Why the use of personal data for authentication needs to change
We run more and more of our lives online today, with multiple accounts for different services. But many of those sites rely on the same few personal identifiers.
Things like your date of birth, social security number and mother's maiden name may be common to many of your logins, and that's a problem: if one site's security is breached, those personal identifiers are compromised for every other site that relies on them.
A new report by NSS Labs points out that half of the ten biggest breaches of the past decade occurred in 2013. Together these have exposed 512 million records and repeatedly compromised the personally identifiable information (PII) of around 319 million Americans.
The report's authors, Research Director Stefan Frei and Chief Research Officer Bob Walder, say in their introduction, "Enterprises that conduct any part of their business online should be prepared to bear full responsibility for the consequences of data breaches. At present, that responsibility is typically limited to a financial burden, whereas the true consequences of modern breaches are more far reaching than that implies. The loss of what is known as 'unique' or 'static' personal data, that which is truly personal (such as DOB or SSN), is far more serious than the loss of 'transient' personal data (such as pass codes, security questions, and credit card numbers) that is more easily changed following a security event or that is readily discernible in the public domain".
While individuals bear responsibility for the information they put in the public domain, on social networking sites for example, they often can't avoid entering unique personal data to log in to some websites.
The report notes that, in the US, social security numbers are regularly "squandered" in the name of authentication, whereas in the UK National Insurance numbers are never used in this way. Indeed, in Europe generally, digital IDs are becoming more common.
Loss of authentication data threatens to erode confidence in ecommerce and adds to a serious risk of identity theft. To combat the problem, enterprises need to hold as little unique personal information as possible. They also need to look at new ways to authenticate, such as permitting users to set their own challenge questions, allowing long passwords without character restrictions, and offering geo-location or other controls on accounts.
NSS also suggests that online services should be designed with data breaches in mind, so as to minimize risk and allow companies to act fast to protect their users if necessary. Data that is stored should be anonymized and disassociated from the user where possible, as well as stored in encrypted form.
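As an added example (not from the article or the NSS report), here is one way a service can follow the two recommendations above: keep no raw static identifier in the user table, only a keyed pseudonym computed with a key held elsewhere, and apply a length-only password policy that accepts any characters. The HMAC key, the 12-character minimum and the sample user are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed assumption: in production this key lives in a separate secrets
# store, never in the same database as the user records it protects.
PSEUDONYM_KEY = b"example-key-held-outside-the-user-database"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def pseudonymise(static_id: str) -> str:
    """Replace a static identifier (e.g. an SSN) with a keyed token.
    The token alone, as found in a breached table, cannot be reversed or
    recomputed without PSEUDONYM_KEY, so the raw number is never stored."""
    digits = "".join(ch for ch in static_id if ch.isdigit())  # ignore dashes
    return hmac.new(PSEUDONYM_KEY, digits.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None):
    """Length-only policy: any character or space is allowed, 12+ characters."""
    if len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def create_user(email: str, ssn: str, password: str) -> dict:
    """Build the stored record: no SSN, only its pseudonym and a password hash."""
    salt, digest = hash_password(password)
    return {"email": email, "ssn_token": pseudonymise(ssn),
            "pw_salt": salt, "pw_hash": digest}


def matches_ssn(record: dict, ssn: str) -> bool:
    """Confirm a presented SSN against the stored token (constant-time compare)."""
    return hmac.compare_digest(record["ssn_token"], pseudonymise(ssn))
```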
Data breaches aren't just a problem for the companies that suffer them, but for all of us too, and authentication systems need to change to make everyone more secure.
The full report is available as a PDF from the NSS website.