In Harry Potter and the Half-Blood Prince, there are a number of new security measures suggested by the Ministry of Magic (as Voldemort and his army of Death Eaters have been running amuk). Some of them are common sense but some of them are much more questionable. Since I’ve also been reading prominent muggle and security expert Bruce Schneier’s book, Beyond Fear, I thought it might be fun to analyze one of the Ministry of Magic’s security measures according to Schneier’s 5 step process.
Here is the security measure I’ve chosen to evaluate, as shown on page 42 of my edition:
Agree on security questions with close friends and family, so as to detect Death Eaters masquerading as others by use of the Polyjuice Potion.
For those not in the know, Polyjuice Potion allows the drinker to assume the appearance of someone else, presumably someone you know. Certainly a dangerous attack. The proposed solution is a “security question”, set up in advance, so that you can verify the identity of the person in question.
- Step 1: What assets are you trying to protect? The Ministry of Magic claims that it’s solution is to the problem of impersonation by way of the Polyjuice Potion. However, this security measure essentially boils down to a form of identification, so what we’re really trying to protect is an identity. The identity is, in itself, a security measure – for example, once verified, it could allow entrance to an otherwise restricted area.
- Step 2: What are the risks to those assets? The risk is that someone could be impersonating a friend or family member (by using the aforementioned Polyjuice Potion) in an effort to gain entrance to a restricted area or otherwise gain the trust of a certain group of people. Unfortunately, the risk does not end there as the Ministry implies in its communication – it is also quite possible that an attacker could put your friend or family member under the Imperious Curse (a spell that grants the caster control of a victim). Because both the Polyjuice Potion and the Imperious Curse can be used to foil an identity based system, any proposed solution should account for both. It isn’t known how frequent such attacks are, but it is implied that both attacks are increasing in frequency.
- Step 3: How well does the security solution mitigate those risks? Not very well. First, it is quite possible for an attacker to figure out the security questions and answers ahead of time. They could do so through simple research, or through direct observation and reconnaissance. Since the security questions need to be set up in the first place, it’s quite possible that an attacker could impersonate someone and set up the security questions while in disguise. Indeed, even Professor Dumbledore alludes to the ease with which an attacker could subvert this system. Heck, we’re talking about attackers who are most likely witches or wizards themselves. There may be a spell of some sort that would allow them to get the answer from a victim (the Imperious Curse is one example, and I’m sure there are all sorts of truth serums or charms that could be used as well). The solution works somewhat better in the case of the Polyjuice Potion, but since we’ve concluded that the Imperious Curse also needs to be considered, and since this would provide almost no security in that case, the security question ends up being a poor solution to the identity problem.
- Step 4: What other risks does the security solution cause? The most notable risk is that of a false positive. If the attacker successfully answers the security question, they achieve a certain level of trust. When you use identity as a security measure, you make impersonating that identity (or manipulating the person in question via the Imperious Curse) a much more valuable attack.
- Step 5: What trade-offs does the security solution require? This solution is inexpensive and easy to implement, but also ineffective and inconvenient. It would also requires a certain amount of vigilance to implement indefinitely. After weeks of strict adherence to the security measure, I think you’d find people getting complacent. They’d skip using the security measure when they’re in a hurry, for example. When nothing bad happens, it would only reinforce the inconvenience of the practice. It’s also worth noting that this system could be used in conjunction with other security measures, but even then, it’s not all that useful.
It seems to me that this isn’t a very effective security measure, especially when you consider that the attacker is likely a witch or wizard. This is obviously also apparent to many of the characters in the book as well. As such, I’d recommend a magic countermeasure. If you need to verify someone’s identity, you should probably use a charm or spell of some sort to do so instead of the easily subverted “security question” system. It shouldn’t be difficult. In Harry Potter’s universe, it would probably amount to pointing a wand at someone and saying “Identico!” (or some other such word that is vaguely related to the words Identity or Identify) at which point you could find out who the person is and if they’re under the Imperious Curse.