Canadian "Guidelines for Identification and Authentication"

These guidelines, released by the Canadian Privacy Commissioner, are a good document discussing both privacy risks and security threats:

Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures, but only if they are appropriately designed given the sensitivity of the information and the risks associated with the information. Overly rigorous authentication processes, or requiring individuals to authenticate themselves unnecessarily, can be privacy intrusive.

And here's a longer document published in 2004 by Industry Canada: "Principles for Electronic Authentication."

Posted on October 27, 2006 at 7:29 AM • 12 Comments

Comments

/pd • October 27, 2006 8:39 AM

I wonder how Company "X" got my name off the voter list ?? :)-

I think the gov should eat their own dog food first !!

Realist • October 27, 2006 10:52 AM

@/pd
Did they get it off the voters list or off of the land registry or the tax assessment files? In Canada, the registered property owner information is public knowledge.

Full Disk Encryption • October 27, 2006 12:47 PM

Nothing new here. Key thing is
"Organizations cannot take a one-size-fits-all approach to authentication."

Recently somebody asked on the Security Basics List (@SecurityFocus), as to why the Amazon password policy is so relaxed. See:

http://www.xml-dev.com/lurker/message/20061024.173413.5ddb6762.en.html

Good question. Especially since Amazon has so much of your data. They essentially profile you. They know what books you would like to buy etc....

Any thoughts?

X the Unknown • October 27, 2006 2:01 PM

@Full Disk Encryption:

Because Amazon has little real liability in case a password gets compromised...

Davi Ottenheimer • October 27, 2006 3:45 PM

Amazon has several incentives that are factored into using easy/weak passwords:
1) they want to make it as convenient as possible for you to login and spend money
2) they want to reduce the cost of password recovery, customer care calls, etc.

Like a shopping mall requiring you to enter a code before you can enter the facility and shop at the stores, would they make it a long and complex alphanumeric code? They are incented not to, whereas there is little incentive to ensure the code is not lost/compromised (the very opposite to knowledge-worker systems that host code, trade-secrets, IP, etc.)

Ben K • October 27, 2006 4:08 PM

Password rules are useless. Either they are just a template for crackers that helps them limit the size of the dictionaries they need to apply, or they are so complex that users have to resort to writing down their password in places like wallets, desk drawers, or the back of keyboards.

RG3 • October 27, 2006 4:51 PM

@Ben K

Password rules do, however, protect against the easier-to-crack passwords, raising the bar for password hacking. Also, writing down your password in your wallet isn't such a bad idea, providing you keep your wallet safe (and don't keep your username with it).

Canuck • October 27, 2006 9:16 PM

Canadian voter list:
The Canadian government maintains a voter list for federal elections and the information is available for provincial and municipal elections. Local officials can choose to generate lists themselves for local elections, I don't think many do.
The list contains non-address information as needed - language or school board for instance. Only the information needed for a given election is used for that list.
Voter lists are not published but I believe you can look at some (where your name should be) or all if you go and ask.
Use of the information for non-electoral purposes is illegal though, and I doubt if you could copy it in bulk.
You can definitely verify your information.
The list originated with the last federal election enumeration and has been updated constantly since. We don't do actual door-to-door enumerations for most voters lists any more.
You have to explicitly consent to forward to the voters list any information from tax forms, passport applications, and other government operations collecting information. Generally one allows the forwarding so that your address is current.
You can completely opt out of the voters list, but can still vote using the procedure available for anyone missed from the list.
However the list is far from secure. Voter lists of names and addresses are given to political parties and to election candidates.
There are, therefore, many lists in the wild. One can assume that this list has a value, and that somebody could fairly easily obtain and then sell it.
I don't know if the law against misuse is actively enforced. It would be simple to seed the list with false names to test for misuse, much like map companies add non-existent geographical features to prove copying.

Canuck too • October 28, 2006 6:08 PM

Canadian voter lists are public information. They are certainly available at federal, provincial, municipal offices, public libraries, candidate campaign offices, and polling stations. Scrutineers and poll workers often carry copies. I have seen municipal lists stapled to utility poles.

This is a necessary feature of democracy. It is a way of determining who is entitled to vote so that, for example, candidates can solicit said vote or candidates and neighbours can verify said entitlement.

That a corporation might illegally or unscrupulously copy published lists is another matter.

David • October 30, 2006 11:22 AM

Because if you try to break into Amazon with password guesses, you won't get too many attempts before it slows down. And when in, you can buy some books, but where to ship them to?
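The slow-down David describes is an online-guessing throttle: a few free attempts per account, then a growing delay before the next attempt is even considered. The following is an added illustration of that mechanism, not code from the post or from any retailer; the account name, the free-attempt count and the delay constants are assumed values, and the simulated clock exists only so the example runs offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LoginThrottle:
    """Per-account throttle: after `free_attempts` failures, each further
    failure doubles the wait (capped at `max_delay`) before the next attempt
    may proceed. A successful login clears the account's failure history."""
    free_attempts: int = 3          # assumed policy value
    base_delay: float = 1.0         # seconds; assumed policy value
    max_delay: float = 3600.0       # seconds; assumed policy value
    clock: Callable[[], float] = time.monotonic
    # account -> (consecutive failures, earliest time next attempt is allowed)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def check(self, account: str) -> float:
        """Return 0.0 if an attempt may proceed now, else seconds still to wait."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account: str, success: bool) -> None:
        """Update the account's state after a login attempt."""
        if success:
            self._state.pop(account, None)
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        excess = failures - self.free_attempts
        delay = 0.0 if excess <= 0 else min(self.max_delay, self.base_delay * 2 ** (excess - 1))
        self._state[account] = (failures, self.clock() + delay)


class FakeClock:
    """Deterministic clock so the simulation below needs no real sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def guesses_allowed(budget_seconds: float, free_attempts: int = 3,
                    base_delay: float = 1.0, max_attempts: int = 10_000) -> int:
    """How many wrong guesses at one account fit inside `budget_seconds`
    when the guesser always waits exactly as long as the throttle demands."""
    clock = FakeClock()
    throttle = LoginThrottle(free_attempts=free_attempts, base_delay=base_delay, clock=clock)
    count = 0
    while count < max_attempts:
        wait = throttle.check("victim@example.invalid")   # constructed account name
        if clock.now + wait > budget_seconds:
            break
        clock.now += wait
        throttle.record("victim@example.invalid", success=False)
        count += 1
    return count
```

With the assumed constants, an hour of guessing against a single account yields only 15 attempts, which is the point of David's remark: the password policy matters less once online guessing is this slow.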

Aliana • November 16, 2006 1:30 PM

Regarding Authentication:

Part of my business is practical security advice to our customers, so I am not a novice or unaware of good security practices. Even so, I have experienced credit card fraud as well as a communications company business account take-over. Both were NOT due to any security laxness on my/our part. Both WERE due to unbelievably stupid authentication procedures at the companies whose job it is to authenticate.

The business account, a DSL account with Covad, was taken over and changed from our control. Covad said the usurper gave two pieces of identification information that they required: 1. our business name 2. our business address. DUH! When I challenged this through customer service, asking to speak to supervisors upwardly in line, I was promptly and indignantly stopped by each "droid" with a simple, "sorry, that is our policy for authentication, and we can't change it." When I asked to speak to the person in charge of formulating these authentication policies, I was given a phone number that got me to a menu loop that got me to no one.

The credit card fraud came after a credit card application at Micro Center. I only applied, since it would give me another $300 off a laptop. I was suspicious of their practices, when they asked me to fill out a paper application at the store. I grilled them on what happened to the paper application; where my information was stored; and who had access to it. They said the paper copy data was input right there at the store by an employee, while I waited; then the paper was shredded. I asked to watch the input, which they would not allow. I asked to have the paper returned to me, so I could shred it. This, of course, was silly, and I only used it to intimidate and challenge their casual security awareness. I still couldn't and don't know what they did with the paper, while it was out of my sight. They did return it to me, after they had it somewhere in the back for a time.

As it turned out, within a couple months, someone gained "authentication" to that credit card account (which I was about to cancel) and changed the email address and mailing address on the account. After doing so, they waited a couple weeks and attempted to charge an expensive electronics item to the card. Fortunately for me, the card company called me to authenticate the purchase. Unfortunately for me, their procedures for authenticating access to the account allowed someone else to change my information and begin to usurp my identity.

Since then, I have been on the warpath against STUPID authentication procedures. I called every credit card, bank, account of any type that I have. I asked them what they use to authenticate -- how do they confirm that I am me?

Most use two pieces of public information: my social security number or my date of birth or my mother's maiden name or my address or my phone number; all of which are PUBLICLY AVAILABLE TO ANYONE!!! They did not require any "secret" information that only they and I could know. DOUBLE DUH!!!

Worst of all, the credit card company fraud department was not allowed to give me detailed information that they had regarding the attempted fraud and ID theft. They said they could only give this to law enforcement.

ID theft and fraud advisors tell you to report such to local authorities. I tried this. If you relish put-downs and insults from local "Barney Fifes" who have no understanding of this type of crime, I recommend doing so. The detective told me that he saw no evidence of a crime being committed and that I must bring him some evidence before he would do anything. Remember, the credit card fraud department would not release anything to me directly.

You are also urged to fill out an FBI report. You cannot talk to an agent directly over the phone; you can only fill out a form on a website -- from which I never received any response.

So, as I said, my real war is with the various companies who hold my private accounts and their STUPID authentication methods. The onus must be placed on them. It is their job to ensure that my accounts are not compromised, not mine. It is their job to authenticate, and it is their job to create policies and procedures and employee training that supports best practices. This is not the job of their customers! Customers are not security aware, let alone experts.

Start requiring secret user IDs. Require cryptic passwords. Start requiring a secret verbal password or secret code for phone authentication -- emphasis on SECRET, and something odd that someone can't guess (lots of people know your dog's name -- another DUH!).

I know all of this is hard and people don't like anything difficult these days. But as Bruce Schneier has been telling us for years, security is a tradeoff. You can't have both security and ease or freedom. If you want security, you must put forth some effort and you must think.

As a customer with accounts, I need to do my part to protect my information and accounts, but I cannot protect what I don't control. I want everyone to get real about authentication. I have demanded realistic authentication procedures regarding every account I have. If a company did not have secret authentication available or was unwilling to listen to me, I simply canceled the account immediately -- don't need them; others are willing to listen and work on their authentication policies. But it will take more than just me getting real about this.

I urge everyone I talk to -- demand secret authentication practices from companies. Too bad if people whine because it is inconvenient. Fraud and account compromising will not go away and only get worse if both sides are not aware and willing to work at security. It's a company's job to make your account information safe, and your job to demand it and cooperate. In general, everyone can do a better job.

One last thing about personal information -- quit giving it out, just because someone asks for it! Example: I went into a Dollar Store. I stood in line to pay for my $2.00 worth of goods. I wasn't sure what I was hearing the clerk say to customers ahead of me, until I watched the woman ahead of me make her credit card purchase. Then I realized he was saying the same thing to everyone, whether cash or credit card: "I need to enter your phone number to complete this transaction." I realized everyone ahead of me had willingly and demurely without question given him their phone numbers, which he entered into their system. No one refused. No one challenged. You better believe I did! And I turned around and told the rest of the line that they did not need to comply.

So many times we are asked for bits of personal information, and we fork it over without question. Anything we submit can or will be tied to us and used. We may not have control over how someone else stores and authenticates, but we do have control of what we give out, and we do have the right to question and refuse. A simple NO works just fine.
