What is Security?
Security is any protocol or measure that is used to protect our information online. This is one of the scarier aspects of the Internet. We have all of our information in the cloud where we can access at any time. This was such a great idea when the web first came out. You could just put something or rather, upload it online. Then later you could just connect to the Internet and retrieve that data at a later date whenever you wanted. You never had to keep the data on you all of the time or worry about it ever going missing. The data was always there. Sounds great right? Accessible data any time? However, not only could you access your data, but so could anyone else. Yes, you have to have an account to access your data. So the data is tied to your account. What if someone else could get into your access and get to your data? Sounds scary right? That is the point of this article, to discuss privacy versus security and whether or not we should sacrifice our privacy to feel “safe”. I would like to talk about user authentication because it involves making sure that we know who we are. How do we know that you are the actual owner of the account that you are trying to access?
Multi Factor Authentication: How Many Layers of Security Do We Really Need?
Protecting your information is very important, especially confidential financial information. With the growth of e-commerce, people are buying more products online than ever. That convenience of being to purchase products without ever having to go to a physical brick-and-mortar store, is not without its issues. Just how safe is it when you make an online transaction? Is anyone trying to intercept your purchase? Is your financial information safe? Sometimes too much inconvenience becomes an inconvenience. How? That is where multi-factor authentication (MFA) comes in. Before data breaches were prevalent and called the need for ever-tightening security, it used to be simple and easy to just access your account. Typically, you just need a username and a password. This is how we authenticated, or verified your identity. Once the pairing of those two pieces of information were accurate and verified, you accessed your account. Due to data breaches, people had gained access to so many accounts, alarming people of having their information compromised. This caused the need to apply multiple layers of user authentication.
Soon after these data breaches, a password was not the only piece of your information that was needed to verify your identity. A second piece of information was required, maybe your email, your phone number, or some other piece of your information. Depending on how secure the system that you are accessing it, even two pieces to verify you is not enough. A third or fourth piece of data became necessary. This is how two-factor authentication (2FA) became MFA. The rising need to build even more secure systems is why two-factors are not always enough to verify your identity. Some people welcomed this idea because the more pieces or factors involved, the more secure the user authentication process was. Many people feel safer using a system that is more secure. Security gives us a piece of mind because we can go on with our lives knowing that our information is safe. You only have to give up your e-mail or your phone number, right? Does extra security come with some strings attached? Some other people think that too many factors means giving away more of your privacy. So you need a password, your email, your phone number, etc. Every factor takes aways another piece of information from you. So this is why some are wary of MFA. Many advocate that privacy is more important than security.
Where I Stand on Privacy vs. Security
Probably based on the previous paragraph, you know where I stand on this issue. I prefer privacy over security because I think that we should not be so eager and willing to give away our information so easily. The problem with too much security is that I always feel that no matter how secure a system is, someone will always find a way in. This is why I would like to talk about a couple of popular data breaches that happened recently. Even the largest companies fall victim to security breaches. So this tells us that no matter how large an entity is, someone will get in. As they say, “If there is a will, there is a way”.
Reviewing a Popular Data Breach: Target
The first data breach that I would like to mention is the Target one. According to the articles that I just linked to as a reference, the Target data breach occurred in 2013. The damage done was quite extensive and illustrates how the consequences of a data breach can be very resounding. The cost of this data breach was about 40 million credit cards and 70 million customer records stolen. Other damages included an $18 million settlement and corporate losses amounting to $200 million. I will not go into the details of the breach as I have the link above for the details. I merely wanted a reference to show some very hefty numbers on what can happen when someone gains unauthorized access to a system. My thought on this data breach is that when you have so much data to protect, it becomes very hard. Why? There is so much data to keep safe. How can you possibly shield all of it? In the simplest terms, think about this example.
Imagine you are carrying a lot of things by yourself. You need to bring these things over to another place. We have all done this. We are going somewhere and we have to bring a lot of stuff with us. Sometimes we run out of space to carry everything. We use every single last bit of space to carry everything at once. Then we realize that we have to move very carefully and slowly so as to not drop anything on the ground. If we drop something, then we have to go back and pick it up. So there is a lot to keep track of at once while doing all of this. Protecting data is the same idea. There is just so much data that you have to keep everything safe and sound. This is not simple because you have overburdened yourself with too much to handle at once. You might forget or drop something without notice. As the data grows, it becomes larger and larger, becoming more difficult to keep under control. This is why large sets of data are easier to break into because their size makes them an easier and more attractive target.
Attackers are very determined to get into a system and get what they want. As a defender, they have to just sit and wait for an attack to happen. Defenders need to constantly monitor any incoming attacks and defuse them. Since defenders have to be on the lookout 24/7, they have the burden of always being on and not letting their guard down. This places a huge burden for defenders to protect the system. An attacker has the advantage that they can possibly find a loophole, or vulnerability that gives them access to the system that the defender left open. Defenders have to protect the whole system and as I mentioned earlier, that system might be too large for defenders to cover everything. Attackers only need a small opening to infiltrate and get inside the system. This is why attackers do not need to cover the entire system. That small little opening is just enough for attackers to enter stealthily. The attack can enter undetected if the defense is not aware of the vulnerability.
If you were to spend your efforts on accessing a system, would you prefer one with 40 million credit cards or one with just a few? Sure the larger system should technically have better defenses up. Then again, we never know until the attack is actually made. More data is more lucrative to attackers. So a more attractive target will be attacked more than a target that offers considerably less. So this is how I view the whole situation with Target. As the web continues to grow in size everyday, the data breaches will only become more severe. Sure we can increase the number of factors in MFA. Each piece of information that you give out to protect your accounts is just another piece of data that someone can take. So that is why I want you to think about how far we should go with pushing more and more ways to secure our data.
Biometrics: How Far Will We Go To “Protect” Ourselves?
At the beginning of the article, I mentioned that MFA now includes your email and phone number along with your password. Biometrics is where you use your actual body as a way to verify your identity. The most common way is to use your fingerprints on your hands. Each person has a unique fingerprint, just like we each have a unique body. This is where things start to get hairy here. Before we were just using pieces of information. Now we are using our own bodies. This can be seen as an invasion of privacy. This is why I said that using more and more factors to identify us would lead to more creative ways of getting our information. It is one thing to just give out your email, but what about your fingerprints? Your fingerprint is a part of your body, it is not just an email address. This is about how much you value yourself and your privacy. Will we really feel safer if we give away our fingerprints too? When does this stop? How much of your very own body are you willing to give away? I pose these questions to you to think and really ponder over. These are some very thought-provoking questions that require serious thought.
What is the Most Secure System?
I talked about attacks that gain access to systems and your data. Have you ever thought about what system is the most secure? What is the one system that no one can get into? That is a very easy question. The answer is that the most secure system is the one that does not exist. Why? Since the system does not exist, then there is nothing to break into. So there is no system with no data for an attacker to gain. By that logic, the most secure system is the one that does not exist. As soon as another system is built, there will be something that attackers will find attractive and target. This is why systems are both good and bad. Systems help us do a lot of things and make our lives easier. We pretty much cannot live without them at this point. Consider how dependent we have become on them. The bad part is that we use these systems so much and place so much data into them that people want access to it.
Recap: Security or Privacy?
I say privacy for the reasons I have stated in this article. I am sure that many feel secure giving away more of their information. This is more about looking back at yourself and saying, “how much more of myself will I give away”? We have already entered biometrics. So you are literally using your own body for verification. Fingerprints are common and you have seen eyes being used in movies. Which part of your body is next to use. This is why I pose so many questions to you. I want to really think about how far we are allowing ourselves to be used just to feel secure. I hope that you found this article enlightening. These are some pretty heavy topics to delve into. I really just wanted to share my opinions and thoughts on the subject while giving you something to ponder about.