Corporations that store consumer data are implicitly given trust by consumers. This is a trust they must maintain or risk losing business accordingly. Proactive—not reactive—measures are the hallmarks of trustworthiness, and represent indicators for the future of data handling.
Ambulance Chasing, Cyber-style
Having your data stolen is turning into a rite of passage for browsing around the internet; if you’ve been on the internet, chances are a full set of your credit information (known as a “fullz” when being sold on the Dark Web) is somewhere out there waiting for an identity thief to purchase it. Companies and governments who get breached are starting to feel pressure to comply from customers and laws alike; 80 percent of consumers in developed nations will take their business elsewhere because their data was impacted in a breach.
While a variety of cybersecurity companies have sprung up claiming to be able to detect a threat while it’s happening, few companies offer preventative solutions. For example, Discover card network has offered the ability to freeze your account whenever you like, but this doesn’t do much toward preventing theft in the first place. This is like having a home security system that sounds an alarm after an intruder is already inside, rather than before they break in—it doesn’t go very far towards helping you feel secure.
Another service typically offered in response to cybersecurity breaches is remediation after the fact (for a small fee, of course). They often read like a bad apology letter or reprimand: do better next time; think about what you did wrong; have a free credit report so you can look back and reminisce about the halcyon days before your data was stolen. In practical terms, these are little more than a band-aid for your ego; they do nothing to solve the issue of your being violated. Like a lawyer chasing an ambulance in order to offer legal counsel while you are being patched up in the ER following a car accident, these services may make you feel better about what happened, but they don’t stop the accident from occurring.
In an effort to strengthen the authentication process across the cybersecurity industry, the FIDO Alliance has redesigned vulnerable login systems of the past to be virtually resistant to human error. The Alliance has published a number of papers since its inception in 2014 addressing the integration of FIDO architecture into industry use cases, and thus far, the only reported vulnerabilities in FIDO systems happen because information structured in external topologies must traverse the cloud to do its work.
While many systems have succeeded in implementing partial FIDO security measures, they ultimately fall short in severe threat models. Phones are increasingly biometric in their authentication methods, but this only protects the phone, and does not govern content outside the phone. Websites, games, and applications use a variable range of security, leaving the user guessing more often than not as to the fidelity of their connection. Devices with biometric authentication methods are similarly vulnerable, since the authentication is to the device (versus another device or app); once outside their own protection, your data is fair game. If stolen, biometric data can be used to replicate your identity as long as you live—and maybe even after you’re gone.
Back on the Chain Gang
If you are on a site you know uses strong authentication to protect its users, check to see if third-party content is likewise guaranteed.
The EU’s General Data Protection Regulation (GDPR) includes a caveat for supply-chain vulnerabilities: anyone involved in the processing chain is liable if a breach occurs. In early 2018, 99% of EU-based websites had content from third-party domains and issued third-party tracking. This means the website you deliberately visited would load things from other websites, possibly even recording that you visited the other sites—maybe even tracking you afterwards. Between April 2018 (pre-GDPR) and July 2018 (post-GDPR), the number of third-party cookies per page dropped by 22% across all European news sites. That this number has diminished is indicative of at least some responsibility for the risks to which companies expose consumers.
Less insidious (but still concerning) is the fact that almost half of Internet users can’t readily tell the difference between Pay Per Click ads and the actual links generated from their search criteria, ending up visiting sites that may exist just for click-through revenue, and have little or nothing to do with their searches. Coupled with the fact that the first three items to list in a search get the most clicks—and often the first three items on Google are ads—millions of people end up going to websites about which they know nothing, except perhaps that Google vetted them prior to posting their ads.
Are We There Yet?
Google, which has also had the misfortune of being breached, finally decided to make Chrome detect if a site has a history of being compromised, and warning users to take what measures they may (usually changing login credentials). Mozilla FireFox has a similar plugin. Since you know your login info is already out there, changing it is one of the few measures you can take to make the stolen data less useful. Firefox also has an anti-tracking policy that prevents cross-site tracking and “unintended” tracking. Apple’s Webkit has also enacted prevention against cross-site and other tracking, with plans to adapt as new methods surface.
StrongKey’s message to companies and governments is this: Don’t let your company fall into the bucket of businesses who have ignored the trust placed in them by consumers. If you take proactive, preventative security measures by following FIDO best practices, maybe you won’t have to list yourself and your customers among the aggrieved.
The industry is sitting up and forcing down a heavy dose of its own medicine, and it looks to be a bitter pill, but one that ultimately must be swallowed in order to lead to a healthier body of trust. This is accomplished by implementing strong authentication and maintaining transparency with users. These two steps go a long way to creating an environment where trust grows and can be easily maintained—and in the end, that’s priceless for everyone involved.
