Tell me more about AGS Security Partnership

January 2008

What to Look for in an Online Security System


When you buy a rope, it comes tested for tearing strength, which you can count on. A tire comes with a money-back mileage guarantee. But what do you get when you install an anti-theft system? If a hacker gets through, do you have any recourse vis-à-vis that vendor?

Security consumers trying to sort out vendors' products need a standard, a metric, to go by. Of course, one could turn to X.800, "Security Architecture for Open Systems Interconnections," issued by the International Telecommunication Union (ITU), Telecommunication Standardization Sector. Alas, this abstract standard is hardly a comparative tool (and barely readable). Let's develop a more down-to-earth list:

A good identity-theft countermeasure should be:

  • Secure;
  • Unburdensome;
  • Mutual;
  • Capable of minimum false-rejection;
  • Recoverable;
  • Delocalized;
  • Timely;
  • Cost Effective;
  • Scalable;
  • Session Re-invokeable;
  • Capable of duress communication.

Let's talk about these attributes:

    Security: Typically, security vendors protect you against last year's hack, totally ignoring the fact that hackers move on and devise new exploits. The latest approach is to rate security systems by appraising the effort to tear them down. Implicit in this approach is the notion that every security system built by humans can be compromised by humans. Enumerate all the conceivable attack scenarios, and show that each of them can be handled by the system.

    Unburdensome: The product must be easy, simple, and straightforward for the user, while requiring little in the way of schooling or time. It should avoid a requirement to lug along a secure device. If you need to have your cell phone ready to log on, for example, you are shut out if you don't have it with you, or if you just switched. The same goes for tokens and fobs, which you might lose or misplace.

    Mutual: It stands to reason that an identity-theft protocol should accomplish the authentication process both ways. Unfortunately, today's products allow the service provider to authenticate the user, but fail to assure the customer that he is talking to the service provider, rather than spilling his guts before a hacker's site.

    Minimum false rejection: A recent authentication trend is to base decisions on soft behavioral parameters. While it appears helpful, it also runs the risk of rejecting bona fide customers who for some reason do something uncharacteristic. A good system would keep the hackers out, but not close the door on legitimate customers.

    Recoverable: Should you lose your PIN, or ID string, it should be easy to recover from this loss or theft and re-establish secure communication. This requirement comes to mind when considering biometrics for this purpose. If you compromise your fingerprint data, it's difficult to acquire a new thumb.

    Delocalized: People take trips, operate from vacation sites, and log on from a friend's house. A good product would allow customers to exercise their security protocol from any location and from any computing device. Some products rely on cookies, and even hardware, that tie the user to his home or office computer.

    Timely: Similar to the former attribute: people need the comfort of 24/7 access. So, if you need a human operator, that might pose a problem.

    Cost Effective: The cost of setting up and fielding the system must be acceptable in light of its purpose.

    Scalable: You may start with a solution that manages 1,000 customers, but some day you may need to apply the same to 10,000 individuals. Your solution should be able to accommodate this growth. Scalability also relates to sliding security metrics. If hackers become more resourceful, or for any reason your assets become a juicier target, you will want a product that can slide up the security barrier and match the growing threat.

    Session Re-Invokeable: The state of the hack-art is a pesky little software packet residing in the customer's computer, waiting to ambush a customer-bank session. Once in, it empties a bank account or performs a similar fraud. No matter how secure the authentication protocol, the theft happens in a session that was properly authenticated. To counter this threat, it is necessary to be able to activate the system at will throughout the contact session.

    Duress Communication: People occasionally access their bank account under undue pressure or coercion. It would be nice if the protocol allowed the customer to communicate his or her duress without raising the suspicion of the coercer. Some new products offer just that.

    You might opt to construct a table with the above attributes and rate your candidates accordingly. Which of these attributes counts the most? This, my friend, is a question where each institution is on its own!
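
The Session Re-Invokeable requirement above, sketched as an added example (not from the original article or any vendor's product): a session that re-invokes authentication before each sensitive action. The shared-secret HMAC, the SENSITIVE action set, the Session class, and binding the answer to the action's details are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed policy: actions that re-invoke authentication inside a live session.
SENSITIVE = {"transfer", "add_payee"}

def respond(secret, challenge, action, detail):
    """Customer-side answer. HMAC is a stand-in for the deployed auth protocol."""
    msg = challenge + b"|" + action.encode() + b"|" + detail.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Session:
    """An already-authenticated session (hypothetical server-side object)."""
    def __init__(self, secret):
        self._secret = secret
        self._pending = {}   # challenge -> (action, detail); single use
        self.log = []        # actions actually executed

    def request(self, action, detail):
        """Run a low-risk action, or return a fresh challenge for a sensitive one."""
        if action not in SENSITIVE:
            self.log.append((action, detail))
            return None
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = (action, detail)
        return challenge

    def confirm(self, challenge, answer):
        """Execute the pending action only if the answer covers its exact details."""
        pending = self._pending.pop(challenge, None)  # one attempt per challenge
        if pending is None:
            return False
        expected = respond(self._secret, challenge, *pending)
        if not hmac.compare_digest(expected, answer):
            return False
        self.log.append(pending)
        return True

def demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    s = Session(secret)
    s.request("view_balance", "")
    approved = "to=ACME;amount=50"  # what the customer saw and approved
    c1 = s.request("transfer", approved)
    ok = s.confirm(c1, respond(secret, c1, "transfer", approved))
    c2 = s.request("transfer", "to=OTHER;amount=5000")  # altered in-session
    altered = s.confirm(c2, respond(secret, c2, "transfer", approved))
    replayed = s.confirm(c1, respond(secret, c1, "transfer", approved))
    return ok, altered, replayed, s.log
```

Calling demo() shows the approved transfer executing, while the altered request and the replayed confirmation are both refused even though the session itself was properly authenticated.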