First published: 14th December 2009
Roger Thompson, AVG's Chief Research Officer, has described in his blog how credit card companies are using information from social networks to authenticate customers. In short, his card was declined, he called his bank, and one of the "security questions" was about the age of his daughter-in-law, who was referred to by her maiden name. The only public link between them that Roger knows of is Facebook, so it appears that (some) credit card issuers are using personal data from social networks for authentication.
To find that a stranger knows something about us that we did not expect sends a shiver down the spine, even though the same information might be freely discussed among our friends. It is the moment in the movie when the Bad Guy says to the victim, "We know where you live, and where your children go to school": the threat is implied, but strong. But what are the real issues?
Credit card companies are respected financial institutions, not known for indulging in the sort of kidnapping and extortion that features in movies. A credit card company using social network data for authentication does not pose a physical risk.
What if the credit card company matched your friends' birthdays to your purchase records and to their interests and hobbies? They could sell that information to a direct marketer, and you might receive, entirely "coincidentally", a marketing message just when you were wondering what gift to buy. This represents a serious shift in the balance of information between vendor and purchaser, and is, effectively, an attack on the Free Market.
In the authentication process, multiple checks are made, so the reliability of any single question matters less, provided the credit card company has correctly analysed the reliability of each question and is using Bayes' Theorem to combine the results. Still, a question with 50% false positive and 50% false negative rates would be worthless (its answer is no more likely from the genuine customer than from a fraudster, so it cannot shift the odds either way), so what will damage the reliability:
But there is another problem with reliability, one that will become more severe as this type of questioning becomes more prevalent: there are intelligent adversaries. The criminals can harvest exactly the same information that the credit card companies are using, and feed it, in real time, to the low-level fraudsters so they can answer the "security questions" flawlessly. The criminals can probably develop their response more cheaply: they can copy or steal the credit card companies' software, and use stolen computer resources (botnets) to run it. Developing an expensive system that your opponent can defeat cheaply does not sound like a good strategy, and it is the customers who will ultimately pay.
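The two preceding paragraphs make a quantitative claim that is easy to check: combining independent question outcomes in the odds form of Bayes' Theorem, a 50/50 question contributes nothing, and a question whose answer an adversary can harvest from public data loses almost all of its discriminating power. The following is an added example, not code from the original article or from any card issuer; every probability in it is constructed for illustration, and the question names and the "harvest rate" model are assumptions made here, not a description of how any issuer actually scores its questions.

```python
"""Combining 'security question' outcomes with Bayes' theorem, and what an
adversary who harvests the same public data does to the result.

Illustrative model only: the probabilities below are constructed for this
example and are not figures from the article or from any card issuer.
"""
from math import isclose

EPS = 1e-9  # keep probabilities strictly inside (0, 1) so ratios stay finite

# name -> (P(correct | genuine customer), P(correct | fraudster), publicly harvestable?)
QUESTIONS = {
    "last_transaction_amount": (0.85, 0.05, False),
    "daughter_in_law_age":     (0.90, 0.20, True),   # visible on a social network
    "mothers_maiden_name":     (0.98, 0.40, True),
    "coin_flip":               (0.50, 0.50, False),  # 50% false positive, 50% false negative
}


def _clamp(p):
    return min(max(p, EPS), 1 - EPS)


def likelihood_ratio(p_legit, p_fraud, answered_correctly):
    """Bayes factor for one outcome: how much more likely the observed
    answer is from a genuine customer than from a fraudster."""
    p_legit, p_fraud = _clamp(p_legit), _clamp(p_fraud)
    if answered_correctly:
        return p_legit / p_fraud
    return (1 - p_legit) / (1 - p_fraud)


def posterior_fraud_probability(prior_fraud, outcomes, questions=QUESTIONS):
    """Multiply the prior odds of 'genuine' by each question's Bayes factor,
    treating questions as conditionally independent, then convert the
    posterior odds back into a probability of fraud."""
    prior_fraud = _clamp(prior_fraud)
    odds_genuine = (1 - prior_fraud) / prior_fraud
    for name, correct in outcomes.items():
        p_legit, p_fraud, _ = questions[name]
        odds_genuine *= likelihood_ratio(p_legit, p_fraud, correct)
    return 1 / (1 + odds_genuine)


def with_harvested_answers(questions, harvest_rate):
    """Return a copy of the question table in which a fraudster has, with
    probability harvest_rate, already looked up the answer to every
    publicly harvestable question (and otherwise guesses as before)."""
    adjusted = {}
    for name, (p_legit, p_fraud, public) in questions.items():
        if public:
            p_fraud = harvest_rate + (1 - harvest_rate) * p_fraud
        adjusted[name] = (p_legit, p_fraud, public)
    return adjusted


def is_worthless(p_legit, p_fraud):
    """A question whose Bayes factor is 1 for both outcomes moves the odds
    by nothing at all, however many times it is asked."""
    return (isclose(likelihood_ratio(p_legit, p_fraud, True), 1.0)
            and isclose(likelihood_ratio(p_legit, p_fraud, False), 1.0))


if __name__ == "__main__":
    prior = 0.01  # constructed: assume 1% of declined-card calls are fraudulent
    all_correct = {q: True for q in QUESTIONS}

    honest = posterior_fraud_probability(prior, all_correct)
    print(f"all answered correctly, no harvesting: P(fraud) = {honest:.5f}")

    no_coin = {q: c for q, c in all_correct.items() if q != "coin_flip"}
    print(f"same, without the coin-flip question:   P(fraud) = "
          f"{posterior_fraud_probability(prior, no_coin):.5f}")

    harvested = with_harvested_answers(QUESTIONS, harvest_rate=0.9)
    print(f"after adversary harvests public data:   P(fraud) = "
          f"{posterior_fraud_probability(prior, all_correct, harvested):.5f}")
```

Running it shows the coin-flip question leaving the posterior untouched, and the two social-network questions collapsing to a Bayes factor near 1 once the adversary has harvested the answers; only the question whose answer is not public (here, the last transaction amount) keeps its value. That is the asymmetry the article describes: the issuer paid to build the scoring, the attacker only has to replicate its data source.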
Roger Thompson is in the USA, but Hong Kong and Europe have legislation on Personal Data Privacy. The details of the legislation differ, but the basis is six Data Protection Principles (DPP). A major difficulty in applying these to social network issues is that they assume a simple data subject/data user model that does not match the complexity of relationships on social networks.
Under DPP5, which requires data users to be open about their personal data policies and practices, the credit card companies probably need to say how they are using social networks.
By DPP3, which says that the data subject's permission is required before their data can be used for a new purpose, when your credit card company asks you about your daughter-in-law's age, you should refuse to answer because you do not have her permission to use her data to authenticate yourself. Of course, you then have the disadvantage of not being able to use your credit card.
We expect credit card companies to prevent fraud, and they can rely on us not to take good care of our cards, to keep the PIN with the card, and to make all sorts of other lazy security mistakes. In response, they introduce new security measures that require no effort from us, but which may not be effective, sustainable or in our wider interests.
Updated: 15th December 2009
Allan Dyer
David Harley, Director of Malware Intelligence at ESET, has posted an excellent article discussing Roger Thompson's experiences. In particular, David raises the scenario, not discussed above, of an attacker poisoning publicly available information. I think that is a possibility, but the extra work and risk would make it a much more targeted attack, against a high-value victim.