All Things Techie With Huge, Unstructured, Intuitive Leaps

When The Customer Isn't King - Account & Data Security Breaches That Can Be Prevented



The news for two major retailer giants in Canada has not been good for them or their customers in the past few days. Loblaws, a grocer and dry goods retailer, had their PC Points loyalty system breached. One customer had 110 points worth $110 spent in the province of Quebec, and she has never even visited that province. Another customer who is a system administrator, said that he had a different password for every account, had his points stolen as well. News link: http://globalnews.ca/news/3237876/ps-plus-points-stolen-security-breach/

As well, Canadian Tire, a retail giant that sells everything from automobile accessories to sporting goods to snack foods, has been hacked, compromising both loyalty points and credit card balances online. News link: http://globalnews.ca/news/3236903/exclusive-canadian-tire-website-breached-consumer-accounts-in-question/

The financial losses of hacks such as these, are tremendous. When Target was breached in 2014, they estimated the losses to be $148 million dollars according to an article in Time Magazine. In that same year, job losses due to customer data breaches were estimated at 150,000 people in Europe. The global picture is frightening. McAfee, the Intel security company estimates monetary losses of $160 billion per year for data breaches.

Hacking isn't exactly a new phenomena. In 1979, infamous convicted hacker, Kevin Mitnick broke into his first major computer system, the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. The most embarrassing privacy breach came when Ashley Madison, the website for having extra-marital affairs, was hacked and over 30 million names and credit card numbers were exposed, causing at least two suicides.

So in this day and age, why does this happen? Can it be prevented?

Aside from an inside job, one of the reasons that hacking is successful, is the antiquated way that servers, databases and accounts are accessed. To connect to a server, one usually must have a username and a password. This is true to gain access to a server as an administrator. However one doesn't need administrator access to hack into data and accounts. Customer account information is stored in what is known as a 4GL database (4th Generation Language). This table-driven database is usually clustered on it own server and is exposed to the outside world so that its data can be accessed by platforms, analytics, and web interfaces. Again, with a user name and password, once can gain entrance to the data store and exploit the data. Many many databases still have "root" as the username to gain God-like access, and all that you have to do is either guess, derive, or gain access to the password. Many administrators commit the cardinal sin of using the same password on all accounts, and it may be gotten from such things as the name of their pet, which is information on social media. For years, the huge database company Oracle shipped their databases with a default account name of "Scott" and a password of "Tiger", left over from one of the original developers, that were never removed. I walked into many data centers as a consultant, and typed in Scott/Tiger and got access to the crown jewels.

No matter how much security that is built into any system, it is still vulnerable to the shaky access of system of a username and password. There is a better way. It is inexpensive, fairly autonomous, easy to use, and orders of magnitude more secure than a conventional database approach to storing customer data. It is a blockchain.

People know blockchain from the digital crypto-currency Bitcoin, and that fact alone has poisoned the well for quick adoption of blockchain technology. Blockchain is a technology & methodology for the digital recording of any transactions, events, ancillary derived meta-data & chronological logging of any business transaction that requires security, integrity, transparency, efficiency, audit & resistance to outages. It is the acme of trusted data. It also stores values like crypto-currency, digital cash and loyalty points, but its main selling point is that it is a true, autonomous ledger. Period.

When a technology evangelist mentions blockchain to the C-Suite level, several things happen. If they have heard of blockchain and its association with Bitcoin, there is pushback, because of how crypto-currencies have been exploited in the press. If they haven't heard of blockchain or have heard of it, but do not understand it, there is a fear of committing to the unknown. There are only about 2,000 blockchain developers worldwide, and most of them are still building proofs of concept. C-Level tech officers in corporations do not have the tech talent to immediately go to this technology, and it is perceived as untested bleeding edge stuff (not true). The other fly in the ointment, is that there is a blockchain consortium built around the Ethereum platform. That may all be well and good, but Fortune 500 is more suited to a private blockchain, controlled by themselves as they are responsible for their data.

So why is a blockchain more secure? For starters, any responsible blockchain incarnation does away with username and passwords. Authentication is done with a private encryption key right on the device. No amount of keylogging or password trapping will allow the breach. On top of it, conscientious construction of the authentication should be done with a tandem collection of MAC address or MDID of the mobile device. A MAC address is the embedded serial number of the network card in the computer that can easily be collected by any web page and MDID is the hardware serial number of a mobile phone or tablet that can be externally queried. Thus, any machine making changes to the data can be identified by device and encryption key.

On top of all of that, each blockchain query agent needs an encryption key just to read the blockchain. No amount of brute force hacking can get you into the blockchain, unless you are authorized to do so, and have a key created for you.

Blockchains can not only hold digital values like money or loyalty points, but they also can contain bits of code that enable smart contracts. In fact, they can store a digital anything. In other words, when certain conditions are met, actions can happen securely because of code embedded in the blockchain. Blockchains are impervious to data being fraudulently altered, because each transaction is linked to a previous transaction using encryption and hashing. You would have to change the entire transaction history to perpetrate a fraud.

The last benefit of blockchains is not that obvious, but highly desirable. You can write any information to the payload of a blockchain. So if you store transactions with a semantic, machine-readable identifiers, one can perform stream analytics in real time on the transactions. This can be coupled to machine learning, not only to identify fraud, but also to enable wallet-stretch to sell the consumer more things that they really need.

Does a beast such as a private semantic blockchain exist? You bet. Ping me.

No comments:

Post a Comment