Shostack + Friends Blog Archive

 

Choicepoint Won't Benefit from Bank of America Leak

I wasn’t going to blog on BofA‘s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on:

In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to get over the finger pointing. That may mean we have to go through several ChoicePoints, if only so that it can become routine and not scandalous. Bank of America is thus timely and expected; although I don’t think anyone else is likely to see it that way.

Ian is right about this: We need more routine disclosure of security incidents. We need to know what caused them, what mechanisms were used to get in, and how they were detected, so we can learn from them. This will be a slightly painful transition, but most companies with security issues are not facing a Choicepoint-scale scandal.

There’s an important reason that Choicepoint and BofA are different in the consumer’s mind. Everyone affected by this is carrying a BofA card in their wallet. They understand that BofA knows about them. In contrast, most of the stories on Choicepoint had to start out by explaining that this company exists, to spy on Americans, and oops, they can’t keep track of their own customers. Choicepoint has also managed to totally mangle their public relations because of their orientation and world-view. I’ll say more about that shortly.

Therefore, Bank of America, Maxxpay PayMaxx, and anyone else who’s releasing their 1386 notices this week aren’t really going to draw heat from Choicepoint. They’re still going to be the focus of the story.

[I have lots more on Choicepoint, visit the main page, or the February archive.] [Update: I said Maxxpay, because I hadn’t had enough coffee when I wrote this.]

14 comments on "Choicepoint Won't Benefit from Bank of America Leak"

  • Iang says:

    I don’t mind being wrong on that point 😉

  • Bank of America loses 1 million customer records

    How secure is you information? You would think that banks would have strict security measures, but aparantly Bank of America doesn’t pay attention.

  • As I understand the BofA ‘scandal’ they shipped backup tapes and were lost in transit. Makes me wonder if they were encrypted and how serious this problem really was. (I suspect the worst in this case however.)
    I see the long term solution to this problem in making the exposure of this personal information irrelevant. As an industry we need to devote more effort into this area rather than trying to put out the fires as a result of our broken model.

  • adam says:

    I agree that we need to stop firefighting, but I think we need to get there by not storing personal information, rather than making it’s disclosure ‘irrelevant’ somehow. Privacy is important for reasons which go beyond the practical business issues. See http://www.emergentchaos.com/archives/000799.html (for example), or Schoeman’s work on privacy and autonomous thought.

  • No disagreement from me. The personal information I am referring to is the stuff that enables identity theft.
    The private or personal stuff is a different matter (exposure can be embarassing or even disastrous for us, such as resulting in loss of livelihood).
    As users and consumers we need to be wary of what we expose – things like SSNs should be unimportant to us. Things we are passionate about and controversial or damning… (makes me wonder about revealing tools like de.lici.ous)

  • adam says:

    I’m going to be pedantic for a moment–my SSN doesn’t enable identity theft. The decision of businesses to accept poor authenticators does. That decision is enabled by the (strange) assignment of liability to those who aren’t involved in the transaction, which we term identity theft.
    We should think clearly about such things, because we’re about to see laws passed.

  • There have been few (if any) good alternatives in the US to using poor authenticators.
    When some readily available good authenticators hit the market businesses should flock to them.
    Our difference may be in the definition of identity theft. You call it assignment of liability. I consider it a lack of proper identity credentials which can be recognized nationally or internationally AND electronically. My identity can be stolen in this country because it is very easy for people to assume my identity with small bits of trivial information.
    SSN was never meant to establish identity. Licenses at best prove that you are certified to drive a car in some state. Passports are the closest we have and don’t work well online (yet?).
    Perhaps it is fruitful to think of this philosophically – what is my identity? It is me in the flesh (and legally probably only when I am of sound mind). So if we use something like our DNA as a ‘primary key’ – then nothing else really matters when it changes… I can change my name, my appearance, my gender, my driver’s license, my SSN, my passport. Once I have an identity card with my unique signature – then I could go to a clinic to bind that signature (DNA sample) to an electronic signature (digitial cert) which I can have revoked if compromised (or SSNs, or licenses, or passports, or credit cards).

  • Great thread… stuff keeps popping up when I read your comments…
    On privacy – artists needs to make the same choices – how much of themselves do they want to reveal? In a painting, in a poem, in song… opens them up for devastation.
    So having mechanisms for protecting anonymity within a secure system are important. I like where the Freenet project is going (see sourceforge) people can choose to publish in complete privacy. Or we should be able to conduct transactions with complete authentication.

  • My kids' Dad says:

    How are we identified?

    I wrote a post on three security incidents and want to elaborate a little on the differences between the three. First the ChoicePoint scandal wasn’t a technical hack, it was a disclosure of personal information as a result of business

  • Adam says:

    First, let me say that I hate what you’re making me do, which is to whip out my security curmudgeon card. Making identity-centric infrastructures work is really, really hard. At the same time, the human brain seems to be hardwired to think in terms of identity and people, so making identity-free infrastructures work is even harder. (Stefan Brands at IDCorner offers some ways to untie this knot.)
    I leave DNA everywhere, in hair, skin flakes, and perhaps other ways. (Saliva?) Duplicating that DNA will be cheap and easy, if its not already. Anyone with your DNA must be you. It’ll be the SSN problem, cubed.
    I pretty firmly come down on the side of we all have lots of identities, and that those identities are mostly cheap and easy to forge. “The Stu whose kids my kids play baseball with” is a great identifier, as is “The Mike I play poker with on Tuesdays.” Both work for what I need them to work for (which is examples in a comment.) Neither is secure. Neither is valuable to spoof. The more you make a system rely on any identifier, the more valuable it is to spoof.

  • Didn’t mean to get you so worked up…
    I am trying to explore different options, since the same old tired ones seem to consistently yield the same results.
    (Make laws which can’t keep up with technology, then complain about how bad the laws are.)
    DNA seems to be both an ideal identifier (about as unique as needed and permanent) and a perfect authenticator (I am my DNA).
    I don’t doubt that the work involved in creating infrastructure to support this is difficult, but it also seems that a lot of the backend work (the science of encryption, PKI, smart cards, etc) is well developed.
    Just possessing a scrap of my DNA is not an adequate authenticator and systems should not be built around that concept. I am in no way suggesting that we use a biometric reader to check DNA to authenticate a transaction.
    Let me give you a scenario that will better describe what I propose:
    1) You possess a credit card sized ID card with a smart chip that has your “digital signature”. The digital signature is a combination of your numeric representation of your DNA and a digital certificate issued to you.
    2) You go to the store and offer your ID into a card reader that validates it’s authenticity by ensuring that the digital certificate has not yet been revoked. The hash of your DNA ‘number’ identifies you.
    3) If you lose your card, you revoke the digital certificate and reissue the card with a new digital certificate.
    At this point we no longer care what your name is – you can use any name, or many names or none.
    You are able to spoof my “DNA number” but once the issue comes to light it is a simple thing to go to a ‘certified’ clinic and prove that I (the complete human breathing body) am the true holder of that DNA. Just having my DNA would not be enough to establish credentials, the certification process pairs up my identity with my credentials.
    Help me understand why this is not a good model.

  • Pete says:

    “The more you make a system rely on any identifier, the more valuable it is to spoof.”
    I think you are saying “the more systems that rely on the same identifier, the more valuable it is to spoof.” Sure, but it is not the reliance that provides the spoof value. (Think of information portals that federate identity for hundreds of sites to constantly serve up content that is heavily-reliant on the pseudonym I have created vs. a single system with $1,000,000 credit line.)
    No, the reason the identifier is more valuable to spoof is because of the value it provides access to, which is why authentication is so important. the reason a common consumer identifier for financial transactions is so useful is that it provides a credit history. Otherwise, you are stuck in a “Memento”-like world of first impressions and higher rates. More valuable to spoof, sure, because it provides more value to you as well.
    Your examples are great if you are promoting a National ID card (you aren’t are you? ;-)). Because they don’t actually work unless/until the person reading this blog knows Stu, his kids, your kids, and where the baseball field is; and has attended your poker games and met Mike or was introduced specifically to him by you.
    But we lose all that online, right? So, in the physical world they may be fine under these restrictions, but they are worthless online.
    re: Identity-centric infrastructures are hard? Better tell every single organization in the world with computers, because ALL of their infrastructures are identity-centric.

  • adam says:

    Actually, the point of those examples is that we identify people in some very localized ways very regularly. As far as I recall, Stu and I have never met.
    As to ID-centric infrastructures, if your claim was correct, I’d login to each system the same way. I’d have an identity and an authenticator, and I’d use it for intranet, mail, ERP, and my local unix login. Unfortunately, I have a bunch. Which is why, at RSA, there were all sorts of identity management systems vendors. Since there were lots of them, its clear to me that there are lots of systems, each of which has its own version of my identity, and they’re fragmented.
    Now, I’ll agree that that makes an argument for a single ID system being a nice thing. I’ll also agree, and hope you will, that that argument is superficial, and that the tradeof we get is that a single attack can’t own all those systems with my password. (Which is Tinkerbell.) Each attack requires guessing a username and password. Also, all that fragmentation is within an organization. Making the organization more, err, organized, is a fine goal, and makes more sense than trying to organize the entire country along a single system.

  • @Adam
    We haven’t met but I will say hello when I get the opportunity to have the pleasure to meet you. 😉

Comments are closed.