Someone in some faraway place has my Social Security number. Or so suggests a notice I received recently from the US government. Along with an offer of one year of free credit monitoring, the notice informed me that my personal data was compromised in the 2014 breach of the Office of Personnel Management (OPM) computer network. The compromised data included, among other things, detailed personal information – including mine – from the SF-86 forms (for obtaining security clearances) of millions of current and former government employees and contractors.
Large databases of aggregated information such as the OPM databases, Amazon’s customer databases, and the soon-to-be-created French identity database are ‘honey pots’ since they are very sweet targets for hungry hackers. (The term ‘honey pot’ is commonly defined as a decoy set up to catch hackers but here it refers to non-decoy aggregated databases.)
The OPM hackers were certainly nation-state actors engaging in espionage and the data they stole included very detailed personal information that the foreign government could use to design very convincing spearphishing emails enabling the deployment of malware compromising even more government computer networks. The OPM hack compromised unencrypted fingerprint data. This is by far the most serious aspect of the breach and is probably the best illustration of data aggregation dangers.
The criminal class of hackers attempt to steal from single databases aggregating personal information which bad actors can use to open financial accounts under stolen identities. Such data includes Social Security numbers, credit card numbers, and other information which the hackers can use themselves or sell to others. Amazon, for example, stores credit card numbers in its databases and consequentially, their network is under constant attack.
For a secure, well defended network such as Amazon’s, the hackers may resort to spearphishing to gain access. But consider that this is merely a step in the process for accessing what the hackers really want – a single source of personal data on hundreds of thousands or millions of individuals.
Instead of spending huge sums of money fighting the incidental spearphishing problem, why not remove the hacker’s ultimate target by eliminating databases of aggregated personal information?
Smartphones, by now ubiquitous in modern society, can store – in encrypted form – Social Security numbers, credit card numbers, billing addresses, birth dates, and other personal information traditionally kept in large, centralized databases. They also store the reference data used for biometric identity verification.
Besides biometric reference data, personal information is important data that its owner remembers or is recorded on a physical card (e.g. Social Security card) which exists in owner-controlled physical-space as opposed to cyber-space. If the smartphone is lost or stolen, the owner can just store the lost information in a new device. Since the information is always encrypted when at rest, bad actors cannot exploit it as long as encryption keys are properly managed.
To illustrate, let’s say an online bank uses Social Security numbers as a means to verify a customer’s identity as required by customer regulations. The customer’s Social Security number is stored ‘at rest’ in three places – the customer’s smartphone, in the Social Security Administration’s databases, and the IRS databases. The online bank could receive the customer’s Social Security number in encrypted form, decrypt it, and then immediately query the Social Security Administration’s database through an API. For the online bank, the Social Security number honey pot and its associated liability are eliminated with clear and favorable impact on cyber insurance actuarial calculations. (There is more to say about the encryption/decryption procedure in this scenario but I’ll save that for another post.)
It will not be easy to implement this decentralization. As with so many cybersecurity problems, solutions are difficult and will require actions on the part of both the private and public sectors. Government agencies must upgrade both their technology infrastructure and procedures and, along with private businesses, adopt standards. No doubt this will be a very tough task but once solutions are in place, the payoff will be a dramatic drop in cybercrime.
Difficulty aside, the decentralized smartphone storage of some personal data is already happening. With its biometric and payments innovations, Apple offers proof that the technological foundation is in place and the new business processes are practical.
Private and public sector bureaucracy, public resistance, and entrenched business practices may slow decentralization but with coordinated action, liability for both private companies and government agencies will diminish along with thousands of starving hackers.
This article is published as part of the IDG Contributor Network. Want to Join?