Who Are You, and Who is that Woman?

A few weeks ago I found myself in the rather odd position of not being able to prove who I am. At the time I was talking to a company of which I had been a loyal customer for the better part of fifteen years. And they didn’t believe me when I said I was me.

Unsurprisingly it was a credit card company. They’d (helpfully) flagged recent transactions on my card as being suspicious because I’d gone from buying gas in my usual location one day to buying groceries on a small island some 1,500 miles away the next day.

And boy did it take a long time to convince them that it really was me. The usual question and answer session “Mother’s maiden name? Zip code? etc.” did nothing to help – in fact it wasn’t until my wife vouched for me that they finally relented. 

(Note to credit card thieves everywhere – have a credible female partner.  Apparently it works wonders.)

A few days later I spotted this interesting news piece coming out of Black Hat in which the BBC reported on a proof of concept approach to spoofing iris scanners. The fact is that proving we are who we say we are is getting harder and harder. And it’s also clear that current approaches probably won’t scale to meet the challenge, or will simply become unusable over time.

My experience with the credit card company is a perfect example of the creaking, duct-tape nature of identity approaches.

The whole basis relies on the fact that there are certain things (mother’s maiden name, social security number, my pet hamster’s favorite color, etc.) that are known only to me. Except, of course, they aren’t. Because if companies/organizations want me to prove myself to them, then they need to know the answers to these security questions too. And the more people who know them, the less secret they become.

I can’t guess how many databases store “secret” things about me already. Nor how many people have access to them. And this is pushing online authentication to ask for ever-more esoteric facts such as the color of my first car, or favorite teacher in first grade. “Color of my first car? Favorite teacher in first grade?” Even the very things that make me physically unique, apparently, such as the 5,000 data points that define my iris, are entirely up for grabs.
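One way a relying party can check a security-question answer without holding it in the clear, as an added example that is not code from the article: it keeps only a salted, stretched hash of a normalized answer, which narrows what a breach of that one database leaks, though it does nothing about answers that are guessable or already known to every other verifier. The normalization rules and the PBKDF2 work factor are assumptions made for this example.

```python
"""Verify a security-question answer without storing the answer itself."""
import hashlib
import hmac
import os
import re
import unicodedata

# Assumption: work factor chosen for this example, not a value from the article.
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents, drop punctuation and whitespace.

    Assumed rule so that "O'Brien", "o brien" and "OBRIEN" all verify;
    it deliberately does not fix low-entropy answers, it only avoids
    lockouts caused by trivial spelling differences.
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[\W_]", "", text.casefold())


def enroll_answer(answer: str, salt: bytes = b"") -> dict:
    """Return the record to store: per-user salt plus hash, never the answer."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode(),
        bytes.fromhex(record["salt"]),
        PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: the maiden-name style question the article describes.
    stored = enroll_answer("O'Brien")
    print(verify_answer(stored, " o brien "))  # True
    print(verify_answer(stored, "Smith"))      # False
```

Even with this in place, the article's point stands: the verifier is one more party that can be phished or breached, and a maiden name is still a maiden name.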

The problem we face, and it’s a problem we must come to terms with quickly, is that without some authoritative source of proof of identity, everyone is duplicating the same effort, and frankly, headed at full tilt down the same dead-end street. Businesses already face this challenge with their own employees – trying to manage an increasingly mobile, interconnected, and distributed population of people, systems and services. As most discovered, the only way to do it was to bite the bullet, centralize and automate the management of identity, and enforce some kind of process to keep it all aligned. The real question, though, is how does that scale out to the chaotic and occasionally corrosive public internet?

I need to prove I am who I say I am if I want to do business with you. But if the very process of setting up that trust relationship reduces the value of that trust (by further proliferating the very secrets that are supposed to be, well, secret) then anyone can see something has to change, and fast. Managing the trust between two parties is central to the very idea of commerce, and yet is implemented in an entirely ad-hoc manner on the primary vehicle for business transactions – the internet.

Perhaps the only answer is to have some central, authoritative organization step in and control the whole thing – some supra-governmental body that owns and defines identity wherever it exists.

Then again, maybe that’s even worse.
