Sunday 30 March 2014

The Scottish on-line security experiment


On-line, you can have convenience. Or you can have security.
One or the other.
But not both.

Stolen Twitter passwords 'worth more than credit card details'.

That's what it said in the Telegraph a few days ago, 28 March 2014. Credit card details are only worth between $2 and $40 these days on the black market, whereas your Twitter password can be worth between $16 and $325. That's what Michael Callahan of Juniper Networks says. And he's a security expert.

You're probably getting bored with these stories. They appear every day in the media. And every month on the DMossEsq blog, see for example Cybersecurity, and GDS's fantasy strategy. And "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands". And Hyperinflation hits the unicorn market. And ...

It's boring. But it's still important.

The Telegraph article ends with this advice:
Callahan said it was vital for people to use different passwords for each site, so that if one account is compromised it will not allow the hackers access to their whole digital lives
He's not a security expert but even DMossEsq says that. Repeatedly. See for example Identity assurance – convenient? It'll make your life so much easier. And GDS – the user experience of misfeasance in public office. And Digital-by-default, an open letter to the House of Commons Science and Technology Committee (para.14). And ...

But the Government Digital Service (GDS) disagree. They're the people in charge of the identity assurance programme. And when the UK's first so-called "identity providers" were appointed, this is what we read, the opposite of Callahan:
Providers announced for online identity scheme

The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.

... providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember ...
It's hard work/inconvenient having multiple logon details.

GDS want to make life more convenient for us all. Keep all your logon details in a personal data store (PDS), they say, and the PDS can log on for you to your Amazon account or your electricity account or your bank account and so on and so on, world without end. All you have to remember is the logon details for your PDS. Much more convenient.

And much less secure.

As Mr Callahan says.

And DMossEsq.

On-line, you can have convenience. Or you can have security. One or the other. But not both.

GDS just can't take security seriously. See for example RIP IDA – JFDI security. Security is over-rated, according to GDS, and should always be trumped by usability/convenience.

Who's right?

How can we decide?

We need to conduct an experiment.

As luck would have it, there's an experiment coming up. A big one. In Scotland. Please see Connecting the nation – Scotland's empowered future: "Scotland’s proud heritage of innovation beckons, and Mydex CIC is proud to be part of enabling that future".

(Can a proud heritage beckon?

Never mind.)

Scotland has a Digital Participation Charter and Mydex are going to help her on the road to Estonia. They have a trust framework. They aim to make every on-line transaction dependent on Mydex.  And they will "empower" everyone with a PDS. Armed with one of these dematerialised ID cards, no Scot will ever again have to remember more than one password. That may be convenient. But will it be secure?

The Scots will soon find out.

And so thereby will we.

No comments:

Post a Comment