Identity theft: The biggest backdoor to cloud security is business policy

By | August 8, 2012

It's no secret that the cloud is not particularly secure. Security gurus have been saying that for ages, and no one has been listening because the cloud is so convenient. Nonetheless, I find it shocking that the biggest 'security hole' may be customer service – not at all a technological reason:

In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.

If we think for a moment on why that is, it is quite stunning: lack of consistency across business policy among cloud providers means that the barrier for identity theft has been lowered.

Identity verification before the cloud
The ancient 'please provide your mother's maiden name' as an identity verification question, and 'please provide the value of the last transaction in your bank account' in addition to your PIN, may be familiar to those who have used telephone banking at some point in the past (wow, I'm old, there was something before online banking). While extremely annoying, those questions ask for details that, at the time, involved an implicit two-step authentication: bank statements were issued in paper form only back then, and my 'secret answer' was something only I knew – even if my PIN was stolen. Even if I know a bank account number, there's no way I'd get any personal information about the bank account owner from a bank.

Identity with the cloud
The tables are turned when we look online: in a world where most profile information is available somewhere on the web, the only verifiable data about a person are typically a mobile phone number or payment method, and there isn't much else that can be used as a requirement to verify someone's identity. So naturally, the minimum requirement for obtaining access to an account (and any data that may be saved with it online) lies below that of the offline world, where physical IDs can still be cross-checked with other information. Business policies that don't even care to ask for that information in its entirety, or at least to verify random pieces of the available information as opposed to sequences, weaken this further and make it much easier to compromise an identity – no more implicit two-step authentication is possible with data-hungry cloud policies.

Not just that, but services are so interconnected: access to one service leads to access to the next, like tumbling dominoes for each segment of the digital ecosystem. And not just because the cryptographic tools and server stack aren't secure enough, although there are enough holes there as it stands.
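
The domino effect described above can be audited for your own accounts as a small fixed-point computation: start from what is already public, then repeatedly add whatever each recoverable account reveals. This is an added example, not part of the original post; the service names, attribute names and policies are constructed placeholders, not any real provider's rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    recovery_needs: frozenset  # attributes support accepts as proof of identity
    exposes: frozenset         # attributes visible once the account is open

# Constructed sample policies (hypothetical services, not real providers).
SERVICES = [
    Service("store", frozenset({"email", "mobile_number"}), frozenset({"card_last4"})),
    Service("media", frozenset({"email", "card_last4"}), frozenset({"mailbox"})),
    Service("social", frozenset({"mailbox"}), frozenset()),
    Service("phone_bank", frozenset({"pin", "last_transaction_value"}), frozenset()),
]
PUBLIC = {"email", "mobile_number"}  # assumed to be findable on the web

def reachable(services, public):
    """Return (order, known): accounts recoverable from `public`, in the
    order they fall, and every attribute known at the end."""
    known, order, remaining = set(public), [], list(services)
    progress = True
    while progress:                      # repeat until nothing new opens up
        progress = False
        for svc in list(remaining):
            if svc.recovery_needs <= known:
                order.append(svc.name)
                known |= svc.exposes     # this account reveals more attributes
                remaining.remove(svc)
                progress = True
    return order, known

def weak_links(services, public):
    """Per service, the recovery attributes that are public or that some
    other service displays: the policy inconsistencies to fix."""
    findings = {}
    for svc in services:
        leaked = sorted(a for a in svc.recovery_needs
                        if a in public
                        or any(a in o.exposes for o in services if o is not svc))
        if leaked:
            findings[svc.name] = leaked
    return findings

if __name__ == "__main__":
    order, known = reachable(SERVICES, PUBLIC)
    print("exposed chain:", " -> ".join(order))
    for name, attrs in weak_links(SERVICES, PUBLIC).items():
        print(f"{name}: recovery relies on {attrs}")
```

In the sample data only `phone_bank` stays outside the chain, because neither of its recovery attributes is public or displayed by another service.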

And so what does it all mean?
All said and done, is that going to change how I use the cloud? No. But I'll probably recheck what information is linked where (there are currently two accounts I need to clean up). My mantra has been, put nothing valuable in the cloud – unless absolutely necessary. And that probably makes me a dinosaur: I still live with the problem that when the SATA backup drive falls, all the kids' photos are gone with it. No private lifestream, no iTunes, nada. At the same time, it also means that whoever hacks into my account shouldn't find anything that isn't already public or semi-public (yes, there's a class of information that is only protected by an 'it is illegal to misuse information acquired from here' clause).

Sometimes being a dinosaur isn't that bad after all. 🙂

/via +Dominik Mayer

How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racis…
