Thursday, September 07, 2006

The futility of online security....



I got ripped off this week on eBay - as did a bunch of others (many of whom probably don't realise it yet). In short I collect fine art photography, and eBay can be a good source. What appeared to be proofs or press prints signed (autographed really) by Helmut Newton (not a photographer or style of photography I would normally collect ironically) were on sale at a low, but not ridiculously low rate. I bought six - to find out that they were cheap and nasty computer forgeries. I am down about $300 - and the scamsters are probably up many thousands by now...

This painful and annoying performance led me to reflect just how easy it is to commit crimes on the web. It's interesting (I think) to reflect that such a scam as this was near impossible to pull off (on this scale) prior to the Internet. For one thing the forgeries would have had to be a heck of a lot better than these. The scamsters used psychology, and imaging technology to make crude forgeries appear very convincing on the screen. They also used simple psychology and the skills of old fashioned con-artists to pull in the buyers. Most security issues relating to technology fall into this category, and yet we spend little time doing anything about this.

Whilst at Ovum I wrote a commentary on the futility of much computer and internet security technology. It's not that you shouldn't use security features, simply that in the main crimes are committed using good old-fashioned cons and techniques. The 'crackers' that the IT community loves to obsess about generally do little damage other than to expose security flaws in commercial software that only other crackers and hackers would have the wherewithal to do anything with. It's a circular mini industry of software developers doing their level best to develop secure software, 'crackers' exposing their mistakes, developers developing patches, and security-focused technology vendors making a buck on the side.

Likewise the theft of credit card information generally falls into three categories:

  • It is copied/stolen from a secure location by somebody with secure access to it
  • It is inadvertently lost by somebody leaving a laptop containing the data somewhere it should not be (like a bar for example)
  • It is a genuine transaction for a potentially embarrassing transaction (online porn for example). This small transaction provides details used for larger illegitimate transactions - though typically still small enough to ensure the owner of the credit card will not put up too much of a fuss (blackmail of sorts)

All of these rely on people screwing up, and technology can do little to prevent these things happening.

In fact technology at times, far from making life more secure, actually provides a highly efficient platform for crime. With ever more data stored with little control or regulation, that platform can only become more efficient. In particular I think Internet blackmail is likely to become more prevalent. The incidence of small credit card fraud above is a worrying new development in this direction. There will always be a thin line between freedom and security, but I for one think that there is too much data held on too many people, by organizations who have little moral or in some cases legal right to have it. We freak out when credit card information is lost to criminals, but I really do think worse is looming.

What my eBay experience taught me is that if something looks too good to be true, it probably isn't true. And also to trust our instincts more - for you see what really caught me out here was that I trusted eBay (not the seller), despite nagging doubts that in a one-to-one situation would have led me to walk. Security is at the end of the day our business, it's our job to ensure that we are secure - and it always has been and sadly always will be the criminal's job to catch you unawares. Likewise holding vast amounts of personal data on members of the public is a huge responsibility, with potentially cataclysmic fallout if it ends up in the wrong hands. Yet anyone in this industry knows that few firms in possession of these vast data mountains truly appreciate the burden of responsibility on their shoulders.

There appears to be nothing much that eBay can do about my scam - I have been in touch with the Helmut Newton Foundation and am currently helping them track down these miscreants, but likely they will get away with it. As many more will in future....
