The futility of secrets

My viewpoint on this subject just appeared in the March 2007 issue of Information Security. For those of you who do not wish to subscribe to this excellent magazine, I provide it below.


I agree with Ranum that we must stop living in denial about the futility of using easy-to-compromise secrets to authenticate people and transactions. However, the fix he proposes is futile too: one-time passwords of this kind are susceptible to well-known attacks. There are much stronger available technologies for user and transaction authentication.



Yes, Schneier has it right in pointing out that the problem is mainly economic, but he is wrong in saying we should give up on fixing the authentication of people. The payment card industry has introduced smart cards in Europe where, for example, a person paying at a restaurant is presented with a portable wireless payment terminal and must insert the card and then enter a PIN before the transaction is approved. This eliminates the possibility for the waiter to go into the back room and record the card details so that he can place a fraudulent transaction later, something that still happens on this side of the Atlantic. There is no other way to explain the resistance of the payment card industry to introducing this technology here than to paraphrase Bill Clinton’s election slogan: “It is the economy, stupid.”



Just try to imagine what a horrible reality we could be living in if the auto industry in this country had the luxury of using the payment card industry’s approach. The number of people in the United States involved in car accidents is small compared to the total number of people driving, and society as a whole would not be at risk even if every traffic accident were fatal. So what if the auto industry simply skipped safety technologies such as seat belts, airbags, anti-lock brakes, and traction control?



Indeed, let’s work on fixing the economic problems first and then introduce comprehensive privacy laws.
