It's the security, stupid

I've commented a few times on just how bad customer authentication is in the UK's banks, but hadn't got around to blogging about it. Now that the UK government's managed to achieve one of the greatest confidential leaks of modern history, it might be worth doing so.

So, for those outside the UK, or who might, for other reasons, not have heard about this story:

Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing.

The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25m people.


From http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm


Now, NI numbers (approximately equivalent to US Social Security numbers, although much less widely used or risky) are definitely sensitive data. Bank account numbers, while not an explicit risk by themselves, become a very useful target for identity theft when coupled with, for example, full names, dates of birth and addresses. The extra security information you tend to need are your Mother's maiden name and some sort of signature or PIN. Online and phone banking systems sometimes only ask you for two digits of passcode (sometimes from as few as four) to gain full access. And, to start a standing order, or direct debit, little more than the above data seems to be required.

There also seems to be an incredible superstition held by banks that your mother's maiden name and your date of birth (and sometimes place of birth) are mysterious and unknowable. One has to assume from this that banking security experts are lonely people whose friends never remember their birthdays, and to whom they never talk about themselves. In particular, none of them are amateur genealogists, as their insistence on making such family data dangerous to share is a downright nuisance to anyone wishing to trace their family tree.

These data are, frankly, not secure, and nor should they have to be. Part of the essence of a good password is that it is hard to guess. Another is that it can be changed when required. A third is that it has no external meaning. Personally fixed data like this are therefore about the worst things you can use as a password.

A signature's not much better, as the growth of chip-and-pin cards attest. They are (comparatively) easy to copy, and no-one ever really checks them anyway.

And these authenticators are only useful if they're fully checked anyway. Often enough banks staff and so on seem to assume that, if you ask for something belonging to someone, then you must be that person. Defence against social engineering is shoddy at best, and staff, if they follow procedures at all, just tend to go through the motions without understanding what they're doing or why they're doing it. There needs to be a wholesale revision of the methods of, and approach to, data security in this country.

But, as yet, the data that's escaped should not be enough to access bank accounts without either serious extra work, extremely braze social engineering, or guessing of passwords. As in, it's hard - not impossible.

Of course, since many people use their children's names or birthdates as passwords (remember War Games?), that may not be so difficult.

The highest risk at the moment seems to be that of extremely convincing phishing attacks. Currently my various banks authenticate emails by addressing them to my full real name, and including some part of my account number, or my postcode.

In fact I'd also expect an opportunist wave of unsophisticated "To protect your data after this leak" phishing - which doesn't even require the data to be in bad guys' hands.

But, do the bad guys have it? The police and government "reassure" us that "There is no evidence that this data has fallen into criminal hands". This is one of the most astounding pieces of weaselling that either party has ever acheived. One might also ask, since no-one knows where the data is (and recall that, even encrypted, it can be infinitely duplicated), what evidence there is that it has *not* fallen into criminal hands.

There's also considerable doubt about the security measures placed on the data - according to government sources it was "password protected but not encrypted" - which is complete nonsense, and therefore probably wrong. If the data is not encrypted, it should all be assumed to be in the wrong hands. If weak encryption was used, data criminals have large enough botnets of infected, hijacked machines to make short work of it. If strong encryption was used - and given the complete lack of other security considerations taken, this seems unlikely - then perhaps we are more justified in just crossing our fingers and hoping for the best.

And that's what most people seem to be doing anyway, taking the approach that "nothing bad will happen to them". This might be pure fatalism; it may be trust of government (and bank) weaselling, or it might just be a complete unawareness of what can be done - as noted above, most of this data cannot be changed. I suspect that, under these circumstances, I'd be strongly considering changing bank, or at least getting them to re-assign my account number - which would admittedly be a massive nuisance. We have to give our bank details to so many people that re-providing it would be as complex as changing address when moving house - more so in fact, as there would be no realistic possibility of assisted notification or redirection services without further compromising security.
Posted by parsingphase, 2007-11-21 22:41

Anonymous user

Login

Blog

Contact

I'm currently available for contract work in London as a Senior PHP Developer. Contact me for a CV, rates, or a chat.

Twitter @parsingphase
Email richard@phase.org
Github parsingphase
LinkedIn Richard George
Flickr parsingphase