Monday 19 December 2016

You don’t know what you’re doing

Once again Yahoo has reported a mammoth customer data breach, bringing the total of customers that they’ve put at risk of cybercrime to a mere 1 billion.  This news was quickly followed by much smaller, yet similarly worrying, reports of “potential” data breaches from KFC UK and Domino’s Pizza.  KFC was keen to reassure its customers that it had improved its security measures to ensure it wouldn’t happen again, and then provided a handy link to take them straight to the password reset process – proving that it still knows little about keeping its customers safe online.

Cybersecurity is a constant battle to remain one step ahead of the criminals.  The web is inherently insecure, thanks to its annoying insistence on exchanging data with human beings in unencrypted form, so even the best organisations struggle to stay ahead.  Incompetent actors within the system undoubtedly add to the problem.  The same customer information held in military-grade security systems is undermined when it is also kept in a minimum-security chicken shop.



Too many organisations follow poor practice – even in areas that cost next to nothing to fix – and this is true of organisations both large and small, including those with multimillion-dollar IT security functions.  I recently heard of a large multinational organisation that emailed its staff to tell them it was increasing security by changing its password policy; the email contained a link to a deep URL that required users to first enter their existing username and password.  In attempting to increase security, it had actually conditioned its workforce to accept basic phishing attack methods.

A few simple things that we shouldn’t see from any organisation – my 2017 authentication wish list:

  • Uppercase, lowercase and number requirements: “Password1” is no more secure than “password”, as that is what this policy leads most users to choose.
  • Your password is too long: No, your field length is too small.
  • Your password has expired and must be changed: making me change my password makes me forget my password, which makes me reset my password, which creates an unnecessary weak point.
  • Your password is too similar to your previous one: how do you know?  Oh, that’s right: you keep my password unencrypted, so it is known throughout your system, which creates opportunities for others to steal it.  Hash it when I first give it to you and compare the hash when I present it in future.
  • Here’s an email with your password: Just no.
  • Here’s an email with a link to change/recover your password: See above.
  • Sorry we don’t support second-factor authentication: Use a federated service that does.
  • Sorry we don’t support keychain / password management services: Get better developers who know how to integrate them.


Fortunately, there are organisations that operate good practice – and many of them offer federated services that can be consumed securely by other organisations.  Whilst governments and regulators are encouraging consumer choice and market competition, they’ve been slow to enforce standards for keeping customers safe.  As data and systems are exposed through open APIs for the good of the consumer, we need to ensure that we have proportionate controls over the organisations seeking to use them.  PSD2 may make it easier for my fast food company of choice to take payment, yet if, as it seems, we can’t trust them with my password, how can we trust them with access to my finances?

Under GDPR the Information Commissioner has greater powers to punish companies who play fast and loose – which will hopefully encourage those who currently operate poor cybersecurity to stick to what they’re good at and leave customer data management, authentication and payment processing to others who do it well.  We need continually evolving standards for the treatment of customer data that encourage limits of liability for those who apply them, and proactive measures against those who don’t, so that they’re stopped from undermining the entire system.


It would be great to find out, before my data has gone missing, who the organisations are who don’t know what they’re doing.


Read my other posts
Let's get physical - how to get fit for the digital era by leveraging the offline world
Just in Case - From early adoption to maturity
I have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Distributed Identity has no clothes - Will distributed ledger technology solve identity
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile
Defining the Business Analyst - Better job descriptions for Business Analysis
Unexpected Customer Behaviour -  The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business 
One Small Step - The practice of greatness
In pursuit of mediocrity - Why performance management systems drive mediocrity

About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has nearly 20 years' experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA



Connect with Bryn on Linked In: Bryn Robinson-Morgan

Monday 21 November 2016

I didn’t say you could touch me

The use of biometrics in user authentication is thriving: fingerprint sensors are becoming more common, and the technology for reliable facial and voice recognition is maturing to the point where it is being used within apps.  Next-generation smartphones may also contain iris-scanning capability, thanks to micro form-factor components that fit within the existing footprint.  This convenience is driving a wave of innovation in how organisations identify their customers.  As with any trend, a flood of ideas is generated – with associated risks too.

Over the past month I have heard several industry speakers explain how they’ll use these on-device biometric capabilities to verify the identity of new customers.  This brings us to the first misunderstanding, which can be quickly addressed: unless you have an established link between the biometric and the identity, you can’t verify your customer.  Facial recognition offers the opportunity of comparison against established physical identity documents, such as a passport or driving licence.  Though this is nothing new, and the quality issues lie in validating the document and obtaining a sufficiently good image of the printed photo.



There’s no commercial source of verified voice biometrics, so there is nothing to compare against.  And whilst some physical documents contain fingerprint samples, the ability to access these presents a major hurdle without additional hardware.  The other issue with a fingerprint is that the sensors used in smartphones don’t present the fingerprint for comparison.  The device simply signals that authentication has occurred.  The same is likely true of other on-device biometric authentication methods.

This brings us to another risk of authentication based on a credential held on a multipurpose device.  The iPhone allows up to five fingerprints to be registered and used to authenticate using TouchID.  I can choose to register my thumb and four fingers from one hand; digits from both hands; or the fingers of myself and four friends; in fact, which digits, from which hands and from which people is entirely my choice.  Authorising others to unlock my phone doesn’t mean that I’m authorising them to sell my car.

Now, this is no different from any other form of credential.  I can authorise you to use my bank card by giving it to you and telling you my PIN.  With on-device biometrics I can do the same thing, though I need to clearly consent to the activities that I’m authorising.  If I normally log into my banking app using a password, the bank can’t simply enable TouchID authentication without first tying the consent back to me.

Smartphones have revolutionised how we interact digitally with our customers.  Biometrics bring a new realm of convenience.  Before we start implementation, we need to ensure that we understand the implications and get the design right.

We still need to have robust identification of the customer.  We still need explicit consent from that customer.  And we need to ensure that their responsibilities should they delegate authority (whether we encourage it or not) are understood and accepted.  Getting it wrong will lead to accusations of inappropriate touching; and no one wants that.
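The consent-first enrolment and delegated-unlock scoping the post describes, as an added example that is not code from the original post: a device key may be bound to an account only from a session authenticated with the primary credential (the password) and with explicit consent; the phone proves a local biometric match by signing a single-use challenge, so the server never sees the fingerprint, only the signal that authentication occurred; and because that unlock could have been performed by any of the fingers enrolled on the device, it covers only the scope the account holder agreed to, never a high-value action. The demo password, the symmetric device key, the action names and the in-memory stores are constructed assumptions; real phones hold an asymmetric key in secure hardware.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for the primary credential check: a sha256 of a demo
# password compared in constant time. A real service would use a salted, slow
# password hash; the point here is the enrolment and authorisation logic.
_PRIMARY = {"alice": hashlib.sha256(b"demo-password-alice").digest()}

# Actions a device unlock is never allowed to cover on its own, whatever scope
# was requested at enrolment: they always need the primary credential.
STEP_UP_ACTIONS = {"add_payee", "sell_car", "change_password"}


@dataclass
class Session:
    username: str
    auth_method: str                  # "primary" or "device_biometric"
    device_id: Optional[str] = None   # set for device sessions


@dataclass
class DeviceRecord:
    key: bytes                 # assumption: symmetric key; real phones use an asymmetric key in secure hardware
    consent_scope: Set[str]    # what the account holder explicitly agreed the device unlock may do


_devices: Dict[str, Dict[str, DeviceRecord]] = {}   # username -> device_id -> record
_open_challenges: Dict[str, Set[bytes]] = {}        # username -> unconsumed nonces


def primary_login(username: str, password: str) -> Optional[Session]:
    expected = _PRIMARY.get(username)
    if expected is None:
        return None
    if not hmac.compare_digest(expected, hashlib.sha256(password.encode()).digest()):
        return None
    return Session(username, "primary")


def enrol_device(session: Session, device_id: str, device_key: bytes,
                 consent: bool, scope: Set[str]) -> bool:
    """Bind a device key to the account. Only a session authenticated with the
    primary credential, with explicit consent, may do this; a device session
    cannot enrol another device, and step-up actions are stripped from the scope."""
    if session.auth_method != "primary" or not consent:
        return False
    granted = set(scope) - STEP_UP_ACTIONS
    _devices.setdefault(session.username, {})[device_id] = DeviceRecord(device_key, granted)
    return True


def issue_challenge(username: str) -> bytes:
    """Fresh single-use nonce the device must sign after its local biometric match."""
    nonce = secrets.token_bytes(32)
    _open_challenges.setdefault(username, set()).add(nonce)
    return nonce


def device_sign(device_key: bytes, challenge: bytes) -> bytes:
    """What the phone does once TouchID (or similar) has matched a finger: it never
    sends the fingerprint, it only proves possession of the enrolled key."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def verify_device_assertion(username: str, device_id: str,
                            challenge: bytes, mac: bytes) -> Optional[Session]:
    record = _devices.get(username, {}).get(device_id)
    pending = _open_challenges.get(username, set())
    if record is None or challenge not in pending:
        return None
    pending.discard(challenge)        # single use: a captured assertion cannot be replayed
    if not hmac.compare_digest(device_sign(record.key, challenge), mac):
        return None
    return Session(username, "device_biometric", device_id)


def authorise(session: Session, action: str) -> bool:
    """A device unlock may have been performed by any finger enrolled on the phone
    (the owner's or a friend's), so it covers only the consented scope."""
    if session.auth_method == "primary":
        return True
    record = _devices.get(session.username, {}).get(session.device_id or "")
    return record is not None and action in record.consent_scope
```

The split between `auth_method` values is the design point: a biometric session is a statement that some enrolled finger unlocked some enrolled device, so the server treats it as a convenience factor for the consented scope and insists on the primary credential for anything the account holder might not have meant to delegate.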
