<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tricerion Security Blog &#187; Authentication</title>
	<atom:link href="http://blog.tricerion.com/tag/authentication/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.tricerion.com</link>
	<description></description>
	<lastBuildDate>Tue, 17 Jan 2012 14:02:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>CES 2010 &#8211; blending of technology and content</title>
		<link>http://blog.tricerion.com/2010/01/ces-2010-blending-of-technology-and-content/</link>
		<comments>http://blog.tricerion.com/2010/01/ces-2010-blending-of-technology-and-content/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 20:22:33 +0000</pubDate>
		<dc:creator>Eugen</dc:creator>
				<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Retail]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Authentication]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=85</guid>
		<description><![CDATA[This year’s Consumer Electronics Show brought us some interesting trends and ideas.   In his review of the show, Lance Ulanoff lists 9 things he’s learned there.  In the last point in that post, he makes the observation that “the marriage of technology and content took center stage”. There is a fundamental change in how we’ve [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_91" class="wp-caption aligncenter" style="width: 370px"><a href="http://blog.tricerion.com/wp-content/uploads/2010/01/CES_2010.jpg"><img class="size-full wp-image-91 dtse-img dtse-post-85" title="Gadget Show" src="http://blog.tricerion.com/wp-content/uploads/2010/01/CES_2010.jpg" alt="" width="360" height="202" /></a><p class="wp-caption-text">A Canon advertisement at the International Consumer Electronics Show (CES) in Las Vegas, Monday, Jan. 4, 2010. (AP Photo/Paul Sakuma)</p></div>
<p style="text-align: left;">This year’s <a href="http://blog.ce.org/" target="_blank">Consumer Electronics Show</a> brought us some interesting trends and ideas.  In his <a href="http://www.pcmag.com/article2/0,2817,2357944,00.asp" target="_blank">review of the show</a>, Lance Ulanoff lists 9 things he learned there.  In the last point of that post, he observes that “<em>the marriage of technology and content took center stage</em>”.</p>
<p>There has been a fundamental change in how we have been turning every possible device into a content delivery or presentation mechanism.  You can read your email or a book on your PC, on your phone or on TV.  I can now watch a TV show on cable, on my iPod, iPhone or on Hulu Desktop.  I happened to be in an Eastern European country during its parliamentary election.  The ruling party rigged the election and when the students came out protesting, they were using Twitter and Facebook to organize themselves and broadcast the latest news.  The government promptly shut down Internet access to these websites.  However, I was pleasantly surprised to learn that the Facebook app on my iPhone continued to work.  Multi-channel communication rocks.</p>
<p>As our lives become more digitized, we are being asked to get used to reading and sending information via a multitude of devices and services.  We’ve been conditioned to open up our private lives and share (some more, some less) our life experiences with our online social networks.  Various companies are now hoarding more and more data about who we are.  I laugh every time a bank asks me to select “What year did you graduate from high school?” as one of my security questions.  Come on, there are at least 1000 people who know the answer to this question.  Besides, about half of all identity fraud crimes are committed by people who know the victim personally.</p>
<p>As we enable more types of devices to access our private or paid content, identity and access technologies will have to evolve to give us consistent usability and security across all information delivery platforms.  Users also need to know that the service they are accessing is authentic.  That is the <a href="http://www.tricerion.com/solutions/mutual_authentication.html" target="_blank">mutual authentication</a> principle: the service provider first reveals a secret known only to it and the user, which assures the user that they are talking to the genuine service before they disclose their own credentials.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/ces-2010-blending-of-technology-and-content/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Money draining&#8230;</title>
		<link>http://blog.tricerion.com/2010/01/money-draining/</link>
		<comments>http://blog.tricerion.com/2010/01/money-draining/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 03:29:28 +0000</pubDate>
		<dc:creator>Kathy</dc:creator>
				<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=82</guid>
		<description><![CDATA[Do you hear that? The sound of drip&#8230; drip&#8230; drip&#8230;? It&#8217;s the sound of money ever so gradually leaving your account through insecure transactions. There are these clever little ways to send money through text messaging &#8211; Yele does it to help humanitarian aid after the quake in Haiti. Just text &#8220;Yele&#8221; to a specific [...]]]></description>
			<content:encoded><![CDATA[<p>Do you hear that? The sound of drip&#8230; drip&#8230; drip&#8230;? It&#8217;s the sound of money ever so gradually leaving your account through insecure transactions.</p>
<p><img class="alignright dtse-img dtse-post-82" title="mobile phone donation vulnerability" src="http://farm4.static.flickr.com/3306/3515572549_f2f4378de1.jpg" alt="" width="183" height="165" />There are these clever little ways to send money through text messaging &#8211; <a href="http://www.yele.org">Yele</a> does it to help humanitarian aid after the quake in Haiti. Just text &#8220;Yele&#8221; to a specific number to donate $5 to relief efforts. What&#8217;s wrong with that? In this case it&#8217;s for a good cause, but the very same technique could be used by others with less-than-honorable intentions. Misplace your phone? Before, that was a hassle of immeasurable proportions, but now it could mean more: the same level of financial exposure as losing your wallet and credit cards, because the phone itself is the only credential the donation channel checks. You can read more on the worrisome tactics of post-disaster funding scams in <a href="http://news.cnet.com/8301-13577_3-10434237-36.html?tag=newsLeadStoriesArea.1">CNet&#8217;s post</a> by Caroline McCarthy.</p>
<p>And what about email? Did you know that you can be held responsible for transactions over email? These annoying post-transaction marketing ploys are promoted by sites like VistaPrint, which present seemingly countless offers after a sale is completed, all of which will lighten your wallet a bit (or more). The offering site already has your payment information saved, and the &#8216;special offers&#8217; from affiliate sites push through transactions that were never authorized, or were &#8216;authorized&#8217; merely by sharing an email address, with no credit card details ever entered.</p>
<p>It makes me wonder&#8230; when will authentication for mobile phones actually make sense &#8211; for security and usability? And will there ever be a day when the majority of companies have scruples? I&#8217;m just sayin&#8217;.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/money-draining/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Authenticating Mobile Apps</title>
		<link>http://blog.tricerion.com/2010/01/authenticating-mobile-apps/</link>
		<comments>http://blog.tricerion.com/2010/01/authenticating-mobile-apps/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 19:39:41 +0000</pubDate>
		<dc:creator>Eugen</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=67</guid>
		<description><![CDATA[Everyone is excited about the new Google phone &#8211; Nexus One. I am actually considering making the jump from iPhone to an Android-based phone. The Android Market is the Google’s answer to iTunes App store. In an interesting twist of events, a rogue app called “Droid09” was uploaded to Android Market, claiming to be an [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.tricerion.com/wp-content/uploads/2010/01/Phished-AndroidMarket.jpg"><img class="alignright size-full wp-image-69 dtse-img dtse-post-67" title="Phished - Android App" src="http://blog.tricerion.com/wp-content/uploads/2010/01/Phished-AndroidMarket.jpg" alt="" width="240" height="240" /></a>Everyone is excited about the new Google phone &#8211; <a href="http://www.google.com/phone" target="_blank">Nexus One</a>.  I am actually considering making the jump from iPhone to an Android-based phone.  The <a href="http://www.android.com/market/" target="_blank">Android Market</a> is the Google’s answer to iTunes App store.</p>
<p>In an interesting twist of events, a rogue app called “Droid09” was uploaded to Android Market, claiming to be an official online banking app from <a href="http://www.firsttechcu.com/home/security/fraud/security_fraud.html">First Tech FCU</a>.  The fake app then attempted to collect user login information – thus becoming the first phishing app for Android.</p>
<p>It makes me wonder whether there is any way for an Android-phone user to know whether a downloaded app is authentic or not.  While we usually go to the websites of the companies we know and trust to download software patches and upgrades, both Apple and Google are essentially middlemen delivering apps from various service providers.  You can’t just go to Electronic Arts&#8217; website and download a game for iPhone.  Consumers will be at risk as long as there is no <a href="http://tricerion.com/solutions/mutual_authentication.html" target="_blank">mutual authentication mechanism</a> that authenticates the service provider (and/or their app) before the user is asked for their security credentials.</p>
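<p>The mutual authentication principle invoked in this post and in the CES 2010 post above (the service proves itself to the user before the user is asked for a credential) is shown below as an added example; it is not code from the original posts or from Tricerion. It demonstrates two variants: the "reveal a pre-registered secret" pattern the posts describe, and an HMAC challenge-response in which the shared secret is never sent and the client refuses to send its own proof until the server's proof checks out. The user store, phrase, password, salt and class names are all constructed for the demo.</p>

```python
"""Added example: mutual authentication, where the service proves itself to the
user before the user hands over a credential.  Variant 1 is the "reveal a
pre-registered secret" pattern the post describes; variant 2 is an HMAC
challenge-response in which the shared secret itself is never transmitted.
Every user, phrase, password and salt below is constructed for the demo."""
import hashlib
import hmac
import secrets

SALT = b"demo-salt"  # constructed; use a random per-user salt in a real system


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow KDF so the stored verifier is not the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: what a genuine server knows after enrolment.
USERS = {
    "alice": {
        "site_phrase": "blue heron 47",                            # shown in variant 1
        "key": derive_key("correct horse battery staple", SALT),   # used in variant 2
    }
}


# --- Variant 1: the server reveals a secret the user chose at enrolment ----
def server_reveal_phrase(users: dict, username: str):
    """Only a server that holds the enrolment data can return the phrase."""
    user = users.get(username)
    return user["site_phrase"] if user else None


def client_checks_phrase(shown, expected: str) -> bool:
    """The user compares the phrase before typing a password.  Caveat: a
    phishing proxy that forwards the username to the real site in real time
    gets the phrase too, so this only defeats kits that do not relay."""
    return shown is not None and hmac.compare_digest(shown, expected)


# --- Variant 2: HMAC challenge-response, server proves first ---------------
def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Server:
    def __init__(self, users: dict):
        self.users = users
        self.sessions = {}  # username -> server nonce for the current attempt

    def start(self, username: str):
        if username not in self.users:
            return None
        self.sessions[username] = secrets.token_bytes(16)
        return self.sessions[username]

    def prove(self, username: str, cnonce: bytes) -> bytes:
        """Bind the proof to both nonces so it cannot be replayed later."""
        return _prf(self.users[username]["key"], b"server",
                    self.sessions[username], cnonce)

    def verify_client(self, username: str, cnonce: bytes, proof: bytes) -> bool:
        expected = _prf(self.users[username]["key"], b"client",
                        self.sessions[username], cnonce)
        return hmac.compare_digest(expected, proof)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.key = derive_key(password, SALT)
        self.cnonce = secrets.token_bytes(16)

    def verify_server(self, snonce: bytes, proof: bytes) -> bool:
        expected = _prf(self.key, b"server", snonce, self.cnonce)
        return hmac.compare_digest(expected, proof)

    def prove(self, snonce: bytes) -> bytes:
        return _prf(self.key, b"client", snonce, self.cnonce)


def run_exchange(server: Server, client: Client):
    """Returns (server_authenticated, client_authenticated).  The client sends
    its own proof only after the server's proof checks out, so a fake server
    that does not hold the key never receives anything it could reuse."""
    snonce = server.start(client.username)
    if snonce is None:
        return False, False
    if not client.verify_server(snonce, server.prove(client.username, client.cnonce)):
        return False, False  # client stops here: server is not who it claims to be
    client_ok = server.verify_client(client.username, client.cnonce, client.prove(snonce))
    return True, client_ok


if __name__ == "__main__":
    genuine = Server(USERS)
    print("genuine server:", run_exchange(genuine, Client("alice", "correct horse battery staple")))
    # A phishing server has no enrolment data, so it cannot produce a valid proof.
    fake = Server({"alice": {"site_phrase": "?", "key": b"\x00" * 32}})
    print("impostor server:", run_exchange(fake, Client("alice", "correct horse battery staple")))
```

<p>The order matters: in both variants the user gives nothing away until the server has proven itself, which is exactly the property a look-alike app or website cannot satisfy. Neither variant by itself binds the exchange to the transport, so a proxy that relays messages live between the user and the genuine service still passes; in practice that gap is closed by running the exchange over TLS and binding the proofs to the channel.</p>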
]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/authenticating-mobile-apps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Problem with Passwords</title>
		<link>http://blog.tricerion.com/2010/01/the-problem-with-passwords/</link>
		<comments>http://blog.tricerion.com/2010/01/the-problem-with-passwords/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 20:22:32 +0000</pubDate>
		<dc:creator>Eugen</dc:creator>
				<category><![CDATA[Usability]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=61</guid>
		<description><![CDATA[Zack Whittaker’s post on whether we still need usernames/passwords is fueling an interesting debate at ZDNet.  The premise is familiar  &#8211; everyone is tired of storing their hundreds of passwords in an Excel sheet or a password management app.  Wouldn’t it be nice if all websites would just “join hands” so to speak, and create [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.tricerion.com/wp-content/uploads/2010/01/Passwords-mandatory.jpg"><img class="alignright size-full wp-image-73 dtse-img dtse-post-61" title="Passwords-mandatory" src="http://blog.tricerion.com/wp-content/uploads/2010/01/Passwords-mandatory.jpg" alt="" width="280" height="186" /></a>Zack Whittaker’s post on <a href="http://blogs.zdnet.com/igeneration/?p=2498" target="_blank">whether we still need usernames/passwords</a> is fueling an interesting debate at ZDNet.  The premise is familiar  &#8211; everyone is tired of storing their hundreds of passwords in an Excel sheet or a password management app.  Wouldn’t it be nice if all websites would just “join hands” so to speak, and create a magic unified ID access mechanism that would be simple, easy to use, super secure and not cost a zillion dollars to implement?</p>
<p>The debate on usability vs. security somehow always leans towards usability as the obvious choice (we all like “simple”).  Yet every day, all around us we are faced with the very same dilemma:</p>
<ul>
<li><strong>Airport security. </strong> Yes, I want to just show my ticket at the counter and go straight to the airplane door &#8230; no frisking, please.  Unfortunately, not all people are getting on the plane just to travel from A to B.  Some of them try to <a href="http://news.bbc.co.uk/2/hi/americas/8430612.stm" target="_blank">carry explosives on board</a>.  Our concern for safety makes us accept more stringent access control to the planes.</li>
<li><strong>Government.</strong> The Bolshevik revolution started with the social ideal of universal equality.  The Communists believed that every man is inherently good, if only given the right tools and opportunities.  Give everyone an equal amount of food, money, clothes, housing, work, and paradise will descend upon us.  Of course, the masses should be defenseless because the State will protect them.  Being different or more gifted than others is also uncool, because you just make the others look bad (remember – universal equality).  If you had to live through that atrocious Communist experiment, would you rather have a meager but stable and predictable existence where most of your basic needs are met, or would you choose total freedom and personal responsibility for your own successes (and failures)?  It is incredible, but usability (so to say) wins here too.  People want it easy when it comes to government – basic needs trump individual freedoms.  In a recent poll, <a href="http://english.pravda.ru/society/22-12-2009/111328-sovietnostalgia-0" target="_blank">60% of Russians still regret the break up of the Soviet Union</a>.</li>
<li><strong>Online Privacy. </strong> There’s been a major paradigm shift in how our society views personal issues.  We now easily discuss very private events and feelings with hundreds of our Twitter and Facebook followers.  Our trust in online privacy has created a new (false) sense of security, a belief that we still control the information. How much inconvenience would you bear (in terms of access security) to make sure that your social networking accounts are never compromised and misused?  My LinkedIn account is connected to many people I respect and appreciate.  The last thing I want is for someone to hijack my credentials and discredit my reputation or my network.</li>
</ul>
<p>Zack Whittaker asks “<em>How would you fix it?</em>” (the password clutter vs. security issue).</p>
<p>I’d like to suggest that <a href="http://en.wikipedia.org/wiki/G._K._Chesterton" target="_blank">G.K. Chesterton</a>’s response to the famous question “<a href="http://www.gutenberg.org/files/1717/1717-h/1717-h.htm" target="_blank">What is wrong with the world?</a>” applies in this case.  Chesterton’s response was written in a form of a letter to “The Times” which initially posted the question:</p>
<blockquote><p><em>Dear Sirs,</em><br />
<em>I am.</em><br />
<em>Sincerely yours,</em><br />
<em>G. K. Chesterton</em></p></blockquote>
<p>What is wrong with the username and password?  I am.  The user is.  As long as the user is able to share authentication credentials, he is vulnerable to social engineering (phishing) attacks.  We assume (much like the Communists did) that the user is generally smart and responsible . . . we just need to build higher walls around the enterprise technology or web services (firewalls, etc.).  I agree that usability has to remain high, and mutual authentication combined with <a href="http://www.safelogin.co.uk/" target="_blank">graphic passwords</a> is one of the few security approaches that increases access security while targeting the weakest link: password shareability.  With graphic passwords, the user has no easy way to share his password by typing it, disclosing it on a fake website, sending it by email or even writing it down on a piece of paper.</p>
<p>Our use of technology in everyday life has changed how we live now, 45 years after the first mainframe computers were built.  Yet, we continue to use a 1960s access control mechanism.   <a title="Are Tricerion revolutionising passwords? " href="http://www.it-director.com/business/security/content.php?cid=10590" target="_blank">Passwords have evolved into the 21<sup>st</sup> century</a> and it’s time to <a href="http://www.safelogin.co.uk/" target="_blank">benefit from it</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/the-problem-with-passwords/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security may not be colorblind</title>
		<link>http://blog.tricerion.com/2009/12/security-may-not-be-colorblind/</link>
		<comments>http://blog.tricerion.com/2009/12/security-may-not-be-colorblind/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 12:31:20 +0000</pubDate>
		<dc:creator>Eugen</dc:creator>
				<category><![CDATA[Usability]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Hardware]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=42</guid>
		<description><![CDATA[Making it to the top of the BBC Technology page, a video posted on YouTube shows how the latest HP face recognition technology fails to “see” a black person.  The video is pretty funny to watch. Have you seen it? If not, here it is for your viewing pleasure. In light of this interesting story, [...]]]></description>
			<content:encoded><![CDATA[<p>Making it to the top of the <a href="http://news.bbc.co.uk/2/hi/technology/8429634.stm">BBC Technology page</a>, a video posted on YouTube shows how the latest HP face recognition technology fails to “see” a black person.  The video is pretty funny to watch. Have you seen it? If not, here it is for your viewing pleasure.<br />
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/t4DT3tQqgRM&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/t4DT3tQqgRM&amp;hl=en_US&amp;fs=1&amp;" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>In light of this interesting story, I wonder what fate awaits the author of this video should he be the proud owner of a <a href="http://www.reghardware.co.uk/2009/12/17/lockface_usb/">Lockface USB security token</a>.  <img class="alignright dtse-img dtse-post-42" title="Lockface USB" src="http://www.crunchgear.com/wp-content/uploads/2009/12/Picture-21.png" alt="" width="221" height="187" />The device depends on the webcam recognizing the person, and that recognition serves as the authentication credential for site or system access.  However, if the computer you are using has no webcam (or fails to “see” you, as in this video), the token, defying all logic, falls back to simple password entry . . . still wondering what the whole point is . . . why spend $110 for the privilege of typing your password? Especially when whoever lifts the token from you can fall back on his well-honed password-hacking tactics: once a weaker fallback exists, the weaker path is the one an attacker takes, and the stronger factor buys nothing.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2009/12/security-may-not-be-colorblind/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

