ID: awesomeness / Password: yo

E-Girl (aka my teenage daughter) is your typical 21st century teenager with a bevy of gadgets and skills to match.  She has her own phone (of course), is a blossoming food blogger and has never owned music on physical media.

E-Girl is also the hockey pool organizer.  A quick trip to officepools.com, a round of poolster recruitment and she has a tidy collection of teams and picks entered and ready to go for the opening night puck-drop.

E-Girl is learning to be net-savvy and she has privacy awareness that belies her youthfulness.  (Yes, she’s endured a few privacy and Internet-safety lectures from me…)  For example, with the exception of email, she doesn’t use her last name online.

So it was with some surprise that I noticed a wee pink sticky note attached to her PC this evening… yes, a sticky note with her hockey pool login credentials on it for all to see.

You can read the damning words for yourself:

the sticky

It is shocking.

Mike

Credit Card Activation

I haven’t applied for a credit card in a while and so I wasn’t expecting this new identity proofing process from BMO MasterCard.

I called the customer service number to activate the card.  In the past, you simply had to enter the 16-digit number and, assuming you were calling from a home phone number, the combination of the card number and phone number was sufficient to validate your identity.

Today, however, the system collected my card number and explained that I would need to participate in an identity proofing process based on my credit history.

After a few minutes on hold, the agent came online.  Here is the transcript, somewhat paraphrased:

Agent: Hello, Mike, we need to confirm your identity using information from your credit history.  We will ask you some questions and you can pick from three multiple-choice answers.  Do you agree to this process?

Me: Uh, Sure.

Agent: Okay, from the following list of credit unions, who have you banked with in the past five years? <she then listed three credit unions.>

Me: <name of credit union.>

Agent: That is correct.  Next, from the following apartment numbers, pick the one that corresponds to a previous residence.

Me: Uh, well I can’t recall the last time I’ve lived in an apartment…

Agent: Well… Let me list the numbers and see if you recognize any: 1101, 6A or 904.

Me: I’m not sure — is this my only option? The last time I lived in an apartment was 1987!

Agent: Well, we need an answer to this question.

Me: I can’t remember an apartment from 20 years ago… can you?

Agent: Uh, no, I see your point… but the credit bureau has this information…

Me: (sigh) I’m sure they do… and I’m sure it is accurate, but this isn’t much use to us if I can’t remember.

Agent: Well, if we can’t finish this process you can go to your bank in person with two pieces of identification to activate your card.

Me: I see.  Well, can I guess?  How about ‘1101’ ?

Agent: Yes! That worked; your card is now activated…

I’ve written about shared secrets and identity proofing before, and I knew that credit bureau information was a rich source of shared secrets.  In fact, these types of questions are likely what is driving the Equifax Over 18 I-Card implementation (used to prove age of user among other things).

So what is new and worth commenting about all this?

  • The questions are locked – the agent only had two questions and I had to get them correct on the first try to proceed.  She was surprised when I asked for an alternate question.
  • There were only three options to each question.  I actually guessed at the apartment number and was successful.  With only 2 questions and three options, my calculation is that a fraudster would have a 16.7% chance of guessing the right answer to both questions.
  • Because my call had to be from my home phone, the threat they are attempting to thwart is (presumably) ‘an intercepted card by someone in the same household (or someone with caller ID spoofing capability)’.  This is seemingly a low-probability occurrence, but it is obviously worth the bank’s efforts to implement this additional process.

My best guess is that they are having trouble with intercepted mail and caller ID spoofing.  I wonder if the additional shared secrets presented in a multiple choice format are sufficient to overcome a determined fraud artist (or lucky guesser!) given that they’ve already stolen my mail and know my phone number…

Mike

Identity Assurance — Registration Process

4th in a series

Registration is the “process by which a person obtains an identity credential, such as a user name or digital certificate, for subsequent authentication.”  All users of applications supported by an IAM solution must be identified and be registered in order to create an electronic credential.

As I’ve blogged about a few times in the past, the identity proofing that takes place in the Registration Process is critical for sensitive transactions.  In the same way that real-world credentials, such as driver’s licenses, require rigorous registration processes, so too does identity proofing for establishing electronic credentials.

Of course, the strength of the identity proofing process must be in keeping with the overall Identity Assurance required.  For access to a blog or creation of an Instagram or Gmail account, the identity proofing standard can be quite low.  To register for systems that access health or other sensitive information, identity proofing must be much more stringent.

For this reason, the Pan-Canadian assurance model (left-most column) calls for different levels of registration depending on the degree to which an identity needs to be substantiated:

1. Low — Pseudo-anonymous.  Identity is registered with little or no verification of identity.  User supplied information is taken at face value.  If validation is performed, it is cursory.

2. Medium — Identity Validated.  Identity is validated to a moderate level of assurance, and registration is typically performed via an online registration process.  Shared secrets are exchanged to validate the identity during the process.

3. High — Verified Identity.  Identity is verified against information held by an authoritative party.  The process is managed and typically delivered in-person (e.g. a counter service).  A third-party physical credential (e.g. picture ID) may be presented and compared to an organization-held data source.

4. Very High — Corroborated Identity.  Identity is not only verified by an authoritative party via an in-person process, it is corroborated by a trusted third party.  The rigour of this approach provides the highest level of registration possible and is typical of critical processes such as passport issuance.

The Pan-Canadian model notes that the identity proofing can be supported by either:

  • evidence supplied by the user (driver’s license, military service card, passport, etc.), or
  • by validating a shared secret that the user supplies and that can be retrieved for comparison from a trusted source (such as a government registry).

In assessing the quality of the identity proofing process, two aspects need to be considered:

1. The Method of Verification.  In person verification is stronger than online verification; corroborated information is better than information supplied by the user alone; and, identity information verified by multiple sources is better than information that is confirmed by only a single source.

2. The Strength of the Evidence.  Quick — which is more trustworthy: a Canadian passport or a college ID card?   The identity evidence presented by people varies in quality and strength, and the registration process needs to be designed with appropriately strong identity evidence.

In Practice:

I’ve been involved with the design and implementation of dozens of identity proofing and registration processes over the past ten years, and each assignment required a careful review of identity proofing processes. (Note: There are different terms used to describe this functionality of an IAM system, including ‘Identification’ and ‘Enrolment’, but for this discussion the general term ‘Registration’ will be used.)

The first step is to determine which of the four Registration levels are required.  If your solution will be enterprise in nature, or it is already known that a large number of applications will be integrated, then it is probably safe to assume that Levels 1, 2 and 3 will all be required.  (Level 4 registration is rare and, in addition, unworkable online).

Next, inventory the potential shared secrets your organization possesses.  What information do you have on file that your clients readily know or can easily look up?  Account numbers, birth dates and formal names are examples.  It is quite possible that both Levels 1 and 2 can be supported by data you already maintain in enterprise databases.  Some organizations, such as government departments, have numerous shared secrets to choose from.  Others may not know much about the user before the registration process is initiated — in these cases, in-person registration (supported by paper credentials such as driver’s licenses) will likely be required for access to systems containing sensitive information.

Once you have a list of potential shared secrets and paper credentials that could be used, align them with each of Registration Levels 1, 2 and 3.  For example, a client account number might be suitable for Level 1, but on its own it may not work so well for higher levels.  You may find that a combination of good quality shared secrets can help you to achieve Level 2 — the account number plus current mailing address and a recently mailed one-time access code might be sufficient.  At Level 3, you will want the assurance of in-person identity verification.  (Click here for a discussion on shared secret quality.)

Finally, for the Pan-Canadian model’s Level 4, the information supplied (in most cases via an in-person visit) needs to be corroborated by a trusted party via a separate process.  In practice, this would require verification of the presented identity evidence by a third party.

One way to support Level 3 and 4 registration is to first have the individual supply the evidence online.  For example, a physician could provide his college identification number along with his name and date of birth.  Once verified against a trusted data source, the information can be sent to an administrator that works with the physician.  This administrator can confirm the registration event with the physician the next time they meet face-to-face.  Optionally, the administrator could have the physician sign a usage agreement as well.  In effect, this is a corroboration of the registration information, and should satisfy the requirements for a Level 3 or 4 process.

Next: Credential Strength.

Secret strength

A while back, I wrote about the three keys to a quality process for using shared secrets in establishing an individual’s identity: quantity, quality and the degree to which a secret is shared.

The quality (i.e. relative strength) of a shared secret is critically important if it is to be used to establish a credential for access to government information.  Quick, rank the following in order of declining strength:

  • a provincial student number
  • your last federal tax return refund or payment amount
  • a randomly generated PIN that is mailed to you
  • your birth date
  • your mother’s maiden name

The student number is a common identifier for the education system.  It uniquely identifies students ‘in the system’ and, in most cases, is assigned at entry into kindergarten and used right through post-secondary.  Its strength comes from its uniqueness, its ability to be independently verified, the authority that issues it (the government), and the strong processes they follow to issue and maintain the number.  However, student numbers are often displayed on report cards, certificates and countless other paper and electronic documents.  It is not difficult to find out a person’s student number.

Dollar amounts from federal tax returns are similarly unique to an individual (or, at least, the combination of the user’s name, perhaps their SIN and the dollar amount is considered unique).  The information is securely delivered to the individual’s household via Canada Post.  It is reasonable to assume that if you answer this shared secret correctly, you are the individual you claim to be — with one exception: others in your household have access to your mail and tax papers.

One-time PINs are useful in e-government applications when issued to individuals for identity assurance purposes.  Often the government will have good information on the identity of the user, have a reliable address and perhaps a request from the user to establish an electronic identity.  A PIN is created, mailed to the user and then provided by the user in a prescribed online credential creation process.  By having appropriate one-time and PIN expiry processes, the government can be reasonably assured that the individual is who they claim to be with one exception: others in the household may gain access to the correspondence containing the PIN.

Your birth date and your mother’s maiden name are both fairly common shared secrets that have the benefit of easy recall for the user, but suffer from overuse and low secret strength.  Genealogy sites, social networking sites and public records can easily be used to retrieve these ‘secrets’.  A large disadvantage to this type of secret is that it does not change — once compromised it cannot be reset to another value (unlike a password) and becomes useless.

It can be seen that none of these mechanisms allow for absolute assurance — and really, without a strong in-person verification there will always be gaps.  However, several online implementations have been successful by combining shared secrets of different strengths when establishing the identity and by notifying the user when the process was executed.  For example, if you wanted to mail the user a PIN but there is concern that it could be used by someone else in the household, two mitigating processes could be used:

1. Send the user a follow-up notice (letter or email or both) when the PIN is consumed thereby alerting them if they had not performed the process themselves; and/or

2. Combine the PIN with additional shared secrets.  A student number and a PIN and one’s birth-date and a previous course mark is a difficult combination to crack, even by someone in the same household.

Striking a balance between the quality and quantity of shared secrets, and introducing a confirmation notice, are the keys to establishing workable online identity assurance solutions.
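The mailed-PIN process described above, as an added example that is not code from the original post: a one-time PIN with expiry, combined with additional shared secrets, and a follow-up notice when the PIN is consumed. The class and function names, the 30-day expiry, the three-attempt lockout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PIN_TTL = timedelta(days=30)  # assumed expiry window for the mailed PIN
MAX_ATTEMPTS = 3              # assumed limit on wrong guesses before lockout


def _digest(salt: bytes, value: str) -> bytes:
    # Store only salted, stretched hashes of the PIN and shared secrets.
    norm = value.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)


@dataclass
class Enrolment:
    salt: bytes
    pin_hash: bytes
    secret_hashes: dict  # name -> hash of a shared secret held on file
    expires: datetime
    attempts: int = 0
    consumed: bool = False


class PinRegistrar:
    def __init__(self, notify):
        self._records = {}
        self._notify = notify  # callback(user_id, text): the follow-up notice

    def issue(self, user_id, secrets_on_file, now):
        """Create the PIN for the letter; secrets come from the trusted source."""
        pin = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        hashes = {k: _digest(salt, v) for k, v in secrets_on_file.items()}
        self._records[user_id] = Enrolment(
            salt, _digest(salt, pin), hashes, now + PIN_TTL)
        return pin

    def redeem(self, user_id, pin, answers, now):
        rec = self._records.get(user_id)
        if rec is None or rec.consumed:
            return "rejected"  # unknown user, or PIN already used once
        if now >= rec.expires:
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"
        # Check every factor before deciding, so a failure does not reveal
        # which of the secrets was wrong.
        ok = hmac.compare_digest(rec.pin_hash, _digest(rec.salt, pin))
        for name, expected in rec.secret_hashes.items():
            supplied = _digest(rec.salt, answers.get(name, ""))
            ok = hmac.compare_digest(expected, supplied) and ok
        if not ok:
            rec.attempts += 1
            if rec.attempts >= MAX_ATTEMPTS:
                self._notify(user_id, "Registration PIN locked after failed attempts")
            return "rejected"
        rec.consumed = True
        self._notify(user_id, "Your registration PIN was used to create a credential")
        return "enrolled"


if __name__ == "__main__":
    # Constructed sample data: a student number and birth date on file.
    on_file = {"student_number": "123456789", "birth_date": "2001-02-03"}
    reg = PinRegistrar(lambda user, text: print(f"notice to {user}: {text}"))
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pin = reg.issue("student-1", on_file, now)
    # Someone in the household holds the letter but not the student number.
    print(reg.redeem("student-1", pin, {"birth_date": "2001-02-03"}, now))
    print(reg.redeem("student-1", pin, on_file, now))
```

The notice should go to an address already on file, such as the one the PIN was mailed to, so that whoever redeems the PIN cannot redirect it.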

Mike

Security and Secrecy Quotes

On security:

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.” Bill Gates.  Factoid: Gates and his teenage classmates were banned from using a PDP-10 timeshare computer after the operator of the system caught them exploiting flaws in the operating system to gain extra computer time…

On viruses:

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.” Stephen Hawking.

On secrecy:

“The very word ‘secrecy’ is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths, and to secret proceedings.” John F. Kennedy, 35th US President.  Interesting that JFK’s administration was involved in a CIA overthrow of Iraq.

Identity Renewal

I lost my drivers license this week.  No, not from being reckless or speeding — I lost the physical plastic credential that various authorities use to confirm that I can drive a car, open a bank account or have an adult beverage.

So, here in Alberta, when you lose this rather important identity credential you can turn to our very convenient registry office system to get it replaced.  Some years ago, our government privatized the customer service for all provincial registry services.  Today, there are over 220 locations around the province where you can get counter services for things like vehicle registrations, marriage licenses and so on.

There is a registry office across the street from where I work, and I paid them a visit yesterday afternoon:

Me: I have lost my drivers license.

Registry Agent: Oh. That’s too bad.  Maybe you should slow down or something…

Me:  No!  I lost the plasticized thingy.  Can I get another?

RA: Yes, of course!  Do you have a piece of picture ID?

Me: (handing over my oh-so-precious Canadian passport) Here you go. 

RA: Thank you.

At this point the registry agent glances at the passport picture, glances at me – yup, that’s him – and notes the passport number on an official form.

RA: Has any of your information changed? Hair – brown; eyes – hazel; height – 5′ 11″?

Me: Uh, no.

A few more particulars are exchanged.  Then the agent asks the shared secret question! (Only I could get excited about such a question!  And, at this point, I am positively bristling with excitement!)

RA: What is your home phone number?

What is my phone number?  My jaw drops.  I stop bristling.  Really, is that the best she could do?  I was hoping for some other nugget from the government’s mighty store of personal information.  How about the high school I attended?  Perhaps my health care number? Or my third child’s middle name?  PHONE NUMBER??? C’mon people, give me a challenge here.

Me: (mutters phone number)

RA: Hey, that’s just one number off of my phone number!

Me: Oh.

And that was about it.  I signed a few forms, she pecked a few keys and off the bits flew to the Canadian Bank Note company, the outsourced operation in Ottawa that prints and mails Alberta provincial drivers licenses.  I was given a temporary license until my new plastic-coated beauty arrived.

How does my experience compare with the government’s defined process?  It is based on ‘who you are, what you have and what you know.’  To confirm who I am, the agent uses their computer system to retrieve a picture of me from my last renewal.  So, they have a way of confirming I am who I say I am.  That’s good.

However, a few comments from this experience:

  • The agent forgot to ask me for secondary identification that further identified me and/or proved that I still live in Alberta.  I could have moved to BC or Zambia and the government process prescribes a way to catch this and confirm that I’m still a tax-paying Albertan.  An additional ‘what you have’, beyond my passport, would have strengthened the identity assurance.
  • The ‘what you know’ secret used in this case, my phone number, isn’t secret at all… I use it as my frequent shopper ID at Safeways, and blurt it out regularly in all kinds of situations.  Oh, and it is in the phone book, right next to my name…  I know that this was likely just a secret (among several possibilities) that the registry agent chose off the screen, but perhaps there should be less choice in the process to ensure stronger secrets are used.

There, in a nutshell, are a few issues with the license replacement (an identity credential renewal) process.  But are these significant enough to be of concern?

Mike

Shared secrets for establishing identity

We are all familiar with the use of shared secrets for establishing our identity when we do business online or over the phone.  These secrets are things like account numbers, our mother’s maiden name or a dollar amount from a recent statement.

Shared secrets are very useful because they significantly reduce the chances that an imposter can gain access to our information by guessing the information being requested.  Shared secrets are also used when digital credentials are first established, and this is an area of significant interest in the public sector where potentially millions of users need to be efficiently enrolled into government services.

Further, both quantity and quality matter.  As governments strive to move more services online, the question of ‘who is at the end of the wire’ takes on more and more significance.  When digital credentials are being used to access confidential data, the impact of improperly identifying an individual can be catastrophic for both the public authority and the individual.

  • A single shared secret on its own makes a poor choice for identifying an individual.  In almost all cases, even those where non-confidential or low-value transactions are taking place, multiple shared secrets are needed to ensure appropriate identity assurance is carried out.
  • The quality of the shared secret is also critically important.  Using a secret that is relatively easy to obtain — e.g. a professional certification number that is displayed on a certificate in the individual’s outer office — is of less value in identity assurance than a secret that is known only to the user.

The best identity assurance schemes are therefore those that use multiple strong shared secrets — information that only the user would generally have access to and information that, typically, is not known by others.

This last point is somewhat critical.  Sharing of confidential information in a household is very common: spouses open each other’s mail; report cards and bank account statements are left in plain view; and personal details such as birthdates are commonly known throughout the household.

A well-constructed identity assurance process must therefore also consider the degree to which shared secrets are known among a household, workplace or other group of individuals.

Fortunately, government organizations have a wealth of citizen information in their databases.  These stores of shared secrets allow a government system to select from a range of options when validating user identity.

An effective enrolment solution depends on carefully analyzing the strength and appropriate combination of multiple secrets in order to select the best ones for e-government applications.

Mike

Who are you?

Quick — what are the top IT security issues today?  A list might include things like uncontrolled wireless devices, organized e-crime, identity management and ‘the next big virus’.  It would be hard to discredit any on this list, but from an individual user’s perspective, identity management is becoming a very hot topic.  And identity management is certainly something that is of interest to large organizations, particularly those that are in government or regulated industries — which covers a lot of ground these days.

Identity management is critical to conducting e-business and for protecting sensitive information.  Practically speaking, if a company doesn’t know who is ‘at the end of the wire’ then it is very difficult to offer up anything significant in the way of business content.  And if that identity is not managed properly over time, the user can lose confidence in the relationship and even stop using the offered services completely.

So, how can you know who is accessing your site, web portal or business application? How sure can you be that they are who they say they are? It all starts with confirming the identity at the first interaction with the user, or what we like to call ‘identity proofing’.  This critical step can be difficult to design, build and operate.  Identity proofing requires good process, the type of process that businesses and governments use to support the issuance of identity cards in the physical world. When it comes to proving identity, electronic identities and physical identities must follow the same process to be effective.

Mike