Thursday, August 2, 2007

How do you help someone who won't help themselves?

So as I think about consumer protection, I recall an old parable my Sunday school teacher told us. I'll give you the abridged version. Basically a guy was stuck on a rooftop in a floor, and asked God for assistance. A few hours later a guy in a boat came by to rescue him but he sent him away saying God was going to rescue him. It happens two more times, another boat and then a helicopter - then the guy drowns and asks God why he didn't save him. God's reply is simple - I sent you two guys in boats and even a helicopter to rescue you... all you had to do was let me help you. The moral of the story- you need to let yourself be helped when you're in over your head, literally and figuratively. This is the reality us security professionals live in. Consumers who won't let us protect them - so often the worst enemy of the consumer is... you guessed it - the consumer.

Many of you know exactly where I'm going with this. Consumers expect, nae, demand to be protected online when making purchases, reserving their vacation tickets, or buying grandma's birthday present, but it seems a rare one who is willing to do something about it. I get marketing people in my ear every day how I can't make people use 'stronger' passwords because they won't use the application or site. I can't make a partner site (which potentially has financials in it) require more than an email as a UserID and your ZIP CODE as your password... everything else and ... get this... the consumer will go to a competitor who allows easier access. If you're reading this blog, and this sounds like a recent project you've heard me wail about... yes I work with you :-) Some days I'm tempted to put my foot down and say "Fine, let them go to the competition; but when their accounts are empty because someone guessed their idiotically simple password - we can say we told you so!"

Before I get too far off on a rant about my marketing folks (sorry, you're such easy targets) I need to make my point. Consumers won't let us, as security professionals, protect them in the obvious ways. So we have to do things the sneaky way. We have to write filters, and scripts and other behind the scenes types of things which will keep them safer, without letting them know we're doing it. This drives me bonkers... what about you? Sure, one-time passwords via RSA token aren't the end-all, and can still be tricked via man-in-the-middle attacks or skimming attacks (session riding) but we at that point would significantly up the ante - we would force the 'bad guys' to work that much harder for their stolen money.

So - I have to ask the consumer... what is wrong with you people? I feel like I can answer myself... complexity is bad but there has to be a happy medium... somewhere. If any one of you readers (how ever many I have) have ideas - let's discuss... maybe we can get an open forum going? I'd love to hear people from across the industry present ideas, and maybe we can creatively solve this problem together? Maybe education is part of the answer, and an industry-wide 'mandate' or (dare I say it) another compliance policy which mandates something more 'complex' than simple userID and passwords?

I think I can safely say, and not get too many blank stares, that the userID/password is dead for high-risk use. There has to be a better way, but unless consumers realize that this is a "takes two to tango" scenario... we're screwed.

No comments: