Tuesday, October 24, 2006
Information Risk Management = Information Triage
Art Coviello, President of RSA Security, has just spoken at the RSA World conference, and used an expression I've not heard before, but very much like: Information Triage. This is the process of making decisions based on information value. He refers to it in the context of risk management, although I suspect it might be even more appropriate to use it in a Business Continuity scenario...
8:20:47 AM
RFID on credit cards? No thanks...
The New York Times is reporting that a RSA Labs researcher has successfully hacked an RFID tag embedded in a credit card. I was unaware that contactless credit cards were available, and assume this is a US-centric feature - and I hope it remains this way for a long time yet.
Don't get me wrong, I'm a big fan of RFID, but am concerned about inappropriate use of the technology, and this is a perfect example. The credit card providers are re-engineering their systems to push fraud liability back to the retailer and the consumer. The introduction of Chip and PIN in the UK was essentially designed for just that purpose: to prove that whoever presented the card also had the PIN, which means that they are either the legitimate cardholder, or the legitimate cardholder has disclosed the PIN to them.
But once we bring RFID into the equation, the scope for attack widens considerably, as there is no longer a requirement for physical contact with the card in order to read or interact with it. This is why, to date, RFID payments have largely been confined to micropayments. I have an Oyster card to pay for my use of the London Underground, but have not linked it to my credit card for top-ups. In Hong Kong, I had an Octopus card, which gave me access to the MTR and allowed me to buy coffee at Starbucks as well. But if I lose either of those cards then all I lose is the value stored on them.
RFID simply provides another attack channel to unload my credit cards. We place all of our trust in a very low power chip that can only provide limited crypto processing, and this is a solution looking for a problem. I've no doubt that one day RFID will provide a trusted mechanism for credit card payments, but until then I'd be keeping my RFID-enabled cards in a tin-foil wallet to protect them.
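The post does not describe what the RSA Labs researcher actually did, so the following is an added illustration, not the published attack and not code from the original page: it contrasts a hypothetical contactless card that answers every reader with the same static account data against one that binds its reply to a reader-supplied nonce with a keyed HMAC (a small enough computation for a low-power chip). A skimmer that only needs to be in range reads each card once and replays the captured bytes to a genuine terminal. The account number and per-card key are constructed test values.

```python
"""Added example: static contactless reply vs. challenge-response,
under a skim-and-replay attacker. All data is constructed for the demo."""
import hashlib
import hmac
import os

# Constructed test values; not a real account number or key.
TEST_PAN = b"4111111111111111"
TEST_KEY = b"per-card-key-constructed-for-demo"


class StaticCard:
    """Hypothetical card that returns the same bytes to any reader,
    whatever the reader sent. Anything a skimmer records is a valid reply."""
    def respond(self, challenge: bytes) -> bytes:
        return TEST_PAN


class ChallengeResponseCard:
    """Hypothetical card that MACs (PAN || reader nonce) with a per-card
    secret, so a recorded reply is only valid for that one nonce."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self._key, TEST_PAN + challenge, hashlib.sha256).digest()
        return TEST_PAN + b"|" + tag


class StaticTerminal:
    """Terminal for the static scheme: it can only check that the reply
    looks like a 16-digit account number."""
    def verify(self, nonce: bytes, reply: bytes) -> bool:
        return reply.isdigit() and len(reply) == 16


class ChallengeResponseTerminal:
    """Terminal that recomputes the MAC over the nonce it actually sent."""
    def __init__(self, key: bytes):
        self._key = key

    def verify(self, nonce: bytes, reply: bytes) -> bool:
        pan, sep, tag = reply.partition(b"|")
        if not sep:
            return False
        expected = hmac.new(self._key, pan + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


class Replayer:
    """Attacker device that skimmed one exchange and replays the captured
    reply verbatim, ignoring the nonce the genuine terminal sends."""
    def __init__(self, recorded_reply: bytes):
        self._reply = recorded_reply

    def respond(self, challenge: bytes) -> bytes:
        return self._reply


def transact(terminal, device) -> bool:
    """One contactless transaction: the terminal sends a fresh nonce and
    checks whatever the device in the field replies."""
    nonce = os.urandom(16)
    return terminal.verify(nonce, device.respond(nonce))


def skim_and_replay(card, terminal) -> bool:
    """The skimmer reads the card once from range with a nonce of its own
    choosing, then presents the captured bytes to a genuine terminal.
    Returns True if the terminal accepted the replay."""
    captured = card.respond(os.urandom(16))
    return transact(terminal, Replayer(captured))


if __name__ == "__main__":
    cr_card = ChallengeResponseCard(TEST_KEY)
    cr_terminal = ChallengeResponseTerminal(TEST_KEY)
    print("static card, genuine:", transact(StaticTerminal(), StaticCard()))
    print("static card, replay :", skim_and_replay(StaticCard(), StaticTerminal()))
    print("CR card, genuine    :", transact(cr_terminal, cr_card))
    print("CR card, replay     :", skim_and_replay(cr_card, cr_terminal))
```

The static card is skimmed and replayed successfully; the challenge-response card's captured reply is rejected because the genuine terminal's nonce differs from the skimmer's. The shielded wallet blocks the skim step itself, which is the only defence available when the card offers nothing better than static data.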
8:15:25 AM
The Home Office nearly gets it...
A very interesting quote from Joan Ryan MP, at the Biometrics 2006 conference:
"There's a danger of underestimating the public reaction to ID cards. People's trust in the scheme depends on protecting privacy and ensuring the scheme is properly used. More secure identification does not mean curtailing rights to privacy."
As I started to read that paragraph, I got very excited that maybe the Home Office has finally understood Benjamin Franklin's thoughts and has got some real value for the £46m spent on the ID Cards programme to date. Then I reached the last sentence and it became clear it's still not sunk in yet: more secure identification certainly does not mean curtailing rights to privacy - what we should be saying is that trusted identification mechanisms are essential to protect privacy in the information age.
The government still hasn't seen the opportunity here. If we were to build a federated ID scheme that complies with Kim Cameron's Laws of Identity, and in which the government underwrites (indemnifies) the value of the enrolment mechanism - say, £10,000 per ID - then we have an environment in which both citizens and commerce understand not only that the system can be trusted, but also what value can be associated with that ID before further proof is required. If this were to be done, we'd see queues of citizens in Marsham Street begging the Home Office to get a move on with their ID Cards.
I'm collaborating on a paper that explores this in more detail, and will keep you posted on progress.
8:01:24 AM
A case of mistaken identity...
I've noticed a huge upsurge in hits on this blog in the past few weeks. I'd love to believe it's because of an interest in my thoughts and writings, but I'm not sufficiently smug to believe that for a second :)
A far more likely explanation is the recent appearance of actor Toby Stephens in the BBC's adaptation of Jane Eyre (which I rather enjoyed). So, for the avoidance of doubt: Toby Stephens is an RSC actor and Bond baddie. If that's who you're after then get back to Google and check your spelling ;)
7:48:43 AM
© Copyright 2006 Toby Stevens.