ID: awesomeness / Password: yo

September 25, 2009

E-Girl (aka my teenage daughter) is your typical 21st century teenager with a bevy of gadgets and skills to match.  She has her own phone (of course), is a blossoming food blogger and has never owned music on physical media.

E-Girl is also the hockey pool organizer.  A quick trip to officepools.com, a round of poolster recruitment and she has a tidy collection of teams and picks entered and ready to go for the opening night puck-drop.

E-Girl is learning to be net-savvy and she has privacy awareness that belies her youthfulness.  (Yes, she’s endured a few privacy and Internet-safety lectures from me…)  For example, with the exception of email, she doesn’t use her last name online.

So it was with some surprise that I noticed a wee pink sticky note attached to her PC this evening… yes, a sticky note with her hockey pool login credentials on it for all to see.

You can read the damning words for yourself:

[Image: the sticky]

It is shocking.

Mike


Credit Card Activation

September 3, 2009

I haven’t applied for a credit card in a while and so I wasn’t expecting this new identity proofing process from BMO MasterCard.

I called the customer service number to activate the card.  In the past, you simply had to enter the 16-digit number and, assuming you were calling from a home phone number, the combination of the card number and phone number was sufficient to validate your identity.

Today, however, the system collected my card number and explained that I would need to participate in an identity proofing process based on my credit history.

After a few minutes on hold, the agent came online.  Here is the transcript, somewhat paraphrased:

Agent: Hello, Mike, we need to confirm your identity using information from your credit history.  We will ask you some questions and you can pick from three multiple-choice answers.  Do you agree to this process?

Me: Uh, Sure.

Agent: Okay, from the following list of credit unions, who have you banked with in the past five years? <she then listed three credit unions.>

Me: <name of credit union.>

Agent: That is correct.  Next, from the following apartment numbers, pick the one that corresponds to a previous residence.

Me: Uh, well I can’t recall the last time I’ve lived in an apartment…

Agent: Well… Let me list the numbers and see if you recognize any: 1101, 6A or 904.

Me: I’m not sure — is this my only option? The last time I lived in an apartment was 1987!

Agent: Well, we need an answer to this question.

Me: I can’t remember an apartment from 20 years ago… can you?

Agent: Uh, no, I see your point… but the credit bureau has this information…

Me: (sigh) I’m sure they do… and I’m sure it is accurate, but this isn’t much use to us if I can’t remember.

Agent: Well, if we can’t finish this process you can go to your bank in person with two pieces of identification to activate your card.

Me: I see.  Well, can I guess?  How about ‘1101’?

Agent: Yes! That worked; your card is now activated…

I’ve written about shared secrets and identity proofing before, and I knew that credit bureau information was a rich source of shared secrets.  In fact, these types of questions are likely what is driving the Equifax Over 18 I-Card implementation (used to prove age of user among other things).

So what is new and worth commenting about all this?

  • The questions are locked – the agent only had two questions and I had to get them correct on the first try to proceed.  She was surprised when I asked for an alternate question.
  • There were only three options to each question.  I actually guessed at the apartment number and was successful.  With only 2 questions and three options, my calculation is that a fraudster would have a 16.7% chance of guessing the right answer to both questions.
  • Because my call had to be from my home phone, the threat they are attempting to thwart is (presumably) ‘an intercepted card by someone in the same household (or someone with caller ID spoofing capability)’.  This is seemingly a low-probability occurrence, but it is obviously worth the bank’s efforts to implement this additional process.

My best guess is that they are having trouble with intercepted mail and caller ID spoofing.  I wonder if the additional shared secrets presented in a multiple choice format are sufficient to overcome a determined (or lucky guesser!) fraud artist given that they’ve already stolen my mail and know my phone number…

Mike


Identity Assurance — Registration Process

December 24, 2008

4th in a series

Registration is the “process by which a person obtains an identity credential, such as a user name or digital certificate, for subsequent authentication.”  All users of applications supported by an IdM solution must register in order to create an electronic credential.

As I’ve blogged about a few times in the past, the identity proofing that takes place in the Registration Process is critical for high-value or confidential transactions.  In the same way that real-world credentials, such as driver’s licenses, require rigorous registration processes, so too does identity proofing for establishing electronic credentials.  Of course, the strength of the registration process must be in keeping with the overall Identity Assurance required.  For access to a blog or creation of a Hotmail account, the identity proofing standard can be quite low.  To use systems that access health or other sensitive information, identity proofing must be high.

For this reason, the pan-Canadian model calls for different levels of Registration depending on the degree to which an identity needs to be substantiated:

0. No Identity — Anonymous Identity.  No Registration is required.

1. Low — Pseudo-anonymous or Unverified Identity.  Identity is registered with little or no verification of identity.  User-supplied information is taken at face value.

2. Medium — Verified Identity.  Identity is verified against information held by an authoritative party.  The process is managed and proves the identity by either validating electronic or user-held ‘evidence’.

3. High — Corroborated Identity.  Identity is not only verified by an authoritative party, it is corroborated by a trusted third party.  The rigor of this approach provides the highest level of registration possible.

The pan-Canadian model notes that the identity proofing can be supported by either evidence supplied by the user (drivers license, military service card, passport, etc.), or by validating a shared secret that the user supplies and that can be retrieved for comparison from a trusted source (such as a government registry).

In assessing the quality of the identity proofing process, two aspects need to be considered:

1. The Method of Verification.  In person verification is stronger than online verification; corroborated information (e.g. by a person in a position of trust) is better than information supplied by the user alone; and, information verified by multiple sources is better than information that is confirmed by only a single source.

2. The Strength of the Evidence.  Quick — which is more trustworthy: a Canadian passport or a college ID card? Your provincial student number or your movie rental card number?  An email address issued by a well-recognized employer or a Hotmail address?  The identity evidence presented by people varies in quality and strength, and the registration process needs to be designed with appropriately strong identity evidence.

In Practice:

I’ve been involved with the design and implementation of multiple registration processes over the past six years, and each assignment required a careful review of identity proofing processes. (Note: There are different terms used to describe this functionality of an IdM system, including Identification and Enrolment, but for this discussion the general term ‘Registration’ will be used.)

The first step is to determine which of the four Registration levels are required.  (Frankly, Level 0 is not relevant to the implementation of an IdM system and can be ignored.)  If your solution will be enterprise in nature, or it is already known that a large number of applications will be integrated, then it is probably safe to assume that Levels 1, 2 and 3 will all be required.

Next, inventory the potential shared secrets your organization possesses.  What information do you have on file that your clients readily know or can easily look up?  Account numbers, birth dates and names are examples.  It is quite possible that both Levels 1 and 2 can be supported by data you already have in databases.  Some organizations, such as government departments, have numerous shared secrets to choose from.  Others may not know much about the user before the registration process is initiated — in these cases, in-person registration (supported by paper credentials) will likely be required for access to systems containing sensitive information.

Once you have a list of potential shared secrets and paper credentials that could be used, align them with each of Registration Levels 1, 2 and 3.  For example, a client account number might be suitable for Level 1 (in fact, it probably exceeds the requirement for Pseudo-anonymous Identity), but on its own it may not work so well for the other levels.  You may find that a combination of good quality shared secrets can help you to achieve Level 2 — the account number plus current mailing address and a recently mailed one time access code might be sufficient.  Or, you may want the assurance of in-person identity verification.  (Click here for a discussion on shared secret quality.)

Finally, for pan-Canadian’s Level 3 the information supplied (in most cases via in-person visit) needs to be corroborated by a trusted party via a separate process.  In practice, this would require verification of the presented identity evidence by a third party.

One way to do this is to first have the individual supply the evidence online.  For example, a physician could provide his professional identification number along with his name and date of birth.  Once verified against a trusted data source, the information can be sent to an administrator that works with the physician.  This administrator can confirm the registration event with the physician the next time they meet face-to-face.  Optionally, the administrator could have the physician sign a usage agreement as well.  In effect, this is a corroboration of the registration information, and should satisfy the requirements for a Level 3 process.
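The physician flow above, sketched as an added example (not code from the original post or from the pan-Canadian model). The registry contents, identifiers and function names are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a trusted data source (e.g. a professional registry).
TRUSTED_REGISTRY = {
    "P-10021": {"name": "dana okafor", "dob": "1975-04-12"},
}

@dataclass
class Registration:
    subject_id: str
    claimed: dict                          # user-supplied evidence
    verified: bool = False                 # matched against the trusted source
    corroborated_by: Optional[str] = None  # trusted party who confirmed it

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

def verify_online(reg: Registration) -> bool:
    """Level 2 step: compare the claim with the authoritative record."""
    record = TRUSTED_REGISTRY.get(reg.claimed.get("professional_id", ""))
    reg.verified = bool(record) and all(
        _same(reg.claimed.get(field, ""), record[field]) for field in ("name", "dob"))
    return reg.verified

def corroborate(reg: Registration, administrator_id: str) -> bool:
    """Level 3 step: a separate trusted party confirms the registration event."""
    # Corroboration only counts on top of a verified claim, and the
    # registrant cannot corroborate their own registration.
    if not reg.verified or administrator_id == reg.subject_id:
        return False
    reg.corroborated_by = administrator_id
    return True

def registration_level(reg: Registration) -> int:
    if reg.verified and reg.corroborated_by:
        return 3   # High: corroborated identity
    if reg.verified:
        return 2   # Medium: verified identity
    return 1       # Low: claim taken at face value
```
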

Next: Credential Strength.


Secret strength

June 2, 2008

A while back, I wrote about the three keys to a quality process for using shared secrets in establishing an individual’s identity: quantity, quality and the degree to which a secret is shared.

The quality (i.e. relative strength) of a shared secret is critically important if it is to be used to establish a credential for access to government information.  Quick, rank the following in order of declining strength:

  • a provincial student number
  • your last federal tax return refund or payment amount
  • a randomly generated PIN that is mailed to you
  • your birth date
  • your mother’s maiden name

The student number is a common identifier for the education system.  It uniquely identifies students ‘in the system’ and, in most cases, is assigned at entry into kindergarten and used right through post-secondary.  Its strength comes from its uniqueness, its ability to be independently verified, the authority that issues it (the government), and the strong processes they follow to issue and maintain the number.  However, student numbers are often displayed on report cards, certificates and countless other paper and electronic documents.  It is not difficult to find out a person’s student number.

Dollar amounts from federal tax returns are similarly unique to an individual (or, at least, the combination of the user’s name, perhaps their SIN and the dollar amount is considered unique).  The information is securely delivered to the individual’s household via Canada Post.  It is reasonable to assume that if you answer this shared secret correctly, you are the individual you claim to be — with one exception: others in your household have access to your mail and tax papers.

One-time PINs are useful in e-government applications when issued to individuals for identity assurance purposes.  Often the government will have good information on the identity of the user, have a reliable address and perhaps a request from the user to establish an electronic identity.  A PIN is created, mailed to the user and then provided by the user in a prescribed online credential creation process.  By having appropriate one-time and PIN expiry processes, the government can be reasonably assured that the individual is who they claim to be with one exception: others in the household may gain access to the correspondence containing the PIN.

Your birth date and your mother’s maiden name are both fairly common shared secrets that have the benefit of easy recall for the user, but suffer from overuse and low secret strength.  Genealogy sites, social networking sites and public records can easily be used to retrieve these ‘secrets’.  A large disadvantage to this type of secret is that it does not change — once compromised it cannot be reset to another value (unlike a password) and becomes useless.

It can be seen that none of these mechanisms allow for absolute assurance — and really, without a strong in-person verification there will always be gaps.  However, several online implementations have been successful by combining shared secrets of different strengths when establishing the identity and by notifying the user when the process was executed.  For example, if you wanted to mail the user a PIN but there is concern that it could be used by someone else in the household, two mitigating processes could be used:

1. Send the user a follow-up notice (letter or email or both) when the PIN is consumed thereby alerting them if they had not performed the process themselves; and/or

2. Combine the PIN with additional shared secrets.  A student number and a PIN and one’s birth-date and a previous course mark is a difficult combination to crack, even by someone in the same household.

Striking a balance between the quality and quantity of shared secrets, and introducing a confirmation notice, are the keys to establishing workable online identity assurance solutions.
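A sketch of the two mitigations combined, as an added example rather than code from the original post: a mailed one-time PIN that expires, must be presented together with the other shared secrets, and queues a follow-up notice when consumed. The class name, the 14-day expiry and the three-failure lockout are assumptions.

```python
import hashlib, hmac, secrets, time

PIN_TTL_SECONDS = 14 * 24 * 3600  # assumed expiry window for a mailed PIN
MAX_FAILURES = 3                  # assumed lockout threshold

def _digest(value, salt):
    # Store only salted digests of the PIN and the shared secrets.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 100_000)

class PinRegistry:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}   # user_id -> pending registration record
        self.notices = []   # follow-up notices queued for letter/email

    def issue(self, user_id, shared_secrets):
        pin = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._issued[user_id] = {
            "salt": salt,
            "pin": _digest(pin, salt),
            "secrets": {k: _digest(v, salt) for k, v in shared_secrets.items()},
            "expires": self._clock() + PIN_TTL_SECONDS,
            "failures": 0,
        }
        return pin  # printed in the mailed letter, never stored in clear

    def redeem(self, user_id, pin, answers):
        rec = self._issued.get(user_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["failures"] >= MAX_FAILURES:
            del self._issued[user_id]  # expired or locked: a new PIN must be mailed
            return False
        ok = hmac.compare_digest(_digest(pin, rec["salt"]), rec["pin"])
        for name, stored in rec["secrets"].items():
            # Check every secret even after a mismatch so the caller
            # cannot learn which one was wrong.
            supplied = _digest(answers.get(name, ""), rec["salt"])
            ok = hmac.compare_digest(supplied, stored) and ok
        if not ok:
            rec["failures"] += 1
            return False
        del self._issued[user_id]  # one-time use: consumed on success
        self.notices.append((user_id, "Your registration PIN was used."))
        return True
```
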

Mike


Security and Secrecy Quotes

May 17, 2008

On security:

“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.” Bill Gates.  Factoid: Gates and his teenage classmates were banned from using a PDP-10 timeshare computer after the operator of the system caught them exploiting flaws in the operating system to gain extra computer time…

On viruses:

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.” Stephen Hawking.

On secrecy:

“The very word ‘secrecy’ is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths, and to secret proceedings.” John F. Kennedy, 35th US President.  Interesting that JFK’s administration was involved in a CIA overthrow of Iraq.

