<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: When Security Increases Exposure to Risk</title>
	<atom:link href="http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/</link>
	<description>Tech News for Marketers</description>
	<pubDate>Thu, 20 Nov 2008 11:13:57 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Robert</title>
		<link>http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-207</link>
		<dc:creator>Robert</dc:creator>
		<pubDate>Tue, 03 Jul 2007 21:05:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-207</guid>
		<description>It seems the right answer is to hash the information yourself (pick something that hashes to a reasonably easy to remember value, at least in the last few digits) and supply the hash as your answer.

Also, there is no value in the answer matching your actual history, just in you being able to match the answer you previously provided. I would be tempted to pick 'first girlfriend' as the question and provide the name of the first associate at the institution in question that you dealt with. This should be possible to remember - or to recover, in case of forgetting - and tied to the individual institution, hence limiting the exposure. If you only supply a hash of that value, it is double-blinded.

If you REALLY want to get fancy, supply a hash of encrypting the value plus a timestamp, hashed, with your private key - that way only you can convince yourself of the correctness of a specific value later. And that way you can update the answer by hashing the value with a new timestamp. But I think this is way beyond the level of justifiable complexity...

By the way, assuming that no human reads this before posting, the name and address above are fake, of course. I am, indeed, paranoid... But you know the old joke: just because you are, it does not mean they are not after you.</description>
		<content:encoded><![CDATA[<p>It seems the right answer is to hash the information yourself (pick something that hashes to a reasonably easy to remember value, at least in the last few digits) and supply the hash as your answer.</p>
<p>Also, there is no value in the answer matching your actual history, just in you being able to match the answer you previously provided. I would be tempted to pick &#8216;first girlfriend&#8217; as the question and provide the name of the first associate at the institution in question that you dealt with. This should be possible to remember - or to recover, in case of forgetting - and tied to the individual institution, hence limiting the exposure. If you only supply a hash of that value, it is double-blinded.</p>
<p>If you REALLY want to get fancy, supply a hash of encrypting the value plus a timestamp, hashed, with your private key - that way only you can convince yourself of the correctness of a specific value later. And that way you can update the answer by hashing the value with a new timestamp. But I think this is way beyond the level of justifiable complexity&#8230;</p>
<p>By the way, assuming that no human reads this before posting, the name and address above are fake, of course. I am, indeed, paranoid&#8230; But you know the old joke: just because you are, it does not mean they are not after you.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Patricia</title>
		<link>http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-141</link>
		<dc:creator>Patricia</dc:creator>
		<pubDate>Fri, 01 Jun 2007 23:00:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-141</guid>
		<description>Sort of related rant. You know what bugs me about site registrations? Why do they need my physical mailing address? I'm talking about sites that make it a required field. It's not for verification or log-in purposes. The only explanation is that they're selling a list to a direct mail company or the like. I'm sure many of us have invented a fake address or decided not to register in such cases.</description>
		<content:encoded><![CDATA[<p>Sort of related rant. You know what bugs me about site registrations? Why do they need my physical mailing address? I&#8217;m talking about sites that make it a required field. It&#8217;s not for verification or log-in purposes. The only explanation is that they&#8217;re selling a list to a direct mail company or the like. I&#8217;m sure many of us have invented a fake address or decided not to register in such cases.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kelly Sparks</title>
		<link>http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-136</link>
		<dc:creator>Kelly Sparks</dc:creator>
		<pubDate>Fri, 01 Jun 2007 02:01:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-136</guid>
		<description>Chris:
You are welcome. I agree with you that the enterprises at large are starting to get a bit too personal. Really, all they are doing is digging in deeper and asking for more personal information. Over time this new information will not be enough to protect you from identity theft, since it's just more static information about you that is ultimately tied to your other personal information. Masking via hashing helps, of course, but phishing schemes are getting better all the time and they will just update their sites to include the new questions...

Thanks for your post.

Kelly</description>
		<content:encoded><![CDATA[<p>Chris:<br />
You are welcome. I agree with you that the enterprises at large are starting to get a bit too personal. Really, all they are doing is digging in deeper and asking for more personal information. Over time this new information will not be enough to protect you from identity theft, since it&#8217;s just more static information about you that is ultimately tied to your other personal information. Masking via hashing helps, of course, but phishing schemes are getting better all the time and they will just update their sites to include the new questions&#8230;</p>
<p>Thanks for your post.</p>
<p>Kelly</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris</title>
		<link>http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-132</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Thu, 31 May 2007 15:46:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-132</guid>
		<description>Kelly--

That's a great point. Thank you. I certainly hope CountryWide uses hashing to store responses as one of many layers of security. 

And yet, from a marketing and consumer perspective, I still think what they're doing is a mistake. I think that consumers should be learning more and more how to protect their identity by not giving potentially sensitive data out, and they can start by thinking very critically about what data their financial services companies should be asking. I think, from the perspective of leveraging security as a major brand attribute, CountryWide should be leading their customers on this front, not encouraging them to give up unnecessarily personal data just because it's requested. 

Just my cranky opinion. :) Thanks for the response.

/chris</description>
		<content:encoded><![CDATA[<p>Kelly&#8211;</p>
<p>That&#8217;s a great point. Thank you. I certainly hope CountryWide uses hashing to store responses as one of many layers of security. </p>
<p>And yet, from a marketing and consumer perspective, I still think what they&#8217;re doing is a mistake. I think that consumers should be learning more and more how to protect their identity by not giving potentially sensitive data out, and they can start by thinking very critically about what data their financial services companies should be asking. I think, from the perspective of leveraging security as a major brand attribute, CountryWide should be leading their customers on this front, not encouraging them to give up unnecessarily personal data just because it&#8217;s requested. </p>
<p>Just my cranky opinion. :) Thanks for the response.</p>
<p>/chris</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kelly Sparks</title>
		<link>http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-131</link>
		<dc:creator>Kelly Sparks</dc:creator>
		<pubDate>Thu, 31 May 2007 11:30:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-131</guid>
		<description>You should inquire if CountryWide uses hashing to store your "secret" answers to the personal questions. Hashing is a typical strategy to mask known information into something that is unique, but not identifiable in and of itself. For example, many web sites use hashes for passwords. Let's say you use yyyPWyyyy. In the database, these are converted to hashes by a one-way-only cryptographic function: see details here [http://en.wikipedia.org/wiki/Hash_function ]. Once this is stored, the company actually does not have your original PW and cannot recreate it if they tried. The new hashed key is used to access your information, but the only way to derive that key is from the password yyyPWyyy, which only you know. This is why so many websites can only send you a temporary "new" password when you forget yours, because they don't know your current password. If someone got ahold of your hashed PW, it can't be used to access your information on the site because it will be hashed a second time during login - which would be wrong.

So on to the personal questions. If they use hash functions to store the answers, you should be OK - because once they store it, it can't be used by anyone for any reason, and can't be recreated except by knowing the original input. BTW, a hash for yyyPWyyy is: BF0EF9995638B4BB57A537C13F7C011F

I hope this helps.</description>
		<content:encoded><![CDATA[<p>You should inquire if CountryWide uses hashing to store your &#8220;secret&#8221; answers to the personal questions. Hashing is a typical strategy to mask known information into something that is unique, but not identifiable in and of itself. For example, many web sites use hashes for passwords. Let&#8217;s say you use yyyPWyyyy. In the database, these are converted to hashes by a one-way-only cryptographic function: see details here [http://en.wikipedia.org/wiki/Hash_function ]. Once this is stored, the company actually does not have your original PW and cannot recreate it if they tried. The new hashed key is used to access your information, but the only way to derive that key is from the password yyyPWyyy, which only you know. This is why so many websites can only send you a temporary &#8220;new&#8221; password when you forget yours, because they don&#8217;t know your current password. If someone got ahold of your hashed PW, it can&#8217;t be used to access your information on the site because it will be hashed a second time during login - which would be wrong.</p>
<p>So on to the personal questions. If they use hash functions to store the answers, you should be OK - because once they store it, it can&#8217;t be used by anyone for any reason, and can&#8217;t be recreated except by knowing the original input. BTW, a hash for yyyPWyyy is: BF0EF9995638B4BB57A537C13F7C011F</p>
<p>I hope this helps.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
