Archive for March, 2007

Customer education is not a plan

Monday, March 19th, 2007

I would like to pick up the thought thread from my Feb 23 entry, “Pictures and fraud detection”; you may want to scroll down there, read that and come back.  Tying into that thread are two news items from last week that you should also read, or at least scan, before continuing:

  1. Tracking the Password Thieves by Brian Krebs / Security Fix
  2. Thieves raid online accounts in penny stock scam by Kathleen Pender / San Francisco Chronicle

So what’s special about two more “people got ripped off online” stories?

The first tie-in to my Feb 23 posting is that this is just another in an ongoing line of similar stories, and whether or not they indicate some new attack vector, they add up to an ongoing drumbeat telling many consumers that they should continue to avoid the online channel.  This of course has an immediate impact on e-commerce bottom lines, as revenue is lost and profit-margin and productivity gains remain unrealized.

The second tie-in to the previous post is that the seven affected brokerage firms spent roughly $300k each “attempting to make their customers whole”.  Being a vendor in this space, I can pretty confidently assert that these seven firms could each have purchased “a product” for no more than that, on average, and it would have prevented this attack.  Note that the attackers logged in as the victims: simple password theft, though the method by which the passwords were obtained is not mentioned in the pump-and-dump article.

  • It is unbelievable to me that John Reed Stark of the SEC indicates the thieves “did not penetrate the brokerage firms’ infrastructure or security systems”.  If I were one of the 30-40 victims, I would certainly take issue with that statement.  The thieves made off with $732,941, the brokerages spent $2,000,000 making victims whole (no, the math doesn’t make sense to me either; must be some “hush-type” money involved, eh?), the attackers likely have lots of personal identity information on these same victims, and there wasn’t a penetration of the security system?  Really?!  Or is he saying this is how they designed their security system to work?

The third tie-in: fraud detection is a great thing, but it is lousy all alone as a security system.  Did you only install motion detectors in your house when you installed your security system?  Didn’t think so.  Time to add a truly strong perimeter, i.e. strong authentication, to your defense-in-depth strategy.
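As an added example (not the author’s code, nor any vendor’s product), here is what that layering looks like in Python: a TOTP second factor (RFC 6238) is checked at login, so a stolen password alone is refused, and a behavioural rule set runs behind it to flag an order fitting the penny-stock pattern from the Chronicle story.  The account record, baseline figures and thresholds are constructed for illustration; the TOTP seed is the RFC 6238 test vector.

```python
# Added example (not from the original post): a login that requires a second
# factor in front of the fraud-detection layer, so a stolen password alone does
# not get an attacker in, and an out-of-pattern trade still trips a rule behind it.
# Account data, rules and thresholds below are constructed for illustration.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second counter."""
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus/minus `skew` windows of clock drift.
    Every candidate is compared in constant time; the loop never exits early."""
    counter = int(now // step)
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        ok |= hmac.compare_digest(hotp(secret, c, len(code)), code)
    return ok


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash so a leaked database is not a leaked password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account: a salted password hash, a TOTP seed, and a trading baseline.
SALT = b"constructed-salt"
ACCOUNT = {
    "user": "victim",
    "pw_hash": password_hash("correct horse", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test seed
    "usual_symbols": {"MSFT", "IBM"},        # tickers this account normally trades
    "avg_order_usd": 2_000.0,                # historical average order size
}


def login(account: dict, password: str, otp: str, now: float) -> bool:
    """Layer 1, the perimeter: both factors must check out.
    A phished or keylogged password on its own is refused."""
    pw_ok = hmac.compare_digest(password_hash(password, SALT), account["pw_hash"])
    otp_ok = verify_totp(account["totp_secret"], otp, now)
    return pw_ok and otp_ok


def fraud_flags(account: dict, order: dict) -> list:
    """Layer 2, behavioural detection after login. Flags the pump-and-dump shape:
    an unfamiliar low-priced ticker bought in a size far above the account's norm."""
    flags = []
    notional = order["qty"] * order["price"]
    if order["symbol"] not in account["usual_symbols"] and order["price"] < 5.0:
        flags.append("unfamiliar penny stock")
    if notional > 5 * account["avg_order_usd"]:
        flags.append("order %.0f USD is >5x the account average" % notional)
    return flags


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the valid 6-digit code at this instant is 287082
    print("password only:", login(ACCOUNT, "correct horse", "000000", t))   # False
    print("password + OTP:", login(ACCOUNT, "correct horse", "287082", t))  # True
    print(fraud_flags(ACCOUNT, {"symbol": "XYZQ", "qty": 10_000, "price": 1.5}))
```

The ordering is the point: the fraud rules never see the attacker’s order if the perimeter holds, and if the rules are too crude or the attacker stays inside the baseline, the perimeter has still cost them a second factor rather than just a phished password.  The two rules here are deliberately simple; a brokerage would tune them against its own trading history.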

These are all obvious things really, but the last, and actually most important, thing I’d like to tie in here is:

Can we please quit playing the “educate the end-user” card?  This can no longer be proffered by serious security professionals as a prominent part of a security plan.  I would actually argue it is exactly the lack of a plan that leads to this being plied as a significant e-commerce security component.  I’m reminded of my favorite line from my favorite B-movie, Tremors.  While running for their lives from the monster, Kevin Bacon asserts “I have a plan”, to which Fred Ward replies, “Running isn’t a plan, running is what you do when a plan fails!”.

Please go back and revisit the list of victims in Brian Krebs’ piece on the password thieves.  So only one of them is a computer security professional from IBM, but these aren’t exactly Ma & Pa Smith online bankers either.  Do I have anything against Ma & Pa Smith?  Of course not.  On the contrary, Ma & Pa Smith are the realization of the adoption being sought.  Get everyone onto the presumably low-cost online channel (low cost once you quit paying “make the customer whole” settlements, anyway).  If we can’t provide an environment where even arguably “educated” consumers, such as these, can safely and confidently transact, what hope is there of getting the timid, the paranoid or the just plain “newbie” to come join us?  By the way, at this point, aren’t they only showing properly rational behavior, given the identity theft and account compromise coverage they see and hear daily?

We need to give our current and would-be customers a security environment that protects them not only from the thieves, but from themselves and from the complexities of their computing environment.  Customers shouldn’t have to hold an associate’s degree in computer security and maintain a “25 best practices” list to get online and get something done.  We need to give them secure tools properly designed to be “user-proof”, attacker-thwarting and still simple to use.  I know that for me, this is the starting point of all design discussions in my particular arena, strong authentication and digital credential issuance.  How about where you ply your trade?


Who is Hahleq?

Sunday, March 4th, 2007

Both of you who have read this blog thus far may be wondering what the picture in the upper right corner is, as it obviously isn’t a picture of me.  Also to the right, in the Blogroll, you’ll see a link to “Hahleq’s Hideout”, a web page of mine that is generally neglected but does provide a few links to other interests of mine.  The picture of “me” is actually the picture I use for my Xbox Live persona.  Basically, except for business communications, if you want to find me on any forum, just look for me as “Hahleq”.

So the obvious answer to the question posed in this post’s title is: Hahleq is my online alter ego.  So the next question is, why bring that into this forum?  The answer should be obvious and transparent.  This blog is about identity, and Hahleq is one of my identities.  I have used this identity online now for over 10 years.  There are a lot of people I frequently correspond with, in various forums and across various interests, who know “me” only as Hahleq.

Clearly, I’m not doing this to try and mask who I really am, as a couple of quick links around and some use of Google would reveal that the “real world” identity of Hahleq is actually Tim Renshaw.  It is interesting to consider, however, that for many of those who know me only as Hahleq, what would the revelation of my real name really gain them?  What they think of me and how they relate to me is established by our historical interactions.  We generally refer to this as reputation.

Sure, they might feel differently on finding out my age, my career pursuit and background, my marital status, my geographic location, etc., but this is generally immaterial to the context in which I currently interact with them.  These relationships range from very shallow to relatively in-depth.  Of course, many of these folks are also known to me only by their online nom de plume (sorry, as a blogger, I feel incented to occasionally use needlessly intellectual phraseology) or screen name.  This is where the idea of anonymity comes into play.

I’m obviously not revealing any novel or earth-shattering concepts here, but these concepts lie behind so many discussions I’m having lately, across so many seemingly disparate online venues, that I need to put some of these thoughts on a page.  Strong authentication, validated identity, reputation, anonymity, privacy, verifiable assertions, etc. come up across everything from the very business-oriented forums, such as online banking, brokerage, e-commerce payment and digital content controls, to the seemingly less serious (that’s in the eye of the beholder or partaker, though, no?) community forums, ranging from social networks of all types to online video gaming on the PC and on the various consoles, both handheld and in the home entertainment center.  You can check out my thoughts on how important identity is for me, and I suspect for many others, over at my purely gaming-related blog at GameSpot in this particular post.

What are your various online identities and how do you view their value (i.e. why use an avatar)?  Or do you forswear such schemes and use your real name everywhere?  If so, why?