Friday, September 24, 2010

Blockbuster, RIP

Back during the Madness, a neighbor happened to mention a new service that would let you rent DVDs online.  This was around the same time as eToys and WebVan, back when one could look at a preposterous business plan and think "Well, maybe I'm missing something."  Nonetheless it seemed a bit unlikely that people would want to wait for DVDs to arrive in the mail when they could just hop over to the local Blockbuster.  I didn't give the idea much of a chance.

About a decade later, Netflix is still going strong and Blockbuster has just filed for bankruptcy, sending its stock from about $0.06 to around $0.04.  That's a typical "oh look, you can too fall through the floor" dot-bomb performance and, sadly, not too much of a surprise.  I literally don't remember the last time I set foot in a Blockbuster or heard someone say "Oh, I'll rent it at Blockbuster".  For that matter, I'm still not sure when I last bought a DVD.  The only reason even to rent a DVD is that it's not available online cheaply enough.  My Netflix subscription, however, is still going, albeit at the minimum rate [and it's still alive and well ... the new "smart TV" in the bedroom has Netflix built in with a button for it on the remote control, and Netflix seems to be doing pretty well following the HBO playbook in moving from supplying movies to producing original content --D.H. Dec 2015].

The winner here, of course, is online video (provided you include video on demand).  The loser is physical video (tape and DVD, but with movie theaters in a separate category).  Netflix would likely be in the same boat as Blockbuster had it stuck to mailing DVDs and conversely Blockbuster might have survived had Netflix not beat it to the punch online.

So there you have it: Convergence and the web winning decisively over the old bricks-and-mortar model.  It really did happen.  Just years later and only in an industry that's essentially been selling bits all along.

Monday, September 6, 2010

More reading on identity

As a companion to the previous post, Joe Andrieu's blog, apart from its own merits, is also a fine jumping off point into a whole community of people thinking long and deeply about such things as what identity means on the web and how to empower* people to take charge of data.  The immediately relevant post is Self-managed Identity, itself part of a series Introducing User Driven Services.


* I generally cringe when I hear words like "empower," but I use it here because I believe it's appropriate and they really mean it.

The cry of the squeamish ossifrage

I think I got rid of the old Scientific American issue years ago, but I still remember reading about the RSA public key cipher in Martin Gardner's Mathematical Games in 1977 (August, to be precise).  Thirty-three years later, RSA is still in use, providing a secure means of encrypting and signing digital data (unless someone has figured out a way to crack it and is sitting very, very tightly on the secret).

In particular, it can be used to verify that only someone in possession of a particular secret key, generally a several-hundred digit number, could have produced a particular block of bytes.  If you visited a site whose URL started with "https://", for example your bank, your browser most likely used RSA in the process of satisfying itself that it really was talking to the right server.

So why is authentication such a mess?  Why does resetting a password require anything from coming up with the name of a cat to providing a working email address to providing several pieces of information and then getting a phone call?  Why do some sites want the three-digit code on the back of your card and some not, and how is adding three more digits that you end up handing out to all and sundry helping the situation?  Why hasn't OpenID or some other knight in shining armor been able to rescue us?  Why do we still use passwords for anything besides locally decrypting the key to a real authentication system?  How do you even know I wrote this?

I don't really know, but if I didn't have some guesses I probably wouldn't be writing this, now would I?

First, what would a really seamless authentication system look like?
  • It would allow for multiple identities.  Maybe I just haven't caught on to the whole every-waking-moment-of-your-life-available-online thing, but I would rather keep my work identity separate from my blogging identity separate from my personal email separate from my bank accounts.  Not to mention my identity as an international man of mystery.
  • It would allow the same identity to work multiple places.  This is not the same as giving N different sites the same username and password.  Your username doesn't belong to you, whereas a real identity does.  Anybody can choose your favorite username if they happen to get there first.  It's also not the same as letting your browser keep track of a bunch of username-password pairs and putting a master password on all of them.
  • It would minimize the number of tokens needed for an identity, and each token would be there for a clear reason.  If the token is a password, fine, but it should be a password, not a password and two or three "security questions."
  • It would use current best practices.  It's risky to use anything too new when it comes to security technology, and unless you're No Such Agency or the like it's madness to try to create your own, but there are plenty of well-established road-tested security techniques available.
  • It should be portable, both physically (like the "pocket-thing") and across sites.  Ideally, registering with a new site means registering the token(s) for the appropriate identity.
  • It should be as completely under the identified individual's control as possible.
What actually happens?  Something along these lines, I think:

Suppose I have some sort of digital certificate that I can use to identify myself.  Properly used, this could satisfy the requirements above, perhaps together with some sort of physical token, like a smartcard.  Any really secure authentication system, including a smartcard, is going to have some such certificate in it somewhere.

Since it costs money to have a major certificate authority (CA) vouch for a certificate (by signing it), certificates used by individuals in practice tend to be "self-signed", or signed by members of a "web of trust" instead.   That's fine for some purposes, but not for doing business with a bank.  If it's not good enough for the banks, it's probably not good enough for your utility company either.

In theory, you could establish your identity with a bank and then get them to sign a certificate to that effect, which your utility company might choose to trust, but that basically puts your bank into the CA business, not one they're necessarily keen to get into.  In practice, each company would rather control the process, typically asking for an account number off a paper statement to get the ball rolling.  Each entity has its own customer ID system for the account number, and usernames are potluck, so you end up with (at least) one semi-identity for each company you do business with.

In the wild-and-woolly world of pure web sites, where you don't already have a customer id when you sign up, there doesn't seem to be any strong push to move beyond the usual username-password system. Everyone's used to it.   Switching would mean re-doing the login screen, at the least, with new and less-familiar technology, then convincing your users to go along with it.  If it ain't broke don't fix it.

Since an authentication scheme is only as strong as its reset mechanism, there are basically two schemes in wide use:
  • An identity is a working email address
  • An identity is a couple of "security questions" and answers
If I had to choose, I'd take the former, but it's not much of a choice.

Thursday, September 2, 2010

Online customer service, only without the service

I don't generally like to criticize customer service reps.  It's a thankless job.  However, this particular one might have been a little more careful with those boilerplate macro keys.  It would be helpful, also, if SomeCompany's system would allow a password reset* given:
  • Account number
  • Username, being the service provider's home-grown email address for the customer
  • Customer's personal email address
  • Customer's full name and home address
  • Last four digits of customer's SSN
  • Customer's home phone number
  • IP address associated with the account (from which the system was already able to find the username)

It's sort of a division of labor anti-pattern. A human and a computer working together end up more obtuse than either alone.  Offering the customer the service the customer can't log into and the chat support that didn't help is a nice parting touch.

What follows is an anonymized and lightly edited transcript of an actual customer chat sent by one of my "army of stringers, researchers, fact-checkers and miscellaneous hangers-on."


Problem: Trying to sign in; need password

Hello Customer, Thank you for contacting SomeCompany Live Chat Support. My name is Service Rep. Please give me one moment to review your information.  I'm ready to assist you today. How are you doing by the way?

Fine, thanks.

Nice to know that you are doing good.

I was trying to log in to your service


As what I have understood, you would like to have your password for you to sign in right?


Yes.  I thought I'd already set up an account and your website found a user name from looking at my IP address, but I can't reset the password. Also, I'd rather choose my own user name rather than use the assigned one (wemadethisup@somecompany.com), if possible.

Oh, I see.
  I understand that it is very important for you to know the password of your here.
  I also know that you would like to have your email address personalized and change it.
  There is no need to worry since as your service representative today, I want you to know I am more than willing to help you today with your issue. I can assure you that we can have a positive resolution since we will be working on this together.

Here’s what I can do, Since your password is not allowing you to log in, and since we do not store our customers’ passwords, I can give you a randomly system generated password would that be okay?

That would be fine, thanks


Alright. Please allow me to pull up your account information so that we can resolve it in the most efficient way possible. I will be verifying security information to protect your account privacy. May I please have the account number, account holder's full name, home address, and the last 4 digits of your SSN?

<Customer gives the information>

Thank you.
  May you also verify your phone number and the Email address that you are using?

<Customer gives phone number and personal email address>

Thank you.
  I am referring to the SomeCompany email address that you would like to reset the password.

I don't use SomeCompany for email, so that address is only useful to me as the login ID.  I'm not set up to check that account and I would rather not have to be.  But I think you mean wemadethisup@somecompany.com.

Thank you.  While waiting, I will share with you a feature of SomeCompany that you can truly benefit. Are you aware of the customer self-help on SomeCompany.com? SomeCompany.com has an extensive series of Frequently Asked Questions (FAQs) that cover all of our products. Customers do not have to sign in to access the FAQs. Quick steps to do it...Open a web browser window and go to http://www.somecompany.com/. On the home page, the navigation menus are on the left side of the window and click on Customers then Help and Support.


I have already pulled up your account.

I don't think the FAQ will help.  Please just reset the password.


Okay. 
  Now, for the password, since we do not keep it for security reasons, I can reset it and provide you with a randomly generated one. Do not worry about changing it because you would be able to change it to your preferred password once you are able to log in. Would that be okay with you?

Yes, please.

Sure, now for me to push through the process and reset your password, may you please give me your security pin?

I don't remember setting a security PIN.

A security pin is like a password to your account. This will be sent via a postal mail to you, a few weeks after your service is started. It is a 4 digit number.   May you please try to check your postal mails?

OK.  I might have the mail somewhere.  I have no idea where.
 [time passes] Sorry, I can't seem to find anything.

Since you have not provided the Security pin, in order to push through with this process, I would have to call you right now on your phone number to authenticate. Would that be okay with you?

Unfortunately, no.  My kids are sleeping.
  Perhaps I should try again during the day?

Yes, you may always contact us. 
 We are available 24/7, Customer.

So there's nothing else you can do?

Customer I really know how important it is to have your password. I would like to apologize however, we need to call you to authenticate so that we can reset your password.

OK. I'll try again during daytime hours.

Thank you so much for your time, Customer.

[time passes]


Customer, here’s what we have done on this chat today, I have assisted you with your SomeCompany inquiry on resetting your password however we need to call you to authenticate.
 Customer, it has been my pleasure serving you today and I truly appreciate your understanding and cooperation. Do you have other concerns for me today? I will be glad to assist you further.

No, that will be all, thank you.

We strive to exceed your expectations and hope that you will take a moment to complete the 3 question survey that will follow our interaction, your feedback will help us to continue improving how we serve you. 
 Do you want to use our service? Go to http://www.somecompany.com. Thank you for choosing SomeCompany as your service provider and have a great day! SomeCompany appreciates your business and values you as a customer. Our goal is to provide you with excellent service. If you need further assistance, you can chat with one of our Customer Support Specialists 24 hour a day, 7 days a week at http://www.SomeCompanySupport.com



* Actually, SomeCompany is probably right to want better authentication.  It's quite possible that someone, say, found their neighbor's bill, with the account number, and leeched onto their non-secured WiFi or used other chicanery so as to connect from the right IP address and thence obtain the user name.  It's conceivable that such a person also somehow happened to know the customer's personal email address and last four digits of the SSN.

Calling the phone number of record (which the customer was challenged to give and the service rep is able to verify) would raise the bar significantly.  Likewise, assuming the snail mail with the PIN didn't also have the account number, the would-be thief would have had to steal two separate pieces of mail, typically delivered on different days.

The annoyance here is that the stronger authentication is strong on its own.  That is, "Tell me the PIN we mailed you" is about as secure as "Tell me the PIN we mailed you and several pieces of not-too-hard-to-find information." and "So you want a password reset?  Let me call you at the phone number listed on the account." is about as secure as "Tell me several pieces of not-too-hard-to-find-information and I'll call you on the phone number listed on the account."  Unfortunately, Service Reps are generally required to go through the whole account verification cha-cha-cha before doing anything meaningful.

One wonders, though, why this bundle of not-too-hard-to-find information is good enough to let the customer access the account information, but not good enough to let the customer use the service itself.

Wednesday, September 1, 2010

A belated Happy Birthday

Yikes, this is a bit casual even for the new, even-more-casual Field Notes [Heh ... I think the current record is now 27 Aug to 14 Dec 2015, which would include a Field Notes birthday -- D.H. Dec 2015].  For months I'd realized that post 500 and the third anniversary of the first Note would come close together, but I got so caught up in spinning up the new blog after post 500 that I forgot all about the date, even though I posted just one day afterwards.

In the new spirit of apathy, I won't hold forth as I did in years past, but I would at least like to note the occasion, if only a bit after the fact.