Security theater online
Mark Pothier has a well-written and compelling write-up of a great paper by Cormac Herley of Microsoft, which demonstrates that most of the things we do on the instruction of various IT departments are a waste of time. My favorite datapoint is that fully 100% of certificate error warnings — those roadblocks you get sometimes when you try to visit a secure website — are false positives.
Next time I log in to my computer at Reuters, I’m going to have to change my password — again. But as Pothier says, that won’t do any good to anybody:
Users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
The biggest losers here are actually companies like Reuters itself, which pays its employees to spend thousands of hours jumping through silly hoops set by IT people, despite the fact that there’s no real evidence that jumping through those hoops does any good at all.
For instance, I’ve had an email address since 1993, when storage space cost $2,000 per gigabyte; it now costs about 5 cents per gigabyte. In those 17 years, I’ve never deleted a non-spam email: I haven’t felt the need. But now Reuters is telling me that I can’t have more than half a gigabyte of storage space for my email (about 3 cents’ worth) unless I spend a very significant amount of time deleting at least 100MB of email per week. No matter how little my time is worth, it’s certain that the value of 100MB of freed-up disk space is lower than the value of the time I’m going to spend doing the deleting. (Not to mention the value of the time of the people I asked about raising my email quota.) But still the rules persist: maybe they were put in place back in 1993, and have never been changed.
It’s not just my time which is being wasted, either. Last night I spent about half an hour on the phone to First Direct, my bank in England, trying to navigate their incomprehensible online banking security system. I talked to two real people, who walked me through all the various steps. They had information I didn’t, and so could tell me that when the system seemed to be saying that my password was wrong but the answer to my personal question was right, in fact it was the other way around. The cost to First Direct of its employees’ time was vastly greater than any benefit to the bank, as Pothier explains using a US example:
For banks, the greater potential for damages comes not from a phishing attack itself, but indirect expenses. Herley used Wells Fargo as an example. He wrote that if a mere 10 percent of its 48 million customers needed the assistance of a company agent to reset their passwords — at about $10 per reset — it would cost $48 million, far surpassing Wells Fargo’s share of the $60 million in collective losses.
The bigger picture is simple:
In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.
I think it’s reasonable to assume that the idiotic practice of masking passwords by turning them into dots takes up a good minute of people’s time each day, and saves much less than $16 billion a year if it saves anything at all. (In fact, there’s a strong case to be made that it actually costs companies money, rather than saving them anything.) But it’s all part of the greater apparatus of security theater now, and a lot of people think that it’s making them safer somehow, even when it isn’t. So our time will continue to be wasted, and at some point in the next few weeks I’m going to spend $50 worth of my own time to save a couple of pennies in email storage costs. But hey, at least I got a blog post out of it.