Growing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred. There just was so much of it. Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community. A murder in the Zürich area, however, is rare. Maybe it’s because everyone has a gun, as my friend Neal might say. Who knows? The point is that people here are not inured to that level of violence.
Now we are discovering the online version of that. When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do. Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen. But they weren’t the only ones. Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same. Why? Because humans don’t like having to remember lots and lots of passwords. And of course, if you used the same password for all of them and linked your Yahoo! or GMail account to Facebook, your Facebook account could have been compromised as well. And that means that your friends may have been attacked, as we previously discussed.
How could this be worse? Let’s add PayPal into the mix. If you used the same password for eBay and PayPal as you used for Yahoo!, then all of a sudden you have invited someone to empty your bank account. Had PayPal implemented an OpenID consumer for login, an attacker holding your Yahoo! password wouldn’t even need your PayPal password.
Now let’s aggregate all of the people who do that. The popular OpenID providers include Google, Yahoo!, and VeriSign. As the number of providers increases, the concentration of risk in any single failure decreases. Concentration of risk is a fancy way of saying that one is putting all of one’s eggs in one basket. On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.
This leads to a few conclusions:
- With a large number of Identity Providers, relying parties will need a service that gives some indication of how reliable the information returned by a given IdP is.
- The insurance and credit industries can’t manage concentrated risk. We’ve seen what happens in the housing market. The Internet can reproduce those conditions. Hence, limits on transitive trust will be imposed.
Conveniently, you are not without any protection, nor are the banks. There are large federated marketplaces already out there. Perhaps the two biggest are eBay and Amazon. Amazon has the advantage of requiring a physical address to deliver to for most goods, the exceptions being software, soft-copy books and downloadable movies. In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is essentially zero. It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.
PayPal is another matter. If someone has broken into your PayPal account, here is what they can do:
- Empty it of any credit it might have;
- Charge against your credit cards; and/or
- Take money from your bank.
If you’re paying attention and act quickly, you might prevent some of these nasties from happening. But first you will have to read the tome that is their user agreement. In all likelihood you have no recourse against whatever final decision they make. If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering. What does it mean to pay attention? It means that you are receiving and reading email from paypal.com. That means that they have to have a current email address for you. When was the last time you checked that they do? Assuming that they do, it also means that you have to read what you are receiving. Now, I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal. Remember how this post started by talking about being inured to crime? Well, here we go again.
Clearly there are issues with the implicit transitive trust that happens when people reuse passwords. The answer remains the same – get rid of the passwords (or at least shore them up with stronger means).
I would be completely happy with explicit transitive trust (e.g. OpenID) if it were backed by strong auth. Services like MyOpenID.com do a good job in this respect, but what’s presently missing from the protocol is a means for an RP to determine whether a claim was strongly authenticated (so an RP that accepts my MyOpenID.com login doesn’t know whether I used a password, a certificate, an OTP or whatever). That’s what needs to be fixed, as until it is I can’t tell my service provider that they should trust an IdP that I use, but only if I strongly authenticated. This leaves a small window of opportunity for an OpenID provider that accepts only strong auth; educated consumers can then choose it.
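The gap described above, as an added example that is not part of the original post: a toy federated login in which an IdP signs an assertion for an RP, and the RP either accepts anything with a valid signature (today’s situation) or insists on a signed, hypothetical `auth_method` field before letting a user in. The signing mimics OpenID’s HMAC over a listed set of signed fields, but the association keys, host names, field names and the `auth_method` claim are all constructed for this illustration; real OpenID negotiates the key with Diffie-Hellman, and its PAPE extension carries a similar strength signal only where the provider implements it.

```python
"""Toy federated login: an Identity Provider (IdP) asserts "user X logged in"
to a Relying Party (RP), and the RP decides whether to accept.  Constructed
example; not OpenID's wire format."""
import hashlib
import hmac
import json
import secrets

# Constructed association keys, one per IdP the RP has associated with.
# Real OpenID negotiates these with Diffie-Hellman; here they are fixed.
ASSOCIATION_KEYS = {
    "idp.example": b"constructed-association-key-idp.example",
}

# Hypothetical values for the hypothetical auth_method field.
STRONG_METHODS = frozenset({"otp", "cert"})


def _canonical(claims, signed_fields):
    """Bytes covered by the MAC: only the fields listed as signed."""
    return json.dumps({k: claims[k] for k in signed_fields}, sort_keys=True).encode()


def idp_issue_assertion(idp, user, rp, auth_method=None):
    """IdP side.  auth_method=None models a bare assertion (the RP learns
    nothing about how the user authenticated); otherwise it is one of
    "password", "otp" or "cert" and is covered by the signature."""
    claims = {"idp": idp, "user": user, "rp": rp, "nonce": secrets.token_hex(8)}
    if auth_method is not None:
        claims["auth_method"] = auth_method
    signed_fields = sorted(claims)  # like OpenID's openid.signed list
    sig = hmac.new(ASSOCIATION_KEYS[idp], _canonical(claims, signed_fields),
                   hashlib.sha256).hexdigest()
    return {"claims": claims, "signed": signed_fields, "sig": sig}


class RelyingParty:
    def __init__(self, name, trusted_idps, require_strong):
        self.name = name
        self.trusted_idps = set(trusted_idps)
        self.require_strong = require_strong
        self.seen_nonces = set()

    def verify(self, assertion):
        """Return (accepted, reason)."""
        claims, signed = assertion["claims"], assertion["signed"]
        idp = claims.get("idp")
        # 1. Only IdPs we have an association with and choose to trust.
        if idp not in self.trusted_idps or idp not in ASSOCIATION_KEYS:
            return False, "untrusted idp"
        # 2. Every field we rely on must be covered by the signature.
        for needed in ("idp", "user", "rp", "nonce"):
            if needed not in signed:
                return False, f"{needed} not signed"
        # 3. Signature check with the association key.
        expected = hmac.new(ASSOCIATION_KEYS[idp], _canonical(claims, signed),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        # 4. Audience and replay checks.
        if claims["rp"] != self.name:
            return False, "wrong audience"
        if claims["nonce"] in self.seen_nonces:
            return False, "replayed"
        self.seen_nonces.add(claims["nonce"])
        # 5. Auth-strength policy.  Without a signed auth_method the RP cannot
        #    tell a password login from an OTP login, which is the gap the
        #    post complains about.  An unsigned copy of the field is ignored.
        method = claims.get("auth_method")
        if self.require_strong:
            if "auth_method" not in signed:
                return False, "auth strength unknown"
            if method not in STRONG_METHODS:
                return False, f"weak auth: {method}"
        return True, f"accepted ({method or 'strength unknown'})"


if __name__ == "__main__":
    lax = RelyingParty("shop.example", ["idp.example"], require_strong=False)
    strict = RelyingParty("bank.example", ["idp.example"], require_strong=True)
    # Someone who reused the leaked Hotmail password logs into the IdP with it.
    print("lax RP, password login:   ", lax.verify(
        idp_issue_assertion("idp.example", "alice", "shop.example", "password")))
    print("strict RP, password login:", strict.verify(
        idp_issue_assertion("idp.example", "alice", "bank.example", "password")))
    print("strict RP, no strength:   ", strict.verify(
        idp_issue_assertion("idp.example", "alice", "bank.example")))
    print("strict RP, OTP login:     ", strict.verify(
        idp_issue_assertion("idp.example", "alice", "bank.example", "otp")))
```

The lax RP is the one that lets a reused password at the IdP become a login at the bank; the strict RP can only refuse everything it cannot classify, which is exactly why the strength claim has to travel inside the signed part of the assertion rather than as a loose, attacker-editable field.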