T-Mobile: Yet Another Breach That PKI Would Have Prevented.
It’s only after T-Mobile’s customer information went on sale on a hacker’s forum that the company came out to admit that they had suffered a data breach. According to Drew FitzGerald, the breach involved the exposure of the social security numbers and personal information of over 40 million of T-Mobile’s customers.
The stolen data included names, birth dates, social security numbers, phone numbers, account PINs, and driver’s license information. We all know the kind of damage malicious actors could do with that set of information.
In his 18th August post for MarketWatch, FitzGerald reported that T-Mobile said that it had reset the PIN codes of all the affected accounts.
The question is,...
... how will that prevent another breach from happening?
It’s most likely that the cybersecurity team at T-Mobile is on an overdrive trying to find and patch up a vulnerability in their systems that they believe the attackers exploited – as well they should.
But why do security technology experts keep doing the same thing while expecting different results? The fact is that there is a well proven platform that could prevent all this – and yet T-Mobile and others use only bits and pieces of that platform.
Let’s turn our attention to what the hackers were after – customer information. They are after people’s information because it's valuable in the current internet ecosystem.
If you are a customer of T-Mobile, your personal information in their database is like a digital replica of you. Unfortunately, you have absolutely zero control of your online self in T-Mobile’s space. If an attacker steals your personal information from T-Mobile’s database, it’s like they’ve kidnapped your online persona, and they can do with you whatever they please.
The solution to all these challenges has been hiding in plain sight all along. We need a different trust anchor other than passwords and PINs. People’s digital personas need to be attached to who they are in the physical world via PKI identity certificates.
Passwords and PINs both introduce vulnerabilities that inevitably result in breaches. Let me repeat: breaches are inevitable in a system where authentication uses passwords and PINs.
There is a solution. PKI identity certificates solve the problem. They have to be done right, and there’s a lot of friction involved in getting users to do things a different way; but it solves the problem. Because it solves the problem it’s time for companies to bite the bullet and solve the problem by going to PKI identity certificates.
Defenders of passwords like to point out that they are sent from your phone or browser using hashing techniques that obscure the password very effectively. So what’s the problem?
Here is the problem: if I capture your hashed password, I can log in as you even though I don’t have the actual password. That’s called a “pass the hash” attack. I simply grab the hashed password, log in as you, and have my way with your account.
Defenders of passwords will also point out that attackers tend not to bother with such sophisticated techniques because 1) people use weak passwords and 2) people are careless about where they store their passwords.
So… no problem for the company because it’s the user’s fault? Believe it or not, that’s how a lot of companies think.
OK, let’s cut to the chase and talk about identity certificates.
Here’s how they work.
When you sign up for an identity certificate, your phone or laptop or tablet or other device generates a pair of very large mathematically related numbers. One of the numbers never leaves the device – it’s very secret and typically it’s not even disclosed to you.
The other very large number is public – it accompanies your username or for that matter it can replace your username.
Now, here’s the magic. When you log on, the server uses your public number to make a puzzle, and then sends the puzzle back to you. Since the only way to solve the puzzle is with that secret number that never leaves your phone or other device, the server knows it’s really you when it receives the solution to the puzzle.
Here’s another important part: every puzzle made with that public number is different. A hacker can capture everything: the public number, the puzzle, the solution to the puzzle – and will not be able to do anything because the solution to a previous puzzle is useless.
Your secret number is only made available for puzzle solving if you present a fingerprint, facial image or PIN, so if your phone is lost or stolen it can’t be used to authenticate as you. Importantly, the fingerprint or face or PIN is matched right on the phone. Like that secret number, it never goes anywhere.
So that’s how PKI identity certificates work.
But who says that the person who enrolled is actually who they claimed to be? Here’s one of the many places where the “Done Right” part of PKI Done Right come in. Your identity certificate is universal, so you can use it anywhere. In fact, you own it; it doesn’t belong to T-Mobile or your bank or your healthcare provider or the government or any other relying party. It is yours.
But how did you establish that you are really you?
The fact is that universal credentials need an authority to back up your identity claim. It’s a certificate, and a certificate, whether on paper or on bits, consists of authority attesting to a claim. In this case it’s your claim of who you are.
A department of motor vehicles attests to the claims on your driver’s license; the State Department or its equivalent in your country attest to the claims on your passport, and a vital records department in some government entity attests to the claims on your birth certificate. As Lawrence Lundy-Bryan has wisely noted, “There is no such thing as decentralized governance.”
The Need for Digital Buildings
Another word for PKI Done Right is AUTHENTICITY. Authenticity means that your personal information, the prize that the attackers are after, is your intellectual property and is kept in a digital vault that is accessible in whole only to you, and in little pieces only to people you have specifically licensed to have. So for instance if your car needs tires then you might license anyone in the category called “tire vendors” to know what kind of car you drive, how many miles per year, etc. Soon as you buy those tires you revoke those licenses.
This personal information vault is like your file cabinet inside your home office inside your residence.
Let’s think about buildings for a moment. Buildings are about more than keeping the rain off your head; buildings are actually sets of accountability spaces. You tend to know who’s in a room with you, and you tend to know who has access to the files and other resources in a building.
Think of the security of a physical building. What if you asked the receptionist in your building to establish the character and intention of everyone who walks in? That would just cause chaos. Right?
We secure physical buildings by reliably identifying everyone who walks in. That makes everyone in the building accountable for their actions while in the building. When T-Mobile and the rest of Silibandia collect your information, they’ve not reliably identified who you really are. They’ve just collected a set of information that can create an online persona. Anyone else with the same set of information could create another you online.
Buildings are our spaces of accountability. In order to make it impossible for anyone to create online personas that are detached from the actual owner of the information used, we need digital buildings. Digital buildings will allow us to have measurably reliable digital identity certificates. That will mean no one can masquerade as you regardless of what information they have about you. The demand for stolen personal information would die and with it the need for hackers to infiltrate systems to steal such information.
Also, it’s not that these infiltrators are using brute force hacking to get into company systems. Security technology experts have already done a good enough job on that front. Unfortunately, that will never be the solution to the cybercrime menace.
If you care to look a bit closer, you’ll realize most of these breaches are a result of social engineering, more specifically phishing. There’s no information on what caused the T-Mobile breach, but I’d be willing to be bet my bottom dollar that it was another phishing incident.
AUTHENTICITY would solve phishing once and for all. If there’s a trust anchor that helps us reliably identity anyone who tries to make correspondence with us, no one is getting access to systems they are not authorized to access.
Going back to our buildings analogy, think about it and you’ll see we’ve simply been using the internet the wrong way. Sometimes back, the internet was nicknamed the information highway. That name perfectly fits. The internet is still an information highway, but we don’t have online buildings. As such, we’ve extended its use to functions that should typically be carried out inside a building. We are holding meetings, banking, exchanging confidential information, etc. by the side of the highway. Heck! we are even letting our kids play by the side of the highway.
PKI Done Right (PKIDR)
The technology that will make Authenticity possible was invented half a century ago. It's called PKI (Puzzle Kit Infrastructure).
Have you heard about PKI? Watch this video.
PKI provides the construction materials that we need to construct digital buildings. Construction materials by themselves cannot provide shelter. They have to be turned into buildings. Similarly, PKI by itself cannot offer measurably reliable digital identity certificates. Measurably reliable digital identity certificates will be made possible by a combination of PKI and a duly constituted public authority. That’s where the city of Osmio comes in. That combination is what we call PKI Done Right (PKIDR). PKIDR translates to AUTHENTICITY.
Watch this video to learn how PKI construction materials can be turned into PKIDR.
In the PKIDR world, people will act as who they are online. Everyone will be accountable for each one of their actions online. And the best part is, everyone gets to guard their privacy as much as they want to. You’ll remain anonymous for as long as you don’t do anything illegal or unethical that might necessitate the disclosure of your identity.