It’s December 23rd, Sunday morning. I just finished brewing my coffee and I’m checking my emails. There are some late Christmas gifts still pending delivery and I want to make sure they will be delivered the next day.
While checking my emails, I see a strange email. In fact, there were two aspects of that email message that were strange. The sender was an IP address, and the subject of the email was one of my passwords. Once I opened the message, a third strange aspect came up. I was being blackmailed.
The sender of the email was asking for $939 (please observe the amount, right below the KYC limit) in bitcoin, to be sent to a specific address, otherwise all my email contacts and friends on Facebook would receive a video of me watching porn. My heart rate was sky high and I was thinking about how this could be true. It wasn’t about whether or not I had visited porn sites. It was about how wrong this was and how it could have destroyed someone’s life.
I decided I was not going to “negotiate” this and I would not be a victim of the blackmailer, and in a couple of days the whole incident had settled down. I was not thinking about it anymore, but I was thinking about how this could have been possible. And then, it hit me.
From November 2018 to December 2018, the personal data of more than 800 million people was hacked in what we now know as the “Quora hack” and the “Marriott hack”. When someone says 800 million people, it is hard to get a grasp on how many people that number really means. It’s just a pretty big number. It’s like trying to visualize 800 million USD. For most of us that is impossible. But 800 million people is like having the entire population of the USA and Europe, plus a few other not-so-small countries, exposed on the internet. Now you can picture what 800 million people looks like.
A few days later, listening to music on my phone using a service like Spotify, I noticed that the music had stopped for some time. Checking my phone to see what was wrong, I saw a message saying that I had reached the maximum number of devices that can use the service simultaneously. It was strange, because I was not sharing my account and I was the only one listening. Well, it appears that I was unwillingly sharing my account.
I immediately started changing my passwords and even creating new email addresses, one per service, so that in case of another security breach I could contain the damage to that email address and that account only.
The process of changing the passwords and creating new, unique email addresses for each web service/application I use took some days. While I was in the middle of it, I received an email from Fitbit, letting me know that, based on my request, they had changed the email address under which my Fitbit watch was registered. I was like, WTF?!?! I did not request this. It’s not me!
Now somebody else had access to my Fitbit account and also to my watch. Cool! I turned off the watch and asked Fitbit for help, and after a while I took back control of my account. The good thing was that I was not using services like Strava that would pinpoint my GPS coordinates.
How was this even possible?
Well, it is not entirely the fault of Marriott or Quora or even Equifax. They were doing what everybody is doing. They were playing the custodian role for our personal details, collecting customer data every time an account was created or a room was booked.
Technological development and progress came at such a pace that it caught us off guard, in the sense that even today, in 2019, we are using old technologies to authenticate, or to prove that we are who we say we are. Whether we are creating a Gmail or an Amazon account, renting a car, or booking a hotel room or an Airbnb apartment, we are providing some personal details about ourselves. But Gmail or Amazon or Airbnb are not in the business of securing our personal details, even if it’s common sense that they are supposed to do all they can to protect that data.
They ask for a mobile phone number, an email address and a home address, among other details, because this is the industry standard or because they need some of those details to provide their service or product.
Where have they failed, and where do they continue to fail?
They’ve failed to keep our details secure. Just days ago, Facebook acknowledged that for some time they had stored the passwords of ~600 million users in clear text. We would have expected more, right? (Not more users ;), but better security in place from an entity like Facebook.)
They’ve failed by using such an anachronistic system of username and password, which, once known, exposes their users to a whole new set of threats. If I had accepted being blackmailed and paid the $939, would I have been able to go back to Quora or LinkedIn or Marriott and ask to be reimbursed? Who is paying back for all the credit cards fraudulently issued, or the loans taken out, using exposed users’ personal data?
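The clear-text storage described above is the textbook case of keeping the secret itself in the database. The following Python example is added here for illustration; it is not code from the original post or from any company named in it, and the function names, the record format and the iteration count are assumptions. It places the plaintext approach beside salted, iterated hashing with constant-time verification, so the stored record cannot be turned back into the password even if the table leaks.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption chosen for
# this example (in line with current OWASP guidance), not from the post.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The failure mode the post describes: the secret itself is the record,
    so anyone who can read the table, a log or a backup has the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one
    precomputed table, and the iteration count slows every guess."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the hash from the salt and iteration count stored in the
    record and compare in constant time, so response timing does not leak
    how many bytes of the digest matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never authenticate on it
    if algorithm != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(expected, actual)


def record_reveals_password(record: str, password: str) -> bool:
    """True if the stored record contains the password verbatim, i.e. a
    database dump would hand the attacker working credentials."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    weak = store_plaintext(pw)
    strong = store_hashed(pw)
    print("plaintext record exposes password:", record_reveals_password(weak, pw))
    print("hashed record exposes password:   ", record_reveals_password(strong, pw))
    print("verify correct password:", verify(strong, pw))
    print("verify wrong password:  ", verify(strong, "wrong password"))
```

Storing the algorithm name and iteration count inside the record is what lets a site raise the work factor later and re-hash each user's password at their next successful login, instead of having to reset everyone.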
The solution is to stop perpetuating this system of handing over personal data in exchange for access to a particular service. Today, the technology allows us to prove that we are who we claim to be without actually giving access to our details, or, depending on the regulations, to maintain an encrypted, privately controlled copy of our details in the public domain, without the bank or the car rental company holding its own copy or registry of them.
By choosing this approach, businesses would no longer be a target for hackers, because there is no more data to be stolen. They would no longer manage our personal details; it is we, the individuals who actually own the data, who get to control to whom, how much, for what reason and for how long we share our personal details. And that’s the reason why applications like Persona exist: to put us, the individuals, in control of our data, so we can finally stop being the victims.