May 30th

When Security Increases Exposure to Risk

Christopher Kenton

I’m a customer of a little company called CountryWide Financial, a holding company of various financial and banking services, including insurance, mortgage, commercial loans and capital markets. Actually, they’re one of the largest financial companies in America, with many thousands of customers who trust them to safeguard personal data. Like many financial companies, CountryWide frequently changes and upgrades its security policy for handling online transactions. But the latest upgrade ensures that I will never use the CountryWide site again to handle transactions, and it’s an issue that has enormous impact for marketers who are charged with safeguarding customer relationships and brand image, if not directly responsible for customer data.

When I recently went to the CountryWide site to carry out a transaction, they stopped me at the door and introduced a new security policy. It started out in an intriguing new direction. To safeguard against phishing, in which an impostor hosts a lookalike site and lures customers into entering personal data that can then be used to access and pillage the real account, CountryWide has instituted a personalized authentication image and statement. The customer chooses a random image, say a tractor, a telephone or a leaf, and enters a site ID phrase of their own choosing, such as “Holy Retinal Scanner, Batman!” Whenever the customer returns to the CountryWide site, they can check that it really is CountryWide by the presence of their secret image and phrase. (The check only protects you if you refuse to type your password when the image is missing.) I hadn’t seen this concept before, and it’s a clever idea.

So I continue on to the next stage of the new security protocol, where I’m prompted to select a series of security questions and to provide responses, which will be used to authenticate me in the future. Nothing really new here; how many times have I entered the name of my pet or my mother’s maiden name? But as I started to look through the security questions, it started feeling a little creepy. These weren’t the standard security questions, but an entirely new breed of questions with some scary implications.

  • What is your best friend’s first name?
  • What was the name of the maid of honor at your wedding?
  • What is the first name of your oldest nephew?
  • What was the name of your first boyfriend/girlfriend?
  • Where did you first meet your spouse?
  • What is the nickname of your grandfather?

And on they go. Now I should point out that you can choose from these questions, and others a little less probing, like the name or city of your high school. But you must choose three questions, and these kinds of really personal and unique questions are prevalent. As I started to fill out one of these questions, thinking “gee, this is really specific”, I suddenly got a cold premonition. Wait a minute. I realize these are questions designed to safeguard my identity and personal data, but these companies have a really nasty habit of losing this kind of data, not to mention shifting privacy rules in ways that seem to make more and more data available for purposes I didn’t want. Not only are major breaches of customer data common, they include outrageous breaches by many of the most trusted financial institutions, including Bank of America, Citibank, Wachovia, the FDIC, JP Morgan Chase; the list is too long to recite. And yes, CountryWide is not immune to its own security breaches.

I cannot imagine a more disturbing recipe for truly frightening levels of identity theft than a database of information so personal and specific that it could be used to impersonate you with a frightening level of authenticity. There are already plenty of instances of brazen identity theft in which the perpetrators have gone as far as full-blown impersonation of their victim. Remember Frank Abagnale, the real-life subject of Catch Me if You Can? What’s particularly disturbing is that the kinds of questions CountryWide is asking are not just specific and personal; many of them are permanent. Timeless. The name of your first girlfriend, or where you met your spouse, will never change. Unlike a password, such an answer cannot be reset after a breach: once that personal information is lost, you’ll never get a chance to recover it.

So while I applaud CountryWide for improving their security policy, and even taking creative steps to do so, I think these new measures of gathering personal information are disturbingly misguided for consumers. For many thousands of consumers, their first experience of a security breach is when the institutions they trust lose their personal data through negligent loss or theft. In that regard, the first step in protecting your identity is safeguarding yourself from the probing questions of your service providers. And the marketers who manage the brands for companies like CountryWide should understand this fact better than their customers, since the backlash of losing such valuable data is far more costly than the value in collecting it.

5 Responses to “When Security Increases Exposure to Risk”

  1. Kelly Sparks Says:

    You should inquire if CountryWide uses hashing to store your “secret” answers to the personal questions. Hashing is a typical strategy to mask known information into something that is unique, but not identifiable in and of itself. For example, many web sites use hashes for passwords. Let’s say you use yyyPWyyyy. In the database, these are converted to hashes by a one-way-only cryptographic function: see details here [http://en.wikipedia.org/wiki/Hash_function ]. Once this is stored, the company actually does not have your original PW and cannot recreate it if they tried. The new hashed key is used to access your information, but the only way to derive that key is from the password yyyPWyyy, which only you know. This is why so many websites can only send you a temporary “new” password when you forget yours, because they don’t know your current password. If someone got hold of your hashed PW, it can’t be used to access your information on the site because it will be hashed a second time during login, which would be wrong.

    So on to the personal questions. If they use hash functions to store the answers, you should be OK, because once they store it, it can’t be used by anyone for any reason, and can’t be recreated except by knowing the original input. BTW, a hash for yyyPWyyy is: BF0EF9995638B4BB57A537C13F7C011F

    I hope this helps..
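To make the storage design discussed in the comment above concrete, here is an added example (not code from the page, and not CountryWide’s implementation) showing what “hashing the answers” looks like on the server side, and the limit a practitioner would add to it: an answer drawn from a short list of first names can be guessed however it is stored, and an unsalted fast hash of it falls to a precomputed table in one pass. The enrolled answer, the wordlist and the normalisation rule are constructed for this example; the page does not say how CountryWide stores or compares answers.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed sample data for this example (not from the page): one enrolled
# answer and the kind of short first-name wordlist an attacker would try first.
ENROLLED_ANSWER = " Jennifer "
NAME_WORDLIST = ["michael", "jessica", "david", "jennifer", "robert", "ashley"]


def normalize(answer: str) -> bytes:
    """Canonicalise an answer so 'Jennifer', ' jennifer ' and 'JENNIFER' compare equal.

    Assumption: the site wants case- and whitespace-insensitive matching of
    security answers; the page does not say how CountryWide compares them.
    """
    return unicodedata.normalize("NFKC", answer).strip().casefold().encode("utf-8")


def naive_store(answer: str) -> str:
    """A fast, unsalted hash of the answer, in the spirit of the yyyPWyyy example."""
    return hashlib.sha256(normalize(answer)).hexdigest()


def crack_naive(stored_hex: str, wordlist: list) -> Optional[str]:
    """Recover an unsalted fast hash of a low-entropy answer by trying a wordlist.

    With no salt, one table of hashed first names unlocks every user who gave
    that name, and each guess costs a single SHA-256 call.
    """
    for word in wordlist:
        if hashlib.sha256(normalize(word)).hexdigest() == stored_hex:
            return word
    return None


def enroll(answer: str, iterations: int = 100_000) -> dict:
    """Keep only a random per-record salt and a slow, salted hash; the plaintext is discarded.

    The salt defeats shared precomputed tables and the iteration count slows each
    guess, but neither enlarges the space of plausible first names the attacker
    has to search. That is the limit of storage-side protection for these answers.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare without leaking timing."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    record = enroll(ENROLLED_ANSWER)
    print("verify 'jennifer':", verify(record, "jennifer"))  # True
    print("verify 'Jessica': ", verify(record, "Jessica"))   # False
    # The unsalted fast hash falls to a six-word dictionary.
    print("cracked naive store:", crack_naive(naive_store(ENROLLED_ANSWER), NAME_WORDLIST))  # jennifer
```

The salted, stretched record is what a site should hold, and a stolen copy of it does not hand the attacker the answer directly. But the attacker knows the question, so the guessing space is “common first names”, not “all strings”, which is why the post’s objection to collecting these answers stands even when they are hashed properly.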

  2. Chris Says:

    Kelly–

    That’s a great point. Thank you. I certainly hope CountryWide uses hashing to store responses as one of many layers of security.

    And yet, from a marketing and consumer perspective, I still think what they’re doing is a mistake. I think that consumers should be learning more and more how to protect their identity by not giving potentially sensitive data out, and they can start by thinking very critically about what data their financial services companies should be asking. I think, from the perspective of leveraging security as a major brand attribute, CountryWide should be leading their customers on this front, not encouraging them to give up unnecessarily personal data just because it’s requested.

    Just my cranky opinion. :) Thanks for the response.

    /chris

  3. Kelly Sparks Says:

    Chris:
    You are welcome. I agree with you that the enterprises at large are starting to get a bit too personal. Really, all they are doing is digging in deeper and asking for more personal information. Over time this new information will not be enough to protect you from identity theft, since it’s just more static information about you that is ultimately tied to your other personal information. Masking via hashing helps of course, but phishing schemes are getting better all the time and they will just update their sites to include the new questions…

    Thanks for your post.

    Kelly

  4. Patricia Says:

    Sort of related rant. You know what bugs me about site registrations? Why do they need my physical mailing address? I’m talking about sites that make it a required field. It’s not for verification or log-in purposes. The only explanation is that they’re selling a list to a direct mail company or the like. I’m sure many of us have invented a fake address or decided not to register in such cases.

  5. Robert Says:

    It seems the right answer is to hash the information yourself (pick something that hashes to a reasonably easy to remember value, at least in the last few digits) and supply the hash as your answer.

    Also, there is no value in the answer matching your actual history, just in you being able to match the answer you previously provided. I would be tempted to pick ‘first girlfriend’ as the question and provide the name of the first associate at the institution in question that you dealt with. This should be possible to remember, or to recover in case of forgetting, and tied to the individual institution, hence limiting the exposure. If you only supply a hash of that value, it is double-blinded.

    If you REALLY want to get fancy, supply a hash of encrypting the value plus a timestamp, hashed, with your private key; that way only you can convince yourself of the correctness of a specific value later. And that way you can update the answer by hashing the value with a new timestamp. But I think this is way beyond the level of justifiable complexity…

    By the way, assuming that no human reads this before posting, the name and address above are fake, of course. I am, indeed, paranoid… But you know the old joke: just because you are, it does not mean they are not after you.
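The comment above proposes answering with a hash of an institution-specific value rather than a real fact. The following is an added example (not the commenter’s code, and not a recipe from the page) that generalises that idea: one personal secret, keyed into an HMAC over the institution and question labels, yields a different pseudo-answer for every site, re-derivable on demand, and a version number takes the place of the timestamp-and-private-key variant so an answer can be rotated after a breach. The wordlist used to render digests as speakable answers is constructed for this example; the HMAC-based construction and the labels are assumptions of the example, not something the page specifies.

```python
import hashlib
import hmac

# Constructed wordlist (not from the page) for rendering part of a digest as
# something a person can read back to a call-centre agent. Any fixed list works,
# but the list must never change or the derived answers change with it.
WORDS = [
    "anvil", "birch", "comet", "delta", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "maple", "nickel", "orchid", "pewter",
]


def derive_answer(personal_secret: str, institution: str, question: str, version: int = 1) -> bytes:
    """Derive a per-institution, per-question pseudo-answer from one personal secret.

    Assumption (a generalisation of the comment's scheme, not its exact recipe):
    the HMAC key is a secret only the user knows; institution and question are
    public labels; `version` replaces the timestamp in the comment's variant, so
    bumping it produces a fresh answer for the same site and question.
    """
    label = f"{institution.casefold()}|{question.casefold()}|v{version}".encode("utf-8")
    return hmac.new(personal_secret.encode("utf-8"), label, hashlib.sha256).digest()


def answer_hex(personal_secret: str, institution: str, question: str, version: int = 1) -> str:
    """Preferred form: 16 hex characters (64 bits) typed into a web form.

    A leak of this value from one institution says nothing about the secret or
    about the answer given elsewhere, which is the 'double-blinding' the comment
    describes.
    """
    return derive_answer(personal_secret, institution, question, version).hex()[:16]


def to_words(digest: bytes, count: int = 3) -> str:
    """Fallback form: `count` words a person can say aloud.

    Each word carries only 4 bits (16-entry list), so three words give a 4096-way
    answer space: fine against an online guesser behind a lockout, weak against
    anyone holding a stolen hash. Use the hex form where the field allows it.
    """
    return " ".join(WORDS[b % len(WORDS)] for b in digest[:count])


def answer_words(personal_secret: str, institution: str, question: str, version: int = 1) -> str:
    return to_words(derive_answer(personal_secret, institution, question, version))


if __name__ == "__main__":
    secret = "only-I-know-this"   # constructed for the example
    for site in ("CountryWide", "Other Bank"):
        print(site, "->", answer_hex(secret, site, "first girlfriend"),
              "/", answer_words(secret, site, "first girlfriend"))
    print("rotated ->", answer_hex(secret, "CountryWide", "first girlfriend", version=2))
```

The answers are reproducible from the secret and the labels alone, so nothing has to be memorised per site, and the enrolled value at any one institution is unrelated to the real facts the question asks about. The secret itself is the single point of failure, exactly as a password manager’s master password is.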
