You call it 'hacking.' I call it 'investigation'
Let's call the whole thing off
Something for the Weekend, Sir? Here's a photo of what I had for lunch! Amazing!!!
No it isn't amazing. It's your lunch.
You gotta see the new 4k TV I bought today!
Thanks for giving me a fascinating, if cursive, inventory of your consumer durables.
Took Jonesy out for his walk and he chased a rabbit.
Nice to have your pet's name. Could be useful.
Your date of birth is gratefully received too. May I also have your mother's maiden name?
Hey john im setting off CUL8R
Thanks. Now I know you're out with John, I can break into your flat and nick that TV.
OMG just got back from the proctologist
Well, that really puts the finger on the problem: nothing is secret any more. As Bette Midler notoriously quipped, the only way we're going to see parts of Kim Kardashian that she hasn't already laid bare to the world is if she were to "swallow the camera."
Various surveys and reports over the summer have highlighted the rise in identity theft and put the blame squarely on the idiot public's misuse of social media. With everyone sharing their most intimate details to all and sundry, no wonder computer systems are so hackable, we're told.
On the other hand, this is a bit like a drugged-up speed racer mowing down a little old lady who steps into the road, and then blaming her for not using a pedestrian crossing.
Or to put it in recognisably politically correct terms, it’s like telling a woman she deserved what she got, going out "dressed like that."
Most IT security currently revolves around the sharing of little secrets. Unfortunately, rather like the secret life of Walter Mitty and James Bond's agent code number, these tend to be the worst-kept secrets you can possibly imagine.
Let's have a look at these secrets, shall we?
- The date on which I was born.
- The place in which I was born.
- My mother's maiden name.
- My pet's name.
- My favourite food.
- My bank account details.
- My phone number.
- The total on my last bill.
Gosh, those are going to present a devilish challenge to a hacker, I must say. Even the slightly more esoteric secrets shouldn't be too hard to guess with a little social media trawling:
- The last film I cried at.
- My favourite holiday destination.
- My favourite subject / teacher / brand of cigarettes while at school.
Basically, what IT security chiefs are saying is that if a hacker breaks into my account, it's probably because I told someone my date of birth.
Much though I'd like to keep such things a total secret, it does make inviting friends to your birthday party very challenging. As for my pet, IT chiefs would rather I give it a name comprised of upper- and lower-case letters, three numbers and at least one special character before I consider shouting it aloud in the park.
I plan to sell the dog and replace it with a correct battery horse staple.
Frankly, the business of blaming people for allowing their very existence to be public knowledge, essentially turning us all into what the newspapers thrillingly refer to as "a bit of a loner," seems an odd way of tackling security failings in the systems supposedly designed to protect us.
Such is the laxity of the IT security that binds the modern world together: we are witnessing a return to the good old days of writing passwords on pieces of paper. And – my favourite – proving to retailers that I am the entirely legitimate bearer of a contactless debit card by merit of holding it in my hand.
Some 17 months ago, I suggested grasping the biometric nettle by issuing "arsewords" to allow access to the company washrooms. While biometrics are just another kind of shared secret, they are rather more difficult to guess at, and DNA chains are impossibly awkward to share by mistake on Twitter.
Even so, as tech-in-the-wild grows equally more sophisticated than the security systems invented to fox serious hackers, it is possible, even likely, that we will become even easier to hack in a biometric future. While it takes some hard graft to go hunting round parish records and government registries, let alone filtering out the white noise of social media, all a future hacker needs is a single hair follicle, and they'll own my entire DNA print.
Very slowly, the industry is beginning to consider the prospect of providing access permissions in ways that don't involve dull passwords, guessable secrets and physically holding an eminently nickable device such as a debit card or a smartphone.
AI systems have been developed to help identify callers in telephone banking, supposedly right down to spotting whether the caller is acting shiftily.
Given that "shifty" is my normal mode of behaviour, this could present a problem. Except, of course, the AI should realise this and only raise warning flags if I begin to act uncharacteristically open and friendly, but only if it knows my usual demeanour – which is something that could be impersonated.
I suggest most criminals will find it easier to do a little acting than to do a lot of IT security penetration. This is just the same as calling up a celebrity's voicemail and pretending to be the dim celeb in question by typing the default 1234 PIN. It's not really the celeb's fault for being dim so much as the telephone company thinking this amounts to a secure voicemail system.
Let's rethink the concept of what counts as access credentials. Passwords and even two-factor authentication just don't seem to do it any more, because the passwords are guessable and the two-factor device (typically a smartphone) is itself easy to hack and even easier to steal.
Until then, our back doors are permanently open to rogue hacker proctologists.
People have lost the art of keeping a secret. ®
Alistair Dabbs is a freelance technology tart, juggling IT journalism, editorial training and digital publishing. When he raised the issue with fintech experts of looming government plans to outlaw end-to-end encryption, they refused to express any opposition to them. So don't expect much advancement in banking security any time soon. FBI Update: 14kg