[ISN] Just don't ask me my mother's maiden name

[InfoSec News]

http://www.cbc.ca/news/viewpoint/vp_binks/20051111.html

Georgie Binks
CBC News Viewpoint 
November 11, 2005 

Usually I spend my days as a freelance writer tied to my computer. My 
kids and neighbours know who I am; the mailman feels confident about 
leaving letters in my mailbox. The dog keeps any unwanted intruders 
out - it's quite simple. But last summer, I faced three different 
security situations away from my home which left me frustrated, 
humiliated and, oddly enough, no longer feeling secure. 

During a visit to Vancouver, I discovered I had forgotten my bank card 
in Toronto. After undergoing a cross-examination by my bank that 
included giving my mother's maiden name, recent transactions and money 
totals in each account, I had a new card. But to get it fully 
functional, I was forced to call the bank four more times and undergo 
another personal-identity interrogation, driven to patience only by 
the knowledge that a thief had easily lightened my bank account of 
$200 US south of the border in June. 

My second encounter was at Ozzfest, a heavy-metal concert I attended 
with my son in the United States. After undergoing a full-body search 
and being disarmed of plastic water bottles and blankets, but 
thankfully not my migraine pills, I wandered into a parking lot where 
many bands were playing. The lot was full of stones and rocks - which 
I could have thrown at anybody if I'd wanted. Security people just 
shrugged embarrassed when I confronted them about it. 

My final security stunner started out with your basic airport 
experience. I flashed all my photo ID to anyone who was interested 
(and many who were not), because my fear of flying has been replaced 
by a fear of not flying. Five days later, I watched as people waiting 
for travelling relatives strolled into the baggage area and wandered 
up stairs. I marveled at how they outwitted security - it was simple, 
when people walked out, others walked in. 

Such common security woes keep North Americans from their money, off 
planes and out of concerts, but do little to keep us safe from thieves 
or terrorist threats. The Fifth Estate showed the glaring reality of 
that this week, with its expose on the lack of effective security in 
airports. 

Marcus Shields, a computer security expert, says society is subjected 
to "movie plot security," a term coined by security guru Bruce 
Schneier. 

"An awful lot of the security measures you see in everyday life are 
not being done by institutions because they are terribly effective, 
but because they need to be seen to be doing something," says Shields, 
enterprise product manager with Soltrus, which is owned by VeriSign, a 
computer security company. "What you see in larger bureaucracies is 
increasingly intrusive measures, which at the least subject people to 
delays, and at the worst serious personal humiliation." 

The problem is much of this security starts to feel like a huge 
invisible straitjacket, meant to keep us safe from one another, but 
actually making modern life more impossible. The balance, says 
Shields, who was prevented last summer from photographing his daughter 
at a splash pool by security guards worried he would send pictures of 
her and other children over the internet, is: "How much inconvenience 
is it reasonable for the average person to put up with to gain a 
certain level of security back, and are those measures effective?" 

He adds, "In the computer industry, we have a push from governments 
and bureaucracies these days to collect personal information, but at 
the same time our mandate is to keep personal data private." 

The other problem is that many systems such as internet banking, there 
to make life easier, become more complicated if security is beefed up. 
Shields says, "The more complex and intrusive a security system gets, 
the less secure it becomes. That's because users either won't be able 
to figure it out and give up, or else they will find some way of 
end-running the system." He says if people have to remember a bunch of 
passwords, they end up putting them on sticky notes on their 
computers, which defeats the purpose of security. 

My worry is that while adults of higher intelligence can usually fight 
their way through bureaucracies, etcetera, what about those not as 
mentally apt, or young people? How are they ever going to learn to 
navigate their way through the ever-burgeoning security systems these 
days? 

Shields believes there are two answers. One is that people will rebel 
against this first wave of "movie plot security." Secondly, he thinks 
that security will have to become more sophisticated. Right now, he 
says, much security is relatively cheap and can be run by unskilled 
operators. Shields says, "I'm hoping we see the Israeli approach. The 
airline, El Al, constantly targeted by terrorists, doesn't ask you 
stupid questions. They have highly trained officers in plain clothes. 
It's expensive, but it's also the most effective form of security, 
much more so than this 'let's frisk everyone at the door' kind of 
thing."

I'm now taking part in my own personal battle against "movie plot" 
security. When a bank clerk phoned me the other day and asked for my 
security information before he would continue to speak to me, I told 
him he could hang up if he didn't believe it was me. When I won that 
round, I asked if the conversation was being recorded and he answered, 
"Yes." Good, I answered, because I told him I was also recording the 
conversation for a story I was writing. It was nice to hear the 
nervousness in his voice for once - kind of like the way I feel when I 
am cross-examined incessantly for "security" reasons. 

I wonder if he felt any safer, or did he feel like the criminal Big 
Brother thinks we all are?