
Personal Private Data – When, where and why?

By Jeff Deinhard posted on February 1st, 2010

A few years ago I was researching IT authentication solutions for a government agency in Seattle. Biometrics was a buzzword in the industry with social and ethical implications. My research found that it wasn’t the Biometric Authentication model itself that was causing so much churn, but rather the idea that such data could be compromised and with it a person’s identity. Identity theft was already an issue then, but the risk could be mitigated, once discovered, via a password change, new credit cards issued and a few letters to credit reporting agencies.

Biometrics presented a new problem: what you are is always you and cannot be reset.

Definition: Biometrics – any intrinsic identifier, used in this case to describe an individual to a system.

These include physical characteristics such as voice, fingerprints, hand geometry, iris and face recognition. They may also take the form of behavioral characteristics like signature, or algorithms designed to compute the rate/speed at which you type a sentence on the keyboard. Regardless of the biometric used, one thing is for certain – it is something completely unique to you. As such, the question arises: could it be stolen, and if it were, what exactly would be lost?

Identity theft here takes on a very profound meaning!

Suffice it to say that it would not be easy to steal someone else’s biometric, and the logistics of doing so are beyond the scope here. But identity theft is a real problem today, and the greater the amount of “personal private data” that is stolen, the deeper the effect of the loss and the harder the recovery. Like peeling an onion, one piece of data can lead to another, then to another, and so on.

I believe that IT administrators should follow a similar layered prevention approach when adding personal data to their systems.

When it comes to an individual’s personal information, I would divide it into three categories:

  1. Personal Public Information, data that people can learn about you from a public environment.
    1. Appearance
    2. Language spoken
    3. Car you drive
    4. etc.
  2. Personal Private Information, data that describes details about you that you want to keep private, or agreed-upon data that is needed between yourself and others to conduct a business or other relationship.
    1. Social Security Number
    2. Mother’s Maiden Name
    3. Birthday
    4. etc.
  3. Personal Authentication Information, data that describes you to an information system.
    1. Something you know:
      • Username, password or shared key
    2. Something you are:
      • Fingerprint, voice or face geometry biometrics
    3. Something you do:
      • Keyboard analytics, signature algorithms, biometrics
    4. Something you have:
      • Smart Card

Safeguarding a person’s identity via conscientious data collection goes like this: If you don’t need to know it, don’t collect it!

Risking the unthinkable

I was at a chain video rental store requesting a new account. The application form included required fields indicated by red x marks on the form. I consented to having my credit card on file and I agreed that name, address and phone number were necessary, but drew the line at Social Security Number and Mother’s Maiden Name. I refused to fill these in, and risked the unthinkable – no video store account!

They issued me the account anyway.

I believe that the “extra” data shouldn’t have been associated with my “account”. I was not requesting credit or agreeing to a credit check; in fact, a credit card was already required to set up this account. This extra data put us both at risk if it were compromised. I’m confident that this form was designed to get as much data as possible with little or no regard to what would happen if it were lost or stolen.

While researching biometric security authentication techniques, I learned that great concern over segregating Personal Authentication Data from Personal Private Data was already being discussed. The first question being asked was: what is the biometric being used for? If it is simply to authenticate to a system, how much more data is really needed about the person? I would suggest that in most instances not much, and when the model dictates it, deeper security safeguards are expected and should be implemented.

Examples:

Identity theft risk level :: Minimal

Network account (or building access): data collection just needs to be enough to associate a person with the system and nothing more. It answers the following questions: does this “entity” have permission to access the system, and if so, what can be done once access has been provided? Very little personal information is needed here, and it really should only be used for auditing.

  • Personal authentication data (2 of 3 must pass to succeed)
    • Fingerprint scan (Something you are)
      • Stored at account creation in the form of a SHA1 hash
        • Periodic re-calculation of a random sampling – system driven
    • Username and Password (Something you know)
    • Smart Card (Something you have)

  • Personal Public Data – What is really needed here?
    • Name and department information, maybe supervisor, etc.

  • Personal Private Data – What is really needed here?
    • Nothing!!!!!

  • Loss/Theft risk and recovery
    • Risk assessment – Minimal
      • Can be accessed by multiple security groups on the system for ease of account administration.
    • Recovery
      • Account reset and re-issuance of smart card fixes everything; no personal private data has been compromised and biometric data only has meaning to this account!

Identity theft risk level :: Moderate

Video store account: data collection here needs to support a simple business transaction. It answers the following questions: does this person have an active account, and if a rental is late, how do we recover payment? Aside from a credit card on file, no additional personal information is needed here, and collecting it puts both business and customer at risk.

  • Personal Public Data – What is really needed here?
    • Name, address and phone number
  • Personal Private Data – What is really needed here?
    • Optional – depending on business requirements
      • Credit card or other financially backed funding.
      • Date of Birth – to determine what can be rented.
  • Loss/Theft risk and recovery
    • Risk assessment – Medium
      • Account can be closed; minimal personal private data is at risk, with the potential for one piece of financial data to be lost, requiring re-issuance.
    • Recovery
      • Account reset and fraud report to credit institution, if needed.

Identity theft risk level :: Very High

Banking system, with or without online access. Included here to illustrate the most intrusive data collection requirements. Many questions may need to be answered for this business relationship, mandating the collection of Personal Private Data. What is the credit risk, and what data is needed to determine it? What is needed to supply federal and state financial information about the individual? What is needed to support password recoveries? Etc. Due to the risks associated with this information, data safeguarding regulations are mandated, audited and governed both internally and externally.

  • Personal authentication data (1 of 2 must pass)
    • Online (2 of 2 must pass)
      • Username or account number (Something you know)
      • Hardened password (Something you know)
    • Local Office (1 of 2 must pass)
      • Bank Card & PIN (Something you have and know)
      • Valid Identification & Signature (Something you have and are)
  • Personal Public Data
    • Name, address, phone number, perhaps more
  • Personal Private Data
    • Social Security Number
    • Password and account recovery data
      • Mother’s Maiden Name, etc.
    • Date of birth
  • Loss/Theft risk and recovery
    • Risk assessment – Very High
      • Data loss here can compromise a person’s ability to get credit, and the loss of “Personal Private Data” may enable creation of rogue credit accounts.
    • Recovery
      • Necessitates account closure and notification to credit reporting agencies.
      • Potential exists for lifetime exposure to identity theft due to the personal private data attached to the account, data that cannot be reset.

Clearly not all environments can be void of personal private data collection. While banks may need a great deal of personal data, a video store account does not. Mitigating risk is not always exciting to think about, but it is really easy to deploy when you critically answer the following question: What do I absolutely need to know about the person to safeguard my system and/or provide service to them?
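The three categories and the three risk tiers above lend themselves to a simple data-minimization review of an account form. The following is an added example, not the author’s tool: field names, the per-tier allow-lists and the two sample forms are constructed from the post’s own examples, and the “resettable” flag records whether a compromise can be undone by re-issuance (passwords and cards) or not (SSN, date of birth, what you are).

```python
# Added illustration of "if you don't need to know it, don't collect it".
# Field names, tiers and sample forms are constructed from the post's examples.
FIELD_CATALOG = {
    # field: (category from the post, can compromise be undone by a reset?)
    "name": ("PUBLIC", True),
    "address": ("PUBLIC", True),
    "phone": ("PUBLIC", True),
    "department": ("PUBLIC", True),
    "username": ("AUTH", True),
    "password": ("AUTH", True),
    "smart_card": ("AUTH", True),
    "fingerprint_template": ("AUTH", False),   # what you are cannot be reset
    "credit_card": ("PRIVATE", True),          # the issuer can replace the card
    "date_of_birth": ("PRIVATE", False),
    "ssn": ("PRIVATE", False),
    "mothers_maiden_name": ("PRIVATE", False),
}

# Personal Private Data each risk tier may collect; None = any PRIVATE field.
TIER_PRIVATE_ALLOWED = {
    "minimal": set(),                               # network / building account
    "moderate": {"credit_card", "date_of_birth"},   # video store
    "very_high": None,                              # bank
}


def review_form(fields, tier):
    """Check a proposed form against a tier. Returns (violations, permanent).

    violations: (field, reason) pairs the tier does not justify collecting.
    permanent:  collected fields whose compromise no reset can repair.
    """
    allowed = TIER_PRIVATE_ALLOWED[tier]
    violations, permanent = [], []
    for field in fields:
        if field not in FIELD_CATALOG:
            violations.append((field, "unclassified: classify before collecting"))
            continue
        category, resettable = FIELD_CATALOG[field]
        if category == "PRIVATE" and allowed is not None and field not in allowed:
            violations.append((field, f"Personal Private Data not needed at '{tier}'"))
        if not resettable:
            permanent.append(field)
    return violations, permanent


VIDEO_STORE_FORM = ["name", "address", "phone", "credit_card",
                    "date_of_birth", "ssn", "mothers_maiden_name"]
NETWORK_ACCOUNT_FORM = ["name", "department", "username", "password",
                        "smart_card", "fingerprint_template"]

if __name__ == "__main__":
    for label, form, tier in [("video store", VIDEO_STORE_FORM, "moderate"),
                              ("network account", NETWORK_ACCOUNT_FORM, "minimal")]:
        bad, perm = review_form(form, tier)
        print(f"{label}: over-collected {[f for f, _ in bad]}; non-resettable {perm}")
```

Run against the video store form, the review flags exactly the two fields the post refused to supply, and shows that every non-resettable item on that form is one the business did not need.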
