Imagine waking up in a world, where you would need to use two-factor authentication/biometric based ID, in order to do anything online. The reason for this? Accountability and supposedly, prevention of cybercrime.
This may well sound like the long-term reality, but Kaspersky's CEO Eugene Kaspersky has been pushing the idea for years. According to a recently published article, he still believes that the time has come for a mass adoption of hardware IDs affecting every Internet user.
Here are five reasons why I think this is a bad idea, if not one that is virtually impossible to implement.
"To prevent the misuse of social networking accounts, Kaspersky is pushing the idea of government IDs as a prerequisite for all computer users. "I've been talking about this for four years already, that we need to have a secure design for the (entire) internet," he says. In Kaspersky's perfect world, all digital citizens would carry some form of ID to go online, hopefully creating greater hurdles for malware creators - but creating a nightmare for privacy advocates."
"When you buy a car, the car is registered and you have a drivers licence. If you want to have a gun, the same thing - it's registered to the person who bought it. The question is why? Because it's dangerous. With computers, you can make much more harm than with a gun or car."
At first, the proposed ID scheme seems pretty logic in terms of accountability. Here are five points on what's wrong with it.
- Privacy vs Security for the sake of accountability - Interestingly, Kaspersky isn't claiming that the ID scheme would somehow lead to more privacy being sacrificed on behalf of the users. Instead, he argues that privacy is already dead, and that your ISP already knows everything about you, therefore the use of hardware IDs shouldn't really have an impact on the end user, since he's losing nothing. If privacy is already dead, and an ISP somewhere across the globe always knows everything about the activities of its customers, then what's the point of having a hardware based ID to authenticate something that's (supposedly) already known? There isn't. Which leads us to the best possible solution to the problem of tracking down the source of a cybercriminal - cross-border/cross-agency threat intelligence sharing.
- Mass adoption of two-factor authentication is no proof that it works, exactly the opposite - Using the "success" of two-factor authentication for E-banking as an example on the usefulness of the proposed IDs is partially incorrect. How did cybercriminals manage to undermine the myth of the hardware based authentication? Not by attempting to attack it directly, but by bypassing it entirely in the sense of patiently and automatically waiting for the now authenticated victim to start interacting with the E-banking provider. Neither a SSL connection, nor a two-factor authentication device would prevent a crimeware-infected host from having its owner victimized by cybercriminal on the other side of the world. In the worst case, it would offer the user a false feeling of security.
- Hardware IDs would not solve the problem, since a malware infected host will be used to commit the same crimes - The article claims that the ID scheme would create some sort of hurdle for malware authors, which is totally untrue. How come? Even if we assume that the end user would be unplugging himself/herself from the Internet and connectivity would be disabled unless he authenticates himself again, botnet masters would continue operating with the bots whose users are online, taking advantage of the different time zones. With or without the hardware ID, the malware-infected host would continue forwarding the responsibility for the actions of the actual cybercriminal, to the owner of the host, unless it's proven the same has been compromised. Long gone are the days when a cybercriminal would use his own host to commit the crimes, unless we exclude the Mariposa botnet masters of course, who got caught by doing exactly the same.
- By authenticating yourself on a PC that's not yours, you automatically inherit its reputation - A quote from the article - "Kaspersky says that in Dubai "they are going to introduce regulations that in public places, to get access to public WiFi, you have to present your ID." The idea is that whenever a phishing attack is launched from a particular host, using the proposed ID scheme would allow law enforcement to find out the person that's supposedly behind the campaign based on the fact that he's already authenticated himself. In reality though, even when you're using a public computer, the malicious campaigns that were going on in the background would continue taking place, with numerous users identifying themselves, and none of them would theoretically have anything to do with these background processed maintained by someone on the other side of the world.
- Budgeting the idea on an international scale is off base - In order for this ID scheme to get even close to being of any use, would be its mass adoption. Otherwise, certain countries that deny, do not have the resources, or don't even believe in the idea, wouldn't bother implementing this. The real problem with fighting cybercrime has never been about the lack of technologies or knowledge on how the ecosystem really works. It's always been about the lack of mass adoption for these technologies, and the lack of active cooperation among countries. Even if we assume that in a perfect world, this scheme gets implemented, just like photoshop-ed IDs sent to domain registrars in Russia and China in order to comply with new regulations, biometric passports have been under fire since day one. It would be totally naive to assume that the same wouldn't happen to these IDs as well.
Do you think the pros of the proposed hardware based ID scheme -- if any -- are worth the loss of privacy? Do you still believe privacy exists online? Are you willing to sacrifice even the left overs of it, with the idea to improve accountability over the Internet, and supposedly limit cybercrime?
How long before cybercriminals undermine the ID scheme as well, and wouldn't a potential flaw in it lead us the same situation we're into today - millions of end users still susceptible to outdated 3rd party application flaws and vulnerable browser plugins, given the fact that only a small number of the hardware ID users would even know they're susceptible to impersonation based on the flaw?