Anti-phishing techniques for the real world

We need mutual authentication not just on the Internet, but also for more mundane forms of communication

I need to expand my idea of a secure computing ecosystem into the real world. Let me explain.


More than a decade ago when Internet e-mail was first taking off, I was the network and technology manager for a large global health care company. After an embarrassing sexual harassment event occurred (no, I wasn't involved), the CEO came into my office and instructed me to draft a computer usage policy update to tell employees that using e-mail to sexually harass someone was not acceptable.

I asked, "Shouldn't the policy read that it's wrong to sexually harass, period?" It isn't the medium, it's the message. The CEO seemed caught off guard by my rebuttal. He nodded in agreement, then told me to write the e-mail-only policy anyway.

It wasn't the last time my astute advice was ignored. I often chuckled after writing the policy because I could visualize someone being accused of sexual harassment via fax pointing to the new policy as their defense.

Over the last few columns, I've been recommending a new, more secure Internet, one built on the idea of pervasive authentication and default encryption. I've received dozens of letters of support, along with a smaller percentage of critics.

But securing the virtual world isn't enough. It's the message, not the medium. We need a more secure ecosystem in the real world, too.

For example, recently my bank called to offer me some new, better service at a discounted rate. It was slightly surprising because my bank had never called before. The voice on the other end of the line identified themselves by company name and their first name. The offer sounded too good to be true. I was ready to sign up.

Then they asked me to confirm my account number, billing address, and Social Security number. It was at this point that I realized the caller had not been successfully authenticated to me. I could be giving my identity information to a phone phisher. I told them to tell me the information, and I would confirm. Unfortunately, it doesn't work that way. The salesperson stated they could not access my account and complete the sale without my giving them my personal information.

I asked for a number to call back to confirm, and the salesperson said there wasn't one. It was their way or the highway. I wanted the new service, but I couldn't risk compromising my financial identity. I chickened out and turned down the offer.

Because it's pretty simple to spoof caller ID, unauthenticated phone calls can't really be trusted. I've read many stories about people, especially the older generation, being taken advantage of over the telephone. But it's more than that. Essentially, we can't trust land-based mail any more than we can trust phone calls or e-mail.

Our global economy is growing so fast that we need protection everywhere, not just on the Internet. So, in a move sure to invite more critics, I'm calling for more default authentication in the physical world.

I'm asking that all companies rework their communication processes to validate themselves to customers whenever initiating contact with the consumer via e-mail, mail, or a phone call.

My first hack at a solution would be simple and low cost. Each company should ask the customer for personal validating information or even a basic keyword that only the real company should know. We need more than the blatantly poor choices of mother's maiden name, pet name, or city we were born in. It should be something that only the user knows, such as a PIN, a password, or a passphrase. What a pain it is to be encumbered with yet another secret that I have to write down or remember. But better that than financial fraud and identity theft.

When the company calls, the rep should start by telling the customer the company name and the customer's shared secret -- a kind of server-side validation. We do it with HTTPS-enabled Web sites and e-commerce transactions. Why shouldn't we do it everywhere that sensitive information is at risk?
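The company-first validation proposed above, worked through as an added example that is not from the column or from any bank's actual process. It goes one step further than reading the shared secret aloud: both sides prove they hold the secret by answering a fresh challenge with an HMAC, so the company has to prove itself before the customer says anything, and an eavesdropper on the line never hears the secret. The account id, passphrase and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample directory standing in for the company's customer
# database (assumption: one per-customer secret chosen at enrollment).
CUSTOMER_SECRETS = {
    "acct-1001": b"correct-horse-battery-staple",
}


def _prove(secret: bytes, role: bytes, nonce: bytes) -> str:
    """HMAC over a role tag plus a fresh nonce. The tag keeps the company's
    answer from being replayed as if it were the customer's, and vice versa."""
    return hmac.new(secret, role + nonce, hashlib.sha256).hexdigest()


class Company:
    """The caller. A phisher is just a Company holding the wrong secrets."""

    def __init__(self, directory: dict):
        self.directory = directory

    def answer_challenge(self, account_id: str, customer_nonce: bytes):
        secret = self.directory.get(account_id)
        if secret is None:
            return None  # cannot prove anything for an unknown account
        return _prove(secret, b"company", customer_nonce)

    def verify_customer(self, account_id: str, company_nonce: bytes, response: str) -> bool:
        secret = self.directory.get(account_id)
        if secret is None:
            return False
        expected = _prove(secret, b"customer", company_nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Customer:
    """The person answering the phone; holds the same shared secret."""

    def __init__(self, account_id: str, secret: bytes):
        self.account_id = account_id
        self.secret = secret
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def company_is_genuine(self, response) -> bool:
        if response is None:
            return False
        expected = _prove(self.secret, b"company", self.nonce)
        return hmac.compare_digest(expected, response)

    def respond(self, company_nonce: bytes) -> str:
        return _prove(self.secret, b"customer", company_nonce)


def run_call(company: Company, customer: Customer, account_id: str):
    """Mutual authentication in the order the column argues for: the company
    proves itself first; only then does the customer prove anything.
    Returns (company_ok, customer_ok)."""
    nonce = customer.challenge()
    company_ok = customer.company_is_genuine(company.answer_challenge(account_id, nonce))
    if not company_ok:
        return (False, False)  # hang up; the customer has disclosed nothing
    company_nonce = secrets.token_bytes(16)
    customer_ok = company.verify_customer(account_id, company_nonce, customer.respond(company_nonce))
    return (company_ok, customer_ok)


if __name__ == "__main__":
    bank = Company(CUSTOMER_SECRETS)
    me = Customer("acct-1001", CUSTOMER_SECRETS["acct-1001"])
    print("genuine bank:", run_call(bank, me, "acct-1001"))
    print("phone phisher:", run_call(Company({"acct-1001": b"guess"}), me, "acct-1001"))
```

The design choice worth noting is the ordering: because the customer never answers a challenge until the company has passed one, a caller who spoofs caller ID but lacks the secret gets nothing, which is exactly the failure the bank call in the column could not handle.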