net.wars: How do you know it's me?
by Wendy M Grossman | posted on 29 November 2002
Wendy Grossman gets uptight about identity. At least, we're pretty sure it's Wendy who is getting uptight. She has the Wendy attitude, she knows my email address, and she sure is fierce. It's gotta be Wendy, right?
Nasrudin went into a shop. "Have you ever seen me before?" "No, sir." "Then how do you know it is me?"
Classic security theory has it that there are three ways you can identify yourself: something you have, something you know, and something you are. The best security uses at least two of those. So, for example, your cash machine access depends on something you have (cash card) and something you know (PIN). Behind the scenes, something you are - your picture - is also being recorded by a hidden camera, though that serves as evidence after the fact rather than as a check at the time.
The Web's billion-dollar ecommerce platform relies on just one: something you know. There are, I think, two reasons for that. One's a reasonably good one: there has really been no way to force users to incorporate the hardware and software necessary to implement the other two. The other's a bad one: we have lifted our style of ecommerce from the physical world without completely recognising what a difference losing the physical presence makes. In physical-world retail, especially when stores were smaller, clerks could identify you personally. No one, for example, could impersonate me to pick up a package a courier left for me at my corner shop because the guys who run it know me.
And so on to the latest trend in junk email. As The Independent noted the other morning, spam has taken a giant leap upward in the last few months, to the point where it's estimated that something like one-eighth of email messages received in Britain are junk, and as much as one-third in the US. I think that's too low: my personal ratio right now is something like 10:1 junk:legit.
This week's junk - if you're a journalist you have to look, and boy do I envy you guys your spam filters - contained one message that made me pause: a request that I visit a particular Web page because my eBay account had become "corrupted". The Web page in question was a killer: it wanted name, address, phone number, credit card details, bank details, social security number, driver's license number, mother's maiden name, eBay account ID and password, PayPal ID and password ... everything, in other words, needed to perpetrate comprehensive identity theft and wipe out my finances. It looked pretty much like an eBay page (and if my default background had been set to white like most people's, it would have looked exactly like one), and the links on it to privacy policies and other eBay information all went to genuine eBay pages. I reported it to eBay via the site's live chat function, and within half a day the page was gone.
This is the kind of scam we used to see back in the old days on CompuServe, where users would get email purporting to be from the system administrator asking them to "confirm" their account details. eBay's user base is, of course, much bigger than CompuServe's ever was. And if 0.013 percent (the figure in a recent Wall Street Journal article on the economics of spam, described by the bulk emailer as a "horrible" response rate) of eBay's 50 million users responded ... that's 6,500 people who could have handed over their lives. Of course, the figure in this case will have been nothing like that. For one thing, the bulk email in question did not come to the address I use for my eBay account; it came to an address the junk emailer pulled off the Web, so the list of recipients will overlap with, but not exactly match, eBay's database of account holders.
This particular junk emailer also seems to have been a bit careful about how many copies got sent out - I got only one, to only one address, a rarity these days. Probably some people will have been suspicious enough of the Web page not to fill out the form. And the page wasn't up long. But even so ... that's potentially quite a few people, and there's no easy way to trace who they are. Not a bad return, considering that the bulk mailing cost practically nothing to send out and the scoop-the-details form was hosted on a free home-page service. It has also been reported that eBay has a problem with account hijacks.
This isn't to pick on eBay: any time you're that big you're a target, particularly since a large customer base is bound to include some users unsophisticated enough to hand over their information. You can say stupid people deserve what they get, but this kind of blatant attack will gradually be replaced by subtler and more dangerous ones. "Wasn't me, guv" won't be much of a defense. Chances are the next thing will be more calls to do something drastic about junk email. What's probably more needed, however, is a way of incorporating one of the other two factors into our burgeoning remote infrastructure. It is not an easy problem: any static credential you present remotely - a password, a card number, your mother's maiden name - can be captured and replayed later, and even a one-time challenge can be relayed in real time by an attacker who sits between you and the genuine site. We are building a world in which "who I am" rests on a tiny collection of facts, most of which are easily discoverable with a bit of research.
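To make the capture-and-replay point concrete, here is an added example (not from the column, and not any eBay or PayPal mechanism) that contrasts the two factors the column discusses. The `Server` class, the `token_respond` function, and the choice of an HMAC-SHA256 challenge-response token are assumptions for illustration. It shows that a password harvested by a fake form logs the attacker in later, that a recorded answer to a single-use challenge from a "something you have" token does not, and, as the caveat, that an attacker relaying a live challenge between the victim and the real site still gets in.

```python
import hashlib
import hmac
import os
import secrets


class Server:
    """Hypothetical login server offering two factors: a static password
    (something you know) and a challenge-response token (something you have)."""

    def __init__(self, password: bytes, token_secret: bytes):
        self._password = password          # static secret, sent by the user each login
        self._token_secret = token_secret  # shared only with the user's physical token
        self._issued = set()               # challenges issued and not yet consumed

    def check_password(self, submitted: bytes) -> bool:
        # Whatever the user typed into a page is what the server sees; a
        # phishing page sees exactly the same bytes.
        return hmac.compare_digest(submitted, self._password)

    def challenge(self) -> bytes:
        # Fresh random nonce per login attempt; remember it so it can be used once.
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    def check_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._issued:
            return False                   # never issued, or already consumed
        self._issued.discard(nonce)        # burn it: a replayed pair fails here
        expected = hmac.new(self._token_secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(token_secret: bytes, nonce: bytes) -> bytes:
    """What the user's token computes when shown a challenge; the secret never
    leaves the token, only the answer to this one nonce does."""
    return hmac.new(token_secret, nonce, hashlib.sha256).digest()


def replay_password(server: Server, captured_password: bytes) -> bool:
    # Attacker harvested the password (e.g. via a fake "your account is corrupted"
    # form) and uses it later, from anywhere.
    return server.check_password(captured_password)


def replay_response(server: Server, captured: tuple) -> bool:
    # Attacker recorded a (nonce, response) pair from an earlier login and
    # submits it again in a new session.
    nonce, response = captured
    return server.check_response(nonce, response)


def relay_attack(server: Server, token_secret: bytes) -> bool:
    # Phishing proxy: the attacker opens a session with the real server, forwards
    # the fresh nonce to the victim's token, and relays the live answer back.
    # Single-use nonces stop replay; they do not stop this.
    nonce = server.challenge()
    victims_answer = token_respond(token_secret, nonce)
    return server.check_response(nonce, victims_answer)


def demo() -> dict:
    # Constructed sample credentials for the demonstration.
    password = b"hunter2"
    token_secret = os.urandom(32)
    server = Server(password, token_secret)

    legit_password = server.check_password(password)
    nonce = server.challenge()
    response = token_respond(token_secret, nonce)
    legit_response = server.check_response(nonce, response)   # consumes the nonce

    return {
        "legit_password": legit_password,                            # True
        "legit_response": legit_response,                            # True
        "password_replay": replay_password(server, password),        # True: captured once, good forever
        "response_replay": replay_response(server, (nonce, response)),  # False: nonce already burned
        "live_relay": relay_attack(server, token_secret),            # True: the caveat
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:16s} accepted={accepted}")
```

The first two outcomes are ordinary logins. The third is the column's scam: a harvested password is a reusable credential. The fourth is what a possession factor buys you: the recorded transcript is worthless against a fresh challenge. The fifth is why it is "not an easy problem": a token answers whatever challenge it is shown, so an attacker who can sit between user and site in real time gets one login per relayed challenge; binding the challenge to the genuine site's identity (so the token refuses to answer for an impostor) is what closes that gap, and that is exactly the piece the Web of 2002 lacked.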
So now: who wrote this week's column?
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).