If you haven’t come across Latitude before, it was born out of GE Consumer Finance in 2015, when a consortium comprising Deutsche Bank and investment funds Värde Partners and Kohlberg Kravis Roberts bought the financial services company for A$5.8 billion.
Latitude reaches far into New Zealand’s credit markets, for example as Kiwibank’s personal loan provider.
As anyone who has tried to take out a loan recently knows, anti-money laundering laws and regulations have been tightened up considerably. Because of that, lenders are required to gather vast amounts of information on borrowers. Ironically enough, that is one big part of the problem.
Organisations keeping the information might have a handle on how to keep it safe themselves, but this being the interconnected and outsourced world, there are third parties that supply services to consider as well.
Latitude blames the hack on two third-party providers, one of which looks set to be revealed soon.
This type of attack is becoming more common. In the United States, massive telco AT&T was breached recently through a third-party vendor, with 9 million customer accounts being leaked.
For borrowers, the defence mechanisms for dealing with data breaches look like a complicated set of hoops to jump through, in different locations as well.
The IDCare organisations in Australia and New Zealand provide good summaries of what to do, but really, it’s a mess with no single site at which to pull up the drawbridge for protection.
If and when you spot strange things taking place, it’s usually too late and you’ve been hit.
One piece of advice if you suspect something is wrong is to get a credit report to see if someone has, for example, tried to get a loan in your name.
That’s not so difficult these days, and some agencies do it in one working day, whereas Equifax takes 10.
Leaving aside the obvious question of whether the credit checking agencies are able to handle 8 million, or even half that number, of worried Latitude customers wanting to know if they’ve been defrauded, the potential victims of course have to identify themselves first.
How? Usually through providing current NZ driver’s licence or passport details. If you’re comfortable with that, I have a gigantic 2017 Equifax data breach that affected over 163 million people to tell you about.
The problem here is that while using automated online systems is convenient for customers, and gives providers the internet scale that lets them handle large volumes of transactions at a low cost each, there is a flipside.
Criminals know where to look for information which, once captured, they can use for multiple types of attack, thanks to some poor systems design choices made in the past, such as using email addresses as users’ login names.
When criminals get in, boy does that internet scale come back and bite users or what, as an incredible amount of abusable information becomes readily available. Putting that genie back in the bottle is almost impossible for data breach victims.
Some of the thinking around how to fix this really serious problem involves not passing on and storing information on goodness knows how many servers somewhere on the Internet.
Instead, providers verify that you are indeed the person you claim to be through local authentication, with no personally sensitive information leaving your devices. The technology for this exists already, but needs more refinement (and legislation) for everyone to start using it.
Hiding sensitive information like that would also devalue the data for providers, who could no longer easily mine it for insights, reuse it for other purposes, or resell it. The same applies to information like single-use credit card numbers, which stop working once a transaction is completed, so there is no data left to be compromised.
That, and the cost of changing large existing systems, will meet with resistance from providers.
In essence, it seems we need to fundamentally remodel the Internet and services provided through it with privacy and security in mind to sink the growing criminal enterprise of lucrative data breaches.
This, incidentally, does not mean decentralisation, blockchain and web3 whatever, but perhaps just spreading out the attack surface so that a single hack doesn’t net so many accounts in one go.
There’s no simple answer to how we could engineer privacy and security into our online lives, but it’s necessary work that we’re moving much too slowly on.