Executive Calls Govt. Bigger Security Obstacle Than Consumers
SANTA CLARA, Cal. -- Govt. agencies and big financial companies are weak links in data security, an industry entrepreneur said, dissenting from colleagues who pointed to consumers. Govt. won’t require better security across the board, raising the question of who will, said Steve Gal, co-founder of ID Analytics, on a panel late Wed. at the Digital ID World conference here. Govts. do little identity verification, he said: “That’s where I think it breaks down,” letting imposters through the door to troll more widely throughout digitized data.
Liability for breakdowns in collaborative security efforts is a crucial, sticky question, said moderator Linda Elliott. She said major e-govt. projects she had worked on concluded that no liability framework could be imposed, and the matter had to be left to negotiations by each pair of partners. Gal said insurance would be the main answer.
What’s needed is “new technology across the board” in place of information-matching -- the conventional reliance on passwords and secret questions, which is highly vulnerable to data theft, Gal said. His company is increasingly focusing on verification of the identities of those already admitted to networks, rather than the usual upfront authentication.
Gal and panelist Louie Gasparini, RSA Consumer Solutions Div. CTO, emphasized the importance of analyzing as much information as possible about users after they've been admitted into a network. Gal also stressed a downstream approach to thwarting data crime, saying keeping fraud artists from getting to their payoffs is more productive than setting an impossible goal of stopping information theft.
Large financial institutions “are scared to tell the consumer, ‘You have to change your behavior,’” Gal said. None wants to move first for fear of chasing customers to competitors, he said. But the companies underestimate consumers’ flexibility, he said: Essentially everyone has made the switch to ATMs and online banking, as well as from travel agents to online booking, he said.
Gasparini had called “the mass consumer” one of the biggest obstacles to “stronger authentication.” He said the U.S. govt. created an impetus for change in the Real ID Act. Forcing people to document their identities where they haven’t had to, the law creates a need for alternatives to people carrying around a great deal of paperwork, Gasparini said. Passfaces CEO Paul Barrett agreed “mostly the user is the weakest link” in security. An authentication system mustn’t be too complicated, because a confused customer is a greater burden on the help desk and is more susceptible to phishing, he said: “We have to put something in front of them that’s usable and that really works.”
Authentication and verification technologies work well, Gal said. HNS’s Falcon technology, used by most of the credit card industry, for example, made transaction fraud manageable at a point when it was seen as an epidemic threatening the integrity of the business, he said. New credential systems are almost entirely effective at first, Gasparini said, but over time crooks find ways to beat them. RSA has achieved 80% accuracy in fraud detection, allowing for a false positive for each true one, he said.
Digital credentials are much harder to forge than “real world ID” like driver’s licenses, Barrett said. The problem is reliably tying the credential to the person at the keyboard, he said. “Pretty much everywhere we do that with a password,” because biometrics isn’t feasible on a large scale, he said. A “layered approach,” adding security on top of information-matching, is a good response, Gasparini said. He said many banks are going this way, capturing and analyzing all of users’ activity to create an index of the likelihood that people are who they say they are -- and making specific judgments about the risk that they’re not at each step they try to take.
Gasparini advocated “half-federation” approaches. This would entail partners each bearing partial responsibility for ensuring user IDs, instead of each accepting the other’s verifications. The division of liability for failures would track the division of responsibility, he said. Gal said: “The big clients -- they don’t even trust each other in the industry, and I don’t think they ever will.”