Target, eBay and now Office. Why don't more sites use public key encryption systems like OneID?
“Unfortunately we have been the subject of a security breach resulting in unauthorised access to your Office.co.uk account,” read the email the British shoe website Office apparently sent its customers on 28 May, admitting that it had become the latest victim of a crime the industry seems powerless to stop.
The attack gained access to information including name, address, phone number, email address and (incredibly) the passwords of account holders, the firm explained.
But fear not, continued the email with a completely unwarranted sense of self-congratulation, “we can confirm that no credit card, debit card, PayPal or bank details were compromised in any way.”
Of course, had criminals used financial information stolen in the breach to defraud customers, the financial consequences would have fallen on Office, not its customers, so the reassurance is pretty moot.
Office might not acknowledge it but, as with the eBay hack from earlier this month, the consumer has still lost out in no uncertain terms because the criminals behind the attack have in their possession highly personal information that can’t, unlike passwords, be easily changed. Every data breach apology email I've ever read treats this fact as if it was incidental when it is anything but.
Meanwhile, the world still has only the vaguest idea how many accounts are at risk here or what level of encryption was used on the data Office does not consider to be at risk. We know something happened but not really what. As ever, consumers are not on the need-to-know list.
Can anything be done about breaches? Plenty of security firms will argue so, usually by pushing their own particular product or technology, but the real issue is how we’ve ended up in a world where an average consumer can hand over an extraordinary amount of information about themselves in the process of buying perhaps one pair of shoes. Now repeat this generosity across dozens of sites whose security-worthiness is anyone’s guess.
The great hope used to be the federated identity systems from large Internet brokers such as Google, Microsoft, Facebook and Yahoo, or Mozilla’s Persona, but these haven’t quite worked out as the optimists thought they would. In theory, a federated log-in (e.g. using Google to authenticate yourself on a website) restricts the data the third party holds on you in a form that hackers can access. The downside is that the authenticator learns a lot about your web habits. Not everyone buying a pair of shoes necessarily wants Facebook or Google to know about that transaction to aid opaque business models enslaved to advertising.
There are superior alternatives such as OneID, which cure the problem of insecure passwords using a public key encryption system that keeps *ALL* data competently encrypted until it is requested by supplying a private key. That’s the point of OneID: the user, not the provider, holds the key needed to unlock the data.
On the other hand, I don’t recall the last time any site I’ve used offered OneID as an option, probably because it adds cost retailers would rather not carry. If systems like this are the future, it’s one that is still some way off, or at least until consumers are shocked into realising that identity management might actually be worth paying for.
That won’t come to pass until users start asking questions about where all their personal data has been going during a grim era of data breaches that looks set to continue for years. Right now it’s anyone’s guess.