Wednesday, June 26, 2019

Desjardins: We are all missing the train.



The last week has been an interesting one from a socio-psychological angle.

I am very pleased with the lessons to be learned from this security event, and I can state firmly that the next classes I teach, and the next conferences I speak at, will include some of these juicy tidbits.

After the first round of press releases, news articles and "interviewed specialists" I can firmly say that we are missing the big picture.

Only a few hours after the week started, class action lawsuits already surfaced claiming 8 billion dollars in damages for the Desjardins members.

This is totally absurd.  It would be nice if everyone involved, including the high-quality bottom-feeding lawyers, would wait for the corpse to be carried out before circling above like vultures tasting blood which will never drip out.

Desjardins was a victim of our failing government.  A government that focuses on doing what is popular and what gets them votes and keeps their "sponsors" sponsoring.

You read that right.

In 2019, birthdates and social insurance numbers are still the central nervous system used to buy property, mortgage a house, get a loan, or get a credit card.

This is a complete failure to understand security and understand risk.

We, as a society, allow government and banks to pawn off our most vital information to companies like Equifax without our consent, yet when we consent to give our information to a bank, we take offense if an employee leaves with our birthdate.

Sure, Desjardins needs to review how they let staff extract data.  Why, for example, would a marketing person need your full birthdate?  Why not just a year, or a range of ages?  So certainly some things can be optimized IN ALL BANKS.  So before we raise our voices with Desjardins, remember that this can happen to any bank and any company.

The big picture remains that our financial ecosystem relies on a VERY broken system of authentication that leaves the citizen scrambling when something goes wrong.  

The system offers NO protection for the innocent, and the innocent must live with the painful consequences when something goes wrong with no wrongdoing on their part.  Once their identities have been used to create false loans or mortgages, they live the nightmare with no support.  Unless they subscribe to a credit monitoring and alerting service from, let's say... Equifax.  How insulting.  How completely absurd that we allow an entire ecosystem to milk us and treat us like this.  How absurd that the banks hold hands in supporting this sick ecosystem.

This should not be acceptable.

Equifax should not exist.  Minimally, it should be a government run service.  

Now I am choking as I write this.  Saying the government should take charge of something is rarely my pitch.  Because, to be frank, the government always runs things so well ;-)

In this case, the government should not only abolish Equifax and take charge of the credit bureau, but they should actually walk into the 21st century and put in place a digital ID.  They should replace the dependency on birthdates and social insurance numbers since these pieces of information have been leaked and exposed for decades.  Banks use your social insurance number as a primary index key in a slew of their systems because it was convenient 30 years ago when the systems came to life.  In other words, this piece of information is all over the place.

People even post their birthdates on Facebook for all their thousands of friends to see.  And by friends I also include scraper bots from Russia and China that harvest everything you drop.

So what should a digital ID be?  Simple: a smart card that could include a digital certificate, be fully authenticated when produced (like when you get your passport created), include digital magic like your driver's license and medicare card on the same piece of plastic, and provide vetted identification when opening a bank account, when mortgaging your house, when contracting a loan.
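To make the difference concrete, here is an added example (not from the post, and not Desjardins' or any bank's code) contrasting the two ways a bank can decide "this is member X": checking static identifiers such as a social insurance number and birthdate, versus a certificate-style smart card that answers a fresh random challenge with a secret that never leaves the card. The member record, the SIN value and the member id are constructed placeholders, and a symmetric HMAC key stands in for the card's certificate and private key (a real card would hold an asymmetric key pair, so that the bank's stored copy is a harmless public key). The example assumes nothing about any real system.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the bank's member file as it exists today, keyed on
# static identifiers.  The SIN is a made-up placeholder, not a real number.
MEMBER_DB = {
    "member-1234": {"sin": "000-000-000", "birthdate": "1980-01-01"},
}


def knowledge_login(member_id, sin, birthdate):
    """Scheme 1: whoever knows the static values is 'authenticated'.

    The identifiers double as the secret, so any leaked copy of the
    member file is a permanent, replayable credential.
    """
    rec = MEMBER_DB.get(member_id)
    return rec is not None and rec["sin"] == sin and rec["birthdate"] == birthdate


class SmartCard:
    """Scheme 2, card side: a per-card secret generated at vetted issuance.

    HMAC-SHA256 is an assumed stand-in for the card's certificate/private
    key.  The secret never leaves the card; the card only answers challenges.
    """

    def __init__(self, member_id):
        self.member_id = member_id
        self._secret = secrets.token_bytes(32)

    def enrollment_record(self):
        # Handed to the bank once, at issuance (a public key in a real PKI).
        return self.member_id, self._secret

    def answer(self, challenge):
        msg = self.member_id.encode() + b"|" + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class BankVerifier:
    """Scheme 2, bank side: issues fresh nonces and accepts each one once."""

    def __init__(self):
        self._keys = {}
        self._pending = {}

    def enroll(self, member_id, key):
        self._keys[member_id] = key

    def challenge(self, member_id):
        nonce = secrets.token_bytes(16)
        self._pending[member_id] = nonce
        return nonce

    def verify(self, member_id, nonce, response):
        key = self._keys.get(member_id)
        pending = self._pending.pop(member_id, None)  # single use: consumed here
        if key is None or pending is None or not hmac.compare_digest(pending, nonce):
            return False
        expected = hmac.new(key, member_id.encode() + b"|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Outcomes for the legitimate holder and for someone holding only a
    leaked copy of the static identifiers (what a data theft yields)."""
    leaked = dict(MEMBER_DB["member-1234"])

    # Scheme 1: the leak is the credential; thief and holder are indistinguishable.
    static_holder = knowledge_login("member-1234", "000-000-000", "1980-01-01")
    static_thief = knowledge_login("member-1234", leaked["sin"], leaked["birthdate"])

    # Scheme 2: enrollment at issuance, then a legitimate login.
    card = SmartCard("member-1234")
    bank = BankVerifier()
    bank.enroll(*card.enrollment_record())
    nonce = bank.challenge("member-1234")
    response = card.answer(nonce)
    card_holder = bank.verify("member-1234", nonce, response)

    # Replaying a captured (nonce, response) pair fails: the nonce was consumed.
    card_replay = bank.verify("member-1234", nonce, response)

    # Knowing the SIN and birthdate gives no way to compute a valid response.
    nonce2 = bank.challenge("member-1234")
    guess = hashlib.sha256((leaked["sin"] + leaked["birthdate"]).encode()).digest()
    card_thief = bank.verify("member-1234", nonce2, guess)

    return {
        "static_ids_holder": static_holder,
        "static_ids_thief": static_thief,
        "card_holder": card_holder,
        "card_replay": card_replay,
        "card_thief": card_thief,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point the post makes falls out of the two verifiers: in `knowledge_login` the stored identifiers are the secret, so every database that contains them is a credential store, while `BankVerifier.verify` only needs the enrollment record and a one-time nonce, so a leaked member file is useless and even an intercepted login cannot be replayed.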

Now, do the banks want this?  Actually, probably not.  It is much easier to have a marketing group signing off new credit card applications in convention center lobbies or airport lounges and relying on paper applications that fall from the sky.

So who wants this?  The citizens want this.  Because it makes sense.

The question remains, why is our birthdate and social insurance number still a critical asset, and what are we going to do about it?



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com




No comments:

Post a Comment

Imagine a Vulnerability Testing tool that defaults to showing you partial results

Well, to my surprise, Tenable.IO has added a new setting that defaults to NOT showing you everything. So when creating a new scan, you are f...