Archive for the ‘General’ Category

Response to Mark Diodati’s “Nothing is Bulletproof” post

Wednesday, October 24th, 2007

Thanks to Mark Diodati for carrying on this discussion, as I believe it is an important one, and, contrary to my apparent tone in my last post, I do think Mark knows what he is talking about. My frustration continues to be with the industry thought processes at large, which treat the secure authentication challenge with too little, too weak, and fail the customer.

I certainly agree that PKI is not a silver bullet for the authentication problem and that a multi-layered approach is necessary. I’ve addressed this at length in various posts covering: Fraud detection; Transaction authentication; Malware attack.

There are indeed a variety of attack surfaces at the client to compromise not only PKI (smartcard or not), but also biometrics. Let’s agree, once and for all, that there is no single-hit, silver-bullet solution. There are just a group of solutions that do different things along three primary axes: ease of use, cost and security. These three axes impact two primary communities: end-users and service / application providers. My main pain point is that not enough is being done to address the end-user’s security problems because of what I believe is a complete and deeply held misperception, a nearly religious industry tenet: users can’t / won’t deal with anything involving additional software download or hardware. This point is probably the only thing that Mark Diodati and I really disagree about on this entire topic.

We agree that:

  * There are no silver bullet solutions.
  * “The only way to be totally protected against man-in-the-middle attacks is to use digital certificates or public key encryption” (Mark Diodati in the referenced eWeek article).
  * Multi-layered approaches are necessary.
  * Smartcard deployments in the U.S. are dead on arrival for consumer adoption.
  * Traditional PKI is hard for users, IT departments and security practitioners and, on top of that, very costly.

We mostly agree that:

  * U.S. FIs are not yet prepared to deploy client or hardware solutions. I can’t completely agree with this, as several have deployed, and continue to deploy, solutions that fall into this category, including TriCipher’s, but certainly the numbers are not overwhelming.

We don’t agree that:

  * “U.S. consumers don’t want” client or hardware solutions. Consumers have no problem downloading software that provides them value and do so by the thousands every day. While many will completely dismiss Javelin’s Consumer Online Banking Study because TriCipher helped sponsor it, even I was surprised that 62% of consumers said they would be likely to download software for improved security from their bank. I was thinking it might be, say, 50%, but the findings were borne out given that 69% of the study participants actually did download and use the software in conjunction with the web study. How much higher would that number have been if it had been offered through their bank site? The two most popular downloaded items at c/net’s download.com site are security related: anti-virus and anti-spyware. It cannot be argued that users are not actively looking for, and open to, security solutions to use on their devices.

I merely agree with Mark that PKI is a solid, strong solution for authentication and beyond (signing, encryption, etc.). Consequently, PKI-based solutions should be more closely studied as part of the overall security solution space for authentication, protecting against phishing, man-in-the-middle, man-in-the-browser and a wide variety of, but not all, malware. The main problem with PKI has always been in the implementation: getting keys to the user and managing them from there. “Pitch Alert”: this is what TriCipher has solved. Anyone who can use an ATM card and a PIN without understanding Triple-DES can get and use PKI that is properly architected and deployed in a practical manner. We even make it so that what the user wishes to use as their “ATM card” is flexible and can even be left up to them, so they don’t have to be issued any purpose-built hardware. Me, I use my MP3 player of choice as my 2nd factor. What would you use?

Time to move past mere “reassure the customer”, “feel good” solutions and move to something providing actual security and protections. I hope that clears things up a bit. Mark, we should put together a panel or roundtable on the topic of what consumers will and won’t put up with to get real security in their online lives.

Password hardening

Tuesday, September 25th, 2007

To follow up on my last post, here’s the link to the password hardening Q&A with Mark Diodati. Per the article: ‘password hardening is that you do something extra to make the password harder to guess or spoof without actually distributing a piece of hardware or software to the consumer. That extra thing you do is like a second factor.’

So he’s claiming that BioPassword is able to perform their function using just the native bits of Flash that reside in the default Flash installation? Does that contain keyboard monitoring and patterning capture, or does some new code need to be downloaded via Flash to pull this off (rhetorical, for those of you playing at home)? What prevents another keyboard logger from capturing the password and the patterning? Is this same patterning going to work on my Treo, or on all 3 of the different keyboards I use in different postures (work chair, sofa, standing desk)?

Wouldn’t it be far better to ensure that capture of the password via any means or method, with or without any cutesy patterning capture, would gain the attacker nothing of use? What about the ability to protect against any kind of internal, total password file compromise? THAT’s password hardening! Does BioPassword do that? No.

As to the dancing on-screen keyboard entry stuff, that has been shown again and again to be vulnerable to screen / click capture malware. It doesn’t matter if the keys are in different places at each login; this only protects from a pixel grid attack, not a screen capture attack that grabs the image surrounding the mouse at the time of the click so the attacker can see 3,5,9,4,A,m,r, etc. By the time you make the interface confusing enough to obfuscate the clicks, ‘Joe regular user’ is confused or irritated or picking an easy-to-enter, and therefore easy-to-guess, password. If this was all that and a bag of chips, Bharosa wouldn’t have had to move into fraud detection to support their weak, ‘pseudo-multifactor’ approach.

This stuff has been around for ages along with the ‘pick the faces you remember’ thing. Do ‘the kids’ today still use the word ‘lame’? It’s 2007 and folks are still dinking around with these kiddy toy approaches. I continue to be amazed at the half-measures being considered, let alone purchased and deployed.

Note the admission in the last answer that PKI is the only real answer. Funny how it keeps coming back down to that. Now if only there was a solution that made PKI practical and scalable… hmmmm, wonder where I might find one of those [sly, cat-got-canary grin]?

European vs. U.S. 2nd factor acceptance

Sunday, September 16th, 2007

In an interesting article this week on why the Europeans have adopted true 2nd factor authentication and the U.S. has not, David Berlind references a Q&A chain with Mark Diodati of Burton Group. The first article in the chain is on What is Multifactor Authentication? and I’d like to draw your attention to the second question: Many European security experts believe that multifactor authentication is essential for securing online consumer applications, but in the United States few banks or other financial institutions use it. Why is this? Mark Diodati’s response is actually very interesting and not something of which I was aware.

I would, however, suggest an additional idea: higher European adoption could also be influenced by the difference in privacy laws and just general sensitivity to privacy in Europe vs. the U.S. Liability is a strong motivator. I’ve long held that U.S. institutions are concerned about protecting the transactions and hence themselves, rather than worrying about actually protecting the end-user. The end-user could be compromised and have their identity stolen or fraud perpetrated on them in a variety of ways due to a breach of an online account, but so long as the bank doesn’t incur a loss by reimbursing a customer for a $500 fraudulent transaction, the bank is satisfied. They are apparently managing this fraud loss ratio satisfactorily, or they would definitely be pursuing more stringent mechanisms or having them forced upon them more explicitly than the weak FFIEC Guidance from 2005. This comes down to the difference between guarding against fraudulent transactions and the broader protection of users’ data: transactional, identity, etc.

Certainly there also appears to be a greater resistance by Americans to anything that smacks of inconvenience. The numbers are plain and straightforward that for every change you make to an online experience, users click away, stop and pick up the phone, etc. All things to be avoided if you’re trying to build an online channel and keep support costs low. Understandable.

However, like David Berlind, I’d be very happy to use a true 2nd factor authentication mechanism. In fact, I’ll change banks to get true strong authentication and move to doing much more online business ever after at that bank. I suspect that Mr. Berlind would put an OTP (One Time Password) into that category, but if you’ve read my blog or paid much attention to the reality of the man-in-the-middle threat, you’ll hold out for a true 2nd factor and not just another single factor (what you know). Remember that two passwords don’t make an actual second factor, even if one is only useful for a short while. Yes, I know that is a contentious statement and out of step with the mainstream view of OTPs, but I believe the realities of 2007 back it up.

By failing to offer stronger authentication and other security options and merely sticking with the bare minimum, U.S. institutions fail to capitalize on the opportunities for competitive advantage and increased online usage by a key target audience: the technology-savvy early adopter. I haven’t looked up any recent studies on it, but I suspect this group comprises the mythical ‘influencers’ as well and probably has above-average incomes, bank balances and credit card usage rates.

I’ll cover the next Q&A article in the chain with Mark Diodati in my next post. It covers password hardening.

Cookie-based Security Creates False Sense of Online Banking Security

Wednesday, August 15th, 2007

Our CEO, John De Santis has an article posted over at Bank Systems & Technology. You can and should read it here or the response won’t make as much sense, eh?

While there, note the three initial comments posted; my response to them is below for your review until such time as it clears moderation over at BankTech.

===================================

Thought I’d chime in here on John’s behalf and as TriCipher’s “evangelist”. I’ll address the three previous posts in order.

First, Ron Behanic, of course what we recommend is that you check out TriCipher’s novel approach and patented technology providing alternatives to cookie-based, friendly picture-based options. I’ve included some informational links at the bottom of this post to help you pursue the questions raised in John’s article.

Second, AlmostSecure, you are correct that the purveyors of cookie-based secure authentication (an oxymoron if ever there was one) also include backend checks. Our main point isn’t that these checks or fraud detection measures shouldn’t be done or don’t have value, but that they don’t actually protect consumers. Should I steal a user’s credential, log into their bank account, browse around and download all their transaction and personal data from the web account, what kind of havoc can I then perpetrate on that user? I won’t have set off any alarms, as I won’t have done anything alarm-worthy. However, I will have plenty of information to perpetrate identity theft online and off in a variety of vectors, completely ruining the consumer’s day, to put it mildly.

Botnets are already being used to thwart IP Geolocation schemes and a careful scammer could readily compromise enough accounts and move enough small amounts of money without setting off any alarms to make it worth their while. We are strong proponents of fraud prevention in addition to fraud detection.

I’d also like to correct AlmostSecure’s statement that server SSL certificates can stop MITM attacks. This is demonstrably untrue, or MITM attacks would already be prevented and not a threat. SSL was always intended to be a 2-way mechanism where not only would the server authenticate itself to the user, but the client would authenticate with a digital credential to the server. ONLY when both parties perform both ends of the SSL protocol is the communication non-MITM-able (yep, I think I just made that word up, you read it here first). SSL as used today is 1-way and useful to prevent sniffing of traffic, but does nothing to prevent MITM attacks. We’ve been demonstrating this for several years and these attacks are happening “in the wild” as we speak, with readily available kits for any script kiddie to launch.
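The 2-way SSL described above, as an added example that is not part of the original post and not TriCipher’s code: a Go program that builds a throwaway CA in memory, runs a loopback TLS server first in the usual 1-way mode and then with `RequireAndVerifyClientCert`, and shows that only the latter turns away a client holding no digital credential. The names `demoPKI`, `issue`, `buildPKI` and `connect` are this example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Throwaway root CA plus a server and a client credential it issued, all built in
// memory for this example (hypothetical demo code, not TriCipher's product).
type demoPKI struct {
	roots          *x509.CertPool
	server, client tls.Certificate
}

func must(err error) { if err != nil { panic(err) } }

// issue creates a P-256 key and certificate for cn: a self-signed CA when parent
// is nil, otherwise a leaf signed by parent that is valid for both TLS roles.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{"localhost"}, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root that signs the leaves below
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	} else { // leaf usable as either a server or a client credential in this demo
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func buildPKI() *demoPKI {
	ca, caKey := issue("Demo Root CA", nil, nil)
	srv, srvKey := issue("localhost", ca, caKey)
	cli, cliKey := issue("alice", ca, caKey) // the user's digital credential
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &demoPKI{roots: roots,
		server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
}

// connect runs one TLS session over loopback and returns the server's verdict: nil
// means the handshake completed and a greeting was sent. requireClientCert turns on
// mutual TLS (vs. 1-way, the web default); presentClientCert gives the client a credential.
func connect(p *demoPKI, requireClientCert, presentClientCert bool) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.server}, ClientCAs: p.roots}
	if requireClientCert {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert // credential from our CA, or no session
	}
	cliCfg := &tls.Config{RootCAs: p.roots, ServerName: "localhost"}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{p.client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			// The handshake is where the client certificate, or its absence, is judged.
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				_, err = conn.Write([]byte("hello, authenticated client\n"))
			}
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		conn.Read(make([]byte, 64)) // greeting, or the server's alert
		conn.Close()
	}
	return <-verdict
}
```

Calling `connect(p, false, false)` succeeds, `connect(p, true, false)` fails with the server refusing the session, and `connect(p, true, true)` succeeds again; a man-in-the-middle without the user’s credential sits in the second case.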

Malware may be the most sloppily used word in computer security. Malware is a category of attacks utilizing code at the client. Keyboard loggers, screen click capture, e-mail remailers, etc., all the way through to full device “ownership”, fall into the bucket of malware. Sure, if a device is completely “owned” then it’s game over. It doesn’t matter if you have a retina scanner, smart card and DNA analyzer all attached; the attacker merely waits for the user to authenticate and takes over behind the scenes. However, short of that level of compromise, there is a lot that we at TriCipher provide our customers to protect their users’ credentials from being stolen / compromised by a significant portion of the attack vectors falling into the “malware” group. We do this while providing the flexibility to match the strength and cost of the credential type exactly to the risk profile of the user, the application or the underlying data.

Third, mike’s post mentions “…Triciphers [sic] alternative is a PKI…”. Yup, we use PKI because it is the only technology shown to provide the properties necessary for strong authentication, digital signing, encryption, etc. Of course, everyone knows that PKI is nearly a dirty word and that’s why TriCipher’s patented technology results in a “practical PKI” with all the security properties of PKI, but without all the pain and fuss for end-users, implementers, security folks, etc.
Certainly self-serving of me to suggest it, but you really do owe it to yourself to swing by our web site and check out how we do it and how it can help your organization address your strong authentication and credential needs. Also, feel free to swing by my blog where I’ve addressed some of these issues and more. Also come share your thoughts and challenges at www.EYEdentityOnline.com.

Webcast: Consumer Authentication, Evolving Threats, and Countermeasures with Mark Diodati, Analyst, Burton Group http://www.tricipher.com/registration/consumer_authentication_webinar.html

Man in the Middle Whitepaper: http://www.tricipher.com/landing_pages/spotlight_offer.html

Man in the Browser Whitepaper: http://www.tricipher.com/threats/man_in_the_browser.html

Yikes, where did those last 10 weeks go?

Friday, June 1st, 2007

Needless to say, I’ve been busy regardless of the lack of activity here on the blog. I’ve crisscrossed the U.S. several times and the Atlantic twice as well, once on business and once more for pleasure.

For my first post after such a long gap, I’m going to chat quickly about two events I attended that tie most directly to this blog: the FTC: ID Proof Positive event in Washington, DC on April 23-24 and the Online Game Developers Conference in Seattle May 10-11.

The FTC event as you can imagine was a bit dry, but I’d like to share one positive line of thinking I heard and one negative.

First the positive. Several speakers actually reiterated an important point: the threat to user confidence is at least as important as, and probably more important than, the direct $$ losses to online attacks. There is a big disparity between speaking to user communities under constant assault from a dizzying array of attacks and press coverage of millions of users’ identities being compromised on one hand, and on the other hand speaking to financial institutions that point to their “very manageable fraud loss rates”. Indications from the past holiday cycle point out that while total spending was up, the number of folks doing that spending didn’t grow much. Looks like confidence is down except for those already “in”. But if loss rates are still low, there’s no incentive for anyone to get too concerned.

Really? Are we digital life people just so insulated from the rest of the real world that we believe everyone is on the e-bandwagon? Check around you. I’m constantly surprised by the number of people in high-tech sectors that won’t transact online on a dare. The majority of my non-high-tech friends are also very skittish about transacting online. Seems everyone on the e-field should be anxious to get those spectating from the stands to join us and bring their e-money.

Now to the negative. There was a panel late on the 23rd roughly titled “FFIEC 4 Months In”. I almost felt sorry for the FFIEC guidance representative on the panel. Clearly I’m not the only one who believes the latest guidance was so loose as to accomplish almost nothing for consumers, though admittedly it was a boon to us vendors. Here are a couple of interesting high points I noted:

  1. When asked about what was and wasn’t actually suitable for online banking, he indicated “anomaly detection alone does not satisfy the guidance” [undoubtedly a paraphrase, I’m not that great a note taker]. Wow. It will be interesting to get back with some banks that placed their entire guidance compliance in the hands of anomaly detection. While I am clearly a strong authentication kinda guy, am I against fraud detection? Of course not. I believe in defense in depth as much as any competent security practitioner in the virtual or real world, but as the sole security layer of supposed multi-factor authentication, no way.
  2. When asked about where things should then next head for MFA, he actually mentioned OTPs as the next big thing for moving up in security levels. Now I can understand why an FFIEC guy (or gal) wouldn’t be up on the cutting edge of security attack vectors, techniques and cracks, but doesn’t he read his own industry press? Citibank wasn’t the only publicly compromised OTP last year. Heck the FFIEC is mentioned specifically in this article, though don’t get me started on the non sequitur of the last line from Mr. Lam.
  3. Given #1 and #2 above and that one smart tech guy on the panel had already rained on most of the rest of the FFIEC guidance items as broken and busted, I could hardly spit out my question, “So if this guidance is already full of measures that are compromised, when can we expect FFIEC-2?”. There was a lot of hemming and hawing, but basically the direct answer was, [paraphrased] “The FFIEC doesn’t want to create confusion and pain for the financial institutions. Our last note on these lines was in 2001, sooo…”. Seriously, I swear to you he trailed off. Clearly then it will be years before they step up, if the same gap holds true, they won’t come back with something till 2009. Will other regulators step in? Will they also seriously undershoot the already demonstrable threat level in 2009?

So now onto a more pleasant topic, online gaming. The OGDC was very interesting both from a professional and personal standpoint. When there weren’t direct security or infrastructure sessions, I sat in on a few of the more creative sessions. It was very interesting to listen to some “inside baseball” discussions from those that take technology, story and interfaces to deliver entertainment and that ever elusive “fun”.

Not as much to report there. A couple of points pretty well sum it up.

  1. Several sessions reported data showing that a compromised World of Warcraft (WoW) account is worth twice as much ($10) as a compromised credit card ($5) on the black market.
  2. I chatted with a senior developer about his MMO’s need to strengthen authentication against phishing and other social engineering attacks that we gamers increasingly hear about. He indicated that his company preferred to deal with these theft cases as a customer support issue. Should a user’s account get compromised and they login to find all their hard earned loot sold out from under them, the support folks will investigate the logs and try to validate the “supposed victim’s story”. If the story seems true, the stuff can be reinstated. Good luck proving a customer did or didn’t share the account and just get taken by “friendly fraud”.

Now, that is certainly a feasible approach, but I’d be one irritated user, as what would stop this from happening again? Especially if the attack was launched with a keylogger just waiting to do it to me again? Doesn’t seem like customer care to me, but then I’m biased, cuz I’m a vendor trying to sell the MMO something, right? True enough, but that doesn’t mean that as a gamer I’m not seriously peeved at this attitude.

Curious as to others’ thoughts about why a WoW account is so much more valuable than a credit card. My quick and dirty analysis is thus:
* Check the prices online for purchase of a top level character. Looks like starting prices are around $454 running up to $749 for some of the quick searches I ran on this site.
* What do you think will get the FBI or other law enforcement’s attention more: “Our merchant database of 200,000 credit cards was stolen” or “200,000 users had all their Shadoweave Robes and other virtual stuff stolen”?

Seems like the old risk / reward equation makes this seem pretty self explanatory, but maybe I’m oversimplifying.

Who is Hahleq?

Sunday, March 4th, 2007

Both of you that read this blog thus far may be wondering what the picture in the upper right corner is, as it obviously isn’t a picture of me.  Also to the right in the Blogroll you’ll see a link to “Hahleq’s Hideout”, a web page of mine that generally is neglected, but does provide a few links to other interests of mine.  The picture of “me” is actually the picture I use associated with my Xbox Live persona.  Basically, except for business communications, if you want to find me on any forum just look for me as “Hahleq”.

So the obvious answer to the question posed in this post’s title is, Hahleq is my online alter ego.  So the next question is, why bring that into this forum?  The answer should be obvious and transparent.  This blog is about identity and Hahleq is one of my identities.  I have used this identity online now for over 10 years.  There are a lot of people I frequently correspond with in various forums and across various interests that know “me” only as Hahleq.

Clearly, I’m not doing this to try and mask who I really am, as a couple quick links around and some use of Google would reveal that the “real world” identity of Hahleq is actually, Tim Renshaw.  Interesting to think however, that for many of those who know me only as Hahleq, what would the revelation of my real name really gain them?  What they think of me and how they relate to me is established by our historical interactions.  We generally refer to this as reputation. 

Sure, they might feel differently to find out my age, my career pursuit and background, my marital status, my geographic location, etc., but this is generally immaterial to the context in which I currently interface with them.  These relationships range from very shallow to relatively in-depth.  Of course, many of these folks also are known to me by their online nom de plume (sorry, as a blogger, I feel incented to occasionally use needlessly intellectual phraseology) or screen name.  This is where the idea of anonymity comes into play.

I’m obviously not revealing any novel or earth shattering concepts here, but these concepts lie behind so many discussions I’m having lately across so many seemingly disparate online venues, that I need to put some of these thoughts on a page.  Strong authentication, validated identity, reputation, anonymity, privacy, verifiable assertions, etc. across everything from the very business oriented forums such as online banking, brokerage, e-commerce payment, digital content controls to the seemingly less serious (that’s in the eye of the beholder or partaker, though, no?) community forums ranging from social networks of all types to online video gaming from the PC to the various consoles both handheld and in the home entertainment center.  You can check out my thoughts on how important identity is for me, and I suspect for many others over at my purely gaming related blog at GameSpot in this particular post.

What are your various online identities and how do you view their value (i.e. why use an avatar)?  Or do you forswear such schemes and use your real name everywhere?  If so, why?

Obligatory first post introduction

Thursday, February 15th, 2007

Welcome. Let’s get right to it. Why are we here? You, I don’t know. Hopefully you are looking for the content we will build together here. Me, I’m here to blather about my thoughts on a wide variety of online identity, privacy and general online or digital life issues. Hopefully, this will very much be a two-way discussion where we kick around ideas started here or in other sites covering the same topics, so chime in.

Since this is my kick-off post, it seems there are a couple launch items we should get out of the way:

  1. Who the heck is Tim Renshaw?
  2. What is the affiliation with TriCipher, Inc. my employer?
  3. What is going to be discussed here?

You can check out my bio here on the TriCipher, Inc. web site.  I am a married guy, no kids, two dogs, who has worked in the e-commerce space certainly since joining CheckFree back in 1998. My two main hobbies are electronic gaming of all kinds and on all platforms, and fishing, you know, for actual fish like bass, not phishing. We’ll get to that in due course :-). I have been involved in IT matters and technology as part of my career since the late 80s when PCs and networks exploded throughout the bank enterprises where I worked.  As a result, I got sucked into technology and found it appealed to me much more than the actual banking business did.  A lot of hands-on hours later mucking around in the guts of PCs, networks and servers, I ended up working in the audit department of Banc One, now part of JPMC, where I was exposed to not only being audited but what a good auditor and audit process accomplishes.

Needless to say, all along the way security has been a day to day concern, both for the user communities I served, and as everything increasingly came online to the larger world, concern for my own servers and systems.  Authorization and authentication issues were part of daily, real world management and implementation.  Walking the line of enforcing security and audit policy while trying to keep my support calls and general user unhappiness from escalating has been part of my daily thought process for years.  Additionally, while at CheckFree working on various bill presentment and payment products, the clear linkage between user authentication, account authentication and fraud relationships made a distinct impression.

Which brings me to my current employment / affiliation at TriCipher, Inc.  I joined the company, then called SingleSignOn.Net in 2001 after being introduced to their novel digital credential technology developed into a deployable product. I’m still with the company, now TriCipher, after 6 years because what I saw then as an effective and workable answer to the issues of strong authentication, reliable identity, federated identity, digital signing, personal data controls and privacy / anonymity issues are unfortunately, only now being seriously addressed in the internet e-commerce and emerging inter-social-blogo-web2.0-mobile-multidevice world.  All that being said, this is not going to be an ad site for TriCipher, however, I am also not going to try and mask the fact that I am a huge advocate for our technology or that I come from a pro-TriCipher technology point of view.  I don’t believe anyone can be completely objective about things they truly believe in and I believe in strong, easy to use, digital credentials and I believe TriCipher Armored Credentials are all that and a bag of chips.  The items posted here will be mine alone and by no means are to be taken as official TriCipher statements, policy or (insert your own typical legal CYA-speak here).  So there, that’s out of the way.

Last on my “first post list” is what we are going to be discussing here.  Well, if it hasn’t become clear at this point, I’m going to be posting about issues loosely around: strong authentication, reliable identity, federated identity, digital signing, personal data controls and privacy / anonymity issues, as well as how these relate to the things we like to do online: shop, chat, game, blog, consume and interact with various digital media.  Roughly stated, I’m going to speak my mind on items relating to our ever emerging online life and the issues that matter to those of us that consider online an important part of what comprises our overall lives.  Where it goes from there is up to you, the readers and hopefully posters.