BA Hack Shows That Our 20th Century Methods Have Produced A Fragile Digital World
While there’s little information about the actual technical details of the British Airways hack, there are many significant things that it already highlights. The chaos, for example, around the reporting of the incident has left many unsure about its scope and the risks that we now face.
Overall we live in a fragile digital world, one in which we keep cobbling along in the same old ways. We have been using the same methods for our information infrastructures for decades, and just apply sticking plasters to the bits we discover are at risk. We are thus a long way from having a properly trusted infrastructure for every transaction.
In the recent hack on the SWIFT network, a $20 million transfer was only stopped because of a typo in the word “Foundation” in the payment instruction, and by then $81 million had already been cleared. If that is the level of authentication and trustworthiness of our new information world, then we had better get ready for a large-scale collapse of our financial infrastructure, as the hacks are only going to get bigger.
A potential breach of the full card details behind some 380,000 card payments, over a period of about two weeks, at a company with a turnover of £12 billion per year, should NOT happen in a world which now has the tools to properly protect transactions.
Overall the technical reporting of the breach has been very poor, and there is very little for experts to go on. To open an incident statement with the things that were not affected, and then not mention the things that “might” have been breached until the FAQ section, is a report which tries to put a positive spin on very bad news:
It may still be a traditional database hack, such as SQL injection or the compromise of an unpatched back-end component, but the scenario of a complete playback of user keystrokes would rock the foundations of our e-Commerce infrastructure. It would be a world in which you could not guarantee that anything you typed into a browser reached only the party it was meant for, and that would call our complete digital world into question.
So why does this type of hack still exist? Surely if we used encryption to protect the transaction at every part of the process we would not be faced with a hack of this scale. Every single step, from a single keystroke on a computer to the eventual processing of the transaction, should be encrypted and verified at the level of the data itself, rather than relying on protecting the tunnel that carries it.
While HTTPS is a step forward in trust, it is only a small part of the overall protection of the data. It protects the data between the browser and the server that terminates the TLS connection, and gives some assurance that the user is connecting to a valid system. It plays no part in securing the actual trustworthiness of the data exchange with the back-end infrastructure: once the connection is terminated, at a load balancer, a CDN or the web server, the card details sit in clear text for every component behind it.
Why, in the 21st Century, are we still passing our credit card details around the world in clear text? Why should the browser, or the merchant's servers, even see our CVV number in clear text? Why can we not just prove that we know something about our credit card details, without actually revealing them? There are so many questions that remain unanswered.
GDPR is not all about the fines for companies. It was meant to clean up a generally poor industry which has often refused to change its old ways. Our systems and processes should thus have been vastly improved in the run-up to GDPR coming into force, but for many companies it was business as usual: they took their existing methods and built a few more defensive layers around their infrastructure. As long as some implement proper encryption while others do not, and some employ 24x7 monitoring and third-party information sharing for their infrastructure while others do not, there will always be an uneven playing field.
We need to move to a digital world which is secure by design, and the integration of proper encryption is a move towards that. Our problem is that we are using 20th Century protocols and methods and just patching them as we go. That is not building a new world, but taking an existing world and making it digital.
Our world must adopt the blockchain approach to a fully trusted infrastructure, where encryption is used at every point and where smart contracts secure transactions. Within zCash and Ethereum we see ways of protecting identities, and the aim is to make every single part of the transaction safe and trusted.
People like money, and where there's money, there are criminals. They may be external to your business or working right beside you.
Our public sector, our industry and our society need to adopt new ways, and build something for future generations to build on. If we don't, they will spend more time fixing the problems we have caused than building a more trusted world.