Forget about protecting personally identifiable information, you need to protect their identity
Forget about protecting PII, we need to protect their identity.
At a recent meeting of the BeanSec community, we had a discussion about the next wave of business people: the current generation of teenagers that has posted all sorts of information about themselves on sites such as Facebook and Myspace. Many people are now running around scaremongering about how dangerous this is. To be honest, the timing of this alert is like saying the horse has bolted out of the barn and has since foaled at least 3 other offspring. Way too late.
Little known fact: your data is already out there. Years ago, for a project, I wrote a system that could confirm someone was in a country at a particular time. That was over 10 years ago. Your data is out. Social security numbers, bank details, parking fines, your network of friends and where you have lived are all relatively easy to get. So where does that leave us?
Well, what do the malicious people try to do with this data? They try to impersonate you. And if all of your data is out there, the idea of keeping your mother’s maiden name as the key to some other data isn’t really going to work for much longer.
So the only thing I can see that will work is that we need another piece of authentication (yes, 2 factor authentication) that should be universally adopted. It should be secure, easy for the user to provide (and remember), easy to change, but not so simple that someone can guess it. I don't know what the solution is going to look like, but I do know that, sooner or later, we are going to need it.