Whenever anyone talks about typical authentication use cases, they inevitably use a financial institution as an example. "The user logs into his bank to perform a transaction." or "The bank issues the user a credential to protect his account." We use financial institutions as an example because it's an easy situation to explain -- you have a place with a lot of money, criminals like money, so we protect the money from the criminals. Simple, right?
But we should look beyond the "obvious" places where additional security is needed. If someone breaks into your online bank account and steals your money, it's almost certain that your bank will eventually cover your losses. It may be a giant headache for you, take a ton of time and effort, and it probably reduces your faith in online banking, but you will most likely be made "whole." But what if someone breaks into your online health record? Or your email account? Or your social networking profile? Or your blog? Who's going to make you "whole"? Is that even possible?
Last week there was a great anecdote being discussed on a C|Net blog about how someone's instant messenger account had been breached by password-stealing malware. The attacker got the victim's IM username and password, then logged in as the victim. The attacker then tried social engineering everyone on the victim's buddy list, pretending to be the victim, who was supposedly in some dire financial/legal predicament and needed money wired immediately. None of the targets took the bait, but what would have happened if they had? Nobody's going to refund the money they send off to some scam artist -- their bank is just following their legitimate wire transfer instructions, and the instant messaging provider is providing a free service and disclaims all liability. Notice who actually gets hurt here: a stolen account inherits the trust of every relationship attached to it, so the loss lands on the victim's contacts, who never chose the weak credential and had no way to tell the impostor from their friend. These people are just as much victims of a weak username and password as the customer in our typical bank example.
Who thinks these people are going to continue to trust IM as a communications medium? Shouldn't we be protecting our most private conversations, and our actual online identity with something better than an easily phished username and password?
Money can be refunded, but trust and privacy can't.