Who Are You? Securing Your Online Identity

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~ Ashton Engineer Emeritus

Another trip in the nostalgia machine takes us to 1978 when these song lyrics made their debut:

Who are you?

Who, who, who, who?

Who are you?

Who, who, who, who?

Who are you?

Who, who, who, who?

Who are you?

Who, who, who, who?

Perhaps not surprisingly, the group who sang that song was The Who. For CSI fans, this was the theme for the original series. While rather repetitive, the song raises a relevant question from a security standpoint.

Who are you? That question is asked every time you log in to a website or app. There are several ways to answer that question: username/password, email address, fingerprint, or phone number. In non-computer situations when we are asked ‘Who are you?’, we usually reply with our name. In times gone by, in addition to your name you might add some titles that you might possess. For example, Prince Philip (England) was generally known as The Duke of Edinburgh but his actual title was “His Royal Highness The Prince Philip, Duke of Edinburgh, Earl of Merioneth, Baron Greenwich, Royal Knight of the Most Noble Order of the Garter, …..” and it goes on for a total of 133 words. My guess is it was not used often.

We often are counseled not to let what others think of us define who we are. Don’t let your job define who you are, goes the saying. When it comes to security, app makers and website designers dictate what they will accept to define who we are. We hope that what they choose will be sufficient to keep them from accepting imposters as us, especially when it comes to things like bank accounts and retirement funds.

Usernames Are Insufficient

We are long past the point where a username is sufficient to define who we are. While Google will do its best to assure that there will not be someone with my Gmail email address (username), there is nothing to prevent someone at Yahoo.com from using my username in that domain. So while a username may be unique to an application or website, it will hardly be guaranteed to be unique across the internet.

Physical characteristics can be used to help define who we are. Most of us have heard that everyone has a double. Maybe you have even met someone that could be mistaken for you. The chances that they have the same name (first, middle and last) are pretty remote but not impossible. While generally accepted as fact, I don’t know that you can say with absolute certainty that no two people have the same fingerprints. Statistically, DNA is highly individual, as long as you compare enough points. There has been some work in identifying people by their gait. Voiceprints can be used to some extent to identify people. Biometrics are popular because they are taken as unique pieces of data.

So to be very certain of someone’s identity, you need a lot of information to be collected and stored somewhere for reference. You also need to secure that data so you know with certainty that once recorded, that data has not been changed accidentally or in some unauthorized way. We are a long way from that situation and I have a feeling that storing enough information somewhere to be able to identify someone with high precision would not sit well with people concerned about privacy. Unfortunately, the certainty of identification is at odds with privacy, much in the same way that ease of use and security are at odds.

So for the time being we are stuck with some very imperfect methods of answering ‘Who are you?’. While we are not worried about someone stealing our face or fingerprints, our identity from an online perspective is very much at risk. When we are engaged in a dangerous activity, say using a disk grinder where there are bits of metal and sparks flying everywhere, we take precautions. We use safety goggles or a face shield, perhaps even earplugs. When it comes to our online identity, we need to take some precautions.

What Used To Secure Your Data No Longer Works

Things that used to work for security are no longer good choices. Text messaging for one-time passwords is not a good choice, but it is better than nothing. Putting your phone number in as a backup method for password recovery is risky. One risk that comes from tying accounts to a phone number arises when you change your phone number. We probably don’t do that often but some situations might cause us to do so. This article talked about something we may not have thought about and that is the fact that if you change your number, your old number can be reissued to someone else. Brian Krebs mentioned, “Researchers in the computer science department at Princeton University say they sampled 259 phone numbers at two major wireless carriers, and found 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked.” Unlike old clothes that you might donate to a charity, which someone else can wear without gaining a way to impersonate you, your number being released for reuse has security implications. It may allow someone to change the answer to ‘Who are you?’

Who we are, from an online identity perspective, is something that can be changed by bad actors. Identity theft happens depressingly often, demonstrating that people are not as careful as they should be. There is a lot that goes into making sure that when the question is asked, ‘Who are you?’, you are the only one that can answer properly. Unfortunately, we can’t trust anyone else to care about this – we have to watch out for ourselves. If you’d like to learn more about securing your identity online, call Ashton Technology Solutions at 216 397-4080.