Underage Drinking, McLovin and Authentication

"Just like getting up in the club with a fake ID. If it don't work, we gonna do it again" from Fight! Smash! Win! by Street Sweeper Social Club

Average people are constantly going through authentication challenges without even realizing it. For instance, when most young people attempt to order an alcoholic drink at a bar, they are in fact passing an authentication challenge. When you produce a driver's license (the credential most people have), security agents (bouncers and bartenders) check that you are of legal drinking age. They are tasked with determining whether the identification shown to them is real, whether it is actually your ID (and not someone else's) and whether you are old enough to drink legally. It is possibly the simplest security concept out there. But if that is true, how come so many kids under 21 are able to beat the system and drink before they are of age?

The first problem is that not everyone has the same type of credential. Theoretically, a driver's license should be issued by a government agency and have the person's name, age and photo on it so that a bartender can accurately determine if a customer is indeed 21 years old. Yet driver's licenses weren't always created in a way that made them difficult to copy, and underage drinkers and scammers exploited this fact. After years of underage drinking and ultimately the effects of a post-9/11 world, driver's licenses started to get increasingly sophisticated. In some cases, holograms were added, your photo was in a different position if you were under 21, and the overall quality made the license much more difficult to replicate. However, it took a long time for every state to modernize its system for issuing driver's licenses.

When I was in college, just a few months into my freshman year, there were dozens of students in my dorm who suddenly claimed that they hailed from Oklahoma, New Jersey and even Hawaii (hey, it worked for McLovin in Superbad!) as these were the easiest state driver's licenses to fake. My school was in the Midwest, and we had students from all over the world, so it wasn't unusual to see IDs from far-off states and even far-off countries. The bouncers and bartenders did well to recognize fake IDs from states they saw frequently, but they really had a tough time spotting the flaws in less standard IDs.


Figure 1: McLovin from Superbad!

Like fraudsters today, would-be underage drinkers found the weakest link in the authentication system and exploited it as much as they could.

Nothing about what I've just said should come as a complete shock to you. College students drinking... fake IDs... toga parties... it's not exactly news. What was interesting about this trend was not that kids found the easiest IDs to spoof, but that they didn't even need to invest in a really good one. The bars closest to my college campus (that would be full with or without underage drinkers) were pretty serious about checking IDs. They would quiz the person to make sure that they knew all the data on their ID, conduct secondary analysis like checking the layout vs. a book of legitimate IDs and confiscate ones they deemed fake. Many even went so far as to staple the confiscated fake ID to the wall as both a source of humiliation for the person who got denied and a warning to others who attempted to illegally drink there. In fact, this was probably the most effective measure they used to curb underage drinking at their establishment.

However, even after IDs became easier to spoof and local bars became more vigilant, underage drinking was not really curbed. Why? Because there was always a bar or supermarket or liquor shop a few blocks down the street that did not institute good security measures. Sometimes, the bartender or bouncer might glance at your ID, but not take a truly thorough look; other times, they simply didn't even bother. Maybe they needed the business, maybe the task of separating real IDs from fakes was just too difficult, or maybe they were just lazy. Who knows? Either way, the task of properly authenticating patrons was broken.

I remember a bartender once telling me that I could just show him a library card saying I was 21 and that would be good enough for him. (I did not have a fake ID, for the record.) Eventually, I showed him my student ID, which contained no birth date, but he served me anyway.

Don't think this is happening in your organization? Guess again. Every day employees and customers are getting around authentication challenges. Someone doesn't have the proper credentials? Just borrow them from a friend. Don't have your token? Call a call center rep and have them give you temporary access. At one online site that I use quite frequently, I signed up to buy a token to protect my personal account. I work at RSA, and even though the token is made by a competitor, how could I not be a believer in this technology? However, I have NEVER used it. Why? Because when I forget my token, all I have to do is click a link that says "don't have my token" and, in lieu of a one-time password, I can simply authenticate by providing the last 4 digits of my Social Security number and the street I grew up on. Don't have a driver's license? How about a library card instead?

I bring this up because it is analogous to what is happening in the online world today. We are reaching a point where many websites, like online banks, have made it increasingly difficult to trick them when you are asked to authenticate yourself. They have added risk-based authentication, token-based authentication and transaction anomaly detection, and increased their scrutiny when opening new accounts. However, for every online bank site that has tightened its security policies, there are numerous healthcare, government, social networking and other sites that don't really bother. And even those organizations with well-protected online sites fail to apply the same scrutiny in authenticating you in other channels such as the call center.

So just like college students (and McLovin!) have always figured out the easiest place to use a fake ID to buy beer, fraudsters will always figure out the easiest place to steal your data. Your organization needs to make sure there aren't ways to get around security controls and that those controls are not too difficult to maintain. Additionally, you must have a culture where people care about upholding the rules. If not, you're just the dive bar around the corner.
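
One way to check for the kind of bypass described above is to list every path that grants access to an account and compare each one with the primary login. The sketch below is an added example, not part of the original post: the factor names, the path names and the sample policy are constructed, and it assumes the "don't have my token" fallback still asks for a password and that the call center path checks no factor at all.

```python
from dataclasses import dataclass

# Constructed mapping from credential type to factor category (assumption).
# Several items from one category still count as a single factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "ssn_last4": "knowledge",
    "childhood_street": "knowledge",
    "otp_token": "possession",
    "agent_override": None,  # rep grants temporary access, no factor verified
}

@dataclass(frozen=True)
class AuthPath:
    channel: str
    name: str
    requires: tuple

    def categories(self):
        return {FACTOR_CATEGORY[f] for f in self.requires} - {None}

    def strength(self):
        # Number of distinct factor categories, not number of questions asked.
        return len(self.categories())

def audit(paths, primary_name):
    """Return (effective strength, paths weaker than the primary one)."""
    primary = next(p for p in paths if p.name == primary_name)
    effective = min(p.strength() for p in paths)  # weakest link wins
    bypasses = sorted(
        (p for p in paths if p.strength() < primary.strength()),
        key=lambda p: (p.strength(), p.name),
    )
    return effective, bypasses

# Constructed policy modeled on the token fallback and call center cases.
POLICY = [
    AuthPath("web", "token_login", ("password", "otp_token")),
    AuthPath("web", "dont_have_my_token",
             ("password", "ssn_last4", "childhood_street")),
    AuthPath("call_center", "temporary_access", ("agent_override",)),
]

if __name__ == "__main__":
    effective, bypasses = audit(POLICY, "token_login")
    print(f"effective strength: {effective} factor categories")
    for p in bypasses:
        print(f"weaker path: {p.channel}/{p.name} -> {sorted(p.categories())}")
```

The fallback asks three questions but covers only one factor category, so it rates below the token login it replaces.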
