April 10, 2005

Penny Chat

I hadn't noticed this before, but the new beta of version 9 of PGP's product includes AIM chat protection. I guess this means that even though the PGP Inc. people don't agree with me that email is dying, a hedge isn't a bad thing.

Mozilla security is back in the news with a $2,500 bounty for Firefox flaws. I think this is a good idea. Research I'm working on indicates a dramatic need to improve information (as opposed to acquiring information from asymmetrically informed parties, which I reject), and this is one way to do it.

Speaking of paying for stuff, it seems that the top price for your social security number (if you are an American) is $45. That sounds high to me; there are obviously going to be deals for bulk work.

It's $35 at www.secret-info.com. It's $45 at www.Iinfosearch.com, where users can also sign up for a report containing an individual's credit-card charges, as well as an e-mail with other "tips, secrets & spy info!" The Web site Gum-shoes.com promises that "if the information is out there, our licensed investigators can find it."

"The current system has the worst of all worlds," Solove said. "Anyone can easily find it [the Social Security number] out . . . It's used everywhere, and it's really hard to change if it falls in the wrong hands. How could you come up with a worse system?"

Yes, I'd agree. In fact if we all sat down and tried to design a worse system, I'm not sure we could. Why is that?

An unusual claim: are people naturally doing mental double-entry bookkeeping? An article suggests that they are. I'm not so sure I'd go that far, but it is food for thought. Note that the article does not cite any primary research, and the interviewee's site lists only older papers:

In closing, more research saying "you should buy our 2-factor doobelackie."

Published: 01/04/2005 00:41:00

Banks urged to act on Net security fears

Banks must act "urgently" to tackle Net user security fears if they are to retain and attract customers to cheaper online channels, says Forrester.

In a survey of more than 22,000 Europeans, Forrester found that just 30% of Internet users are confident of the security of personal financial information, like credit and debit card numbers, when used to make transactions online. Two-fifths of the European Net users who don't use online banking say they don't because they worry about security.

Benjamin Ensor, senior analyst, financial services at Forrester says: "Consumers' deep-seated security fears remain one of the biggest barriers to online banking use in Europe, particularly in countries like Italy, France, and the UK, where two-factor online banking authentication is rare or unknown. The more confidence Net users have in security, the more likely they are to bank online."

The analyst group says that banks should look to educate Net users about security precautions, not let usability fears compromise security, deploy or strengthen two-factor authentication "urgently", and collaborate rather than compete on security.

Finextra Research 2005

It is amazing what research you can buy in an open market.

Posted by iang at April 10, 2005 09:37 PM

Biometrics are even harder to change than your social security number. If you're looking for a system which is worse, biometrics look very promising.

Posted by: Florian Weimer at April 9, 2005 04:01 PM

The problem with the SSN is not that it's out there or that it's hard to change it. The problem is with treating it as though it is secret, when it is not. Your name is out there, and it's pretty hard to change it, but that is not considered a security problem. Imagine if banks made loans to someone just because they claimed to have a particular name. Would everyone suddenly focus on names as the problem, and talk about how important it was to keep them secret? No, the problem is with a policy of making loans and opening accounts based on treating public information (the SSN) as though it is private.

Biometrics are completely different. They are public and unchangeable, true. But the point is that they are much harder to fake. Anyone can recite someone else's SSN or name. But to fake someone else's biometric is hard, especially if it is being done in front of a human observer. Properly constructed, biometrics do not have the dangers of information-based identifiers like SSNs.

One problem with biometrics is that they can't be reliably used for online identification. The technology is not there, and may never be there, to create an unfakeable remote biometric sensor. This means that any identification which requires biometrics must be done in person. But that's fine. That's reality. The physical world is fundamentally primary and the information world is secondary. We should recognize that reality in designing our information security systems.

Posted by: Cypherpunk at April 11, 2005 02:01 PM
