August 14, 2012 -
Mat Honan was playing with his daughter when his iPhone suddenly shut off. Little did the Wired staff-writer know this was only the first sign that his digital identity was actively being extinguished.
Hackers, intent on stealing Honan’s 3-character twitter account (@mat), carried out a carefully-calculated and swiftly-timed attack exploiting significant security flaws in two major cloud services and their customer service systems: Apple’s iCloud and Amazon.
“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote in a piece for Wired.
This story has spurred a number of very different reactions online, and its obvious Apple and Amazon’s security measures need to be reconsidered, but this story also begs the question:
What does this say about the extent to which we trust these tools and services to protect our information?
“The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices,” writes Honan.
He’s right – everything is in the cloud, and attacks like these are only going to become more common. I can barely remember the last time I needed an optical drive or worried about harddrive capacity. As a writer, I do everything in the cloud. Whether I’m using one of my tablets, my laptop or my phone, I can always access my files and I’ve unified that experience across all of my devices. In fact, I’m writing this article in Google Drive. If you aren’t dependent on the cloud yet, it’s only a matter of time before you won’t have a choice.
“In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened,” Honan writes.
Two-factor authentication is a security process in which a user provides two means of identification — one is typically a physical token, and the other is typically something memorized, such as a security code. These two means of identification are often referred to as “something you have” and “something you know.”
As Computerworld reported last week, Matt Cutts, head of Google’s Web Spam team urged users to consider Google’s two-factor options to mitigate attacks like those experienced by Honan.
“I … advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked,” said Cutts in a post to his personal blog, shortly after the Honan hack story broke online.
In the case of Google’s two-factor authentication service, a second password for you account is sent to a pre-determined phone number, usually a user’s cell phone. This is the second key needed to access your account, adding an additional barrier for entry.
Click here for directions for enabling Google’s two-factor authentication system.
Honan’s attack, made possible by a combination of precarious systems relying on as little as a 4-digit sequence, has brought many viable security solutions into the spotlight and has had many users and service-providers alike debating the best solution.
But, what about biometric authentication?
Writer Jason Perlow, an advocate for the use of biometric authentication in computing (he wrote a blog about this, and you can read it here), wrote an article this week for ZDNet in which he asks independent security researcher Dr. Markus Jackobbson to consider the plausibility of biometrics as a solution for cleaning up security flaws like those experienced by Honan, and he agrees that biometrics would play a role in improving security measures.
A universal biometric security solution for cloud computing, though secure, would be slow to implement and widespread adoption is not likely to occur overnight. That being said, if Apple’s recent AuthenTec acquisition as well as Facebook’s high-profile acquisition of Face.com are any indication of where the mainstream is headed, biometrics are quickly becoming a prevalent part of our computing experience.
In an interview with Biometric Update, LockStep Group CEO Stephen Wilson warned that there is a lot to consider when talking about online authentication and the use of biometrics online could increase the likelihood of these kinds of attacks and increase the cost to users.
“I’m afraid biometrics could make such hacks even more likely. The Mat Honan story is a precautionary tale about cloud authentication. The enormous temptation with biometrics will be for web single sign-on.” said Wilson. “Unattended remote authentication by biometrics is a very high stakes game. We need high security storage of the templates, tamper resistant and spoof-proof scanning, and end-to-end encryption from scanner through to the backend. The client side infrastructure will be very expensive.”
Wilson also suggests that if biometric cloud authentication were to become a widespread solution, two likely scenarios will occur: “There will be large biometric template databases and the value of the templates will increase,” said Wilson. “Organised cyber criminal attack will be inevitable, and it will be successful if the experience of credit card storage is anything to go by. Biometrics will be more valuable than card numbers because they will grant universal access. I am sorry to say the security industry has not got a good track record protecting big databases. And with biometrics, so far we don’t know how to make them cancellable in practice, so large scale theft will catastrophic.”
What do you think? Are biometrics a viable solution for cloud authentication? Have you implemented Google’s two-factor authentication for your Gmail account? Let us know in the comments.