Archive for 'Computer Security'

Does online banking put your money at risk?

Sunday, September 19th, 2004

I recently received another email “alert” from “my bank” – “CitiBank”, telling me due to recent identity theft and fraudulent emails, CitiBank needs me to update my personal information by clicking the provided link. The sender of the email was shown as “customerservice@citibank.com”. The CitiBank logo was displayed in the email. The request was to “protect” me, a customer of CitiBank. Everything seemed so right. I almost wanted to click the link, but I did not.

Of course, I would never click such a link. As a researcher working on security and privacy, I’m quite familiar with this kind of fraudulent email. But for the general public, especially inexperienced Internet users, would they click such a link and update their personal information?

A study has shown that this attack (using fraudulent emails and screens to trick customers into providing their personal information) has a surprisingly high success ratio. As many as 5% of the email recipients were tricked by these fraudulent emails and screens. (I wish I had a reference for you about the 5%. I heard that in a seminar at NC State University in May 2004 given by Professor Marianne Winslett from UIUC.)

So, are you scared or are you astonished by the high success ratio of the attack?

I have been using online banking for over three years. So far it works pretty well for me. I enjoy the convenience that online banking has brought me. So, maybe it is not bad after all.

A recent article by Tony Lima – Does Online Banking Put Your Money at Risk? – states that scammers and thieves are out there, but you can protect yourself. I agree with Tony. But I also think the security knowledge of the general public is far from good enough to protect themselves against the attacks that are invented every day.

Even for myself, I do not completely trust the security of online banking. For example, there is usually less than a $1,500 balance in my checking account. This is the average amount I use to pay my bills each month for living in an apartment. I have other accounts for which I never use online banking. In this way, I have limited the maximal loss of my account in the worst case.

Online banking brings us a lot of convenience and also poses additional risks. Knowledge is power. With more security knowledge, people can protect themselves from being attacked or tricked. There is a great need for more security training on and off campus for everyone who is involved in online banking and e-commerce.

Security Hacker Tips from “I, Robot”

Tuesday, August 24th, 2004

I finally got a chance to see I, Robot last week. Frankly, I had many qualms about going to see this film. For one thing, every movie with Will Smith seems to end up being a Will Smith love-fest rather than, you know, an actual story. My main objection, at least before seeing the movie, was that they didn’t use Harlan Ellison’s screenplay. But I’m a sucker for summer sci-fi action flicks, so I decided to go anyway. Little did I know I’d be professionally insulted as well as underwhelmed.

I’ll try not to spoil the story too much, for those of you who might want to go see the show. A key location in the movie is the world headquarters of “U.S. Robotics”, the makers of commercial domestic robots. The entire building is secured by an Artificial Intelligence system called Vicki. (I forget the cute acronym.) They make a Big Deal out of the fact that Vicki is constantly monitoring everything in the U.S. Robotics buildings for security. OK, fine. I can suspend my disbelief in AI for the sake of a movie. The sentient Artificial Intelligence is a time-honored trope in science fiction.

But as things start to get tense in the movie, Our Hero, Detective Del Spooner (Will Smith), and his geek robot psychologist, Dr. Susan Calvin (Bridget Moynahan), find themselves desperately needing to get into the U.S. Robotics building. Unfortunately, it’s surrounded by thousands of NS5 robots who have inexplicably turned into bad guys.

As Del and Susan hide just outside the reach of the Evil Robots, they ponder how the heck they are going to get into the building, past Vicki’s perimeter security. Finally, Dr. Calvin comes up with a brilliant plan. I don’t remember the exact dialog, but it was something like, “I know, we’ll sneak in through the service tunnel. It’s not monitored by Vicki because it’s only used for service!!” And that’s what they do: they pry open a conveniently located manhole, hop into the service tunnel and sneak into the building. So there ya go, a security hacker lesson from I, Robot.

Um, OK. In other words, the screenwriter wrote himself into a corner he couldn’t get out of, so he wrote a plot hole that violated the most fundamental tenet of security, which is that YOU PLAN YOUR SECURITY ON WHAT COULD HAPPEN, NOT WHAT USUALLY HAPPENS.

Any security consultant who would suggest that a service tunnel doesn’t need to be monitored because it isn’t usually used by humans to get into the building would be laughed out of business. It’s like a police officer saying that you don’t need locks on your doors because most of the time burglars don’t try to walk in through your front door. It’s like telling a company they don’t need firewalls protecting their intranet because most people only interact with the company’s web site.

So we can all get a chuckle at the screenwriter’s sloppy plotting and feel smug about the mature computer security industry. Even the most technologically phobic executive understands the basic needs of physical and network security in their company’s environment. We’ve got a rich industry of firewalls, authentication systems, authorization systems, intrusion detection systems, etc., etc.

It occurs to me that the IT industry hasn’t yet adopted the same rigor in our thinking about privacy management. Ask any IT professional in a company about the tools they use to protect the privacy of the personal information they are entrusted with and they’re likely to mumble something about having a privacy notice on their web site. Maybe they’ll talk about using SSL when transferring data from a browser to a server. And the really forward-thinking folks may be able to articulate a strategy for encrypting personal information when it’s stored.

All of these things are good, and I’d not speak against any of them. But do they really protect the privacy of their customers? How do the stewards of personal information know that they aren’t using data in ways that directly violate the promises they make to their customers? As the good folks at Hooked On Phonics found out the hard way, the FTC is starting to crack down on companies that violate the privacy promises that they make.

It’s most likely that the folks at Hooked On Phonics were not deliberately being malicious. It was just a case where one department in a company used sensitive personal information without any prior knowledge of the promises made by other departments in the company. All too often, the only preventative measure companies have in place is to circulate a memo reminding people of the company privacy policy. In other words, the typical privacy management strategy in a company is based on what usually happens, not what could happen, which is just as big a hole in its IT infrastructure plans as the plot holes in I, Robot.

- Calvin Powers