Friday, 23 September 2022

The flaws of everyone wanting 100 points of online ID

So we've had yet another massive cyber hack that has put people at risk of identity theft.

Quite apart from the failures of this company's system in this hack, and the failures of other companies' systems in other hacks, there is a more fundamental question that needs to be asked:

Do we really need to provide 100 points of ID for everything we are being asked to provide it for?

I've known of people having to provide 100 points of ID to change the details of their phone payment scheme - in ludicrous situations where they have already provided security details. In fact, I changed my superannuation company partly because the new one didn't have the ludicrous levels of superstition-based-security that my now-previous superannuation company did [Note 1].

(What happens when parents need 100 points of ID to collect their child from childcare? Would someone with an illegally acquired 100 points of ID be able to take a child even though the child keeps saying "No, that other one is my parent!")

I also changed my phone company away from the one that suffered the cyber hack, for reasons including their ludicrous levels of superstition-based-security.

I've used the word superstition, but it could also be fashion: do these companies think they have to go along with security theatre type actions because other companies are doing that? If so, then apart from the basis for implementing those actions (and thus the implementation itself) being questionable, there are other impacts, as I discussed here.

The blind mantra of 100 points of ID has, in my opinion, become so universal that its value has been reduced.

And it doesn't help that everyone has a different interpretation of 100 points of ID (and many online systems are incapable of working with provision of such data in home settings - which is a staggering level of incompetence). In fact, are we seeing an endless sequence of one-uppersonship?

There is another issue here, which is the equipment used to collect such information - for example, Australia Post collects individuals' signatures in their offices and when delivering parcels (and sometimes ID details such as driver's licence numbers): are the systems, people, and equipment safe for us to entrust such intimate personal details to?

I had an email exchange with Australia Post over this some years ago, and they either determinedly refused to accept responsibility for those systems, people, and equipment, or they were too incompetent to understand that they had a duty of care around such matters. 

How do I know they haven’t bought a cheap hackable unit that makes it possible for my signature to be stolen and used illegally? 

In fact, that raises my next point: 

Do we need an independent organisation / authority who can and will test the security of departmental and private company online and data security systems - including for human weaknesses, and that data collection requests are genuinely justifiable?

Such an organisation could be used by customers to feel a little more confident that they can trust people delivering a package at the door and asking for a signature and photo ID, and that corporate requests for loads of intimate personal data are genuinely appropriate, and not data mining or unnecessary.

We can't ask for proof individually, as that is an obvious security risk, but we don't have any other choice in most cases, and companies have shown they cannot be trusted over security and data harvesting, and the massive stuff-up with MyGov - and other problems such as emailing private information out - shows government departments also have problems.

The everyday person needs an organisation or company of people who are all like Bruce Schneier to be a preventative bulwark between them and the possibly incompetent, irresponsible, wilful, rapacious people and organisations who are harvesting and storing their intimate personal data.

Such an organisation would be massive, and would have significant liability risks, which may mean it is best viewed as a public good and thus protected from some legal action. I'm aware of the ACSC, but that makes entirely voluntary recommendations, and I think we're at the stage where this is more a public service essential - akin to providing safe drinking water.

So, to sum up, I would like to know: 

  • Given that every piece of personal information provided is immediately an inherent vulnerability, is 100 points of ID genuinely needed in all situations, or would fewer points of ID be OK in some circumstances - which would reduce the inherent risk of providing those intimate personal details? Are these decisions being made to match what others have done, or for corporate image, or as the result of a genuine independent assessment by experts who use data (similar to what Bruce Schneier does) - rather than superstitious paranoiac fears about the internet - of the risks of both providing and not providing each piece of information?
  • How do we know the systems, people, and equipment being used to collect and store our personal intimate details are trustworthy?
    Do we need an independent organisation / authority who can and will test the security of departmental and private company online and data security systems - including for human weaknesses, and that data collection requests are genuinely justifiable (i.e., not data mining nor actually unnecessary)?
    Such an organisation would be massive, and would have significant liability risks, which may mean it is best viewed as a public good and thus protected from some legal action. I'm aware of the ACSC, but that makes entirely voluntary recommendations, and I think we're at the stage where this is more a public service essential - akin to providing safe drinking water.

Others have asked for better protection as well - see https://www.msn.com/en-au/news/australia/optus-hack-renews-calls-for-better-protection-of-customers-and-their-personal-data/ar-AA129jrR

See also: 


PS - An article at https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142 provides good information on the technical details of the breach, and also includes the following:

In a separate story, The Guardian reported that in 2020 Optus argued against giving consumers stronger rights over control over their data during a federal review of the country’s Privacy Act.

Optus opposed giving consumers a right to erase their personal information, citing “significant technical hurdles,” it reported. The company also opposed greater consumer power to take legal action against companies over data breaches, the publication wrote.

What an unconscionable act - which seems to me to be putting profits ahead of the wellbeing of customers. 

Have we got enough pressure now for our (the Australian) government to FINALLY adopt European GDPR style protection? It would be a small but significant righting of the imbalance of power between people and corporations.

PPS - the cult of convenience is the twin sibling of paranoiac superstition - and both are evil. 

Closely related to this is the insistence of some that their way of doing things digitally (whether it is using Microsoft or Apple / Macintosh / Linux, types of software / social media platforms, tree displays of networks or using search functions, displays being focused on the top or bottom of the screen [why does no-one suggest maybe the middle?], full screen display vs having a nice relaxing border, etc [one day I might come up with better examples]) is best, which is the same as when schools forced left handed people to try to be right handed - to the detriment of all, just as these limitations-based-on-lack-of-life-experience also harm productivity, creativity, and people & society all round.


Notes

  1. They were also inept as a superannuation company, and were named as such publicly by the relevant authority.
    Moreover, they routinely sent me requests to confirm my details as if someone had requested a change.
    Now, either their ludicrous levels of superstition-based-security were not working, or they were just using what seemed to them like a good formula to coerce people into checking in through their ludicrous levels of superstition-based-security to their system.
    The problem was, both they and some of the companies I had worked for while with them had histories of homophobia, and I therefore had real reasons to fear that such requests could be real. If they were, why were they not just getting kicked out by their ludicrous levels of superstition-based-security?
    In any case, why did they never answer my requests for advice as to who was trying to change my account? Given the circumstances - where such requests would have been criminal activity - the criminal making the unauthorised attempt had, IMO, no right to privacy - and that superannuation company trying to hide their identity makes them accessories or even accomplices to a crime (to wit, an attempted theft of identity - the attempt is a crime whether it succeeds or not).
