Hacks will happen, but the damage can be less (DigiNotar)

2011/09/06

Below is a blog post (originally written in Dutch) on the DigiNotar certificate authority hack, and two lessons we can learn from it. The bottom line of the post is that DigiNotar wasn’t the first and won’t be the last certificate authority to be hacked. Although I support that the PKI system needs to be changed, this will take a long time. In the meantime, since hacks are IMHO unavoidable, we should make sure we do better damage control. Lesson 1 is to make sure there is a very serious obligation for certificate authorities to report hacks (e.g., backed by prison sentences). Lesson 2 is that companies should make sure they can switch to new certificates more quickly (so that the now untrusted certificates can be revoked immediately without loss of business continuity, contrary to what is happening now).

Hacks cannot be prevented, disasters can (DigiNotar)

The media are full of the cyber attack by Iranian hackers on the Dutch digital certificate supplier DigiNotar and its far-reaching consequences. Electronic services are being paralysed, or at least take a serious hit in terms of trust. DigiNotar is not the first, and undoubtedly not the last, digital certificate supplier to be hacked. The DigiNotar disaster has taught us two things about limiting the damage: make sure such hacks are reported immediately, and make sure companies and government can switch to alternative certificates quickly.

DigiNotar, hacked in July, is in the news daily. Hackers created digital certificates that let them impersonate, for example, Google’s email service Gmail, or DigiD (see the Fox-IT report of 5 September 2011). This has major consequences for privacy and trust: we no longer know which website we are communicating with. DigiNotar, which issues security certificates, is being heavily criticised for reporting the intrusion too late. Now, some six weeks after the fact, all certificates issued by the company are being revoked. The problem is that legitimate users of those certificates, such as DigiD, then have trouble continuing their services. So the hack causes not only security problems (e.g., eavesdropping on internet traffic) but also business continuity problems.

DigiNotar was an audited and certified supplier of digital certificates (see for example this PwC certificate of 1 November 2010) and had a reputation for being trustworthy. DigiNotar was hacked despite this certification and these audits, and the Fox-IT report showed this was because quite a lot was wrong with security at DigiNotar (rather than, say, bribery or bad luck). It is not the first time a certificate supplier has been hacked; earlier this year the same happened to Comodo. It also very much looks like the same hacker was involved. There are more than 500 suppliers of digital certificates, and it is only a matter of time before this happens again. There has been, and will be, much discussion about why the DigiNotar hack succeeded, and other certificate suppliers may become more careful. This does not change the fact that 100% security is impossible in the digital world; that also applies to certificate suppliers, and it certainly applies to 500+ of them. I join the many who call for a new certificate system, see for example Moxie Marlinspike, but at the same time I am sceptical whether that will bring a solution quickly enough and whether it will be truly structural.

We can however learn two lessons from the DigiNotar disaster that help limit the damage after a hack at a certificate supplier. Lesson one is a serious reporting obligation for certificate suppliers. We must change the rules so that a certificate supplier discloses immediately when it has been hacked. Measures can then be taken immediately (read: stop trusting that supplier’s certificates). A reporting obligation is easier said than done, however. A hack becoming public causes major reputational damage and can easily lead to the supplier’s bankruptcy. A simple reporting obligation will therefore not work. The alternative of not reporting must be made ‘worse’ than that damage. This can be done through criminal prosecution, as also advocated by PvdA member of parliament Martijn van Dam. The problem is that certificate providers exist all over the world. Dutch legislation alone therefore has rather limited influence; at the very least this needs to be done at the European level.

The second lesson is more about business continuity. Users of certificates must be able to switch to another supplier immediately, so that certificates that are no longer trusted no longer need to be used, without endangering the continuity of services. After the DigiNotar hack became known, the PKIoverheid certificates were still used for quite a while, and minister Donner even persuaded Microsoft to postpone an update that would tell users these certificates are no longer trusted. This was because the Dutch government and others were apparently unable to switch quickly to other certificates. This is a bad thing. Besides technical measures, the lead time of the registration process is part of the problem: the certificate provider must verify that the applicant is who he says he is, often through a face-to-face check. This lead time can be avoided, for example, by requesting a certificate from a second certificate provider in advance for critical services.

Voices are now also calling for a larger role for the government in this. That is a lesson that in my view cannot be drawn from this disaster. What the government and what the private sector should and can do is a nuanced trade-off, and security incidents also occur, and will continue to occur, at the government itself.

Another lesson we cannot draw is that e-services cannot be made secure enough. The risk assessments and measures do require more attention from both politicians and senior management in the private sector. The positive side of the DigiNotar intrusion, and also for example the recent intrusion at Sony’s PlayStation Network, is that they are so public that this attention is finally coming.


Submissions for Novay Digital Identity Award 2011?

2011/08/09

If you are working on an innovation in the area of digital identity: my employer (Novay), in collaboration with the IDentity.Next (un)conference, will grant the Novay Digital Identity Award for the second year now. Last year’s winner was Ziggur, a company that innovates our digital death… I’m organizing this award (but I am not on the jury, so influencing me will not help you get the award :) ).

The deadline is October 11. For more information, see http://www.identitynext.eu/award.php or below.

Submissions wanted for Novay Digital Identity Award 2011

On November 9, the Novay Digital Identity Award will be granted to the best new concept or product concerning digital identity. The award is part of the conference Identity.Next’11 in The Hague. With the award, Identity.Next and ICT research institute Novay want to recognize and support new developments that are shaping the future of digital identity. Submissions are welcome until October 11.

The conference on November 9, 2011 is organized by the IDentity.Next association, a non-profit organization on Digital Identity, in cooperation with EEMA, Europe’s leading independent, non-profit e-Identity & Security association. Identity.Next will bring a program with top experts, professionals and industry stakeholders to discuss the world around Digital Identity and best practice. The (un)-conference will consist of debates, workshops, and presentations in four tracks: ‘Social consumer’, ‘Mobile-me’, ‘Private Eye’ and ‘eCitizen’. The award-winning concept the organization is looking for should relate to one of these themes.

Innovative concepts, projects and products on digital identity can be submitted for the award until October 11, 2011. Submissions will be judged by a jury, chaired by Hermen van der Lugt, CEO of Novay. Criteria include innovativeness (technological as well as business model); success & impact; how the privacy aspect is dealt with and added value for users and for stakeholders.

For more information, including jury members, factsheet and submission form, see http://www.identitynext.eu/award.php.


Consent from the EU legal perspective

2011/07/27

The Article 29 Data Protection Working Party wrote an opinion on the definition of consent. Not everything this Working Party produces is of interest to me, or even understandable (‘too’ legal for mere mortals). I did however find this opinion interesting, since it describes when consent is needed from a legal perspective (based on the Data Protection and e-Privacy Directives), and it has examples that make it easier to interpret. In my work in this area I usually take the user’s perspective on consent (e.g., on consent for the SURFfederatie) and look at how to enforce it (architectural/technical perspective), but a legal perspective is of course also needed.

The statement in the summary that especially got my attention was that if consent is used incorrectly, the data subject’s control becomes illusory. I couldn’t agree more: consent cannot be used as an excuse, in some cases a different legal ground is needed, and consent should be informed, freely given, etc. I do however want to make the point that even in cases where privacy law requires a different legal ground for data exchange than consent, it does not forbid additionally asking for consent. I therefore argue that the decision if and how to offer consent should be primarily based on whether users want it.

Below I quote and interpret parts of the opinion that I found most interesting, and further motivate my position on doing consent-even-when-not-legally-needed.

… obtaining consent does not negate the controller’s obligations under Article 6 with regard to fairness, necessity and proportionality, as well as data quality. For instance, even if the processing of personal data is based on the consent of the user, this would not legitimise the collection of data which is excessive in relation to a particular purpose.

Consent is related to the concept of informational self-determination. The autonomy of the data subject is both a pre-condition and a consequence of consent: it gives the data subject influence over the processing of data. However, as explored in the next chapter, this principle has limits, and there are cases where the data subject is not in a position to take a real decision. The data controller may want to use the data subject’s consent as a means of transferring his liability to the individual. For instance, by consenting to the publication of personal data on the Internet, or to a transfer to a dubious entity in a third country, he may suffer damage and the controller may argue that this is only what the data subject has agreed to. It is therefore important to recall that a fully valid consent does not relieve the data controller of his obligations, and it does not legitimise processing that would otherwise be unfair according to Article 6 of the Directive.

Or in my wording: if a data controller has obtained consent, this does not mean the controller can do whatever it wants with the data. The usage of the privacy-sensitive data has to be reasonable, the controller still carries the liability, and last but not least the person has to be in a position to really make a decision.

Transparency is a condition of being in control and for rendering the consent.

Or in my wording: without insight there is no actual control.

There are in principle no limits as to the form consent can take. However, for consent to be valid, in accordance with the Directive, it should be an indication.

The form of the indication (i.e. the way in which the wish is signified) is not defined in the Directive. For flexibility reasons, “written” consent has been kept out of the final text. It should be stressed that the Directive includes “any” indication of a wish. This opens the possibility of a wide understanding of the scope of such an indication. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).

Or in my wording: consent can be implicit in an action, but not implicit in doing nothing.

Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.

In several opinions, the Working Party has explored the limits of consent in situations where it cannot be freely given. This was notably the case in its opinions on electronic health records (WP131), on the processing of data in the employment context (WP48), and on processing of data by the World Anti-Doping Agency (WP162).

Or in my wording: consent given in a situation where the person did not really have a choice is basically no consent, and another basis for processing the data is needed. I guess the consent could then be considered a form of confirmation that the person was at least informed, but the opinion did not state that explicitly.

To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.

To be specific, consent must be intelligible: it should refer clearly and precisely to the scope and the consequences of the data processing. It cannot apply to an open-ended set of processing activities. This means in other words that the context in which consent applies is limited.

Consent must be given in relation to the different aspects of the processing, clearly identified. It includes notably which data are processed and for which purposes. This understanding should be based on the reasonable expectations of the parties. “Specific consent” is therefore intrinsically linked to the fact that consent must be informed. There is a requirement of granularity of the consent with regard to the different elements that constitute the data processing: it can not be held to cover “all the legitimate purposes” followed by the data controller. Consent should refer to the processing that is reasonable and necessary in relation to the purpose.

The need for granularity in the obtaining of consent should be assessed on a case-by-case basis, depending on the purpose(s) or the recipients of data.

Actually, this one does not help me much. Completely open-ended consent is of course not valid, but there are many gray zones here … I guess doing a user survey on what users expect the consent to reasonably include would be an approach, but I don’t know if that would hold up in court.

“consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action. The individual concerned must be given, in a clear and understandable manner, accurate and full information of all relevant issues, in particular those specified in Articles 10 and 11 of the Directive, such as the nature of the data processed, purposes of the processing, the recipients of possible transfers, and the rights of the data subject. This includes also an awareness of the consequences of not consenting to the processing in question”

Two sorts of requirements can be identified in order to ensure appropriate information:

• Quality of the information – The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.

• Accessibility and visibility of information – information must be given directly to individuals. It is not enough for information to be “available” somewhere.

I do not understand the difference with transparency, but it certainly makes sense that consent needs to be informed. This is in my opinion also very difficult in practice, since users will often not be willing to spend time/attention on being informed. There are trade-offs here. I think in current practice the quality-of-information requirement is violated by long legal texts that no one wants to read or is able to understand.

As time goes by, doubts may arise as to whether consent that was originally based on valid, sufficient information remains valid. For a variety of reasons, people often change their views, because their initial choices were poorly made, or because of a change in circumstances, such as a child becoming more mature. This is why, as a matter of good practice, data controllers should endeavor to review, after a certain time, an individual’s choices, for example, by informing them of their current choice and offering the possibility to either confirm or withdraw. The relevant period would of course depend on the context and the circumstances of the case.

This is what we call “timed consent”. I didn’t realize this was a good practice from a legal perspective :) Our primary motivation for introducing timed consent is also different: we did it because people will forget what they consented to, not because they changed their mind or circumstances changed.

What becomes clear in the opinion is that simply asking for consent is often not enough. There has to be an actual choice, and the data controller has to provide a different legal ground if this choice is not there. This is also argued in this blog post by Andrew Cormack (JANET). Although I, of course, agree with this, I do not think this means that consent functionality is not beneficial in cases where a different legal ground is needed.

To make this more specific, take the consent-from-a-user-perspective pilot we did as an example. In this case, in the SURFfederatie, personal information is exchanged between universities and service providers. Some of the provided services a student simply has to use to be able to complete a course. In this case there is little choice, and there needs to be a different legal ground for the data exchange (and I think there is). However, I believe there is added value in still offering a consent question during the login user experience because:

  1. The users are informed that this exchange takes place, which in my opinion is a goal in itself.
  2. There are also services for which the user does have a choice, where consent is needed as a legal ground to exchange data, and we need a consistent user experience for all services
  3. Last but not least: users appreciate the consent question, as our research showed (85% in our pilot)

Or to make it as simple as I can make it (repeating my earlier statement): even in cases that privacy law requires a different legal ground for data exchange than consent, it does not forbid to additionally ask for consent. I therefore argue that the decision if and how to offer consent should be primarily based on whether users want it.


Position paper on digital identity from Thuiswinkel.org (Dutch online retail association)

2011/06/23

Last week the Dutch online retail association Thuiswinkel.org published a press release and position paper (in Dutch) on online identity services. The press release contains five recommendations aimed at ‘parties in the online identity services area’. I think it is good that Thuiswinkel.org apparently considers this an important subject, and I agree with most of what they state in the recommendations. I do however have some comments on the specific recommendations. I translated each recommendation below, and give my comments on each of them.

  1. Re-use of existing consumer identities, such as login data, bank cards and phones
    My comment: yes! this is/was also a key element in our vision for a trustworthy consumer identity in the cidSafe project, especially the “existing” in this recommendation is important because of the business case and user convenience implications.
  2. Choice for online retailers between several providers that each provide universal access to identities, also internationally
    My comment: this seemed a bit naive, that there will be several providers that can provide universal access. But checking the explanation in the position paper itself made it clear that they refer to intermediate brokers between the online retailers and the identity providers. These may make life easier, see a previous post on 3 vs 3.5 vs 4 party models.
  3. The user determines which parts of his identity he reveals, the online retailers determine the desired trust level
    My comment: good! Where in many case revealing “nothing” should be an option …
  4. Good communication about online identities for users
    My comment: absolutely, the question is more the ‘how’, and where the trade-offs are between keeping the solutions simple enough so we do not need to explain too much, and having an open and flexible solution.
  5. Government should start with a pilot with verified attributes that online retailers can use, including age
    My comment: no :( see below

The press release, and subsequent press articles such as this one, focus on the online age verification recommendation. This is a hot subject in the Netherlands, also because of legislation on what you cannot sell to minors, e.g., porn, violent video games or gambling to those aged 16 or younger. In the offline world this can be (but is not always …) checked by the cashier; in the online world there is currently no way to do so. I however disagree with the fifth recommendation for two reasons. The first is that it is more general than age, covering verified attributes in general, and with minimal data disclosure in mind I do not see why this needs to be so general (with post-payment as a possible exception, but more creative things can be done there). Secondly, it assumes a government solution. Why exclude a private market solution? Actually, Novay (in the person of my colleague Bob Hulsebosch) did an impact & feasibility study on using iDEAL for online age verification for online retailers. Our client was a public-private working group from the Ministry of Security and Justice and NICAM. iDEAL is the Dutch online payment service for retailers and is used by 81% of Dutch web shoppers. Online retailers would in this case rely on the banks behind iDEAL for age verification. See also this recent article in Emerce with an interview with working group lead Willem van Teeseling from Buro 240a. Of course, a private market solution may also benefit from ‘encouragement’ from the government, but that’s not what the fifth recommendation states (contrary to section 6.5 of the actual position paper, which is more in line with my position on this).

Only somewhat related to the above: the position paper spends a few sentences on combining identity with payment, which would streamline the user experience. We all know: fewer clicks, more convergence. So this is IMHO a good point: payment providers have an edge as identity providers, especially when it comes to online retail. The point they also make, that the mobile channel needs a more user-friendly identity solution (with less user input), is also very true I think.


Government eID versus identity trust frameworks, at EIC

2011/05/13

I spent most of this week in Munich, at Kuppinger Cole’s European Identity Conference. This again had a full program with presentations and panels on digital identity, GRC and, of course, cloud. Some personal highlights were presentations and panels on:

  • externalization of authorization (XACML 3.0 won an identity award)
  • privacy (including personal clouds/datastores, Qiy won an identity award)
  • consumer identity/trust frameworks/OpenID (including an interesting presentation by Andrew Nash from Paypal). 
  • and mostly the off-sessions discussions with leading people in the digital identity area

I also gave a presentation myself on consumer identity, and participated in a panel. I presented my ideas on government-issued consumer/citizen identities versus doing this through the market via an identity trust framework.


Mobile-centric identity in the IDentity.Next newsletter

2011/04/05

Below a contribution I wrote for the IDentity.Next newsletter  (I’m on the expert panel) on mobile-centric identity, see also http://www.identitynext.nl/news.php?id=22

Mobile phone – the remote control of our (digital) identity?

29-03-2011

For most people the mobile (smart) phone is the most personal device they have. You carry it with you almost always, you rarely let others use it and you notice it is gone very quickly. Combine this with the smart phone becoming a mature and popular channel to online services, and you realize the importance of your mobile phone for your digital identity. The term user centric identity was (or still is) quite popular the last few years, going further I’m a strong believer in mobile centric identity: the mobile phone as the central component to control your digital identity.

I distinguish three ways in which this is happening:

1. The mobile phone as authentication device – this is already happening and progressing; especially one-time passwords over SMS are pretty common. But there are also apps for Android or iPhone with one-time-password generators, or Mobile PKI, which uses the SIM card for more security.

2. Authentication for the mobile channel – this is still a struggle, even more than identity on the ‘fixed’ internet. Typing passwords is a huge hassle on mobile phones, and providing them to random and barely trusted mobile apps is not a good idea (for example a third-party mobile banking app). Common stronger authentication means like smartcards-with-readers or one-time-password tokens are not really an option, since no one wants to carry additional devices with them. Also, identity federation standards like SAML WebSSO and OpenID are not really suitable for mobile phones. We’ve been using OAuth for mobile apps, which may not be the final solution but is a step in the right direction if ‘medium’ security is good enough.

3. Control your privacy on your mobile phone – I, and many with me, believe that sharing personal data can make our lives easier, but that the user should be in control of this. A single point of control for this is the way to go, for example determining in a central place who should get access to my new home address and my location updates. This starts with basic consent functionality when using external identities (e.g., OpenID), but goes all the way to Personal Data Ecosystem, Vendor Relationship Management and User Managed Access ambitions. The mobile could be the trusted device to control this. This is far from reality nowadays.

A major risk for the success of mobile-centric identity, and for the speed at which it comes about, is whether we succeed in keeping the mobile phone secure enough for this. This has not been a major issue yet, but for sure requires attention (see for example the ENISA report or KuppingerCole Top Trends 2011). Solutions that are part of the operating system and/or exploit trusted hardware like the SIM card may prove most successful.

Related to identity is always payment, and although slower than expected, the signs are good that NFC technology (for mobile payments) will get significant penetration on mobile phones in the coming years. Also, at least in the Netherlands, banks and mobile operators have joined forces to make mobile payment possible. Your mobile phone may very well replace both the coins and the bank/smart cards that are now in your wallet. It will be interesting to see how, how fast and who will profit from this!

Maarten Wegdam (principal researcher at Novay – member of IDentity.Next expert panel)


User study outcome: users DO want consent for federated login

2011/04/03

Providing consent to users before sharing personal attributes when using federated/external login is hardly new. Most OpenID implementations provide this, the InfoCard standard has/had it and even some SAML implementations do this (e.g., the Danish, Norwegian and Swiss higher education identity federations). What we could not find however were statistically significant studies on whether users actually want this form of control over their privacy, and if so, how and how much control. We (Ruud Janssen, Dirk-Jan van Dijk, Eefje van de Harst a.o.) did a series of smaller-scale user studies and then a large-scale pilot for SURFnet on the SURFfederatie (Dutch higher education identity federation) on this subject. The outcome is clear: users DO want consent! Or put differently, even for this specific federation, where there is probably an above-average amount of trust between parties and users, users still prefer control over their privacy over the hassle of having it. The shortest summary of how and how much control users want is that users want very simple and basic control; some of the fancier features we came up with were not really appreciated.

Below I copied the synopsis of the report we wrote on the user studies, design, prototype, pilot and survey (in English), and I uploaded the extended summary (5 pages) to here. The complete report will become available on the SURFnet site, this may take some time and for those that cannot wait, just send me an email.

The SURFfederatie is the identity federation for higher education in the Netherlands. This report describes the outcome of research on providing users of the SURFfederatie with user controlled privacy (informed consent) functionality. Focus point of the research was the user perspective: do users actually want to be bothered with consent functionality, and if so, how to deal with the unavoidable trade-offs in the user interaction between obtrusiveness, fine-grained control and understandability. Users were involved through two small-scale in-depth user studies that were input to the design of user interaction, and through two surveys that were done as part of a large-scale pilot. The outcome of the research is three fold: (1) five guidelines on how to design consent for web-redirect based identity federations (SAML, OpenID), (2) an implementation of these guidelines, and (3) a detailed evaluation by a large number of users of this implementation. The conclusion of the research is that users want to have more control over their privacy in the SURFfederatie, and consider the prototype to be a good add-on to do this. 

The report also describes our “5 guidelines for web-based consent” for federated logins, and lots of details on the outcome of the user studies which may help others to improve their consent functionality. One of the things we implemented is what we called “timed consent”. We do not provide an “always” option for the consent question, only an “allow once” and an “allow for some period” option. The reason for not providing an “always” option is that users will forget what they consented to. It is noteworthy that although timed consent is a feature they appreciate, there was no clear preference among users for how long the period for a timed consent should be.
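As an added illustration of the timed-consent design (example code, not the SURFfederatie pilot’s own implementation), the store below is what the identity provider would consult on each login before releasing attributes to a service provider. It offers only “allow once” and “allow for a period”, no “always”; it re-asks when the stored consent has expired; it re-asks when the service provider now requests attributes the user never agreed to (the Working Party’s point that consent is specific); and it can list consents that are about to expire, which is the periodic review the Working Party recommends. The 90-day default, the in-memory dictionary and the user and SP names are assumptions of this example.

```python
"""Timed consent for a web-redirect identity federation (SAML / OpenID).

Added example, not the SURFfederatie pilot's own code. Design choices from
the text: consent per (user, service provider); "allow once" (nothing is
stored) and "allow for a period" (stored until expiry), but no "always";
re-prompt when the requested attributes exceed what was consented to.
The 90-day default and the in-memory store are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

ALLOW_ONCE = "once"      # release for this login only; nothing is remembered
ALLOW_PERIOD = "period"  # remember until expiry, then ask again
DEFAULT_PERIOD = timedelta(days=90)  # assumption: users expressed no clear preference


@dataclass(frozen=True)
class ConsentRecord:
    attributes: FrozenSet[str]  # attribute names the user agreed to release to this SP
    expires_at: datetime


class TimedConsentStore:
    def __init__(self, period: timedelta = DEFAULT_PERIOD) -> None:
        self._period = period
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def decide(self, user: str, sp: str, requested: FrozenSet[str], now: datetime) -> str:
        """Return "release" if a stored consent covers this request, else "prompt"."""
        key = (user, sp)
        rec = self._records.get(key)
        if rec is None:
            return "prompt"
        if now >= rec.expires_at:
            del self._records[key]  # expired: the user may have forgotten, ask again
            return "prompt"
        if not requested <= rec.attributes:
            return "prompt"  # SP asks for more than was consented to: consent is specific
        return "release"

    def grant(self, user: str, sp: str, attributes: FrozenSet[str],
              scope: str, now: datetime) -> Optional[datetime]:
        """Record the user's answer. Returns the expiry for a period grant, None for a one-off."""
        if scope == ALLOW_ONCE:
            return None  # the current login releases the attributes; nothing is stored
        if scope != ALLOW_PERIOD:
            raise ValueError(f"unknown consent scope: {scope!r}")  # no "always" on purpose
        rec = ConsentRecord(frozenset(attributes), now + self._period)
        self._records[(user, sp)] = rec
        return rec.expires_at

    def revoke(self, user: str, sp: str) -> bool:
        """User withdraws consent for an SP; True if something was stored."""
        return self._records.pop((user, sp), None) is not None

    def due_for_review(self, user: str, now: datetime, within: timedelta) -> List[str]:
        """SPs whose stored consent expires within `within`, for a reminder/review page."""
        return sorted(sp for (u, sp), rec in self._records.items()
                      if u == user and now <= rec.expires_at <= now + within)


if __name__ == "__main__":
    store = TimedConsentStore(period=timedelta(days=30))
    t0 = datetime(2011, 4, 3, tzinfo=timezone.utc)  # constructed timestamps
    attrs = frozenset({"uid", "mail"})
    print(store.decide("alice", "sp.example", attrs, t0))                        # prompt
    store.grant("alice", "sp.example", attrs, ALLOW_PERIOD, t0)
    print(store.decide("alice", "sp.example", attrs, t0 + timedelta(days=1)))    # release
    print(store.decide("alice", "sp.example", attrs | {"affiliation"}, t0))      # prompt
    print(store.decide("alice", "sp.example", attrs, t0 + timedelta(days=31)))   # prompt
```

Two details matter for the privacy argument: the record stores the attribute set, not just a yes/no, so a service provider cannot silently widen what it receives under an old consent; and an expired record is deleted rather than extended, so the user is always asked again instead of the period being renewed behind their back.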

There also was an article on the research in Novay’s magazine KnowHow (February issue, pages 12 and further), that is easy to read (for Dutch speaking …). There are also earlier reports (in Dutch, see my previous posts http://maarten.wegdam.name/2010/10/08/user-consent-pilot-for-surfnet/ and http://maarten.wegdam.name/2010/03/11/user-centric-saml/) , but for convenience for the readers we summarized these in the new report.


Updated numbers on internet banking fraud in the Netherlands: 5 fold increase in 2010

2011/03/15

In October 2010 the Dutch Banking Association (NVB) provided numbers on internet banking fraud in the Netherlands indicating an increase of about 450% in the first 6 months of 2010. Yesterday they provided updated numbers: over the whole of 2010 compared to 2009 the amount increased fivefold (from €1.9 million to €9.8 million) and the number of cases increased tenfold (from 154 in 2009 to 1383 in 2010). Phishing attacks are becoming more professional: the ‘old days’ of phishing through emails written in very poor Dutch are behind us, and we’ve entered the age of sophisticated social engineering attacks and malware.

I agree with the statements of NVB that compared to the number of people and the amount of money involved in internet banking these are still relatively small numbers, but the increase remains troubling. Also announced yesterday is that the Dutch banks, jointly with government (police etc.), will prioritize internet banking fraud (in a taskforce).

On the positive side, although in absolute numbers skimming is still a bigger problem than internet banking fraud, this number is rapidly decreasing from €36 million in 2009 to €19.7 million in 2010.


No more Cardspace …

2011/02/16

Microsoft announced yesterday that Cardspace 2.0 will not be shipping. Or to put this more directly: they’ve stopped with Cardspace. This is not a big surprise: uptake was very slow and Microsoft had already shown signs of less-than-fully supporting Cardspace/InfoCards for a while now.

Cardspace was IMHO a promising approach to some of the privacy, security and usability concerns for federated identity systems, but it lacked adoption. Part of the reason, as Mike Jones puts it, is that it is not drop-dead simple to use. Lack of user acceptance is also confirmed by the user study we did for SURFnet in 2009, where users basically distrusted Cardspace. Other reasons I think are the lack of an easy migration path from existing standards, and the slower-than-hoped uptake of identity federation in the consumer space in general.

Anyway, Microsoft stopping Cardspace will probably mean the end of the InfoCard standard it used as well. This makes things clearer in the standards department, with a consolidation on basically OpenID (/OAuth) and SAML. And especially Facebook with a non-standard protocol to do similar things. Not that standards are the most important thing; I agree with Eve Maler (now Forrester) when she states:

when it comes to lightweight consumer-scale federated identity, the specific protocol matters less for success than the user base, the nature of the data available about those users, and the tooling available for relying-party integration.

Even though the protocol may not be the biggest issue for a federated consumer identity solution, it is still not a trivial one. Especially the question whether to have a web-based client (i.e. OpenID or SAML WebSSO) or an active client (Cardspace/InfoCard) remains interesting because of the consequences for usability and security.


Quotes from IT-security-in-2010

2011/01/07

While catching up on reading my favorite blogs, I read Bruce Schneier’s blog post on IT security in 2010 (already a couple of weeks old …). Worth the read, especially these quotes:

One old trend: deperimeterization. Two current trends: consumerization and decentralization. Three future trends: deconcentration, decustomerization, and depersonization.

IT security in 2020 will be less about protecting you from traditional bad guys, and more about protecting corporate business models from you.

With decustomerization Bruce refers to the trend that we get IT services for free, but then become the product rather than the customer, e.g., with Google or Facebook. Eve Maler also has some blog posts on this, for example “The price of free service”.

