into them (because of the potential for key loggers). This won’t be true for too much longer because of the arrival of trusted processing in standard handsets (such as the Trusted Execution Environment, TEE, from ARM).
The level of risk doesn’t mean we shouldn’t start using phones for two-factor authentication immediately – they are way, way better than passwords – just that the system needs to have realistic controls and management. Actually, I think there’s more of an imperative. We need to get people used to authenticating using the handset because the handset is going to become, as Peter Vander Auwera noted, an identity remote control for the cloud.
A mobile experience that truly represents your identity — in a way that both resembles and enhances an in-person conversation but still affords you control over how you portion out your attention and provides context — could tie the knot for the myriad communication channels available.[From The First Company To Build Your Identity Into Your Phone Wins The Next Decade | TechCrunch]
I don’t think I agree with Rebekah about what identity is, exactly, but I do strongly agree with the spirit of her argument. The device formerly known as the mobile phone is the transparently obvious place to store and manage your identities (whatever they are). The imminent arrival of better handset security (the TEE) and, especially given Apple’s acquisition of Authentec, the imminent arrival of convenient biometric authentication will mean a fundamental change in the structure of our and other industries. Stuff will go to the cloud, and we’ll remote control our stuff from our secure devices.
What this all boils down to is that we might as well start now and begin the migration. We are still using passwords when there’s simply no excuse for doing so. Software cannot protect us: unless we have tamper-resistant hardware to store our identities, we cannot realise the full benefits of the cloud. When it comes down to it, given the state of technology, secure electronic transactions need chips — software just isn’t good enough — as well as convenient interfaces so that applications can work simply, securely and efficiently.
What would happen if our data was stored (encrypted) in the cloud and attached to identities that were actually secure? Imagine choosing your default identity on your phone and then going about your day, accessing all of your data without even realising that it was being pulled down from the cloud and decrypted on the fly. Sounds pretty good. But who is going to put that identity into your phone? Who is going to provide the infrastructure, the identity providers and the attribute providers? You’d think it would be, for example, banks. Or maybe even mobile operators themselves. Who knows. But they ought to get moving, because other people aren’t standing still.
But all of this may change thanks to social networking. The forcing function that allows distributed identity to flood into the enterprise may be a simple side effect of the solution that we use to share information between Facebook and Twitter. It’s a testament to the massive soft power wielded by such companies that they may indirectly change how corporate America does IT forever.[From The Next IT Revolution: Bring Your Own ID – Forbes]
If my Twitter ID was secure, then surely it would save my employer money to let me use that ID rather than create and manage a new one. And why wouldn’t I use that same Twitter ID to access my bank account? Is it too late? We’re already at the point where people are beginning to prefer using their Facebook and Twitter identities over site- or service-provider specific identities. I’m pretty sure most people would be happy to use these identities in almost all circumstances – if they were sure that they were secure.
According to data collected by Monetate, 41 percent of shoppers prefer logging into an eCommerce platform through a social media account rather than a separate login — up from 28 percent just a year ago.[From Social Commerce – Consumers Love Shopping Through Facebook — But Expect To Be Compensated | PYMNTS.com]
Of course, as I explained back in 2007 in the noted tome “Digital Identity Management”, we already have the technology to make all of this work. Tamper-resistant SIM chips, PKI and biometrics. We can build an architecture that separates my virtual identities from my digital identities and binds them to my physical identity. To establish control over my part of the cloud, I select an identity on the phone and then use it to give access. So there is an authentication (let’s say biometrics with passphrase and challenge/response fallback) that connects me to my digital identity and then there is a connection between one of the virtual identities bound to that digital identity and the data in the cloud. Simple, really.
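To make the three-layer split concrete, here is an added worked example (my own illustration for this post, not Consult Hyperion code and not any real SIM or secure element API). A SecureElement object holds the long-term key of the digital identity and never hands it out; it only answers once the physical person has unlocked it locally, by biometric or by the passphrase fallback. An IdentityProvider (think of an operator’s authentication centre, which is how a SIM actually works) issues single-use challenges and checks the HMAC responses, and on success hands the relying party a pairwise pseudonym: the virtual identity. The bank and the DVLA each see a different, stable identifier for the same person, and neither ever sees the key. The identity name, relying party names and passphrase are constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed illustration (not Consult Hyperion code, not a real SIM/SE API).
# Physical identity: the person unlocking the element locally.
# Digital identity: the long-term key personalised into the element.
# Virtual identity: the pairwise pseudonym a relying party receives.


class SecureElement:
    """Tamper-resistant chip model: the key is personalised once and only ever used here."""

    def __init__(self, key: bytes, passphrase: str):
        self._key = key
        self._pass_hash = hashlib.sha256(passphrase.encode()).digest()
        self._unlocked = False

    def unlock(self, biometric_match: bool, passphrase: str = "") -> bool:
        # Local authentication of the physical person: the biometric verdict is assumed
        # to come from the handset sensor; the passphrase is the fallback.
        given = hashlib.sha256(passphrase.encode()).digest()
        self._unlocked = biometric_match or hmac.compare_digest(given, self._pass_hash)
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def respond(self, challenge: bytes) -> bytes:
        # Only an unlocked element answers, and the key itself never leaves the object.
        if not self._unlocked:
            raise PermissionError("secure element is locked")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class IdentityProvider:
    """Holds the per-digital-identity keys, issues fresh challenges, mints virtual identities."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._pending: dict[bytes, str] = {}   # outstanding challenge -> digital identity
        self._pseudonym_key = secrets.token_bytes(32)

    def enrol(self, digital_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[digital_id] = key          # in practice personalised into the SIM/SE
        return key

    def challenge(self, digital_id: str) -> bytes:
        if digital_id not in self._keys:
            raise KeyError(digital_id)
        c = secrets.token_bytes(16)
        self._pending[c] = digital_id
        return c

    def verify(self, challenge: bytes, response: bytes, relying_party: str) -> str | None:
        # Each challenge is consumed on first use, so a captured response cannot be replayed.
        digital_id = self._pending.pop(challenge, None)
        if digital_id is None:
            return None
        expected = hmac.new(self._keys[digital_id], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return self.virtual_identity(digital_id, relying_party)

    def virtual_identity(self, digital_id: str, relying_party: str) -> str:
        # Pairwise pseudonym: stable for one relying party, unlinkable across relying parties.
        msg = f"{digital_id}|{relying_party}".encode()
        return hmac.new(self._pseudonym_key, msg, hashlib.sha256).hexdigest()[:16]


def login(se: SecureElement, idp: IdentityProvider, digital_id: str, relying_party: str) -> str | None:
    """Full flow: fresh challenge -> element response -> virtual identity for the relying party."""
    c = idp.challenge(digital_id)
    return idp.verify(c, se.respond(c), relying_party)


def demo() -> dict:
    """Walks the happy path, a replayed response and a forged response (all constructed)."""
    idp = IdentityProvider()
    key = idp.enrol("dave@example")                       # constructed digital identity
    se = SecureElement(key, passphrase="correct horse")   # constructed passphrase
    se.unlock(biometric_match=False, passphrase="correct horse")   # fallback path
    bank_id = login(se, idp, "dave@example", "bank")
    dvla_id = login(se, idp, "dave@example", "dvla")
    c = idp.challenge("dave@example")                     # replay: reuse a consumed challenge
    r = se.respond(c)
    first, replay = idp.verify(c, r, "bank"), idp.verify(c, r, "bank")
    rogue = SecureElement(secrets.token_bytes(32), "x")   # forgery: an element with another key
    rogue.unlock(True)
    c2 = idp.challenge("dave@example")
    forged = idp.verify(c2, rogue.respond(c2), "bank")
    return {"bank": bank_id, "dvla": dvla_id, "first": first, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in what each party holds: the relying party stores only a pseudonym, the identity provider stores keys but never sees a biometric or passphrase, and the element never exports its key. Swapping the HMAC for a signature from a key pair (the PKI the post mentions) would remove the identity provider’s copy of the key as well.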
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
The hackers walked through Amazon and Apple’s security, took over his Twitter account and deleted all his emails, contacts, documents and photographs from his iPad and iPhone. There was no backup — his “digital identity”, as Mr Honan put it, was irretrievable. So much for cloud computing.
You open with a reference to Mr Honan’s experience, Dave, and then go on to make cloud computing sound inevitable and desirable if only tamper-resistant SIMs are added and PKI.
Tamper-resistant SIMs are used in mobiles and yet Kenya still suffers frauds in its mobile payments, as noted by you.
PKI would help but, as you noted in an earlier post, it is too hard to implement end-to-end; you and your clients couldn’t get anything through the anti-virus defences.
And biometrics. Again. Their unreliability has been proved over and over again and brought to your attention over and over again but you still cleave to them — why?
Given the behaviour of Google and Facebook over the years, you must know that there is no hope that individuals will be able to maintain control of their identities. These organisations and others have no understanding of privacy and/or no respect for it. You know that.
There are only two organisations who could possibly agree with what you have written. G-Cloud, the Whitehall civil servants who continue to promote the benefits of a government cloud. And GDS, the Government Digital Service, the Whitehall civil servants who are trying to get Francis Maude to hand over identity assurance to Google and possibly Facebook.
You are in the company of G-Cloud and GDS. The reductio ad absurdum of your extraordinary post.
[Dave Birch] Thanks for the thoughtful response David. A few quick points:
The M-PESA fraud is nothing to do with the SIMs, as you point out, but the reason that the fraud is so low is because of the SIMs, if you see what I mean.
I do think PKI could work if it was under the hood. Some years ago we built a prototype for such a system for a Japanese IT company and it worked well.
I’m not proposing the use of biometrics for identification but as a convenience technology for authentication.
I’m not as completely pessimistic as you about GDS. I think private sector AP in a NSTIC-style framework would be workable.
I’m not proposing the use of biometrics for identification but as a convenience technology for authentication.
The trustworthy experts in mass consumer biometrics – e.g. Professor John Daugman – are the first to agree that the technology cannot deliver identification. Not if that means using it to ensure that there is a one-for-one correspondence between people and the unique template of their biometrics stored on the population register.
How would you prove uniqueness? One way and another, you’d have to compare each template against every other template on the register. How many comparisons would that be? nCr, where n is the population size and r is 2. Say the UK population is 60,000,000. You’d have to perform 60000000 X 59999999 / 2 = 1.8 X 10^15 comparisons.
Suppose the equipment used was reliable enough to make only 1 mistake in every 1,000,000 matches. That is, once every million matches it wrongly considers the two templates to match. Then you would have 1.8 X 10^9 false matches to investigate and resolve manually.
How long would it take to resolve 1.8 billion false matches? Too long. It would never be done. Today’s mass consumer biometric technology can’t prove uniqueness, it can’t deliver identification and only snake oil salesmen pretend that it can.
Which leaves us with “authentication”, as you call it. That job is millions of times easier. You just have to prove that the fingerprint, or whatever, whose template is stored on the population register, matches the fingerprint of the person conducting the financial transaction. It’s a one-to-one test, not a one-to-many test.
All trials suggest that the false non-match rate for fingerprints using today’s flat print fingerprinting technology is about 20%. About 20% of transactions would fail. It may be millions of times easier than identification but it still doesn’t deliver a usable banking system. You can’t have 20% of transactions failing.
Flat print fingerprinting is quite reliable compared with face recognition. Forget face recognition, it’s a bad joke.
Iris scanning is more reliable than flat print fingerprinting when it comes to authentication. The false non-match rate is about 4% for able-bodied people, 9% for the disabled. That’s still not good enough for a banking system. And there is an additional problem. About 10% of the able-bodied can’t register their iris scan in the first place. They would be excluded from banking. And that figure rises to 39% for the disabled.
There are no known trial results for large-scale tests of voice biometrics.
Combining several biometrics to make one composite biometric doesn’t help.
Forget mass consumer biometrics for the moment and concentrate on passwords/phrases and PINsentries, because that’s all we’ve got.
2. Identity providers
GDS talk about creating a new market in identity assurance. Where are these identities to come from? They don’t say. We are left to guess – the banks, the phone companies, the utility companies, … And we are left to look at the references they make, principally Google, to whom we might add Facebook and Twitter, as you do.
Google, Facebook and Twitter are all used by most people for free. Which tells you that there’s something up. We users are not paying. We are not in control. We have no recourse.
You have yourself pointed out the importance of control when it comes to a person’s identity. Google, Facebook and Twitter fail the control test.
You ask: If my Twitter ID was secure, then surely it would save my employer money to let me use that ID rather than create and manage a new one. And why wouldn’t I use that same Twitter ID to access my bank account? You know the answer.
Once again: this is nothing to do with identification. While I agree with you about the problem of uniqueness, it is not material to this discussion, which is only about authentication. When you pick up your iPhone, your finger on the home button will authenticate you as the authorised user of the iPhone, and that is all. The iPhone doesn’t care who you are.
If my Twitter ID was guaranteed to be linked to my iPhone and my iPhone is linked to me by my fingerprint, then why wouldn’t I use it to log in to the DVLA? Neither Twitter nor the iPhone would know my DVLA identity, and the DVLA would know only that a particular Twitter ID links to a particular DVLA identity. I don’t see a problem with this.
DVLA would know only that a particular Twitter ID links to a particular DVLA identity.
I’m not sure if you’re talking about a possible future world here, but as things stand now DVLA know exactly which cars, if any, are registered in your name, they have your postal address and possibly your email address, they ask for your mobile phone no., which you may or may not give them, and even if they don’t have your debit/credit card details from when you pay your road tax, they know a man who does. They check whether your car is MOT’d and, if it is, they will know where you had it done. They also check whether your cars are insured and, if so, when the premium is due – they may discover at the same time who your insurance company is. In your scenario, they will also know your Twitter ID.
[Dave Birch] Indeed. So therefore I should be able to log in using Twitter and the DVLA need not waste money on an e-ID single sign-on or whatever.
I assume that you broach this DVLA use case to demonstrate some benefit. What is the benefit of adding Twitter and your iPhone and your fingerprint to the recipe? You don’t see a problem (see below), but I don’t see a benefit.
I agree with your assertion. But only for very large values of “only”.
I don’t see a problem with this.
You’ve identified one problem yourself, in the opening paragraph of your post – the experience of Matt Honan.
As to the fingerprint, we are agreed and have both asserted from the start that this is not a matter of identification. The question is, can today’s mass consumer biometrics technology supply authentication?
No. Not if you try to keep the false match rate (FMR) as close to zero as possible. Because in that case flat print fingerprinting has a false non-match rate (FNMR) of about 20%.
How come matching doesn’t fail 20% of the time on your iPhone? Because the matching threshold has been lowered from the high security requirements of applications like police work, border control and … banking.
With the threshold lowered, the FNMR falls but the FMR rises – the two are inversely proportional.
The downside of a low FNMR is that more and more impostors could pass themselves off as Dave Birch. They would be able to authenticate payments to their friends drawn on your bank accounts and all authenticated by the watered down security provided by today’s mass consumer biometrics.
That’s no way to run a payments system.
Especially not if we’ve got PKI in the mix and, thus, non-revocation.
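The threshold argument in the comment above, and the uniqueness arithmetic from the earlier comment (nC2 comparisons, 1.8 × 10^15 for a population of 60 million, 1.8 × 10^9 false matches at one in a million), can both be seen in one added worked example. This is my own illustration, not code or data from either commenter: the matcher scores are synthetic, drawn from two overlapping constructed distributions so that no threshold is perfect, and the numbers they produce show only the shape of the FMR/FNMR trade-off, not any real product or trial. The last function goes beyond the comment: it shows how a per-comparison false match rate that looks tiny in a one-to-one check compounds when one probe is searched against a whole register.

```python
import math
import random

# Constructed illustration of the FMR/FNMR threshold trade-off and of the one-to-many
# arithmetic from the comments. Synthetic scores only; not results from any real trial.


def synthetic_scores(seed: int = 7, n: int = 2000):
    """Matcher similarity scores in [0, 1]: genuine attempts score high on average,
    impostor attempts low, with enough overlap that no threshold separates them cleanly."""
    rng = random.Random(seed)

    def clamp(x: float) -> float:
        return min(1.0, max(0.0, x))

    genuine = [clamp(rng.gauss(0.80, 0.10)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.30, 0.12)) for _ in range(n)]
    return genuine, impostor


def fnmr(genuine, threshold: float) -> float:
    """False non-match rate: genuine attempts rejected because they score below threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def fmr(impostor, threshold: float) -> float:
    """False match rate: impostor attempts accepted because they score at or above threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def sweep(genuine, impostor, steps: int = 20):
    """Rows of (threshold, FMR, FNMR). Raising the threshold lowers FMR and raises FNMR;
    lowering it (the consumer-handset setting) does the reverse."""
    return [(t, fmr(impostor, t), fnmr(genuine, t)) for t in (i / steps for i in range(steps + 1))]


def threshold_for_fmr(genuine, impostor, max_fmr: float) -> tuple:
    """Lowest threshold (0.001 grid) whose FMR is at most max_fmr, plus the FNMR paid for it.
    This is the 'keep FMR close to zero' setting; the second value is its usability cost."""
    for i in range(1001):
        t = i / 1000
        if fmr(impostor, t) <= max_fmr:
            return t, fnmr(genuine, t)
    return 1.0, fnmr(genuine, 1.0)


def pairwise_comparisons(n: int) -> int:
    """n choose 2: comparisons needed to check every template on a register against every other."""
    return n * (n - 1) // 2


def expected_false_matches(n: int, fmr_rate: float) -> float:
    """Expected false matches when de-duplicating a register of n templates at a given FMR."""
    return pairwise_comparisons(n) * fmr_rate


def one_to_many_false_match(fmr_rate: float, register_size: int) -> float:
    """Probability that a single impostor probe falsely matches at least one of register_size
    templates: 1 - (1 - FMR)^N. Added generalisation of the comment's point about 1:N search."""
    return 1.0 - math.exp(register_size * math.log1p(-fmr_rate))


if __name__ == "__main__":
    g, i = synthetic_scores()
    for t, f, nm in sweep(g, i):
        print(f"threshold {t:.2f}  FMR {f:.4f}  FNMR {nm:.4f}")
    print("strict setting:", threshold_for_fmr(g, i, 0.0))
    print("UK-scale uniqueness check:", pairwise_comparisons(60_000_000), "comparisons,",
          f"{expected_false_matches(60_000_000, 1e-6):.3g} expected false matches")
```

Running the sweep prints the two curves moving in opposite directions as the threshold moves, which is the whole of the "lowered threshold" point: the handset vendor buys a low FNMR by accepting a higher FMR. The strict setting shows the other end of the same curve, a zero FMR on this sample bought with a substantial FNMR.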
Indeed. So therefore I should be able to log in using Twitter and the DVLA need not waste money on an e-ID single sign-on or whatever.
Matt Honan’s Twitter account was taken over and used to broadcast homophobic and racist comments in his name. Why would you want to log on to DVLA using an insecure Twitter account?
DVLA don’t offer SSO to us consumers. You are solving a non-existent problem.
Why would DVLA accept a Twitter ID? Only if they had first issued a credential authorising that ID to use certain resources. But having done that, why bother to involve Twitter at all, DVLA have already done the access control work themselves?
With DVLA, the use case one’s mind lights on is paying road tax. AML aside, DVLA probably don’t care who pays them for a tax disc as long as someone does.
What about cases where government is paying money out, as opposed to receiving it? Will DWP pay benefits to a Twitter ID? Under what circumstances would that be a responsible way to spend public money?
Do you want the social networks to become part of the UK Constitution? Why?
That’s what would happen if their IDs were used for public services. As seems all too possible if you watch what G-Cloud and GDS are up to at the moment.