A lesson in transitive trust

CybercrimeGrowing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred.  There just was so much of it.  Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community.  A murder in the Zürich area, however, is rare.  Maybe it’s because everyone has a gun, as my friend Neal might say.  Who knows?  The point is that people here are not inured to that level of violence.

Now we are discovering the online version of that.  When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do.  Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen.  But they weren’t the only ones.  Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same.  Why?  Because humans don’t like having to remember lots and lots of passwords.  And of course, if you were one of those people who used the same password between both and linked your Yahoo or GMail account to Facebook, that means that your Facebook account could have been compromised as well.  And that means that your friends may have been attacked, as we previously discussed.

How could this be worse?  Let’s add Paypal into the mix.  If you use the same password for eBay as you used for Yahoo!, now all of a sudden, you have invited someone to empty your bank account.  Had Paypal implemented an OpenID consumer for login, an attacker wouldn’t even need your password.

Now let’s aggregate all of the people who do that.  The popular OpenID providers include Google, Yahoo, and Verisign.  As the number of providers increases, the concentration of risk of any one single failure decreases.  Concentration of risk is a fancy way of saying that one is putting all of one’s egg in one basket.  On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.

This leads to a few conclusions:

  • A large number of Identity Providers will require a service that provides some indication as to the reliability of the information returned by a given IdP.
  • The insurance and credit industries can’t manage concentrated risk.  We’ve seen what happens in the housing market.  The Internet can reproduce those conditions.  Hence, there will be limitations on transitive trust imposed.

Conveniently, you are not without any protection, nor are the banks.  There are large federated market places already out there.  Perhaps the two biggest are eBay and Amazon.  Amazon has the advantage of requiring a physical address to deliver to, for most goods, the exceptions being software, soft-copy books and downloadable movies.  In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is 0.  It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.

Paypal is another matter.  If someone has broken into your Paypal account, here is what they can do:

  • Empty it of any credit it might have;
  • Charge against your credit cards; and/or
  • Take money from your bank.

If you’re paying attention and act quickly, you might prevent some of these nasties from happening.  But first you will have to read a tome that is their agreement.  In all likelihood you have no recourse to whatever final decision they make.  If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering.  What does it mean to pay attention?  It means that you are receiving and reading email from paypal.com.  That means that they have to have a current email address.  When was the last time you checked that they do?  Assuming that they do, it also means that you have to read what you are receiving.  Now- I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal.  Remember, how this posted started by talking about being inured to crime?  Well, here we go again.

Can The Industry Stop break-ins on Facebook?

FacebookAfter my last post, a reasonable question is whether we in the industry have been goofing off on the job.  After all, how could it be that someone got their account broken into?  Everyone knows that passwords are a weak form of authentication.  Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. They use at a bear minimum RSA one time password tokens or perhaps Smart Cards.  So why are the rules different for Facebook?

They would say, I’m sure, that they do not hold the keys to your financial data.  Only that may not be true.  Have you entered credit card details into Facebook?  Then in that case maybe they do hold the keys to your financial data.  Even if you haven’t entered any financial data into Facebook?  Are you using the same password for Facebook that you are for your financial institution?  Many people are, and that is the problem.

Passwords have become, for want of a better term, an attractive nuisance.  It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket.  Yes, the problem is getting worse, not better.  My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”.  What a lovely enhancement.  Right up there with enhancing the keyboard I am typing on to give me electric shocks.

Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal).  Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID.  (The better part is that no one can simply break into one account and gain access to all of these other sites.  The worse part is that if you have some other OpenID, you can’t use it with these sites.)

OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user.  This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide.  Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).

SAML and Higgins to the rescue?  OAUTH?  Blech.

And so now I’m on Facebook

FacebookHaving staved it off for years I’ve finally joined Facebook.  Here are a few initial thoughts:

I was disappointed that the only authentication method offered was old fashioned passwords.  We are still as an industry struggling with making the leap to a better means.  And it’s not like there are none out there.  OpenID and Infocards can no longer be considered new.  A question for a future blog entry might be why these technologies are not succeeding.  Indeed just this week SlashDot.Org ran a story about how OpenID is losing ground.

There is a whole different set of social rules on Facebook, and I don’t know what they are.  For instance:

  • One of my friends wanted to add detail about my previous employment experience, which is something I wasn’t prepared to do myself.  And so I refused.  Have I offended him?  I don’t know.
  • My initial “note” indicated that I don’t do much with FaceBook, and that people should see my blog.  This elicited a long discussion, not involving me.  If I don’t reply, have I offended?

Why is Facebook even necessary?  Isn’t this what we want the Internet to be in general?  Why should this form of communication be limited to one site?  For one, people are tired of spam on the Internet and so they are looking for an email replacement.  Beyond that, having one’s own web server is a royal pain in the ass.  But moreover, the comment I got more than once was that a blog is isolating.  Why is that?  What makes this blog isolating as compared to Facebook?

How Much Do You Value Privacy?

People in my company travel a lot, and they like to have their itineraries easily accessible.  My wife wants to know when and where I will be, and that’s not at all unreasonable.  So, how best to process and share that information?  There are now several services that attempt to help you manage it.  One of those services, TripIt.Com, will take an email message as input, organize your itinerary, generate appropriate calendar events, and share that information with those you authorize.

The service is based in the U.S., and might actually share information with those you do not authorize, to market something to you- or worse.  If the information is stolen, as was the case with travel information from a hotel we discussed recently, it can be resold to burglars who know when you’re way.  That can be particularly nasty if in fact only you are away, and the rest of your family is not.

But before we panic and refuse to let any of this information out, one should ask just how secure that information is.  As it happens, travel itineraries are some of the least secure pieces of information you can possibly have.  All a thief really needs is an old ticket stub that has one’s frequent flyer number, and we’re off to the races.  In one case, it was shown that with this information a thief could even book a ticket for someone else.

So how, then, do we evaluate the risk of using a service like TripIt? First of all, TripIt does not use any form of encryption or certificate trust chain to verify their identity.  That means that all of your itinerary details go over the network in the clear.  But as it turns out, you’ve probably already transmitted all of your details in the clear to them by sending the itinerary in email.  Having had a quick look at their mail servers, they do not in fact verify their server identities through the use of STARTTLS, not that you as a user can easily determine this in advance.

Some people might have stopped now, but others have more tolerance for risk.

Perhaps a bigger problem with TripIt is that neither its password change page nor its login page make use of SSL.  That means that when enter your your password, the text of that password goes over the network in the clear, for all to see.  It also means that you cannot be sure that the server on the other end is actually that of TripIt.  To me this is a remarkable oversight.

For all of these concerns, you still get the ability to generate an iCal calendar subscription as well as the ability to share all of this information with friends and family.  Is it worth it?  One answer is that it depends on whether you actually want to enter the information yourself, whether you care about security concerns, and whether you like using calendaring clients.  It also depends on what other services are available.

Another service that is available is Dopplr.  It also attempts to be a social networking site, not unlike Linked In.  Dopplr allows you to share you itineraries with other people, tells you about their upcoming trips (if they’re sharing with you), and it lets you create an iCal subscription.

Dopplr also has some security problems, in that they do not use SSL to protect your password.  They also do not use SSL for their main pages.  They do, however, support OpenId, an attempt to do away with site passwords entirely.  I’ll say more about OpenId in the future, but for now I’ll state simply that just because something is new does not make it better.  It may be better or worse.

And so there you have it.  Two services, both with very similar offerings, and both with almost the same privacy risks.  One of them, by the way, could distinguish themselves by improving their privacy offering.  That would certainly win more of my business.