Digital Identity Is Broken. Can We Fix It?

By ISB Editorial Staff, December 8, 2016

While we have all been enjoying a life online, an awkward truth threatens to wreck everything. It is this: a password is the same irrespective of who enters it. This means that when an organisation asks for passwords or other ‘memorable’ information for verification purposes, it is unable to tell the difference between its customer and an impostor.

So why do organisations persist in asking their customers to do something that a fraudster can also do?

Since ancient times passwords have played a role in keeping the enemy from the gates and telling friend from foe. The first use of passwords in the context of computer logins was in 1961 for an early multi-user computer system developed at MIT. Fast-forward to today, and people have to use passwords to interact with just about every supplier, government department and service on offer. Indeed, the way businesses verify customers has barely changed in over half a century.

The problem is that the dominant method of verifying people – testing their knowledge – was flawed from the outset, and it still is.

How we’ve lost our way

Given that passwords cannot distinguish between customer and fraudster, you might hope that this flaw is benign. But it’s worse than useless. By using knowledge-based authentication (KBA), organisations expose their customers to risk.

Knowledge-based authentication drives fraudsters to obtain data by whatever means they can, and then either use it to malicious ends themselves, or trade in it. Vast markets have opened up on the dark web where personal information is being bought, sold and collated, patiently tended in databases like shadow credit reference agencies. The value of this data to criminals lies in the fact that, armed with it, they can easily fool organisations. Let’s not forget that KBA is responsible for every phishing email that’s ever been sent.

The reality is that wherever access to a bank account, email account or indeed any online resource at all is controlled with a password, if you can know it, so can the fraudsters. All knowledge can be shoulder-surfed, discovered, leaked, hacked, intercepted and (ahem!) guessed.

I believe that passwords persist in part because they give people the sense they have a secret. Until, that is, an organisation gets fooled and customers are left to deal with the resulting mess. They call it identity fraud, but really it’s corporate negligence on a global scale. We live in this Kafkaesque world where we all must jump through hoops to “prove who we are”, while the practice is widely known to be little short of a complete waste of time.

It’s time to change habits

The world is in desperate need of a way to tell the good guys from the bad guys. If it’s not knowledge, then what? What if we could find a means of differentiation that is already present in the population?

The assumption has always been that you cannot see your customer online. As the famous cartoon in the New Yorker had it – on the internet, nobody knows you’re a dog. However, in the past decade this assumption has ceased to be valid. For the first time nearly everyone has a camera phone with internet connectivity. Therefore it is now possible to draw upon the tried-and-tested mechanism of visual identity, and the innate ability of people to recognise one another.

To harness visual identity is to build upon a foundation laid down over several millennia of human evolution. Using this powerful natural capability goes with the grain of everyday experience as opposed to against it. Visual identity is practised by around 7.2 billion people every day, and it manifestly works. Also, there’s no need to distribute anything – no secrets, no special hardware, or even documents.

After many attempts at fixing the problem by adding layers of complexity, we are about to turn full circle. Going back to our roots promises to make the job of the fraudster much harder, while making life much easier for the true customer. There’s an old saying, “People are the weakest link in security”. As ever, it depends on what organisations ask them to do.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.