Banks issue 2 factor auth

There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues.

While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at-the-moment crime, which will be easier to catch, but work by Amir Herzberg and Ahmad Gbara or Ian Grigg demonstrates how to solve the problem. (Having the browser remember certificates could also help.) For what banks will spend to ship and support these ID tokens, they could fix the browsers, and require upgrades, like they used to for 40-bit SSL.

If you’re going to use a token, it’s worth considering something like the WiKID ones, which are mobile-phone based.

Oh, wait, I’m repeating myself. Dang.
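The point above, that a token code can be relayed to the bank the moment the customer types it, while an answer bound to the site the browser is actually talking to cannot, is easy to see in a few lines. This is an added illustration, not code from the original post or from any bank or token vendor; the origins, the token secret and the six-digit code derivation are all constructed for the example.

```python
"""Added illustration (not from the original post): a one-time code proves
possession of the token and nothing else, so it survives being forwarded;
a response computed over the origin the client actually sees does not.
All names, origins and values below are constructed for the example."""
import hmac
import hashlib
import secrets

BANK_ORIGIN = "https://bank.example"              # constructed: the real site
LOOKALIKE_ORIGIN = "https://bank-example.test"    # constructed: a site the user was lured to


# --- Token-style one-time code: depends only on the shared secret and a counter ---
def otp_code(token_secret: bytes, counter: int) -> str:
    """HOTP-like six-digit code (simplified; constructed for the example)."""
    mac = hmac.new(token_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def bank_verifies_otp(token_secret: bytes, counter: int, code_received: str) -> bool:
    """The bank has no way to tell where the code was typed."""
    return hmac.compare_digest(otp_code(token_secret, counter), code_received)


# --- Origin-bound response: the client signs the origin its browser shows ---
def client_signs(token_secret: bytes, challenge: bytes, origin_seen: str) -> str:
    """The answer covers the challenge AND the origin the client is talking to,
    which is the kind of binding a certificate-remembering browser can give."""
    return hmac.new(token_secret, challenge + origin_seen.encode(), hashlib.sha256).hexdigest()


def bank_verifies_bound(token_secret: bytes, challenge: bytes, response: str) -> bool:
    """The bank recomputes over its own origin; a response made elsewhere fails."""
    expected = client_signs(token_secret, challenge, BANK_ORIGIN)
    return hmac.compare_digest(expected, response)


def relay_scenario() -> dict:
    """Model the real-time relay the post predicts: whatever the user enters at
    the look-alike site is forwarded, unchanged, to the bank at once."""
    token_secret = secrets.token_bytes(20)
    counter = 7

    # 1. One-time code: typed at the look-alike, forwarded, accepted.
    typed = otp_code(token_secret, counter)
    otp_relayed = bank_verifies_otp(token_secret, counter, typed)

    # 2. Origin-bound: the challenge is forwarded to the user, but the client
    #    signs over the origin it really sees, so the forwarded answer fails.
    challenge = secrets.token_bytes(16)
    answer_at_lookalike = client_signs(token_secret, challenge, LOOKALIKE_ORIGIN)
    bound_relayed = bank_verifies_bound(token_secret, challenge, answer_at_lookalike)

    # 3. Legitimate use at the real site still works.
    answer_at_bank = client_signs(token_secret, challenge, BANK_ORIGIN)
    bound_direct = bank_verifies_bound(token_secret, challenge, answer_at_bank)

    return {"otp_relayed": otp_relayed, "bound_relayed": bound_relayed, "bound_direct": bound_direct}


if __name__ == "__main__":
    print(relay_scenario())
```

The first result is the problem with shipping tokens alone; the second is what fixing the browser buys you, since the protection comes from the client knowing which site it is on, not from the code being hard to guess.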

More on SSNs and Risk

In writing about Delta Blood Bank earlier today, one of the issues I was thinking about was the unnecessary use of social security numbers, and how it’s an industry standard. One area where this is particularly evident is in the bifurcated market for cell phones. At one end are providers like Virgin and MetroPCS, who sell low-end, no-roaming plans. (Although, really, if you don’t need to roam, and can accept their poor network, MetroPCS’ $40 all you can eat nationwide is quite a deal.) At the other end are the nationals, such as AT&T or T-Mobile, all of whom insist on doing a credit check and using your SSN as a password after they’re done. Now, these companies do offer pre-paid, no credit deals, but they stink.

I’m trying to figure out why companies don’t let you buy whatever plan you’d like, on whichever system you prefer. There are minor technical difficulties, like running out of money on overage, but the advantages, which I’ll outline shortly, seem to outweigh them.

The first advantage is in cash flow. If a customer prefers to pre-pay, the company gets their money 60 days earlier. They don’t have to borrow that cash, and can earn interest on it. If all a company’s customers switched to paying earlier, then it would save 1/6th of its annual interest payments, and get interest on about the same amount of cash. (Assuming that the company holds the cash until it delivers the service.) That’s not chump change. Now, the accounting treatment may be a little different. (This is based on a conversation with Samablog, who knows more about accounting than I ever hope to. Errors mine.) That’s because selling accounts receivable is somewhat easier if you haven’t delivered service yet. If you don’t deliver, the bank doesn’t collect, but it’s also not liable for delivering anything. So you get a slightly better rate for the receivable than you do selling your pre-paid income stream.

The second advantage is in liability. If you’re not loaning a customer money, you fall under fewer rules like GLB (FISMA) or SB 1836.

The third advantage would be in privacy, meaning here perceived ID theft risk: by not asking for this information, it’s clearly impossible to abuse it.

One disadvantage is you can’t sell your customer’s personal information so easily. Does that compensate? Are there others? If not, why is no one doing this?

Delta Blood Bank

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud.

In addition to the letter…The blood bank will no longer require Social Security numbers from its donors…

No longer require social security numbers? Why were they required in the first place? Using social security numbers as an ID number (or password) has been a bad idea for a long time. As Chris Hibbert pointed out in 1994:

Database designers continue to introduce the Social Security Number as the key when putting together a new database or when re-organizing an old one. Some of the qualities that are (often) useful in a key and that people think they are getting from the SSN are Uniqueness, Universality, Security, and Identification. When designing a database, it is instructive to consider which of these qualities are actually important in your application; many designers assume unwisely that they are all useful for every application, when in fact each is occasionally a drawback. The SSN provides none of them, so designs predicated on the assumption that it does provide them will fail in a variety of ways.

Of course, the costs of that bad design were borne by customers, not the organization. Further, the SSN choice was a standard, and so hard to fight. Now, new rules like SB 1386 push some of the cost of that choice back where it belongs.

If your organization does business in California and collects, or over-uses, SSNs, now would be a fine time to talk about bad PR and other costs of doing business that way, and push to make a liability-reducing change.
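Hibbert’s point about uniqueness and universality, and the liability point above, can both be seen in a toy schema. This is an added example, not code from the original post or from Delta Blood Bank; the donor records and the table and column names are constructed for it. The SSN-keyed table is the design he warns against; the second table keys on a number that means nothing outside this one database and never collects the SSN at all.

```python
"""Added illustration (not from the original post): an SSN-keyed donor table
beside a surrogate-keyed one that does not collect the SSN.  Sample donors
are constructed; names and schema are mine, not the blood bank's."""
import sqlite3

# Constructed sample: one donor has no SSN (universality fails), and one
# donor's second visit was entered as a new record (uniqueness fails).
DONORS = [
    ("Ana Example", "123-45-6789"),
    ("Ben Example", None),               # no SSN on file
    ("Ana Example", "123-45-6789"),      # second appointment, entered separately
]


def ssn_keyed_design(donors):
    """The design Hibbert warns about: the SSN is required and is the key.
    Returns (rows stored, list of rejected rows with the constraint error)."""
    con = sqlite3.connect(":memory:")
    # NOT NULL is explicit because SQLite allows NULL in a non-integer primary key.
    con.execute("CREATE TABLE donor (ssn TEXT PRIMARY KEY NOT NULL, name TEXT NOT NULL)")
    rejected = []
    for name, ssn in donors:
        try:
            con.execute("INSERT INTO donor (ssn, name) VALUES (?, ?)", (ssn, name))
        except sqlite3.IntegrityError as err:
            # The database silently loses a donor it cannot key.
            rejected.append((name, ssn, str(err)))
    stored = con.execute("SELECT COUNT(*) FROM donor").fetchone()[0]
    return stored, rejected


def surrogate_key_design(donors):
    """Surrogate key, SSN never collected.  Returns (donor ids, column names).
    A stolen copy of this table carries nothing reusable at another institution;
    duplicate people can be merged by staff later instead of being dropped."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE donor (donor_id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)"
    )
    for name, _ssn in donors:          # the SSN is simply not asked for
        con.execute("INSERT INTO donor (name) VALUES (?)", (name,))
    ids = [row[0] for row in con.execute("SELECT donor_id FROM donor ORDER BY donor_id")]
    columns = [row[1] for row in con.execute("PRAGMA table_info(donor)")]
    return ids, columns


if __name__ == "__main__":
    print(ssn_keyed_design(DONORS))
    print(surrogate_key_design(DONORS))
```

Of the three constructed records, the SSN-keyed table keeps one and throws away two, which is the "fail in a variety of ways" part; the surrogate-keyed table keeps all three and, if the machine holding it walks out the door, exposes a name and an internal number rather than a credential every bank and phone company accepts.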


Ripping into ROI

Over at TaoSecurity, Richard Bejtlich writes:

‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, VP of security and risk strategies for META Group…

Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary of the numbers security ROI calculators crunch.
‘Bottom line is that most executives are frustrated and no longer interested in hearing this type of justification,’ Proctor says. Instead, express a technology’s or program’s business value, cost/benefit analysis and risk assessment.

Well, of course. ROI has enormous problems, including an assumption that the technology works out, that there’s an infinite pool of free capital to draw on, etc. Techniques such as economic value added allow you to take some of these into account. But the biggest problem is that quantifying the cost of a breach is hard. Without knowing what the alternative is (to reserve or insure), it’s hard to justify much security spending. Computerworld has a good story, “Where ROI Models Fail,” or see CIO’s “The Trouble With ROI” roundtable for more on these issues.

Anti-American Nuts Unfairly Accuse Military of Torture

[DOD interrogators presented themselves as FBI agents and…] These tactics have produced no intelligence of a threat neutralization nature to date and CITF believes that techniques have destroyed any chance of prosecuting this detainee. If this detainee is ever released or his story made public in any way, DOD interrogators will not be held accountable because these torture techniques were done by the “FBI” interrogators. The FBI will be left holding the bag before the public.

Except this time the Anti-American nuts work for the FBI. Read the ACLU-released memos, or see what various news sources have to say.

The problem(s) with ID cards

Europhobia nails the link between privacy and economics in the stupidity of the UK imposing national ID cards:

But usually what gets them is “what? I’ll have to pay eighty-five quid for this thing?”

No, Europhobia, they’ll have to pay 85 quid for the card, and another 10 quid in taxes for the backend database. (Figuring 60% of the UK’s 60M people pay taxes, and the £415m price being bandied about is accurate.)

Mac Sysadmining: Find missing man pages

After upgrading to Panther and installing X-Tools, several people complained that some unix man pages, specifically section 3 (standard library), are missing. For example, if you try:
  % man 3 strcmp
and get no man page, follow the procedure below:

  1. Remove /Library/Receipts/BSD.pkg/ (rename or delete)
  2. Insert Panther CD 1
  3. Install BSD package from Optional Packages directory

No reboot is required, and you will now have the missing man pages. Verify by trying man 3 strcmp again.

Stolen from Google’s cache of “”, because told me the page was gone.

Not Just A Good Defense

Michael Froomkin comments:

We vastly overestimated the speed with which non-techies would take up the toys; the growing and enduring dominance of one software platform that didn’t take up the toys; and especially the ability of the empire to strike back via both tech (trusted user) and law (DMCA and worse).

Some time about four or five years ago, somewhere around the Article 2B/UCITA fight, of necessity we switched to fighting defense instead of offense. And don’t get me wrong, that defense is important. But it’s still defense.

I’ve been mulling over this a little, and have several parts of an incomplete response.

The first part is that our decision cycle is shorter, and our actions are more diverse and challenging than those of the copyright cartel, who seem to choose a target, and sue them. And the reality is that, while those lawsuits are very annoying to those who are targeted, not a single type of technology has been suppressed by lawsuit. Napster’s gone, but a dozen replacements have shown up. DVD Jon is still releasing code. The Freedom Network is gone, but we have Tor and Mixminion. Apple releases an update to iTunes to break the downloader, but there are a dozen others already out there, not affected.

Our side, the side of free speech, democracy, and creativity, has, you know, creativity on our side. People get ideas and build them. We have library-mobiles, Project Gutenberg, Google Library, Amazon search inside a book, and lord only knows what else. They have a well funded lobbying machine, but guess what? It’s only working inside the beltway. We have artists putting their songs on a Wired Creative Commons-licensed CD; we have fiction and non-fiction coming out under the CC, and remixes and mashups of it that cause the first authors to cackle with glee.

We have volunteer programmers creating the tools they want to use, and those tools are never going to go away. They have $400 an hour lawyers bilking them on a losing strategy. We have BitTorrent taking 35% of all internet bandwidth. We have thousands of web proxies left open, accidentally or intentionally, that let people around the great firewall of China. We have Google’s cache, the internet archive, and a million blogs to make content available to everyone who wants it.

Econ and Security papers

Ross Anderson has added three papers to his Economics and Security Resource page:

  • Fetscherin and Vlietstra’s DRM and music: How do rights affect the download price? shows that the prices of music tracks sold online are mostly determined by the rights granted to the purchaser – including the right to burn, copy or export the music – and also by the label and the location.
  • Felix Oberholzer and Koleman Strumpf’s The Effect of File Sharing on Record Sales — An Empirical Analysis examines the correlation between downloads and music sales. They show that downloads do not do significant harm to the music industry. Even in the most pessimistic interpretation, five thousand downloads are needed to displace a single album sale, while high-selling albums actually benefit from file sharing. (See also a press of a musicians’ survey.)
  • Yooki Park and Suzanne Scotchmer’s Digital Rights Management and the Pricing of Digital Products argues that DRM does not have to be perfect – the cost of circumvention needn’t be raised above the monopoly price; that technical protection may still yield more revenue than legal protection, as it may never expire; and that separate DRM systems may yield higher prices than a shared system, because of the greater incentives for, and effects of, circumvention. It also looks at how the structure of a DRM consortium such as the TCG might promote, or inhibit, collusive behaviour among content vendors.

The page is a wonderful resource, I just wish it were harder for Ross to keep up with the flow of new, worthwhile work. [Clarification: Because that would mean more good work was coming out.]

Three By Froomkin

Michael Froomkin has three nice posts today. First, Inside The TSA, we learn that power tends to corrupt:

This account of the goings-on at the MIA TSA branch, brought to you by the feisty local Miami New Times, is worse than not pretty. It’s pretty ugly: allegations of theft from passengers’ bags, sexual harassment (of other TSA employees), massive featherbedding, internal racism, and general incompetence.

Second, an article on Google’s library, and finally, a post on defense vs offense in the free speech wars, which I want to mull on a little before responding:

Back in the day — going on ten years ago — we thought the ‘net would change the world. We were right about that, but not in the ways we thought — we thought PGP and onion routing and an explosion of free speech meant an end to content control.

First They Came For The Jews

The normally insightful JihadWatch writes:

It sounds terrible: restricting their civil liberties. Until you read into the story and find that they’re talking about registration, profiling, and monitoring of mosques and Islamic organizations. Horrors! Registration may inconvenience some people, but after all, a lot of people were inconvenienced on 9/11; as with all these measures, if one is not doing anything seditious, one is unlikely to have anything to fear. Profiling? Unless you think our law enforcement tax dollars are well spent making sure that the FBI investigates an equal number of Methodist grandmothers and Muslim imams for terrorist ties, it’s just common sense. And monitoring mosques? This is something the American Muslim community should welcome, and aid in — if they really accept and value the free society in which they live.

I, myself, being a student of history, would fear being dragged to an internment camp, blacklisted, being subjected to 10 years of harassment by the FBI, being detained without access to a lawyer, or sent to Guantanamo Bay for torture by Uncle Sam.

As to profiling, I’m all for it, as long as we include special forces vets, (actually, make that all vets), the Japanese, Brits, Californians, and hmmm, maybe this profiling thing isn’t such a great plan.

As I’ve pointed out in the past, we lack key abilities like translation. Until we can translate all the messages we’re intercepting, why impose a regime of fear and control on Americans?

Finally, Germany has mandatory registration, and it’s done them no good in preventing their universities from becoming breeding grounds for Muslim extremists. (See the 9/11 commission report.)