HP Spying on Their Board
If you’ve not been paying attention, HP’s Chairwoman hired private investigators who lied their way to the phone records of board members and journalists. HP then lied to the SEC about why Silicon Valley eminence Tom Perkins resigned from the board, and Mr. Perkins, being a standup guy, called them on it. If you haven’t read “Tom Perkins’ Letter to The Directors of the Hewlett-Packard Company,” it is worth doing so, and noting the bit on page 3, where AT&T explains that the last 4 digits of Mr. Perkins’ SSN were useed to authenticate some caller impersonating him.
One of the neat things about working at Microsoft is the steady stream of very smart people who happen to wander by my office. Friday, Niels Ferguson dropped by, and we had an interesting conversation about the case. In the course of it, we happened onto this topic, and through the conversation, got to the question, was AT&T negligent in using the last four digits of the SSN as an authenticator?
As Pete Lindstrom enjoys pointing out, hundreds of thousands of people have access to your SSN in their jobs. AT&T, who used to employ one or two competent security people, ought to have known this, and done better. That’s clear to any security professional whose neurons are firing. The question I’d like to ask is, would a court be convinced?
It may not be necessary for a court to be convinced. It may be sufficient for the FCC to be convinced. The FCC is talking to AT&T now and asking some pointed questions about how this happens.
Last night on Marketplace, a law professor (sorry, I forget whom) said that the solution may be to notify people by snail mail and email when their basic parameters change. Other industries do this, and it’s an effective way to create hard-to-beat detection.
His other good point was that this was wire fraud, and should be treated as such.
Think of it this way: if it was a small-nothing-nobrand company doing it, and someone lost their job and privacy was breached and all that sort of stuff, then, yes, they would be negligent, they’d be sued, wire fraud and all.
Because it’s AT&T, people aren’t likely to call them on it. The same thing happened in the recent Sony case — too big to be treated as a wrongdoer. And, that’s what the Chairman was relying on, HP being too big to be wrong.
Perkins presumably called the HP board on it because of his need to preserve his future employability on boards, but he isn’t likely to sue AT&T for their part. The only reason the FCC is interested now is that it hit the papers. Every security player in the business has been building these systems forever, but they know which side their bread is buttered on.
The clients pay the bills, so they are innocent. AT&T is a client and a victim. Anyone else is a suspect.
Until there’s a law on the books that says you’re not allowed to require people to authenticate themselves by supplying an SSN, this is going to happen again and again. I doubt that’s going to happen, though, because people constantly confuse identification (telling one individual apart from another) with authentication (validating who they say they are for the purposes of granting them access to something). The default has been to use the SSN for both purposes rather than separating them. Companies can’t stop using it. If they feel bad about using it, they convince themselves that just limiting it to the last 4 digits isn’t so bad — and that’s how you get to where AT&T is now.
I just posted a reply on my blog, its a bit long for a comment. I don’t think that a case against ATT would be likely to work given how widespread the practice is.
The question I would like to see an answer to is what other controls were in place. Where were the records sent out to? Was a letter sent to the original billing address to provide notification that it had changed?
We could do the usual thing here and just gripe about ATT but what could be done to eliminate the problem? Telephones do provide a fairly good means of authenticating a line user. Its not like there is nothing to work with here.
http://dotfuturemanifesto.blogspot.com/2006/09/more-hp-fallout.html
Phill,
Since I need an account to respond to your blog, I respond here:
The cost of an effective control is low: Mail me a password with the first physical mail you send me. Require it for future action. If I don’t have it, mail another one. Optionally, fedex it at my expense.