Sunday, January 15, 2006

New Cryptogram Out

The top two stories in Bruce Schneier's latest Crypto-gram offer two classic lessons in security.

1. When doing business, it is not whether you know someone's ID that counts, it's whether that person can be trusted. So it is accountability that matters.

"In an anonymous commerce system -- where the buyer does
not know who the seller is and vice versa -- it's easy for one to cheat
the other. This cheating, even if only a minority engaged in it, would
quickly erode confidence in the marketplace, and eBay would be out of
business. The auction site's solution was brilliant: a feedback system
that attached an ongoing "reputation" to those anonymous user names,
and made buyers and sellers accountable for their actions."

2. Unless the party who can actually do something about poor security pays the cost of that security getting breached, they have no incentive to do anything about that poor security. Says Schneier:


"According to "The Globe and
Mail":

"Susan Drummond was a customer of Rogers Wireless, a large Canadian
cell phone company. Her phone was cloned while she was on vacation,
and she got a $12,237.60 phone bill (her typical bill was $75). Rogers
maintains that there is nothing to be done, and that Drummond has to pay."

Like all cell phone companies, Rogers has automatic fraud detection
systems that detect this kind of abnormal cell phone usage. They don't
turn the cell phones off, though, because they don't want to annoy
their customers.

"Ms. Hopper [a manager in Roger's security department] said terrorist
groups had identified senior cell phone company officers as perfect
targets, since the company was loath to shut off their phones for
reasons that included inconvenience to busy executives and, of course,
the public-relations debacle that would take place if word got out."

As long as Rogers can get others to pay for the fraud, this makes
perfect sense. Shutting off a phone based on an automatic
fraud-detection system costs the phone company in two ways: people
inconvenienced by false alarms, and bad press. But the major cost of
not shutting off a phone remains an externality: the customer pays for it...

The solution here is obvious: Rogers should not be able to charge its
customers for telephone calls they did not make. Ms. Drummond's phone
was cloned; there is no possible way she could notify Rogers of this
before she saw calls she did not make on her bill. She is also
completely powerless to affect the anti-cloning security in the Rogers
phone system. To make her liable for the fraud is to ensure that the
problem never gets fixed."

It's worth repeating the key point "not shutting off a phone remains an externality: the customer pays for it." As long as someone else pays when security is breached, the phone company has no incentive to deal with the problem.

Mr Blair should be encouraged to meet Mr Schneier.

No comments: