The niner noteworthy and the 12 recaps of 2016 (day 8)

Data breaches are becoming commonplace, but are the companies responsible for keeping their data and our identities secure actually better off doing nothing to achieve that, or do we need to punish them harder when they fail to do so in the first place?
Who trusts companies and governments to actually keep that data secure and not misuse it for marketing purposes? And what about our own willingness to provide sensitive and unchangeable data in security questions and for biometric authentication?
Or is the ever growing availability of 2-factor authentication the silver bullet we were looking for?
And how about our seemingly separate online vs. offline lives, or is that myth slowly but surely disappearing and converging as well?
Read today’s instalment and you may be surprised at the answers to these questions.

In chronological order:

Sad reality: It’s cheaper to get hacked than build strong IT defenses


There is unfortunately one major difference between the Pinto (Ford’s big risk management mistake) and current day IT security breaches: accountability and costs. You don’t have to look as far back as the Pinto incident to see that this still holds today. Volkswagen has a major financial and reputational problem with its diesel emissions scandal, yet on the flip side companies with major recent data breaches hardly feel the pain, except for some dips in their stock price, which is overrated in most cases anyway, certainly in the tech sector.
So as much as I hate to say it, as long as companies do not feel the pressure to comply, either through massive public outcry and financial and reputational damage or through massive fines and regulation, nothing will change.
As for the first option, since most big internet companies are not paid by their users, except with their privacy, the financial impact of breaches is not felt by the company but by its users (or products, if you will).
As for the second option, there is one major issue with that as well, and it is indicative of why I’m writing about this in the first place: risk management. If regulations and big fines are introduced, companies will still do just enough to fulfil their compliance obligations and that’s about it. We will have to see how, or even if, the GDPR will change this in Europe come 2018.
source: The Register (external link)

Punish companies for cyber security failures, directors say


So, directors themselves apparently say: “if you don’t punish our companies we will not take data protection seriously at all, so please do fine us”. That is the outcome of the research presented in this article, which underscores what I just wrote in the previous story.
Unfortunately the author of this article misses the point of this research, because to me it shows clearly that data protection is not taken seriously enough, and that will only change when and if big fines are introduced.
As for the UK, because of Brexit, trying to lure companies with a less strict data protection regime than set forth in the GDPR (General Data Protection Regulation, coming into force May 2018): as long as those companies do business in the remaining European Economic Area they have to comply with the GDPR anyway, so that won’t help them. Unless the UK Information Commissioner’s Office is going to play hide and seek with the regulation.
The most worrying bit though will be the power the national data protection agencies will have in the end to enforce and penalise companies, which greatly depends on their budget and staff size. As that is barely enough at this moment in most countries, the question is how much the new breach notification rules and fines will actually change boardroom complacency on this topic.
source: The Telegraph (external link)

Customers ‘bewildered and fearful’ about use of their data


In all honesty, it is often the marketing department that screws things up in this respect. That 92 percent don’t exactly know how their data is used is hardly surprising, considering that privacy policies are not only often lengthy but also written in legal language which is nearly always incomprehensible.
That 51 percent responded that their data was misused may be a direct effect of that, or may even be actual misuse. I have seen that a lot of times as well, even at very respectable organisations which I shall not name in this article.
Unfortunately I predict this trend and mismatch will only grow in the coming year.
source: BBC News (external link)

TIME TO KILL SECURITY QUESTIONS—OR ANSWER THEM WITH LIES


Precisely my comment on Twitter as well after the Yahoo breach, which got me a BBC World Business Report interview as a bonus, and precisely why earlier in this series I commented on the PayPal 2-factor authentication bug, noting that security questions may not be the safest fallback method for when your phone has no coverage.
The problem with answering security questions with lies is that you have to store those answers somewhere as well to be able to recover your account. Which, given that you apparently can’t store or remember your password, will be an issue for account recovery.
Other methods are obviously better, but would you really send a copy of your passport to Yahoo or Facebook to authenticate your account? I think not, although they would like that very much for obvious reasons.
Maybe we should look at third-party authentication services that can also handle anonymity when required, but that may just shift the problem and the hacker focus to those parties in the long run. This is a difficult topic which could have big implications for account security, user privacy or both.
source: Wired (external link)

TWO-FACTOR AUTHENTICATION – ARE YOU SAFE?


All the commercial bits within this article aside, no system is foolproof. The fact is that 2-factor authentication generally is more secure than any one-factor username/password-only system can ever be.
Unfortunately, with most 2-factor authentication systems we also need to trust in secure communication of that 2nd factor over traditional telecom networks, in the form of a voice call or text message. That trust is somewhat misplaced, as these networks are certainly not secure.
Can a 2-factor system be secure? Yes, if the tokens are fully generated on a dedicated hardware token or on your mobile phone itself, without relying on any internet communication from the server to either supply the code or trigger the generation process. It is not trivial, but it can certainly be done.
source: VeriClouds (external link)

Fingerprint tech makes ATMs super secure, say banks. Crims: Bring it on, suckers


This is indeed a worrying scenario, which can already be exploited at several banks and credit card companies that are using selfie-based biometric authentication systems. The biometric data stored in your modern passport is not really secured either; losing it is therefore a potential nightmare scenario, not only for future use of biometrics in authentication but for identity fraud as well.
Even worse, some UK banks are using voice recognition as an authentication method. Yet at the same time Adobe is developing software that could make such systems completely useless, apart from its privacy implications, which I will write about in tomorrow’s instalment in this series.
If ever more companies are going to use and store biometric data, the potential for data breaches including those bits of information increases substantially, and the impact will grow exponentially worse as biometric data can never be reset.
Can biometrics never be used securely? Not entirely; as long as the data is kept in one place, e.g. in a secure chip inside your mobile phone, and is used for authentication together with other mechanisms, that would greatly reduce the risks associated with its usage.
source: The Register (external link)

Insider Threats To Data Have Gone Up In Past Year


And I would say that both data management solutions (not identity management only) and employee training combined would best serve to reduce insider threats of this kind. That goes only for the careless part, not the malicious part obviously.
With this kind of survey you also have to take the numbers with a grain of salt, as certainly not 100 percent of breaches are detected. So they can say that breaches are detected faster than last year, but are those all the breaches that have occurred? Probably not.
The problem, however, is that the percentage of breaches that is detected is hard or maybe even impossible to guesstimate.
source: Dark Reading (external link)

Op-ed: Stop pretending there’s a difference between “online” and “real life”


I could simply say

no comment

and just let you read the article for yourself, as I can’t but fully agree with what the author is saying.
There is of course still a difference between offline life and the online world, however that difference is quickly becoming less and less obvious in a lot of cases, so much so that sometimes we don’t even realise anymore that some things would simply break the moment the internet connection stops working.
It is therefore quite disturbing to see how many companies, organisations and governments still lag behind in adequately securing their computer networks and, even more important, their valuable data or information (note: information is data too, only it has been sorted and analysed).
source: Ars Technica (external link)

Guessing valid credit card numbers in six seconds? Priceless


So much for the PCI DSS (Payment Card Industry Data Security Standard), apart from the fact that credit cards are inherently insecure. Yes, even that CVV code on the back (or front in the case of American Express cards) is not secure either: if you enter it once on a site and it gets leaked it can be misused as well. So it certainly is no proof at all that you have the physical card in your possession.
Why then are we nearly all using credit cards on the internet? Because if we, as customers, get ripped off, the card company almost always reimburses us, so we don’t feel the financial pain of our card information being misused.
Apart from the standard card number, CVV code and expiration date, some credit card companies are using online passwords, e-code or SafeKey solutions to complement the basic card information. Ultimately though, systems like Apple Pay may take over, as those are more secure and less costly for online shops, or for us if those shops charge us extra for using our credit cards on their site.
source: The Register (external link)
