Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Last Four is Foolish

April 5, 2018 By Doug

I keep running across companies that still, in 2018, are using the last four digits of SSN or mother’s maiden name as an authenticator.  We have 170+ million reasons why that’s a bad idea, and yet it persists.  That’s beyond inertia, past laziness, and nearly into negligence territory.  It’s time to end the practice of using easily discoverable information as an authenticator – especially those two, and especially to set up or validate new accounts.  It’ll take everyone working together to kill off this terrible practice.

If you are a customer of a company that does it, ask to set a password on the account instead (then call later and check to make sure that they actually enforce it!).  If they don’t allow you to do that, or fail to enforce it, then get on social media and shame them.  One company I use will let you do it, but they’ve created a massive barrier – they let you create an insecure authenticator over the phone or online, but require a time-consuming in-person visit to use a secure one!

If you’re a developer and asked to write code to implement SSN-based authentication, push back.  If you’re the business analyst who wrote that requirement, change it.  If you’re the executive who approved the requirements, unapprove it.  If you’re the QA engineer who tested a system that uses it, fail it.  If you’re a security professional, launch a project to remove it from legacy systems.

If you’re an auditor reviewing a system that uses SSN like this, fail them.  If you’re a regulator defining acceptable practices, ban it.  If you’re a congresscritter, outlaw it.  Everyone, everywhere, needs to push back on this outdated, dangerous and lazy approach to security.

For new account setup, knowledge-based authentication (KBA) has issues (particularly after the recent breaches), but it’s still better than a raw SSN.  For existing accounts, two-factor via SMS isn’t perfect, but it’s better than single-factor; or use out-of-band delivery (e.g. US Mail) to send a 6+ digit random PIN code.  Or use one of the many other alternatives that don’t rely on the single most targeted and compromised piece of personal information in existence.
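To make the contrast concrete, here is an added example (not code from the post): a stand-in for the static “last four” check the post argues against, beside the out-of-band random PIN it recommends, with the expiry, attempt limit and constant-time comparison a practitioner would expect. The account id, the on-file value, the SHA-256 at-rest hashing and the 6-digit/10-minute/3-attempt parameters are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample data: one account whose "last four of SSN" is on file.
WEAK_ACCOUNTS = {"acct-1001": "6789"}


def weak_last_four_check(account_id: str, supplied_last_four: str) -> bool:
    """The practice the post calls foolish: a static 4-digit value (keyspace 10**4)
    that is widely leaked and can never be rotated after a breach."""
    return WEAK_ACCOUNTS.get(account_id) == supplied_last_four


class OutOfBandPin:
    """Random one-time PIN delivered over a separate channel (SMS, mail).
    Stored only as a hash, expires after ttl_seconds, locks after max_attempts."""

    def __init__(self, digits: int = 6, ttl_seconds: int = 600, max_attempts: int = 3):
        self.digits, self.ttl, self.max_attempts = digits, ttl_seconds, max_attempts
        self._pending = {}  # account_id -> (pin_hash, expires_at, attempts_left)

    def issue(self, account_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        pin = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[account_id] = (hashlib.sha256(pin.encode()).digest(),
                                     now + self.ttl, self.max_attempts)
        return pin  # returned only so the caller can hand it to the delivery channel

    def verify(self, account_id: str, supplied: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        pin_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(account_id, None)  # expired or locked: force a re-issue
            return False
        ok = hmac.compare_digest(pin_hash, hashlib.sha256(supplied.encode()).digest())
        if ok:
            self._pending.pop(account_id, None)  # one-time: consumed on success
        else:
            self._pending[account_id] = (pin_hash, expires_at, attempts_left - 1)
        return ok
```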

Security is the poster child for continuous improvement – let’s make it better tomorrow than it is today. Retiring the ‘last four digits of your SSN’ is a darned good first step.

Filed Under: Security Tagged With: authentication, authenticator, fool, KBA, maiden name, security, ssn

Friday Photo – Hound in the Snow

March 30, 2018 By Doug

We lost Truffles this week.  He was our sweet springer spaniel, a two year old heart in a 13 year old body.  Feisty and sweet, easy going and fierce.  Our cats are sleeping on the dog bed, waiting for him to come by to snuggle, and our golden is running upstairs to find him (and then promptly forgetting about it and bringing down a shoe instead).  I’ll miss him on the cold winter days when he’s not there to warm my feet under the desk.  Rest in peace old friend, and don’t chase too many squirrels.

Filed Under: Photography Tagged With: colorado, friday photo, partings, snow, springer spaniel, truffles

I’m shocked – shocked that Facebook sells data (not)

March 27, 2018 By Doug

There’s been a lot of commentary about Facebook selling data to third-party companies over the past week or so.  The distaste is understandable, but no one should be surprised.  Just who do folks think Facebook’s customers are?

There’s a common refrain in the privacy community: if you’re not paying for it, you’re the product, not the customer.  Or, to put it another way, follow the money.  This article is posted to my blog, free for all, with no tracking.  It’s tweeted about and also posted to LinkedIn, which both definitely track you (I don’t, but they do).  If you’re reading it on the latter, you’ve probably now been ‘tagged’ as ‘Facebook, social media, privacy, LinkedIn’ and a bunch more.  That information is sold to advertisers and data brokers – and that’s how those companies make their money.  Both social media and credit agencies take as much care with your personal information as its value to them warrants, not its value to you.

Social media is a powerful force, which is why I participate on certain platforms (selectively).  It’s why I urge people to be very cautious about how and what they share – those platforms never really forget anything.  Of course political campaigns want access to that information, and if they’re going to sell it to one side, they ethically need to sell it to both.  Rhetorical question: would there have been as much outrage in the media if the data broker had been working with the Hillary campaign instead?

All that aside, no one should be surprised that this happened.  That’s how Facebook, Google, Twitter, LinkedIn, and all the rest make their money.  It’s also why I use Apple products when practical – while Apple collects some data, their business model doesn’t involve exploiting their customers’ data.  I’m glad that the market gives me a choice – at least on the platform side.  Right now though, there’s no option on the social media side.  I’d like to see those platforms create a ‘paid private’ option that allows access but completely opts the user out of all tracking (even allegedly anonymized tracking), but again, that’s their choice as a business.

I believe that information about a person belongs to that person, and that companies should only be custodians – not owners – of that information.  If that were placed into law, it would then require affirmative opt-in consent before each and every time it was transferred or sold.  Of course, that won’t really happen because it’d break the business model of most of the Internet.  So what can we do?  Something along the lines of GDPR coupled with a ‘plain English’ statement of how and where information is used and sold would go a long way, but even that will be hard.  Maybe eventually our congresscritters will pay attention to the individual instead of the lobbyist. Until then, all we can really do is control what information we share, choose the platforms we participate in, and make sure we read the terms and conditions.

And don’t be surprised.

Filed Under: Security Tagged With: data broker, facebook, privacy, security
