January 2012
Types of Attack (10 January 2012
Bilateral Authentication (13 January 2012
USACM SOPA and PIPA Letters (18 January 2012

Bilateral Authentication

13 January 2012

I received a call recently from someone at the prescription drug benefit plan administrator for Columbia University. Most likely, she wanted me to buy my medicines from their mail-order pharmacy operation, rather than buying locally. The merits of that aside (thanks, but I prefer to buy locally at a non-chain store; at the least, my local pharmacist tries to help me, rather than some mega-corporation's bottom line), she wanted me to authenticate myself before mentioning any of the medicines I take. That's not unreasonble — but before I'd give out any sensitive information about myself, I wanted her to authenticate herself. She acted like she'd nver received that response before.

Bilateral authentication is a difficult problem, even harder than the already-difficult problem of unilateral authentication. CallerID isn't helpful; bad guys are already spoofing it. If I give out a few digits of my social security number, repeated attacks can collect it all. Some folks handle this well. When I made the same request of American Express last year, the representative obviously knew what to say: she immediately said to call the number on my card, and told me exactly what to press and say to complete the transaction she was asking me about. (But not all parts of that company get it right. A year ago, I got a fraud alert on an attempted transaction, telling me to call particular 800 number to authorize it. Naturally, I called the number on my card instead. It took rather more talking and relaying to get through to someone who could Do the Right Thing, since it was a false positive on their part.)

I doubt that there's a technical solution here, unless you have (and have access to) a pair of secret numbers, one used for authentication in each direction. But getting the process right, and telling people to call back via a number they already have, can work, especially if the account can be flagged to send that specific call to the right place.