Hey website! Prove you are you.

I got a call last week from my insurance company - or someone claiming to be from my insurance company. The nice lady on the other end wanted my credit card information to pay for the co-payment required for some "speciality meds" for our youngest son. Even though the caller-id had identified the caller as my insurance company, still I hesitated. The cold, cruel reality of the Internet has apparently made me even more cynical than normal.

We're often told never to give out our credit card information to anyone who requests it - over the telephone or on the Internet - because it may be a phishing attempt. But if this really was the insurance company I would do so - the wait time associated with mailing a check would delay the delivery of the medication. What to do, what to do...

Don, of course, had the answer. "Ask her for the name of Nathaniel's pediatrician," he suggested.

Of course! Ask her for information that she could only have if she were really from the insurance company. After she correctly answered I gave her the credit card info and was satisfied.

The incident got me to thinking that perhaps "reversing" security questions isn't a bad way to combat theft of sensitive personal information like credit cards. This isn't a new idea at all - many websites and Identity Management systems (IDM) have been using the concept of "security" questions for years, but they are ALL focused on validating that the user is who they claim to be, not the other way around.

Phishing works because the bad guys impersonate a site that a user would normally trust - their bank or a well-established commerce site like e-Bay or Macy's. If we could somehow apply the same kind of process we use to validate a user's identity to validate a site's identity we might be able to stop a few more phishers from successfully stealing personal information. Sure, you could rely upon SSL certificates, but as we've seen in the past even those can be hijacked.

Phishermen don't generally have access to corporate databases; their sites only superficially appear to be a trusted site. By requiring that sites answer a super secret security question, they would be able to raise the confidence of consumers with regards to the authenticity of the site. And it's information a phisher is unlikely to be able to provide.

It is valid for a site to implement additional safety measures when validating a user's identity. Today, it is just as valid for a user to require additional security measures through which a site must verify its identity. Maybe it's time to "reverse" some of the security measures we've been using to verify user identities to combat the impersonation of sites by the bad guys.
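One way to turn the "reverse security question" idea into a protocol is a challenge-response: the user picks a fresh random nonce, and the site proves it knows the user's secret by returning an HMAC over that nonce, so the secret itself never crosses the wire and a phisher who recorded an earlier exchange cannot replay it. The following is an added illustration, not code from the original post; the user names, the secret string and the `SITE_SECRETS` table are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample: the per-user fact only the genuine site holds
# (the post's example is the name of a child's pediatrician).
SITE_SECRETS = {
    "alice": b"pediatrician:Dr. Example",  # hypothetical value
}


def make_challenge() -> bytes:
    """User side: choose a fresh random nonce so an old answer cannot be replayed."""
    return secrets.token_bytes(16)


def site_answer(username: str, nonce: bytes, secrets_db: dict = SITE_SECRETS):
    """Site side: prove knowledge of the user's secret without transmitting it.

    Returns None when the site has no record for the user (what a phishing
    site without access to the real database would be forced to do, or it
    would have to guess)."""
    secret = secrets_db.get(username)
    if secret is None:
        return None
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def user_verify(expected_secret: bytes, nonce: bytes, answer) -> bool:
    """User side: recompute the HMAC from the locally known secret and compare
    in constant time. Any answer that is missing, guessed, or computed for a
    different nonce is rejected."""
    if answer is None:
        return False
    expected = hmac.new(expected_secret, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, answer)


def run_demo() -> dict:
    """Walk through three cases: the genuine site, a phishing site that lacks
    the secret, and a phishing site replaying an answer captured earlier."""
    user_secret = SITE_SECRETS["alice"]  # what the user remembers

    # 1. Genuine site answers the user's fresh challenge.
    nonce1 = make_challenge()
    genuine_ok = user_verify(user_secret, nonce1, site_answer("alice", nonce1))

    # 2. Phishing site has no database and can only guess at the secret.
    phisher_db = {"alice": b"pediatrician:Dr. Guess"}  # constructed wrong guess
    nonce2 = make_challenge()
    phisher_ok = user_verify(user_secret, nonce2, site_answer("alice", nonce2, phisher_db))

    # 3. Phishing site replays the genuine answer it captured for nonce1,
    #    but the user issues a new nonce, so the replay fails.
    captured = site_answer("alice", nonce1)
    nonce3 = make_challenge()
    replay_ok = user_verify(user_secret, nonce3, captured)

    return {"genuine": genuine_ok, "phisher": phisher_ok, "replay": replay_ok}


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the site answers a question the user chose on the spot, so the proof is bound to this session; a static answer typed into a form (the way most "security questions" work today) could be captured once and repeated by any impersonator.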

Sometimes the answer is about the process, not necessarily the product.

Imbibing: Coffee
