Q&A
Paul Wing: Privacy's Northern Light
Paul Wing, former Scotiabank information security leader, says Canada and the United States need revamped privacy policies and practices
By Scott Berinato
This all seems to focus on security, specifically authentication. The lack of logical risk-based authentication policies makes private data more vulnerable by opening up avenues to identity theft.
Yes. Strong authentication can ensure that private information is more likely to remain private. No one's going to be able to get my heat and hydro bill statement, but why does that have stronger authentication than the cash machine? Because there are no best practices or uniform, risk-based policies. We're trying to develop those now.
So how we authenticate is one problem. Isn't what we use to authenticate another problem?
Absolutely. We're working on a governance model with several principles, one of which would define what is a valid piece of personal information to authenticate with. Our principle is, you should never use personal facts that don't change in your life as an authentication tool: Date of birth. Social Security number. Town you were born in. Mother's maiden name. There are also things that change very little—our mailing address, for example. Those should be avoided, too.
But wait. The uniqueness of these facts is what makes them appealing authentication techniques in the first place. Why wouldn't I want to use them?
Well, one reason is the people who know you can use this information, too—to your detriment.
One of the things we're seeing in Canada is children of the elderly using electronic banking to take over accounts and receive inheritances before their parents have died, before they're entitled. If my parents are in their 80s and have no idea about telephone and Internet banking, I can call and say I'm Mr. Wing Sr. and I'd like to activate my online banking. They'll say: Sure, what's your date of birth, mother's maiden name? I know all this stuff about my parents. There is a system-savvy, tech-savvy younger generation exploiting these authentication weaknesses.
Insiders will always have more information and more access though. How can you stop this?
What I push for is what you might call "opt out forever." There should be an opportunity for consumers to say, I never want to use a service, like online banking. And if "I" do use it, that is if someone activates it pretending to be me, you [the bank] are responsible. The fact that many services can be activated at any time is an issue. Two of the biggest sources of identity theft here in Canada, it turns out, are video stores and health clubs. You give them your driver's license and credit card and address and date of birth and your signature and all these minimum-wage employees have access to it behind the counter. If you stop using that store or club, do you think they destroy that information? No.