Cyber security made big headlines again last week with the announcement from Samsung that a company called LoopPay, which Samsung had acquired to set up its payment system, had been hit by a hacking incident. Both companies have been eager to assure customers that no financial information was stolen and that the hackers did not successfully breach Samsung’s servers.
The fact is that high profile hacks happen on a regular basis. Earlier this year, notorious “dating site” Ashley Madison was hacked and millions of user profiles were made public. Before that it was Sony, Target, Home Depot, Neiman Marcus, Adobe, even the IRS, and countless others.
Servers all over the world hold data that is worth billions of dollars to anyone motivated enough to penetrate the safeguards at their obviously vulnerable points. As long as data is centrally stored, hackers will continue to reap massive windfalls.
That is precisely why the way technologies secure personal data needs to be flipped entirely on its head. Instead of being centrally managed, the security of sensitive user account data should be decentralized. Instead of controlling information at central and middle points which are so prone to failure, data security must be pushed to the edge.
If the tech world were to ask users at this time to take responsibility for their own data security, almost no one would know how to shut their windows, draw the curtains, and lock their doors. This is a non-starter. The problem of trading between privacy/security and convenience/ease-of-use has been a real nightmare for digital information. Until now.
The technology is now available to do this on a mass scale: to secure huge volumes of data for millions of users without storing it all pooled together on “cloud” servers. It’s called Edge Security.
Edge Security empowers users themselves, and their devices, to easily and automatically manage their own data on their own terms. Edge Security stands in contrast to enterprise security models whose centralized nature makes them relatively easy to attack and incredibly lucrative to compromise. By decentralizing security to the edges (the devices people use), protecting one’s personal data becomes far more effective.
Here are 5 major hacks that Edge Security could have prevented:
The Chinese hacking group Codoso, known for installing hidden backdoors and continuing to infiltrate “secure” networks long after their initial breach is discovered, was inside sensitive networks for five months before anyone at LoopPay knew of the compromise. LoopPay is a crucial piece of infrastructure for Samsung Pay, an Apple Pay and Google Wallet competitor. The companies claim that Samsung Pay is unaffected by the breach, but considering these hackers’ modus operandi, this story is far from over.
Those who track Codoso know they hunt big targets for specific treasures. Edge Security would have presented Codoso with an ocean of treasure chests to sift through, almost all of them empty. Should they ever get inside, they would be faced with the economically punishing task of cracking endless treasure chests one by one, only to find the majority of them empty. Moving on…
The credit rating bureau, Experian, was hacked recently, exposing the personal data of at least 15 million T-Mobile customers. Experian apparently held this pool of data unencrypted behind one common lock. With Edge Security, each individual chunk of consumer account information gets its own lock with user-controlled access by default. To compromise 15 million accounts would require cracking 15 million locks.
In this case, Experian admits that the hackers got off with names, addresses, social security numbers, dates of birth, passport numbers, driver’s licenses, military ID numbers, etc. But rest assured, Experian says, “there is no evidence that the data has been used inappropriately.” See, nothing to worry about. Unless you consider that hackers are incredibly patient, and Experian conducts credit checks for many dozens (hundreds?) of corporations, not just T-Mobile. In fact, 200+ million Americans have trusted Experian to secure their private information. Oops. Another hack, another story far from over.
Out of all these egregious hacking stories, this one stands as a clear reminder to the average person that even if they are doing nothing wrong, perhaps they do still have some things they wish to hide. This infamous breach affected ~100 celebrities. Their undeniably private photos found the thirsty eyeballs of millions of Internet voyeurs, but the hack itself was not some great technological feat. It used publicly available information to identify its targets, and exploited known weaknesses in certain Apple products (in this case, Find My iPhone) that were ostensibly there to “help” law enforcement.
Because Find My iPhone doesn’t limit unsuccessful login attempts, the attackers were able to make unlimited guesses on their targets’ passwords. Easy. Because so many people — celebrities included — reuse passwords across multiple services, the attacker used the same password from Find My iPhone to get into iCloud. Bingo. Because Apple decided weak encryption for iCloud accounts was a good idea, and also did not provide Two-Factor Authentication (2FA) protection for iCloud and iOS backups prior to this hack, anyone able to guess your password can see and use and share your personal information.
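The control missing from the first step above, shown as an added example that is not part of the original article: a failed-login throttle keyed by account, meant to sit in front of every endpoint that accepts the password, compared with an endpoint that skips it. The class and function names, thresholds and account name are assumptions chosen for illustration.

```python
class LoginThrottle:
    """Failed-login limiter keyed by account; share one instance across
    every endpoint that accepts the account password."""

    def __init__(self, free_attempts=5, base_delay=2.0, max_delay=3600.0):
        self.free_attempts = free_attempts  # failures allowed with no delay
        self.base_delay = base_delay        # seconds; doubles per extra failure
        self.max_delay = max_delay          # cap on a single lockout
        self._state = {}                    # account -> (failures, locked_until)

    def wait_time(self, account, now):
        """Seconds until the next attempt is accepted (0.0 = allowed now)."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - now)

    def record(self, account, success, now):
        """Update state after the password has actually been compared."""
        if success:
            self._state.pop(account, None)
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        extra = failures - self.free_attempts
        delay = min(self.max_delay, self.base_delay * 2 ** (extra - 1)) if extra > 0 else 0.0
        self._state[account] = (failures, now + delay)


def attempts_checked(window_s, throttled, account="user@example.test"):
    """Constructed load: one wrong password per second for window_s seconds.
    Returns how many of those guesses reached the password comparison."""
    throttle = LoginThrottle()
    checked = 0
    for t in range(window_s):
        now = float(t)
        if throttled and throttle.wait_time(account, now) > 0:
            continue  # rejected before the password is looked at
        checked += 1
        if throttled:
            throttle.record(account, success=False, now=now)
    return checked


if __name__ == "__main__":
    print("endpoint without throttle:", attempts_checked(3600, throttled=False))
    print("endpoint with throttle:   ", attempts_checked(3600, throttled=True))
```

The throttle only helps if every password-accepting endpoint consults the same instance; one endpoint that bypasses it restores unlimited guessing for the whole account.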
Edge Security would have thwarted this particular attack in a few different ways, but even better, we’re developing solutions to address the core issue facing digital security today: the lose-lose compromise between security and convenience. We designed Edge Security to happen automatically in the background of the user experience. That’s a win-win for security and convenience.
Even the largest bank in the US and fifth largest in the entire world cannot keep your personal information safe from digital Bonnie and Clydes. Hackers breached 90+ servers, achieving levels of penetration that affected 76 million households and 7 million small businesses. The venerated corporation claims that no fraud has occurred, nor were customers’ financial details compromised, just their names, emails, and phone numbers, of course.
Banks decry new and disruptive technologies for being high-risk and deleterious to “consumer protection,” but they can’t even protect their customers’ data within their own networks. Edge Security is the ultimate consumer protection.
Ah, yes. Ephemeral picture messaging. This service has its users thinking the pics they send will self-destruct and disappear after they are viewed. Now, that sounds like a security and privacy feature, doesn’t it? Well, in late 2013, Snapchat was warned about some exploits found by a white-hat cyber security research firm that could allow hackers to link usernames and phone numbers for use in stalking targets. The warning was ignored so the firm, Gibson Security, decided to publish the exploit publicly to spur Snapchat into action to patch the vulnerability and avoid embarrassment. Snapchat’s response was to downplay the disclosure and allude to some flimsy countermeasures that did practically nothing to address the exploit method now loose in the wild.
The inevitable happened days later. Hackers posted 4.6 million users’ personal information on a website called SnapchatDB.info, including real names, usernames, and phone numbers of both “private” and public Snapchat accounts. The hackers appear to have been motivated by Snapchat’s callous disregard for the disclosures of security researchers. They even called out the startup for lying to its investors and users about its purported 70% female userbase. Indeed, the disclosures show that Snapchat’s own API can be exploited to generate hundreds of thousands of false accounts.
Edge Security would have prevented any pieces of user data from being linked, as well as the targeting that results from that. With Edge Security, users are in complete control over their data, until they choose to share it with another user. Ethical questions surrounding services that retain access to data that their users think has been deleted aside, Edge Security means the service in question can be tasked with transmitting, but not seeing, users’ private data.