Security Via Surrender
A new approach to protecting data and identity
David Sanger and Julie Davis are reporters for the paper of record—the New York Times. Their recent article starts:
WASHINGTON—The Obama administration on Thursday announced what appeared to be one of the largest breaches of federal employees’ data, involving at least four million current and former government workers in an intrusion that officials said apparently originated in China.
The compromised data was held by the Office of Personnel Management, which handles government security clearances and federal employee records. The breach was first detected in April, the office said, but it appears to have begun at least late last year.
The target appeared to be Social Security numbers and other “personal identifying information,” but it was unclear whether the attack was related to commercial gain or espionage. …
Today Ken and I want to suggest a new approach to data breaches like this.
Before we explain the method let’s just say that it looks pretty grim for protecting data. If the White House cannot protect the emails of the President, and if the Office of Personnel Management cannot protect federal employees’ Social Security numbers, then perhaps it is time to give up.
We know huge sums are being spent on solving the security problem; many groups, centers, agencies, and researchers are working on it; countless conferences have their focus on this problem. But attacks occur, and we still lose information.
Perhaps it is a fundamental law of complex software systems that they will never be secure—that bad actors will always be able to break in and steal data. Perhaps this problem is unsolvable: not just hard, or expensive, or difficult. Perhaps it is as impossible to solve as trisecting an angle with only a ruler and a compass, or as impossible as the Halting Problem. Perhaps.
If this is the case, then we have a suggested approach to security that stops trying to solve the stealing-data problem. The approach is quite different and we will now explain it.
Jigoro Kano, the founder of the martial arts discipline Judo, once wrote:
In short, resisting a more powerful opponent will result in your defeat, whilst adjusting to and evading your opponent’s attack will cause him to lose his balance, his power will be reduced, and you will defeat him. This can apply whatever the relative values of power, thus making it possible for weaker opponents to beat significantly stronger ones.
Judo allows a “weaker” opponent to beat a “stronger” one. The idea is based on not resisting directly, but rather resisting indirectly. We believe that this principle can be used in security.
Our application of Judo is based on looking deeper at just what it means to steal some information such as your SSN. An SSN is only useful because there are transactions that are based on using it. The same goes for almost all the information that is being stolen. The information is only valuable because it can be used in some transaction, and it is the fraudulent transaction, not the disclosure itself, that we wish to stop.
Thus the surrender idea is to assume that the data is going to be compromised. Perhaps we will even make it public. What we protect instead are the transactions, in a way that does not rely on the false assumption that certain data is secret.
Our suggestions are far from new; indeed, they are being used all the time, and importantly, their safety and success have held up. Our point is to build a framework whose philosophy is to rely on nothing more than this, and to change expectations for the end-user experience. Here are some common examples:
- You forget your password—and even your username too—at a website but are easily able to click to have an account-reset sent to your registered e-mail address.
- Your credit card provider calls or texts you to verify a large or unusual transaction.
- Your bank or a government agency asks you a challenge question you provided last year.
- Your bank has you register all machines/IPs from which you access their website, asking you challenge questions for any new or not-recently-used one.
- Your access patterns are recorded and pattern-matched for self-similarity.
- Your health insurer, operating under the Affordable Care Act, must be able to demonstrate that its policies did not depend on knowledge of a pre-existing condition that was disclosed.
What we sacrifice under the Judo philosophy is the “Swiss Bank” expectation that one golden key unlocks access with no questions asked.
Lessons From Tax Refund Hijacking
Electronic filing of tax returns ought to be the most secure online transaction that most people partake in. Unlike electronic purchases, this happens just once a year, the partner is the U.S. Government, and the safeguards can embrace the whole of your identity with the government. Yet for each of the past few years there have been over a million cases of thieves filing false returns with stolen genuine personal information before the real person files, in order to hijack the refund.
Safeguarding details of your return is of course desirable, but it is off the point of safeguarding the refund transaction. Hence one shouldn’t rely on the same solution for both problems. Our attitude is that, in order to safeguard the transaction, we should be prepared to give up on the secrecy of the return itself, even if we have to be like Hillary Clinton or Mitt Romney.
What we believe needs to change is not what’s under the hood but rather what’s on our dashboard. We must forgo the passivity of thinking all one has to do is wait for the IRS message of deposit. There must be some validation of the destination that is interactive, such as asking a challenge question that you—the real you—provided last year.
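The transaction controls listed above (registered devices, a planted challenge question, an out-of-band confirmation to a channel only you hold) and the interactive validation of the refund destination can be combined into one gate. The following is an added example written for this page, not code from the original post or from any tax agency; the account record, the planted question, the device names, the step-up order and the simulated e-mail inbox are all assumptions. The SSN is treated exactly as the surrender idea suggests: it selects the record, and knowing it never authorizes anything by itself.

```python
"""Refund-destination gate that treats the SSN as a public identifier.

Added example, not code from the original post. The account record, the
planted question, the device names and the step-up order are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted slow hash of a static KBA answer, tolerant of case and spacing."""
    normalised = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    ssn: str                        # identifier only: assumed already stolen
    email: str                      # access-based channel only the owner holds
    refund_destination: str         # account used for last year's refund
    known_devices: Set[str] = field(default_factory=set)
    kba_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    kba_hash: bytes = b""
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    inbox: List[str] = field(default_factory=list)   # stands in for e-mail delivery

    def enroll_challenge(self, answer: str) -> None:
        """Store the answer the real person planted last year."""
        self.kba_hash = hash_answer(answer, self.kba_salt)

    def check_challenge(self, answer: str) -> bool:
        return hmac.compare_digest(self.kba_hash, hash_answer(answer, self.kba_salt))


@dataclass
class RefundRequest:
    ssn: str
    device_id: str
    destination: str
    challenge_answer: Optional[str] = None
    confirmation_token: Optional[str] = None


def gate(account: Account, req: RefundRequest) -> Tuple[str, str]:
    """Decide allow / challenge / confirm / deny. The SSN never suffices alone."""
    if not hmac.compare_digest(req.ssn.encode(), account.ssn.encode()):
        return "deny", "identifier does not match any record"
    # Step 1: a device we have not seen must answer the planted question.
    if req.device_id not in account.known_devices:
        if req.challenge_answer is None:
            return "challenge", "answer the question you planted last year"
        if not account.check_challenge(req.challenge_answer):
            return "deny", "challenge failed"
    # Step 2: moving the refund somewhere new needs out-of-band confirmation.
    if req.destination != account.refund_destination:
        if req.confirmation_token is None:
            token = secrets.token_urlsafe(16)
            account.pending[token] = (req.device_id, req.destination)
            account.inbox.append(token)       # delivered to the registered e-mail
            return "confirm", "token sent to registered e-mail"
        # The token is bound to this device and destination, so a stolen
        # token cannot be replayed for a different payee.
        if account.pending.pop(req.confirmation_token, None) != (req.device_id, req.destination):
            return "deny", "confirmation token invalid for this request"
        account.refund_destination = req.destination
    # Only a fully allowed transaction earns the device a place on the list.
    account.known_devices.add(req.device_id)
    return "allow", f"refund directed to {account.refund_destination}"


def demo() -> Dict[str, object]:
    """Constructed scenario: the thief has the SSN; the owner has the inbox and laptop."""
    acct = Account(ssn="123-45-6789", email="owner@example.org", refund_destination="acct-owner")
    acct.enroll_challenge("Blue Volvo")            # planted last year
    acct.known_devices.add("owner-laptop")
    out: Dict[str, object] = {}
    thief = RefundRequest("123-45-6789", "thief-box", "acct-thief")
    out["thief_challenged"] = gate(acct, thief)[0]
    thief.challenge_answer = "red honda"
    out["thief_denied"] = gate(acct, thief)[0]
    thief.challenge_answer = "blue  volvo"         # guessed from public records
    out["thief_needs_inbox"] = gate(acct, thief)[0]
    out["tokens_in_owner_inbox"] = len(acct.inbox)  # the thief never sees this
    owner = RefundRequest("123-45-6789", "owner-laptop", "acct-owner")
    out["owner_routine"] = gate(acct, owner)[0]
    owner = RefundRequest("123-45-6789", "owner-laptop", "acct-new")
    out["owner_pending"] = gate(acct, owner)[0]
    owner.confirmation_token = acct.inbox[-1]
    out["owner_confirmed"] = gate(acct, owner)[0]
    out["thief_device_trusted"] = "thief-box" in acct.known_devices
    return out
```

The point of the ordering is that each control guards a different thing the thief lacks: a known device, the answer the real person planted, and read access to the registered inbox. A thief who harvests the answer from public records still gets no further than a confirmation token that lands somewhere only the owner can read, and the device is trusted only after a fully allowed transaction. A production version would also expire pending tokens and rate-limit challenge attempts.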
It Had to Be You
The planted challenge question idea is an example of the static kind of knowledge-based authentication (KBA). There is also dynamic KBA, in which the questions are synthesized from information that the provider already has. These can be questions such as, what was the color of the car you bought in 2002? Both kinds of KBA are increasingly used against tax fraud.
Dynamic KBA can be used when there has been no prior interaction. There are further issues about how the provider gathers data for the questions. This Vermont government source notes issues with the use of public records. In keeping with our “surrender” motif, we don’t see how to stop this access—rather, we look to controls on how the access is used in transactions.
The Vermont source moves on to the idea of recording and analyzing patterns of keyboard use, which may be even more fraught. We wonder instead about a good way to blend KBA ideas with what we’ll call “access-based authentication” (ABA). Generalizing from the simple instance of using your e-mail to authenticate, the idea is to set up domains that only you have access to in their entirety.
To be sure, hackers might also gain access to the e-mail account you use for validation, for instance to confirm (“roger”) a message about the destination of a tax refund. It won’t do to create a separate e-mail account used only with the IRS; an account you rarely look at is one whose compromise you will not notice, so we think such things play into hackers’ hands. Instead, your e-mail can safeguard the reality that only you use it. One idea is having a machine on which you are always logged in to your e-mail. Against that resident session, any login or activity from elsewhere stands out as foreign.
The bad news in all of this is that assuring one’s identity is becoming a battle and there seems to be no simple way to assure victory. Our point is to favor approaches that move the battle into areas an individual controls, as opposed to ones controlled from outside.
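The always-logged-in machine, together with the earlier idea of pattern-matching access for self-similarity, amounts to a small detector: the resident session defines what normal looks like, and every session from anywhere else is scored against it. The following is an added example for this page, not code from the original post or from any mail provider; the log lines are constructed, and the account name, the resident machine, the list of sensitive actions and the alert threshold are assumptions.

```python
"""Access-based authentication: score logins against the resident session.

Added example, not from the original post. The log format, the account,
the resident machine name and the scoring rules are assumptions.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

RESIDENT_DEVICE = "desk-home"          # machine that is always logged in (assumed)
SENSITIVE = {"forward-rule-added", "password-changed", "recovery-email-changed"}

# Constructed log lines: time, account, device, /24 network, event
LOG = """\
2015-06-01T08:02Z alice desk-home 203.0.113 login
2015-06-01T18:40Z alice desk-home 203.0.113 read
2015-06-02T07:58Z alice desk-home 203.0.113 read
2015-06-03T08:05Z alice phone 198.51.100 login
2015-06-03T08:06Z alice phone 198.51.100 read
2015-06-04T03:12Z alice unknown-7f 192.0.2 login
2015-06-04T03:13Z alice unknown-7f 192.0.2 forward-rule-added
"""


def parse(line: str) -> dict:
    ts, account, device, net, event = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"),
            "account": account, "device": device, "net": net, "event": event}


def score(history: Dict[str, Counter], ev: dict) -> Tuple[int, List[str]]:
    """One point per way the event departs from the owner's own history."""
    reasons = []
    if ev["device"] not in history["devices"]:
        reasons.append("new device")
    if ev["net"] not in history["nets"]:
        reasons.append("new network")
    h = ev["time"].hour
    # Unusual hour: nothing from the resident session within an hour either side.
    if not any(history["hours"][(h + d) % 24] for d in (-1, 0, 1)):
        reasons.append("unusual hour")
    if ev["event"] in SENSITIVE:
        reasons.append("sensitive action")
    return len(reasons), reasons


def audit(log_text: str, resident: str = RESIDENT_DEVICE) -> List[Tuple[str, int, List[str]]]:
    """Build the baseline only from the resident session; score everything else.

    A foreign session never feeds the baseline, so an intruder cannot make
    itself look normal by logging in repeatedly.
    """
    history = {"devices": Counter(), "nets": Counter(), "hours": Counter()}
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["device"] == resident:
            history["devices"][ev["device"]] += 1
            history["nets"][ev["net"]] += 1
            history["hours"][ev["time"].hour] += 1
        else:
            s, why = score(history, ev)
            findings.append((line, s, why))
    return findings


def alerts(log_text: str, threshold: int = 3) -> List[str]:
    """Lines worth surfacing to the owner inside the resident session."""
    return [line for line, s, _ in audit(log_text) if s >= threshold]


if __name__ == "__main__":
    for line, s, why in audit(LOG):
        print(s, ", ".join(why), "|", line)
```

On the constructed log the phone scores as a new device on a new network but at a normal hour, while the night-time session from an unseen machine that adds a mail-forwarding rule scores on every axis. The design choice that matters is that only the resident session is allowed to extend the baseline: the detector is anchored in the one channel the individual controls, which is exactly where the post argues the battle should be moved.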
Do identity protection and integrity of data use need a consistent paradigm more than new schemes?