Monday, November 7, 2011

Banking on web security

People do care about web security.  There are highly competent full-time professionals in the field.  There are conferences on the subject on a regular basis.  You'll see them in the press -- Experts Meet to Fix Security on the Web.

And yet, in large part because the problems to be solved are hard and involve significant non-technical factors, there is no shortage of things that could stand to be fixed.
  • Authentication is a mess.  For the most part, we have passwords and security questions.  I've griped about this before, multiple times, and I'm sure I'll gripe about it again.
  • Identity is a mess.  Everyone has scads and scads of identities -- logins here, there and everywhere. They can easily get confused ("That wasn't me, that was some other David Hull!").  There's no good way to say two random identities are or aren't the same.  I've griped and speculated about this before, too, and I expect I'll have more to say on that, too.
  • Anonymity is problematic.  Everything you do on the web leaves traces, but unless you're paying extremely close attention you generally don't know exactly what kind, or whether they can be tied to your identity (whatever that is).
  • Network infrastructure is scary.  HTTPS with certificates is widely deployed, and most people probably at least know that some sites are "secured" and some aren't, but many fewer understand (or should need to understand) details like signatures, secure hashes and certificate authorities, or what can fail and what's less likely to.  Did I mention DNS?
  • PCs are scary.  Viruses, rootkits, system crashes ... some platforms are better designed than others, but nothing's perfect.
  • The cloud has its own problems.  Who owns what you put there?  Who's liable if data is lost or compromised?  Who can see what?  Who can see who sees what?
  • Spam is a perennial problem, not helped by any of the above.
I could go on, but if it's so bad -- and it is -- how does it work at all?  People continue to be able to use credit cards both online and in person, people continue to email and text each other all sorts of sensitive information, people continue to turn to the web for all sorts of vital information.  Clearly Bad Things can happen to a person on the web, but just as clearly it's not bad enough often enough to put people off the web entirely.  Far from it.

My guess is that banks have a lot to do with it, at least in the US.  In particular:
  • Banks handle liability.  If someone steals your credit or debit card, whether physically or online, you can tell your bank and generally they will make sure you don't have to pay for things you didn't buy.  That's oversimplified, and there are certainly cases where that simple process has turned into a nightmare, but it's still a vital part of getting people to do business confidently online.
  • Bank cards provide a de facto stable identity.  If you're buying something from my web site, I do care who you are (well, I would, and stores in general do seem to care what their customers are up to), but I certainly also care that your payment is going to go through.  To some extent I'm talking to you, but I'm also talking to your bank account.
On the first point, you're not responsible for keeping your bank accounts absolutely safe.  You're responsible for taking reasonable precautions, so that if someone does get hold of your account number and misuses it, they're clearly at fault (the usual "I'm not a lawyer" disclaimer applies here).  Putting the rest of the burden on the banks and legal system is a large part of what keeps the wheels turning.

On the second point, if I shop at store A and store B, it's important that my bank knows that those purchases both come out of my account, and I know that I'm the same person in both cases (at least on a good day).  It's less important that store A and store B know I'm the same person.  There may even be cases where I'd rather they didn't know.

In short, security and identity matter when money is at stake, in which case your accounts serve as your identity and you have legal protections that predate the web.

Security and identity also matter where reputation is at stake, that is, in the social realm, be it email, social networks, Twitter or whatever.  The landscape is different there, but it's worth noting that most accounts and identities, including your bank accounts, don't play into that much.  If someone compromises my account at, they might be able to have a truckload of widgets sent to my address at my expense, but they won't be able to say embarrassing things about me on this blog.  Likewise if they compromise my bank account, though that would of course be bad for other reasons.

If you buy that, then you should make sure to use strong unique passwords and unique security questions for your bank accounts, your email accounts and your major social accounts, and use better security than that when it's available.  How much to worry about other accounts depends on how closely they're tied to the accounts that matter.  For example, if your city's online parking ticket paying site doesn't remember credit card numbers or your nefarious history of overparking, you probably don't care as much about security there.

