by Brian Kelley
Late-breaking news: Company X unintentionally exposed X million customers in latest breach. If you’re not used to that headline already, you probably should be. Fool me once, shame on you. Fool me roughly 250 times, and, well, we’re beyond shame at this point. It’s time for an authentication overhaul. The headline should now read: “Company X got hacked. Your passwords should be changed, but they’ll work this time. Honest.”
Verizon has done an incredible job of documenting unauthorized intrusions, bringing the issue to the forefront for news outlets and security institutions worldwide. That’s why it’s such a shame that they are at least partially responsible for the latest exposure of customer service PINs. Roughly seven million users have been put at risk because, well, someone just forgot to lock the door.
We’re all human, and the blame doesn’t rest on any one person. Everyone makes mistakes, but when it comes to the complicated matter of information security and cryptography, little mistakes like “forgetting” to lock up data have incredible repercussions. It’s not the math, the science, or the data that’s failing us; it’s attacker ingenuity outpacing our ability to keep constant watch. Blind spots will inevitably give way to an intrusion.
And just what ARE businesses doing to curb these intrusions? There are more than enough security companies willing to set up secure servers and monitor users, as well as the network, for anomalies. But when it comes down to the numbers, it’s just statistically improbable for humans to keep other humans out.
If people are the element to watch out for, then the fixes should be profoundly human too. Here are five ways that companies and service providers are working to protect your data (besides making you change logins again):
1 — Behavioral monitoring
It’s not just names and addresses anymore. Elements of your life and identity are on our devices, and they track behavior more than we think. You could hold a near-endless debate about the ethics and privacy of metadata, or whether or not it’s even a good idea. But as a way of determining the difference between a true user and an intruder, it works surprisingly well.
2 — Automating Security
If there’s anything we’ve learned from our constantly connected devices, it’s that we are entirely predictable. Much like metadata tracking, we know almost everyone has a pretty set routine that phones and devices are recording. Automated systems that regularly check password, server and firewall settings for unusual activity can catch an intrusion with surprisingly high reliability.
3 — Remote location and device wiping
Owners being able to locate their phones with a secondary GPS program and then remotely wipe them is like something out of modern spy fiction. And it’s almost a necessity. It may sound dour, but be prepared to destroy a device before you let its critical information be exposed.
4 — Employing Universal Security Standards, For Everyone Who Stores Data
In Verizon’s case, it looks like a third-party vendor left data unencrypted, leaving customer service PIN codes in plain text next to names and phone numbers. Two identifying bits of information like these are all it takes to hijack a smartphone, along with any number of exposed accounts.
Service providers can take all the right precautions, but if another company that accesses that data leaves its doors open, then those efforts are irrelevant. There is a push to standardize security measures so that these efforts don’t go to waste, although nobody is even close to adopting a comprehensive set of requirements for every industry. Sure, there are compliance regimes for finance and medicine, but telecom companies don’t necessarily hold their contractors to them.
5 — New ID systems
There was a time when Social Security numbers could be used as ID numbers. Thankfully, that’s fallen out of practice for obvious reasons. But it’s not like other common personal identifiers, such as phone numbers or email addresses, are any better to keep on file.
For almost every online account, a unique username is recommended. If it has to be one unique ID, then it should have absolutely nothing to do with the person signing on. Login credentials and personal information can’t and shouldn’t ever mingle.
Security token technology that could quickly lock users’ accounts to a particular key device is another method. It wouldn’t be that complicated to make a login device as easy to use as a bank card. Given the number of successful network-based hacks, it makes sense to keep as much critical information — especially login information — off of networks as much as possible.