Sunday, September 13, 2009

On personal data

Lately, the Hong Kong Personal Data (Privacy) Ordinance (PD(P)O) has been up for review. There has been quite a bit of controversy surrounding a number of issues, one of them being the special treatment given to biometric measurements.

PII vs. PII that can be used alone as an authentication factor


I want to illustrate the need to distinguish between a common PII such as name + dob + phone + address, and a PII that can be used alone as an authentication factor such as password or thumbprint biometric measurements.

The primary threat that comes from PII leakage is identity theft, as PII by definition (the NIST definition) can potentially be used to convince a third party that the bad guy is actually the identity theft victim. Leakage of common PII is bad enough, but leaking PII that can be used alone as an authentication factor is even worse, as this can potentially let the bad guy directly assume the identity of the victim.

Consider two scenarios:
  1. Call up phone banking, say you forgot the password, and respond to the operator's challenge by correctly stating the victim's name + dob + phone + address; having "proven" you are who you claim to be, proceed to operate on the victim's account, and
  2. Log into e-banking with the victim's login name + password.
These two scenarios make a world of difference:
  1. From an audit trail / forensics / monitoring perspective, the e-banking compromise vector is the "normal" way of access, making detection much more difficult.
  2. From an authentication soundness perspective, pedantically speaking the bank probably should not have given trust to someone based solely on the fact that he can state an account holder's name + dob + phone + address, because none of these PII items is known only to the individual (e.g. a receptionist of a hotel that the victim stayed in before probably could have had access to his name + dob + phone + address).
This is precisely why I consider passwords and biometrics to be much more dangerous than any common PII.

On the changing PII hierarchy


An even more interesting phenomenon is the changing PII hierarchy. If you follow my rationale above you see that passwords are more important than name + dob + phone + address, but what if the hypothetical bank operator above really was so naive as to have fallen for the impersonator, reset the password and release it to him? Does it not make these more-widely-shared information more permission-granting than "unique" passwords?

Whereas we see things like credit card numbers generally protected (e.g. encrypted in accordance with PCI-DSS), I haven't seen many people take very proactive measures to protect your mother's maiden name and your first pet's name. We all know it's entirely plausible that, given that "secret" information alone, a bad guy can gain access to your account (perhaps via a password reset) and make purchases on your behalf with your "properly protected" credit card number (think one-click purchase).
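The two sections above (the phone-banking versus e-banking scenarios, and the "changing PII hierarchy") both reduce to one weakest-link observation: an account is only as well protected as its easiest way in, and each way in is only as hard as the most secret thing it demands. The following Python model is an added illustration and is not code from the original post; the secrecy ranking of the factors, the policy names (`NAIVE_BANK`, `HARDENED_BANK`, `ONE_CLICK_SHOP`) and the `branch_id_check` out-of-band factor are assumptions made for the example.

```python
"""Weakest-path model of account protection (added example, not from the post).

Each way into an account (a "path") requires a set of factors. An attacker
must obtain every factor on some path, so a path is as hard as its most
secret factor, and the account is only as safe as its easiest path.
The ordinal secrecy ranking below is an assumption for illustration.
"""
from enum import IntEnum


class Secrecy(IntEnum):
    PUBLIC = 0         # name
    WIDELY_SHARED = 1  # dob, phone, address: a hotel receptionist may have them
    SHARED_SECRET = 2  # mother's maiden name, first pet: researchable
    PRIVATE = 3        # password, thumbprint: usable alone as a factor
    OUT_OF_BAND = 4    # in-branch ID check (assumed hardening step)


# Assumed secrecy level of each factor a bank or shop might ask for.
FACTOR_SECRECY = {
    "name": Secrecy.PUBLIC,
    "dob": Secrecy.WIDELY_SHARED,
    "phone": Secrecy.WIDELY_SHARED,
    "address": Secrecy.WIDELY_SHARED,
    "mothers_maiden_name": Secrecy.SHARED_SECRET,
    "first_pet": Secrecy.SHARED_SECRET,
    "password": Secrecy.PRIVATE,
    "thumbprint": Secrecy.PRIVATE,
    "branch_id_check": Secrecy.OUT_OF_BAND,
}

# Constructed policies: path name -> factors the path requires (all of them).
NAIVE_BANK = {
    "ebanking_login": ["password"],
    "phone_reset": ["name", "dob", "phone", "address"],
}
HARDENED_BANK = {
    "ebanking_login": ["password"],
    "phone_reset": ["name", "dob", "phone", "address", "branch_id_check"],
}
ONE_CLICK_SHOP = {
    "one_click_purchase": ["password"],
    "password_reset": ["mothers_maiden_name", "first_pet"],
}


def path_difficulty(factors, secrecy=FACTOR_SECRECY):
    """All factors on a path are needed, so difficulty is the highest level."""
    return max(secrecy[f] for f in factors)


def effective_protection(paths, secrecy=FACTOR_SECRECY):
    """Return (level, weakest_path): the account is as safe as its easiest path."""
    weakest = min(paths, key=lambda name: path_difficulty(paths[name], secrecy))
    return path_difficulty(paths[weakest], secrecy), weakest


def after_leak(leaked, secrecy=FACTOR_SECRECY):
    """Model a data leak: every leaked factor becomes effectively public."""
    return {f: (Secrecy.PUBLIC if f in leaked else s) for f, s in secrecy.items()}


if __name__ == "__main__":
    for label, policy in [("naive bank", NAIVE_BANK),
                          ("hardened bank", HARDENED_BANK),
                          ("one-click shop", ONE_CLICK_SHOP)]:
        level, path = effective_protection(policy)
        print(f"{label:14s}: protected at {level.name} via weakest path {path}")

    common_pii = after_leak({"name", "dob", "phone", "address"})
    print("naive bank after common PII leak:",
          effective_protection(NAIVE_BANK, common_pii)[0].name)
    print("hardened bank after common PII leak:",
          effective_protection(HARDENED_BANK, common_pii)[0].name)
    print("hardened bank after password leak:",
          effective_protection(HARDENED_BANK, after_leak({"password"}))[0].name)
```

Running it shows the post's point in numbers: the naive bank's strong password is irrelevant because the phone reset path only demands widely shared information, so a leak of common PII collapses that account to PUBLIC, while the hardened bank (reset requires an out-of-band check) stays at PRIVATE after the same leak and only collapses when the password itself leaks. The one-click shop is the credit-card case: the card number can be encrypted as carefully as you like, yet the account sits at SHARED_SECRET because the reset questions do.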

Go figure.
