What ‘access denied’ means and why nobody should be exempt

What you need to know:

  • Senator Moses Wetangula demanded – and succeeded in accessing – a service without authentication and authorisation.
  • We need to see that exemptions to the rule are an opportunity to be exploited by fraudsters, criminals and terrorists.
  • Imagine a terrorist, well familiar with such a procedure that allows public figures to fly without auditable identification.
  • We must look beyond the individual and begin to appreciate that “systems” and “procedures” may be inconvenient, but are there to keep each of us safe and sound.

The recent stand-off between Kenya Airways and my very own Senator, Moses Wetangula, brought to mind the questions of authentication, authorisation and access to services.

What is the meaning and role of these terms within the framework of ICT security in particular, or physical security in general?

Authentication is the activity that confirms you are who you claim to be.

In most ICT systems, authentication relies on something only you are supposed to know: a password, a Personal Identification Number (PIN), or one of the many variations of these two.

For example, in online banking, having a password is not considered sufficient, hence the need for what are known as secret or personal questions.

After your password is validated, you are expected to answer a personal question such as “What is your favourite word in your mother tongue?” Only if the answer is correct does the system grant access to the services sought; otherwise access is denied.

However, access once granted can still be restricted to, say, reading the bank statement rather than actually transferring money between accounts. This is authorisation at work.

FORGETTING YOUR PIN

One may have access to the account, but may not be authorised to execute some services, depending on the configuration previously agreed with the bank on how the account will operate.

All this is standard procedure expected to enhance the security of your financial assets while reducing the risk for fraud.

Remembering your many passwords can be, and indeed is, the cost or inconvenience that you have to live with in order to protect your money.

So what happens if you forget your banking password or your MPesa PIN? Do you cause fracas and demand to access your money with neither the PIN nor the password?

How will the bank be able to attribute the transactions back to you, given that they were executed without being authenticated or authorised?

'EVERYBODY KNOWS WETANGULA’

This is basically what Senator Moses Wetangula was asking Kenya Airways to do. He demanded – and succeeded in accessing – a service without authentication and authorisation.

If something untoward had happened to that flight, Kenya Airways would not have been in a position to authoritatively state that the person who boarded the plane claiming to be Moses Wetangula was actually who he claimed to be.

Of course there is the argument that “everyone” knows the very able Cord principal, Minority Leader and Senator Moses Wetangula, and so he should have been left alone to enjoy his flight without authentication.

Such thinking would present the biggest security hole in any system, including the very sensitive airport security system.

Imagine a terrorist, well familiar with such a procedure that allows public figures to fly without auditable identification.

A LOOK-ALIKE TERRORIST

Then imagine this terrorist undergoing a makeup transformation to look and act like one Moses Wetangula in order to exploit this weakness, and then successfully boarding a Kenya Airways flight from Nairobi to Mombasa without valid identification.

Imagine further that this terrorist, having been exempted from the irritating authentication mechanism, takes over the flight and directs it to land right inside one of our leading tourist resorts.

Who would be blamed for this turn of events? Would it be Kenya Airways or the real Honourable Senator Moses Wetangula, who at the time of the tragedy may innocently have been transacting national business at the Senate?

We must look beyond the individual and begin to appreciate that “systems” and “procedures” may be inconvenient, but are there to keep each of us safe and sound.

ARE BIRTHDAY CARDS ID?

We need to see that exemptions to the rule are an opportunity to be exploited by fraudsters, criminals and terrorists.

But others would insist that the Honourable Senator produced other forms of identification. These included credit cards and National Assembly cards, amongst others.

However, unless these “other” forms of identification had previously been documented by the Kenya Airports Authority as acceptable forms of identification, they remain null and void (not acceptable) for the purposes of travel.

The nature and form of valid identification remains the prerogative of the service provider. Otherwise travellers may decide to come with all manner of identification ranging from insurance cards to birthday cards, and demand to fly.
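As an added illustration (not part of the original column), the following Python sketch models the two ideas the column relies on: the bank that authenticates with a password plus a personal question and then authorises each action separately, and the service provider that decides for itself which forms of identification it will accept. It also shows what the “everybody knows him” exemption costs: an action carried out on an unauthenticated session is logged, but the log cannot prove who actually did it. The bank, its customers, passwords, answers, permissions and the accepted-ID list are all made up for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed example. Customers, secrets, permissions and the
# accepted-ID list below are hypothetical.

PBKDF2_ROUNDS = 200_000


def derive(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so the bank never stores the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def normalise_answer(answer: str) -> str:
    """Personal-question answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    answer_hash: bytes
    permissions: frozenset  # what the customer agreed the account may do


@dataclass
class Session:
    principal: str   # the identity the session is attributed to
    verified: bool   # True only if authentication actually succeeded


class Bank:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.audit_log: list = []

    def enrol(self, name: str, password: str, answer: str, permissions) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(
            salt,
            derive(password, salt),
            derive(normalise_answer(answer), salt),
            frozenset(permissions),
        )

    def authenticate(self, name: str, password: str, answer: str) -> Optional[Session]:
        """Authentication: password AND personal question must both match."""
        acct = self.accounts.get(name)
        if acct is None:
            self.audit_log.append({"event": "login", "principal": name, "verified": False})
            return None
        pw_ok = hmac.compare_digest(derive(password, acct.salt), acct.password_hash)
        ans_ok = hmac.compare_digest(derive(normalise_answer(answer), acct.salt), acct.answer_hash)
        ok = pw_ok and ans_ok
        self.audit_log.append({"event": "login", "principal": name, "verified": ok})
        return Session(name, verified=True) if ok else None

    def exempt(self, claimed_name: str) -> Session:
        """The 'everybody knows him' path: a session handed out with no authentication."""
        return Session(claimed_name, verified=False)

    def perform(self, session: Session, action: str) -> bool:
        """Authorisation: the action must be in the account's permission set."""
        acct = self.accounts.get(session.principal)
        allowed = acct is not None and action in acct.permissions
        self.audit_log.append({
            "event": action,
            "principal": session.principal,
            "verified": session.verified,
            "allowed": allowed,
        })
        return allowed

    def unattributable(self) -> list:
        """Actions that went through but cannot be proven to be the named principal's."""
        return [e for e in self.audit_log
                if e["event"] != "login" and e["allowed"] and not e["verified"]]


# The service provider, not the traveller, decides what counts as identification.
ACCEPTED_TRAVEL_ID = frozenset({"national_id", "passport"})  # hypothetical published list


def valid_travel_id(id_type: str) -> bool:
    """Anything not on the documented list (credit card, birthday card) is rejected."""
    return id_type in ACCEPTED_TRAVEL_ID
```

The personal question stands in for whatever second factor the bank actually uses; in practice such answers are often guessable, so a one-time code is the stronger choice, but the structure is the same: two checks before a session exists, a permission check on every action, and an audit entry that names a verified principal. The exempt session is the only way an entry can end up in `unattributable()`, which is the column's point in code.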

JOHNNY CARSON’S CAR

Before concluding, the following story may provide further insights. Many years ago, when Johnny Carson was the US Ambassador to Kenya, I found myself queuing for a visa interview at the American embassy.

His car arrived, and I noticed that it underwent, with him inside, exactly the same security checks as the cars before it, including sniffer dogs going over the whole vehicle.

He, however, sat patiently in the car and did not look like he was getting irritated or about to complain – despite the fact that he “owned” the Embassy.

It took me years and some information security training to understand that it was NOT about the Ambassador. It was about the security of the Embassy, his staff and thousands of Kenyan customers waiting to be served.

This is how we should all try and see it.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Twitter:@jwalu