Can we really rely on our mothers’ maiden names to continue to secure our personal information? asks our regular contributor Mike Gillespie.
I wanted to take a look at some of real impacts from data breach that affect us all. When I started thinking about it, it boiled down to our attitude and expectation on challenge and response security. How up to date is our thinking about challenge and response security? If you are unfamiliar with that terminology, you may know it better as the ‘security question’ and it normally involves your mother’s maiden name, a pet name or sometimes, information as personal as your National Insurance (NI) number.
So setting up internet shopping accounts, online banking and a variety of other online activities require this extra layer of security, but is it genuinely secure? If your security question is the same across a range of sites and platforms, if it is breached in one place then your accounts across the platforms on which you have used that response, will also be vulnerable. They will be vulnerable in the same way that using the same password across sites will render a greater range of risk in the event of a data breach; the criminals can simply try the password across sites. We are often asked or indeed forced into changing passwords for a site or service that has been breached, but changing that password everywhere you have used it, is just as important. Security questions are often configured as a select and click option from a drop down menu. Everyone has the same choices and so those who seek to gain access to accounts will also be aware of what the questions are. Hopefully you can see where I am going with this … some careful research on one individual may give you the information required to access multiple accounts and in a very short time. It might be a numbers game and the criminals may need to go through many accounts but think about it. If you have complained to your bank on social media, they know who your bank is. If you have talked about your pet on Facebook, they know your pet’s name, probably when you got it and what your kids are called. If you were unfortunate to have been caught up in any of the Yahoo! breaches, your security answers will be well known by now. If your details were part of the VTech breach the same thing applies. In fact, your children’s details may have been taken, so that when they emerge into the adult space key pieces of information needed to build bank accounts etc, may well already be known to criminals. This leads me to wonder about potentially rising levels of identity theft in young adults, enabled by breaches that happened when they were still children.
Consider then the use of more sensitive and supposedly secure items of information such as the NI number. This is actually quite widespread when dealing with HMRC and other Government Departments, being used as a security challenge which will allow access to some of our very sensitive personal information, our tax affairs and indeed our very legal identities, utilising your NI number as validation in the same way you may use your first pet’s name. In 2007, HMRC lost two data CDs which were carrying 25m tax records. This included personal details such as, bank account, NI number and children’s date of birth (DOB) as this data was related to child benefit payment.
Rather worryingly, ten years on and we are still using information we know has been compromised and compromised for a long time, to validate our identity.
And what of our children? Again, we can see DOB required when our children reach an age to start applying for credit or setting up bank accounts. Are the current systems inadvertently enabling fraud by continuing to use these details as security challenges, knowing they may have already been compromised and could potentially be used for criminal activity like identity theft or money laundering? What is the knock on effect for our children in this situation? There are many difficult questions around this and we should probably have started this debate some time ago and mandated the move to other, more robust and reliable forms of security challenge. We cannot afford to be short sighted about this issue and as long as people have a digital life, they need to know more about the way their information is protected but also think about the platforms they are using and the information they are sharing.
As security professionals, it is up to us to be well informed and proactive in challenging the status quo when it comes to digital resilience. We should be encouraging people to go to their digital service providers and platforms, like banks for instance and ask them to justify their use of potentially compromised information, as part of an outdated security validation methodology. Maybe getting these platforms and service providers to understand users will vote with their feet and wallet when they see their security is not taken seriously, is the way to get the debate started. At the very least, encouraging users to consider this particular practice when performing their own basic risk assessment, before using a particular technology, has to be a given behaviour for us as security professionals. It is up to us to spark and grow the debate.
About the author
Mike Gillespie is Managing Director of information security consultancy Advent IM; visit http://www.advent-im.co.uk/about-us/advent_im_what_makes_us_tick/.
See also the company’s blog.
Mike is a board member of the Security Institute.
