Analytics
9/29/2013
03:50 PM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Commerce In A World Without Trust

The trust model underlying online commerce has been threatened by the constant attacks on information providers used to authenticate consumers. Is the Internet as secure as it needs to be anymore?

Trust is kind of a squishy concept. If you refer back to the definition from our pals at Merriam-Webster, trust is the "belief that someone or something is reliable, good, honest, effective, etc." Reliable? Honest? Sounds great, right?

Our world of increasingly frequent online commerce is based on trust. Your merchants need to trust that you are who you say you are. You trust you're dealing with the legitimate merchant/vendor that you think it is. Ultimately the entire process depends on trust that your transaction will be accepted and that, at some point, you'll receive goods or a service in exchange for your payment.

Of course, fraud has existed since the beginning of time. Identity theft makes it difficult for merchants to know who is actually buying something. Site scraping and phishing make it difficult for consumers to know whether the site they are using is legitimate. A third party emerged to bridge the gap and provide financial protection to both sides of the online transaction -- credit card brands (and their associated issuers) vouch for a consumer to the merchant and protect the consumer from a fraudulent merchant. For their 2- to 3.5 percent transaction fees, both merchants and consumers are _protected_ from fraud. As long as the card brands don't suffer more loss than they make in transaction fees, the system works.

But what happens when we hit the tipping point -- when we don't know who is who, and online fraud is so rampant that the models the financial institutions use to make sure they don't lose money on transactions become obsolete. If those models break down, then transaction fees could skyrocket. Or maybe they would bottom out as aggressive financials look to gain market share (we've seen that movie before). No one knows what would happen.

After reading Brian Krebs' totally awesome investigatory piece, "Data Broker Giants Hacked," we may be closer to that point than we wanted to believe. I mean, we always knew fraud was rampant, but reading about the SSNDOB service that traded in personal data takes it to another level given the recent trends in authentication technology.

I know, you're probably thinking, "What's the big deal?" ChoicePoint got popped over 10 years ago, and this is the same thing, right? Well, not so much. It turns out that many organizations (especially financial organizations) use adaptive authentication to reduce the risk of their transactions, which involves asking personal questions to validate a consumer's identity depending on what they are trying to do.

If the attackers have access to many (if not all) of these standard questions, then you can be as adaptive as you want -- you still can't be sure who is on the other end of a connection. Even better, many of the new health-care insurance exchanges rolling out in the U.S. heavily use this kind of adaptive authentication to validate citizens and offer services. Soon enough your dog may be online buying health insurance from one of these exchanges (though I'm not sure if there will be checkbox for ringworm on the medical history page).

If we live by the old adage that the Internet is as secure as it needs to be, we need to question whether we're getting to the point where we have to reset expectations of security. Do we have to fundamentally rethink our dependence on personal information for authentication, knowing full well that this data is easily accessible and not really a secret? Remember the old days when the Social Security number was a primary unique identifier and something you had to protect at all costs? Pete Lindstrom was early to point out the misplaced reliance on the SSN since it's neither unique nor hard to get for an attacker. It turns out he was right, and now we should be asking the same questions about all of this other personal information. Are your previous addresses and mother's maiden name becoming as useless as the SSN?

If you think about alternative technologies, we've learned that biometrics will be a tough sell, as evidenced by Apple's TouchID technology, so we'll need to expect pushback about centrally storing biometric information. Do the financial institutions just jack up their shrinkage estimates and adjust transaction fees accordingly? Do consumers become more aware and go back into brick-and-mortar stores? Although it's not like personal data captured in the physical world has proved any more secure.

Some days I wish my crystal ball were back from the shop. If I had to bet, I'd bet on Mr. Market gradually adjusting transaction fees until it's too expensive to do online commerce, and that will result in a wave of new security/authenticity technology to make the Internet once again "as secure as it needs to be" and restore balance to the Force that is online commerce. Until then, monitor the crap out of your financial accounts because you can't trust anyone or anything nowadays.

Mike Rothman is President of Securosis and author of the Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
10/3/2013 | 1:09:04 PM
re: Commerce In A World Without Trust
there are a few thing you have to get straight before you can discuss the issue.
first off the majority of computer crime is accomplished using un-authorized programming. rats, trojans, sql injection, xss, and the like, 'computer virus' in common terms.

substitution of biometrics for passwords won't affect the business of computer virus: hackers use the victim's credentials to do their mischief -- after the victim has supplied their credentials and logged on . all that it will accomplish is to reduce anonyminty -- which is a separate issue. there's a time and a place for it just as there is a time and place for actual identifications ..

as a result it is necessary to get better control over computer updates -- and particularly -- the activities of programs that access the open internet. you might think this is only your browser, but think again. you download an e/mail and the attachment - e.g. and office document -- can contain an infection embedded in a flash object or as a script. music players often connect to the net to get art and lyrics

programs accessing the internet -- under the authority of your logon credentials -- generally -- have unrestricted access to all your documents, music, pictures, and videos, correspondence, and other libraries. unless you have applied a program such as apparmor onto the application against this hazzard.

computers generally have been developed using old manual paper and pen based processes as their model. this is not appropriate in the new network based environment -- where there are no homes, offices, or file cabinets which can be secured.

the computer industry has rushed us into this new network environment with little thought or concern for its many implications . only for how fast they can grab the almighty dollar .

now we have to fix it. and that starts with a clear picture of the actual situation.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.