[CQ-Contest] LotW - Needs More Participation

Dick Green WC1M wc1m at msn.com
Sat May 22 13:41:56 EDT 2004


Online confirmation of identity is a complex subject. In the security biz,
we call it "authentication". The bottom line is that pure online
authentication of identity is not possible without using certain special
techniques. After all, anyone can logon to a website and claim to be someone
else. You need something extra.

One way to do it is by asking the user for some piece of information that
he/she, and only he/she, is supposed to know -- such as a social security
number, driver's license, credit card number, etc. This is the method used
by the online financial institutions you mention. It requires that they
somehow know your identifying information. If they permit you to supply the
information over the Internet, the system is not very secure -- as
demonstrated by the escalating nightmare of identity theft. 

A more secure method is to use an "out-of-band" (non-Internet) channel
through which information can be passed. The channel is usually the mail or
in-person. In other words, you have to either send the identifying
information by mail, usually with your signature, or give it to them in
person. Mail is less secure, of course, and neither method can resist
determined attack.  Still, it's better than pure online authentication. Once
you send in the information, the rest of the transaction can take place over
the Internet. This approach is more of a hassle, but you can't get the
security without the hassle. This is a golden rule of security: there is a
tradeoff between convenience and security (note this the next time you have
to wait for screening before you get on an airplane.)

Note that LoTW probably wouldn't be able to use these methods due to
restrictions on who can verify your social security number, credit card
number, driver's license, etc.

For USA hams, LoTW uses the FCC database and U.S. Postal service as an
out-of-band channel. The system relies on the fact that the address in the
FCC database is the actual address of the person who holds the callsign and
not the address of an identity impersonator. If not, then someone
perpetrated a fraud on the U.S. Government -- which is a very
low-probability event (most rational people wouldn't risk jail to get Honor
Roll.) Once LoTW has the address, the password can be sent through the
out-of-band channel (snail mail) to ensure that only the true holder of the
callsign can get the certificate.

Unfortunately, the same method can't be used for non-USA hams because most
DX licensing authorities do not maintain online callsign/address databases.
LoTW therefore requires a copy of the license and a government-issued
identification document to complete the identification. Although the license
could be faked, in theory it is much harder to fake a government ID and is a
serious crime in most countries. This reduces the probability of fraud. The
copies must be mailed in, not scanned and e-mailed, to verify that they come
from the DXCC entity in question.

No security system is perfect. However, LoTW has been designed to
substantially reduce the probability of identity theft, to detect when it
has occurred, and to recover (back out bogus data) when fraud is detected. 

Incidentally, the 128-bit encryption channel you mention has nothing to do
with verifying identity. It's used to prevent someone from eavesdropping on
the connection and stealing your identification information, user ID,
password, etc.

73, Dick WC1M
> -----Original Message-----
> From: K3FT [mailto:k3ft at starpower.net] 
> Sent: Thursday, May 20, 2004 6:55 PM
> To: CQ-CONTEST REFL
> Subject: [CQ-Contest] LotW - Needs More Participation
> 
> 
> I wonder..
> 
> HOW do institutions that I transact financial business with 
> on the Internet (like my bank) manage to do all that stuff 
> without a snail mail original registration?
> 
> I seem to recall that they have me connect to their server, 
> and by using a SECURE 128-bit encryption system , have me 
> supply the information they need to get me validated to look 
> at my personal finances.
> 
> Same with DoD!  They use some type of on-line authentication system.
> 
> Why is THAT acceptable for MORE important things while the 
> ARRL requires snail mail??
> 
> I dunno. Maybe I'm just not hip to the way things are done.
> 
> K3FT
> 
> 
> 
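The out-of-band flow described above for USA hams (address taken from the FCC record rather than from the requester, password sent by post, certificate released only to whoever presents that password), as an added example; it is not part of this post or LoTW's actual software, and the FCC_DB table and the simulated postal mailbox are constructed stand-ins:

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the FCC licensee database: callsign -> address of record.
# Sample values only, not real licensee data.
FCC_DB = {
    "WC1M": "1 Example Rd, Anytown, NH 03000",
    "K3FT": "2 Sample St, Sometown, MD 20000",
}


class OutOfBandIssuer:
    """Mail a one-time password to the address of record, then release a
    certificate only to the party that can present that password."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.pending = {}   # callsign -> (sha256 of password, expiry time)
        self.mailed = []    # (address, callsign, password): simulated postal channel
        self.ttl = ttl_seconds

    def request(self, callsign):
        # The authoritative address comes from the FCC record; the requester
        # never gets to supply it, so an impersonator's letter goes to the holder.
        address = FCC_DB.get(callsign)
        if address is None:
            return False
        password = secrets.token_hex(8)
        digest = hashlib.sha256(password.encode()).hexdigest()
        self.pending[callsign] = (digest, time.time() + self.ttl)
        self.mailed.append((address, callsign, password))
        return True

    def claim(self, callsign, password):
        entry = self.pending.get(callsign)
        if entry is None:
            return None
        digest, expiry = entry
        if time.time() > expiry:            # stale letter: discard and refuse
            del self.pending[callsign]
            return None
        presented = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return None
        del self.pending[callsign]          # one-time use
        return f"CERT:{callsign}"


def mailbox(issuer, address):
    """Letters delivered to one address, i.e. what the person living there can read."""
    return [(cs, pw) for addr, cs, pw in issuer.mailed if addr == address]
```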