Identity Compromise as a Service

Yet another report of a massive leak of personal data by a large service provider in the news. No longer surprising and no sign of legitimate mitigations on offer – other than ‘be vigilant – keep on the lookout for unexpected uses of your personal information’.

Many of the posts in this series have focused on the evolution of digital service models in which consumers pay the price of attention, management oversight, and data entry effort on behalf of service providers. In addition, consumers also agree to provide personal information as a prerequisite to accessing a service to ‘authenticate’ the consumer and make it easier for the supplier to provide services through digital interfaces.

Historically we have encouraged diverse ecosystems of suppliers to ensure competition and incentivise innovation. An owner’s experience can be enhanced with a greater choice of service providers and product suppliers – particularly if our ‘relationship’ begins and ends when we enter or walk out the door. In this early digital era, we enter into a ‘relationship’ with every supplier through consensual access to our personal information as a prerequisite to receiving the product or service.

My personal information is held by thousands of suppliers who have no incentive to care for that information in the way I would. Redundant and outdated copies of my data are spread across countless data stores – I’ll never know where and most of my ‘trusted’ service providers don’t know where it is either.

In the Business to Business space, it would be ludicrous for a company to keep the corporate information of every one of their customers. A tax file number, maybe bank account or payment intermediary details – that’s all. In the Business to Consumer space, gathering as much data as possible about customers has become the norm, and exploiting that data to push more sales has become the goal.

The much vaunted 2-factor authentication does nothing to limit the policy of consumer data scraping. It does, however, move us to the point where we’ll need to use a combination of user, password and mobile phone code every time we want to access a service – more work for the consumer and no responsibility being taken by the service provider. Passive data harvesting and analysis is still a very rewarding activity and does not require one- or n-factor user authentication.

The only way this situation will improve is for providers to accept and consumers to adopt a personal authentication agent that provides approved interface keys and negotiates and records all data exchanged with each provider. While an individual’s data can still be hacked, the damage is limited to one individual. The same hack on today’s providers damages millions of consumers.

Knock knock…

Most consumer digital service providers assume that if someone interacts with them using a particular digital key, they must be who they say they are. In the purist view of crypto, this artifice has been dropped, and interactions occur between keys – regardless of who or what is holding the key. Neither approach affords a natural bridge for people living at the intersection of the digital and physical worlds.

This week I signed up for a new digital service and at the end of the registration, the provider sent an SMS with a code to the phone number I’d provided. I entered the code on the provider’s website and got the message – “that’s great, now we know it’s you, we can get started”. They “know it’s me” because the inputs and outputs on the other side of their digital interface satisfied their software rules. All they know is that there’s another piece of software that has responded to their interface – and this sets the scene for the way they think of their customers.

Physical key technology has served us pretty well for a few thousand years but does have some well-known drawbacks – keys are easily copied or stolen. You might not know which of your friends (or friends’ friends) have been lent keys. You have to change the locks and keys when a lock is compromised. Over time you end up with quite a collection of keys on your key ring – sometimes forgetting what they were for etc.

In most situations, we don’t think of a physical key as a way to authenticate who we are. Just because someone opens my front door with a key doesn’t mean that I trust them without question to have open access to the house. Imagine being blindfolded with earplugs in and assuming that anyone with your front door key must be trustworthy. Yet that is precisely what many digital service providers are doing – not because they think you’ll ransack their website – but because they don’t put a value on the real human being that holds the key.

We have willingly entered into a dysfunctional arrangement whereby we do all the work to manage an ever-increasing number of unique digital keys and door addresses in order to access services where the provider doesn’t value our individuality.

Digital keys come in many different forms: passwords, SMS message codes, codes generated by apps authenticated by other keys and, more recently, cryptographically verifiable codes.

We all knew that the password key approach became a mistake as soon as we needed to open more than seven plus or minus three digital doors. For many of us, our digital “key ring” has hundreds of keys, most of which look the same and we spend a lot of time fumbling in the dark, trying to find the key that fits the lock to access a digital service. If you try the wrong key too many times, you have to change your own lock and cut yourself a new key – remembering to remove the old key from the key ring.

Authentication that uses a phone number like SMS codes assumes that it must be you if a digital response is received from a digital request. This is just lazy. The much-vaunted ‘two factor authentication’ approach is only useful if the two factors use different contexts, including, ideally, something that is directly connected to a human experience.

Biometric device-based digital key mechanisms offer some improvement by assuming that if you can access your device, then the device maker can be trusted to know it must be you – or at least someone who has your finger or face. Nonetheless, until we get the implants, it’s impractical to require you to have your phone or watch at all times to access a digital service.

Cryptographic keys cut the human out entirely and simply trust the computation of the input and output. Being “digitally native”, they also have the additional functionality of being a piece of software that can be used in association with other algorithm software to encode and decode digital content. Kind of like a physical key that changes a door into a window when turned in a lock.

The “beauty” of cryptographic keys and associated safes is that, for all practical purposes, they resist all currently known safe cracking techniques and don’t require any other human intervention – the pieces of software are either compatible or they aren’t. If they are, then the key opens the lock. This is great for all of you algos out there – not so compatible with a society predicated on exchanges between humans.

So how do you keep your digital keys safe? You put them in another software or even a physical box with a different key. You might make this box hard to find or access. Maybe put it in a bank vault where you will need many more forms of identity than just holding a key.

Like a physical key, anyone with a copy of a digital key can open the lock. Unlike a physical key, if you lose a digital key (and all copies) the lock will never open again.

Does this really sound like a huge leap forward for civilisation?

Like the other themes in these posts, digital authentication approaches are failing because they expect people to operate interfaces designed for digital things. And like other themes, new digital approaches tend to carry forward design concepts from the physical world without appreciating the unique aspects of a blended digital and physical environment.

To live happily and securely in a blended physical and digital world, we must adopt new attitudes and blended approaches for authentication and trust. These new approaches won’t succeed by requiring service consumers to become cryptographic locksmiths. The only choice is for us to foster a deeper and more secure relationship with a trusted digital gatekeeper designed to serve human consumers and participate in digital-to-digital interactions on our behalf.

Who or what do you trust #1?

Despite some technology hype, there’s no such thing as ‘trustless’ transactions between humans. Just because I have a valid key doesn’t make me a trustworthy key holder and if my digital credentials are invalid it doesn’t necessarily mean that I am untrustworthy. Digital security and trust, like other themes explored in this blog, are evolving in ways that are often incompatible with a world that increasingly relies upon the blending of electrons and humans.

I recently visited my elderly parents who live in a beautiful semi-rural area in the US where many of the people are holidaymakers or retirees. The area has all the modern conveniences as well as some vestiges of the land that time forgot – including a local internet service provider that has aged along with many in the community.

This ISP offers email services and bandwidth that’s about a tenth of the speed and capacity at a similar price to national competitors. It also offers extraordinary customer support that reflects the community they support.

Soon after I arrived, both of my parents began having issues with their email. Their first thought was that I might have broken the home Wi-Fi due to my excessive (i.e. that of an average digital participant) data consumption through multiple concurrently connected devices (crazy stuff!). Looking into it, I saw that the ISP plan they were on offered very low speeds but the modem and router were working, albeit slowly. As a trusted intermediary I asked them for their passwords so I could look at the ISP’s email account setup and was given a collection of coloured post-it notes with three or four passwords on each, marked with uncertain notes like ‘pc’, ‘ipad’, ‘apple’, ‘nokia’, ‘old’, ‘lulu’, ‘new’, ‘newer’ etc. None of these seemed to work – not even the blue ones – and they suggested calling the ISP. I said that the ISP wouldn’t be able to help because their passwords were encrypted and we’d have to reset them – no, we need to call Mike or Lulu.

So I called, and the phone was answered in 2 rings (!) by Mike, who spoke to my Dad and got him to guess what parts of the correct password might be – I think it has this or that number in it – yes, says Mike, and there’s a short word before the number – what might that be? No, not that one, yes, that’s the one. Password (unencrypted on Mike’s end) confirmed – first problem solved, but my cyber security sensibilities were in meltdown.

Mike and I could then establish that my parents had thought that every email client had its own password (totally reasonable for those who became digital aliens around 1998). Each time a device was turned on (because of course you don’t want to wear out your mobile phone and tablet by leaving them on all the time) it would try to connect to the email account with a different (out of date) password and lock the account after three failed tries.
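The lockout loop described above, as an added Python example (not the ISP’s software and not part of the original post): a naive policy that counts every failed try sits beside one that counts only distinct wrong passwords, so a couple of devices replaying their own stale passwords cannot lock the account on their own, while a run of different guesses still does. Account names, passwords and the three-strike threshold are constructed for the demo.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3  # the "three failed tries" from the post


class Account:
    """One mail account. Only a salted hash of the password is stored."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.failed_fingerprints = []  # wrong-password hashes seen since the last success
        self.locked = False

    def _hash(self, password: str) -> bytes:
        # Demo only: a real service uses a slow KDF (argon2, scrypt or bcrypt).
        return hashlib.sha256(self.salt + password.encode()).digest()

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)


def login(acct: Account, password: str, count_repeats: bool) -> str:
    """count_repeats=True is the naive policy (every failure counts).
    count_repeats=False counts only distinct wrong passwords, so a stale
    client replaying one old password adds a single strike, not one per retry."""
    if acct.locked:
        return "locked"
    if acct.check(password):
        acct.failed_fingerprints.clear()  # a good login resets the counter
        return "ok"
    fp = acct._hash(password)
    if count_repeats or fp not in acct.failed_fingerprints:
        acct.failed_fingerprints.append(fp)
    if len(acct.failed_fingerprints) >= LOCKOUT_THRESHOLD:
        acct.locked = True
        return "locked"
    return "bad_password"


def stale_devices(count_repeats: bool) -> list:
    """Constructed scenario: two devices, each holding its own out-of-date
    password, retry alternately; then the user types the right one."""
    acct = Account("cabin42")
    tries = ["cabin41", "cabin40", "cabin41", "cabin40", "cabin42"]
    return [login(acct, pw, count_repeats) for pw in tries]


def guessing(count_repeats: bool) -> list:
    """Constructed scenario: three different wrong passwords in a row."""
    acct = Account("cabin42")
    return [login(acct, g, count_repeats) for g in ("password", "cabin", "letmein")]
```

Under the naive policy the two stale devices lock the account before the owner ever types the correct password; under the distinct-password policy the owner gets in, and the guessing run is still stopped at the third strike.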

After an hour or so of deducing all this, everything was sorted – fixed the email setup on the PCs and portable devices, and Mike and I tested each connection with me on the clients and his observation on the server. During all this time Mike had to stop and take other calls and then called me back!

Some of you reading this would have paused at the point where Mike was clearly looking at my parents’ unencrypted passwords and reading their email to see if test messages were getting through. Without this level of service though, my parents simply wouldn’t be able to reliably manage their email access on a day-to-day basis.

My parents trust Mike and his employer and Mike trusts that my parents are who they say they are – and that’s pretty easy because they have some consistent, unique and sometimes pretty frustrating analog characteristics. They have a human trusted relationship and a service arrangement that is ‘old fashioned’, and simply unavailable through ‘modern’, secure and less expensive competitors.

Thanks for your care and patience Mike – a pixie in human form.