Commerce In A World Without Trust

The trust model underlying online commerce has been threatened by the constant attacks on information providers used to authenticate consumers. Is the Internet as secure as it needs to be anymore?

Trust is kind of a squishy concept. If you refer back to the definition from our pals at Merriam-Webster, trust is the "belief that someone or something is reliable, good, honest, effective, etc." Reliable? Honest? Sounds great, right?

Our world of increasingly frequent online commerce is based on trust. Your merchants need to trust that you are who you say you are. You trust that the merchant/vendor you're dealing with is the legitimate one you think it is. Ultimately the entire process depends on trust that your transaction will be accepted and that, at some point, you'll receive goods or a service in exchange for your payment.

Of course, fraud has existed since the beginning of time. Identity theft makes it difficult for merchants to know who is actually buying something. Site scraping and phishing make it difficult for consumers to know whether the site they are using is legitimate. A third party emerged to bridge the gap and provide financial protection to both sides of the online transaction -- credit card brands (and their associated issuers) vouch for a consumer to the merchant and protect the consumer from a fraudulent merchant. For their 2- to 3.5 percent transaction fees, both merchants and consumers are _protected_ from fraud. As long as the card brands don't suffer more loss than they make in transaction fees, the system works.

But what happens when we hit the tipping point -- when we don't know who is who, and online fraud is so rampant that the models the financial institutions use to make sure they don't lose money on transactions become obsolete? If those models break down, then transaction fees could skyrocket. Or maybe they would bottom out as aggressive financials look to gain market share (we've seen that movie before). No one knows what would happen.

After reading Brian Krebs' totally awesome investigatory piece, "Data Broker Giants Hacked," we may be closer to that point than we wanted to believe. I mean, we always knew fraud was rampant, but reading about the SSNDOB service that traded in personal data takes it to another level given the recent trends in authentication technology.

I know, you're probably thinking, "What's the big deal?" ChoicePoint got popped over 10 years ago, and this is the same thing, right? Well, not so much. It turns out that many organizations (especially financial organizations) use adaptive authentication to reduce the risk of their transactions, which involves asking personal questions to validate a consumer's identity depending on what they are trying to do.

If the attackers have access to many (if not all) of these standard questions, then you can be as adaptive as you want -- you still can't be sure who is on the other end of a connection. Even better, many of the new health-care insurance exchanges rolling out in the U.S. heavily use this kind of adaptive authentication to validate citizens and offer services. Soon enough your dog may be online buying health insurance from one of these exchanges (though I'm not sure if there will be a checkbox for ringworm on the medical history page).

If we live by the old adage that the Internet is as secure as it needs to be, we need to question whether we're getting to the point where we have to reset expectations of security. Do we have to fundamentally rethink our dependence on personal information for authentication, knowing full well that this data is easily accessible and not really a secret? Remember the old days when the Social Security number was a primary unique identifier and something you had to protect at all costs? Pete Lindstrom was early to point out the misplaced reliance on the SSN since it's neither unique nor hard to get for an attacker. It turns out he was right, and now we should be asking the same questions about all of this other personal information. Are your previous addresses and mother's maiden name becoming as useless as the SSN?

If you think about alternative technologies, we've learned that biometrics will be a tough sell, as evidenced by Apple's TouchID technology, so we'll need to expect pushback about centrally storing biometric information. Do the financial institutions just jack up their shrinkage estimates and adjust transaction fees accordingly? Do consumers become more aware and go back into brick-and-mortar stores? Although it's not like personal data captured in the physical world has proved any more secure.

Some days I wish my crystal ball were back from the shop. If I had to bet, I'd bet on Mr. Market gradually adjusting transaction fees until it's too expensive to do online commerce, and that will result in a wave of new security/authenticity technology to make the Internet once again "as secure as it needs to be" and restore balance to the Force that is online commerce. Until then, monitor the crap out of your financial accounts because you can't trust anyone or anything nowadays.

Mike Rothman is President of Securosis and author of the Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...