Wednesday, September 13, 2006

More HP Fallout

Adam asks: was ATT negligent in using the last four digits of the SSN for authentication?

A four-digit password that is widely published and does not change for up to a century is hardly an effective security measure. There is unfortunately a big difference between 'ineffective' and the legal standard for 'negligent'.

I don't think that a case against ATT is very likely. If a case was going to be brought, it would be against HP, the investigators and the agency they used.

If a case was brought, ATT would certainly point out that they were simply following a widespread industry practice here. The last four digits of the SSN are arguably as strong as or stronger than mother's maiden name or favorite pet (Fido or Fluffy). Unlike mother's maiden name or favorite pet, the use of a false SSN is a criminal act in itself.

Combined with other controls, SSN could be reasonably secure. Why were the phone records being sent anywhere other than the customer's billing address? Why do people think we need immediate access to our telephone calling logs anyway? Why is it the responsibility of the phone company to track who we call?

The legal standard for negligence is the Hand test: negligence exists when the probability of harm multiplied by the cost of harm is greater than the cost of an effective control.

The HP incident came only a few days after the existence of the cell phone records 'services' became widely known. Until then the incentive for stealing records, and thus the probability of harm, would arguably be low - in this case arguably meaning 'a jury might be persuaded'.

SSN verification might be viewed as being equivalent to a door lock: it offers little security in itself, but breaking it provides a clear indication of criminal intent.

I don't see much hope of demonstrating negligence in this particular case. But what happens when the phishing gangs and the advance fee fraud gangs work out a way to work this type of activity into their schemes? Identity theft is all about building up a comprehensive profile of the victim. Knowing who they talk to would help a lot.

Phill H-B said...

Adam sent me the following comment in email:

"The cost of an effective control is low: Mail me a password with the
first physical mail you send me. Require it for future action. If I
don't have it, mail another one. Optionally, fedex it at my expense."