4 Security and Usability
Pages 80-103



From page 80...
... It is therefore essential to understand the security requirements and properties of both the authentication system itself and the resources it is protecting. To that end, a discussion of threat models and how to think about security risks is presented.
From page 81...
... Attacks may be ... As part of overall system security, the security of the authentication component itself (separate from broader system security issues) is crucial, because without it, a primary purpose of the authentication process is undermined.
From page 82...
... Passive wiretapping, buffer overflows, and social engineering (for example, deceiving individuals such that they reveal privileged information) are examples of attacks.
From page 83...
... Because of the opportunistic nature of hackers and because the hacker community is so large, all systems with network connectivity should consider hackers as threats. Many hackers seem to place little value on their time, and thus may be willing to expend considerable personal time on what might seem a trivial target, perhaps motivated more by the desire for bragging rights than by the value of the data accessed.
From page 84...
... if attacks were to succeed, as well as on the risk-management strategies adopted by those making the decisions. Several fundamental approaches to securing systems have been adopted over time, and multiple approaches usually are employed that complement one another.6
5 For example, an authentication technology that uses a one-time password list may be very effective against hackers using network-based attacks but ineffective against an insider who might have ready access to the list taped to a monitor.
From page 85...
... Once a sufficient threat analysis has been undertaken, the security requirements of the system should be more explicit.7 It is at this point that decisions can be made about whether authentication is necessary and ... sect, respond," reflects this multifaceted theme. Another commonly accepted approach to security is captured by the phrase "defense in depth." The notion here is that multiple, independent security mechanisms provide greatly improved security, since all must be circumvented in order to breach security.
From page 86...
... Similarly, although much private information is stored in the cookies on computers (information about personal identification numbers, preferences, and time-stamped indicators of which Web sites were visited), people do not remove these after every transaction, even in cases where the cookies provide no real benefit to the user.8 Two possible reasons for this are that since there are no visible traces of their existence and use, people forget that the cookies are there, and if they do remember, it is too hard to find and delete them. Similarly, people find it difficult to read the "fine print" of privacy notices that companies are now required to send out, both because the print itself may be too small and because the notices are usually written in obfuscated style.9 Therefore, in order to work effectively, authentication and privacy schemes need to be designed with the same consideration of human strengths and limits as for any other technology, maybe more.
From page 87...
... Norman, "Commentary: Human Error and the Design of Computer Systems," Communications of the ACM 33 (1990): 4-7.) Norman commented on the 2000 Florida ballot in an interview with Kenneth Chang of the New York Times ("From Ballots to Cockpits, Questions of Design," New York Times, January 23, 2001).
From page 88...
... tiering, by not attending to signals, and by simple mistaken acts such as hitting a key adjacent to the one intended. On the basis of knowledge accumulated from decades of research in cognitive psychology, user-experience engineers have developed a core set of design principles, a common set of which are shown in Table 4.1.
From page 89...
... , a communications encryption technology, showed that many users failed outright to understand what they were supposed to do and made catastrophic errors, such as sending the private key instead of the public
From page 90...
... Many of the databases in use at large financial companies, motor vehicle bureaus, social service agencies, and so on are legacy systems with badly designed interfaces and poor checks on the accuracy of data entered, resulting in errors in database records. Many of these errors are caused by poorly designed interfaces, poor training for the high-turnover workforce (high turnover caused by the boredom of such a low-level job)
From page 91...
... People take actions that make them vulnerable, believing that others will do them no harm. They accept payment in checks or credit cards assuming that the payer has the resources and will pay when asked.
From page 92...
... Because people do not spend the time and effort to investigate authenticity and the shortcut attributes that they use are well known, they are left open to fraud at many levels. ... The Federal Trade Commission is charged with consumer protection broadly and has been investigating conduct on the Web.
From page 93...
... Actions
There are at least two approaches to accommodating the known limits of human behavior when considering authentication and privacy schemes: designing to fit those known limits and training people to be cautious when caution is warranted.
From page 94...
... As for protective measures at a micro level, Web sites could have visible statements of the sort heard in many recorded messages on customer service hotlines, namely, that the conversation (site use) may be monitored to ensure quality.
From page 95...
... Smart cards are relatively hard to deploy, however, since few people have the smart card readers and associated software on their computers. In addition, most card issuers insist on owning their own cards, which is why cards that could technically "share" issuers (for example, a payment card that is also an airline affinity-program card)
From page 96...
... Since vulnerabilities are hidden and threats are generally not observable except to those who have done ample analysis of the particular system and its context, people using the system may underestimate the benefit of risk mitigation. This can result in inappropriate choices of authentication systems or in inappropriate usage models that defeat the purpose of the system.
From page 97...
... This complexity, the multitude of contexts in which authentication systems could be deployed, and the ultimate need for someone to make policy decisions about security and privacy requirements are why simple cost-benefit analyses are unlikely to be effective in guiding the needed choices. A final factor that must be considered when deciding how to proceed, namely, the recognition that authentication systems must be adequate to protect the resources they are guarding against the perceived threats, while at the same time remaining simple enough for administrators and others to use.
From page 98...
... A simple example would be when information used to register at a Web site in order to access content is later used for marketing purposes by that Web site. A more insidious form of unplanned-for usage would involve a technology designed for a certain security context, user population, and so on that is later (intentionally or unintentionally)
From page 100...
... 100 WHO GOES THERE?
... without a determination as to whether the security and privacy safeguards still hold.
From page 101...
... Finding 4.5: Secondary uses of authentication systems, that is, uses for which the systems were not originally intended, often lead to privacy and security problems. They can compromise the underlying mission of the original system user by fostering inappropriate usage models, creating security concerns for the issuer and generating additional costs.
From page 102...
... Finally, computer security in many organizations is not as strong as it could be or needs to be.16 In the federal government, there are numerous efforts to document federal agency computer security plans and practices and some that find glaring weaknesses in these plans and practices.17 Many reports over the years have described security issues, concerns, and research challenges.18 While security and privacy are often discussed as though they were in opposition to one another, in many ways adequate security is a prerequisite for privacy. If data are not well protected, they may compromise the privacy of the individual to whom they pertain.
From page 103...
... Finding 4.7: Effective privacy protection is unlikely to emerge voluntarily unless significant incentives to respect privacy emerge to counterbalance the existing incentives to compromise privacy. The experience to date suggests that market forces alone are unlikely to sufficiently motivate effective privacy protection.

