Analytics
9/29/2013
03:50 PM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Commerce In A World Without Trust

The trust model underlying online commerce has been threatened by the constant attacks on information providers used to authenticate consumers. Is the Internet as secure as it needs to be anymore?

Trust is kind of a squishy concept. If you refer back to the definition from our pals at Merriam-Webster, trust is the "belief that someone or something is reliable, good, honest, effective, etc." Reliable? Honest? Sounds great, right?

Our world of increasingly frequent online commerce is based on trust. Your merchants need to trust that you are who you say you are. You trust you're dealing with the legitimate merchant/vendor that you think it is. Ultimately the entire process depends on trust that your transaction will be accepted and that, at some point, you'll receive goods or a service in exchange for your payment.

Of course, fraud has existed since the beginning of time. Identity theft makes it difficult for merchants to know who is actually buying something. Site scraping and phishing make it difficult for consumers to know whether the site they are using is legitimate. A third party emerged to bridge the gap and provide financial protection to both sides of the online transaction -- credit card brands (and their associated issuers) vouch for a consumer to the merchant and protect the consumer from a fraudulent merchant. For their 2- to 3.5 percent transaction fees, both merchants and consumers are _protected_ from fraud. As long as the card brands don't suffer more loss than they make in transaction fees, the system works.

But what happens when we hit the tipping point -- when we don't know who is who, and online fraud is so rampant that the models the financial institutions use to make sure they don't lose money on transactions become obsolete. If those models break down, then transaction fees could skyrocket. Or maybe they would bottom out as aggressive financials look to gain market share (we've seen that movie before). No one knows what would happen.

After reading Brian Krebs' totally awesome investigatory piece, "Data Broker Giants Hacked," we may be closer to that point than we wanted to believe. I mean, we always knew fraud was rampant, but reading about the SSNDOB service that traded in personal data takes it to another level given the recent trends in authentication technology.

I know, you're probably thinking, "What's the big deal?" ChoicePoint got popped over 10 years ago, and this is the same thing, right? Well, not so much. It turns out that many organizations (especially financial organizations) use adaptive authentication to reduce the risk of their transactions, which involves asking personal questions to validate a consumer's identity depending on what they are trying to do.

If the attackers have access to many (if not all) of these standard questions, then you can be as adaptive as you want -- you still can't be sure who is on the other end of a connection. Even better, many of the new health-care insurance exchanges rolling out in the U.S. heavily use this kind of adaptive authentication to validate citizens and offer services. Soon enough your dog may be online buying health insurance from one of these exchanges (though I'm not sure if there will be checkbox for ringworm on the medical history page).

If we live by the old adage that the Internet is as secure as it needs to be, we need to question whether we're getting to the point where we have to reset expectations of security. Do we have to fundamentally rethink our dependence on personal information for authentication, knowing full well that this data is easily accessible and not really a secret? Remember the old days when the Social Security number was a primary unique identifier and something you had to protect at all costs? Pete Lindstrom was early to point out the misplaced reliance on the SSN since it's neither unique nor hard to get for an attacker. It turns out he was right, and now we should be asking the same questions about all of this other personal information. Are your previous addresses and mother's maiden name becoming as useless as the SSN?

If you think about alternative technologies, we've learned that biometrics will be a tough sell, as evidenced by Apple's TouchID technology, so we'll need to expect pushback about centrally storing biometric information. Do the financial institutions just jack up their shrinkage estimates and adjust transaction fees accordingly? Do consumers become more aware and go back into brick-and-mortar stores? Although it's not like personal data captured in the physical world has proved any more secure.

Some days I wish my crystal ball were back from the shop. If I had to bet, I'd bet on Mr. Market gradually adjusting transaction fees until it's too expensive to do online commerce, and that will result in a wave of new security/authenticity technology to make the Internet once again "as secure as it needs to be" and restore balance to the Force that is online commerce. Until then, monitor the crap out of your financial accounts because you can't trust anyone or anything nowadays.

Mike Rothman is President of Securosis and author of the Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
10/3/2013 | 1:09:04 PM
re: Commerce In A World Without Trust
there are a few thing you have to get straight before you can discuss the issue.
first off the majority of computer crime is accomplished using un-authorized programming. rats, trojans, sql injection, xss, and the like, 'computer virus' in common terms.

substitution of biometrics for passwords won't affect the business of computer virus: hackers use the victim's credentials to do their mischief -- after the victim has supplied their credentials and logged on . all that it will accomplish is to reduce anonyminty -- which is a separate issue. there's a time and a place for it just as there is a time and place for actual identifications ..

as a result it is necessary to get better control over computer updates -- and particularly -- the activities of programs that access the open internet. you might think this is only your browser, but think again. you download an e/mail and the attachment - e.g. and office document -- can contain an infection embedded in a flash object or as a script. music players often connect to the net to get art and lyrics

programs accessing the internet -- under the authority of your logon credentials -- generally -- have unrestricted access to all your documents, music, pictures, and videos, correspondence, and other libraries. unless you have applied a program such as apparmor onto the application against this hazzard.

computers generally have been developed using old manual paper and pen based processes as their model. this is not appropriate in the new network based environment -- where there are no homes, offices, or file cabinets which can be secured.

the computer industry has rushed us into this new network environment with little thought or concern for its many implications . only for how fast they can grab the almighty dollar .

now we have to fix it. and that starts with a clear picture of the actual situation.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.