Security by Letterhead
This otherwise amusing story has some serious lessons:
John: Yes, I'm calling to find out why request number 48931258 to transfer somedomain.com was rejected.
ISP: Oh, it was rejected because the request wasn't submitted on company letterhead.
John: Oh... sure... but... uh, just so we're on the same page, can you define exactly what you mean by 'company letterhead?'
ISP: Well, you know, it has the company's logo, maybe a phone number and web site address... that sort of thing. I mean, your fax looks like it could've been typed by anyone!
John: So you know what my company letterhead looks like?
ISP: Ye... no. Not specifically. But, like, we'd know it if we saw it.
John: And what if we don't have letterhead? What if we're a startup? What if we're redesigning our logo?
ISP: Well, you'd have to speak to customer--
John (clicking and typing): I could probably just pick out a semi-professional-looking MS Word template and paste my request in that and resubmit it, right?
ISP: Look, our policy--
John: Oh, it's ok, I just sent the request back in on letterhead.
Ha ha. The idiot ISP guy doesn't realize how easy it for anyone with a word processor and a laser printer to fake a letterhead. But what this story really shows is how hard it is for people to change their security intuition. Security-by-letterhead was fairly robust when printing was hard, and faking a letterhead was real work. Today it's easy, but people -- especially people who grew up under the older paradigm -- don't act as if it is. They would if they thought about it, but most of the time our security runs on intuition and not on explicit thought.
This kind of thing bites us all the time. Mother's maiden name is no longer a good password. An impressive-looking storefront on the Internet is not the same as an impressive-looking storefront in the real world. The headers on an e-mail are not a good authenticator of its origin. It's an effect of technology moving faster than our ability to develop a good intuition about that technology.
And, as technology changes ever increasingly faster, this will only get worse.
Posted on October 30, 2007 at 6:33 AM • 73 Comments