Broken Trust – it’s time to ask why
I entered the Cybersecurity space when someone close to me went from being digitally engaged to disengaged overnight. How did this happen? Today – it’s a fairly normalised story. They’d received an email from their bank, logged in, updated their details as requested by this trusted entity, and then logged out. Two days later, their account was empty, and two days after that, their laptop was in the bin – never to be touched again. It wasn’t their bank – it was a scammer.
This occurred over 10 years ago and prompted a fair bit of navel-gazing on my part as I looked at the why – why did they fall prey to this? I’d dedicated my life to solving problems via digital technology and somehow my industry, my passion, had let them down. We’d failed the very people we believed we were helping.
The problem ended up being fairly straightforward, as was uncovering why.
- As a person, an employee, a customer, a citizen, I am expected to simply trust my service providers and my government, but whenever I interact with them I am expected to jump through ever-increasing hoops to prove who I am. On one side there exists no trust; on the other, an insistence on blind trust in a faceless digital interface. We got here because we simply digitised existing processes and flows. 30 years ago, the bank teller knew me and my parents by name. Today – my own kids have never interacted with a bank teller, and my eldest is already an adult.
- As a person, I have been indoctrinated into this blind-trust approach – I must divulge information in order to prove myself. I must give away immutable identity information such as my voice, my face, my fingerprints, my age, my place of birth, and so on. I must be prepared to answer questions about my life. We got here because systems needed a match – something that allows them to believe it’s me.
Organisations, their security groups, and associated identity providers want to own everything about you. They want you to perceive them as your saviour – but if anything goes wrong, it’s your fault. Even the most recent great news from the big tech giants would have you believe that they are implementing a passwordless world to save you. (It’s not: it’s so they can maintain their business model and continue to track you without breaching new and upcoming privacy laws – but that is for a different day.)
Is there a solution to this problem? Absolutely!
- Provide people with the ability to verify the other side of an interaction. This enhances confidence when interacting, but more importantly, it completely foils attempts to scam either side.
- Remove all dependency on secrets. This one is less obvious, but given the recent spate of big-name breaches and bypasses it should resonate pretty strongly. Any time a secret must be kept secret, it is open to exploit, transfer, and misuse. This is the reason that 2FA (two-factor authentication)/MFA (multi-factor authentication) exists – to try to validate that you are in control of the secret.
It’s time for everyone to question the why behind the ever-growing cascade of data breaches, and the fact that all the band-aids aren’t solving anything except ticking compliance boxes and meeting sales targets.
Until we move away from one-sided approaches, trust is, and will remain, broken.
Tony Smales is the founder of Forticode and this article is his own personal opinion.