Monday, 6 August 2012

Cloud Security

A friend of mine recently mentioned this article in a chat. It involves a US technology journalist who had his Apple account compromised and, through that, his phone, iPad and computer remotely wiped, his social network accounts compromised and his Google account closed.

Despite the generic security advice at the end of the article, there is nothing that the end user can realistically do to protect themselves from a social engineering attack against the support staff for a vital cloud service they use.

The problem, like many in security, is that security has costs. The cost here is the appearance of good customer service: it seems like good customer service to bend over backwards in order to help a customer in need, especially if they are nice or at just the right level of pushy, and it seems like good customer service to fix their problem in a single phone call.

Most of the time it is probably safe to do so; I imagine the ratio of malicious customers to innocent people on the other end of the phone is pretty low. There are plenty of people who have screwed up and just want to get access to their account back but don't have access to their email right now. It feels bad to tell these people that you can't help them right now. Maybe if they could find or contact someone else who can find that important email, you can help them get access to their account, or to their daughter's account (she was recently in an accident, and they need access to help sort out her belongings).

Good customer service is really important to most companies; they pride themselves on it, and it is a major selling point that you can get help quickly and easily and without stress. The thing is, actual good customer service is more than just helping people in need; it requires care and precision. It means getting things right, not getting things done fast.

Protection against social engineering, like most security, is a trade-off with convenience. It requires testing staff to ensure that they are appropriately suspicious, policies that support this behaviour, and training that makes staff understand why those policies exist.

It is going to be interesting going forward to see how companies react. Email has for a long time been treated as a low priority for security: the underlying sending and receiving mechanisms were not built for security and are still insecure, and yet they are the hinges for most of our online dealings. Most services I use will send a password reset to my email with little to no verification required, meaning that if you get into my email, you can get into pretty much everything I use. This applies even more to smartphone users, as those accounts can be used for remote access to phones, providing location information and also, as seen in the article, the ability to maliciously wipe out information.

Companies and users need to start looking at what each system they use represents and what someone with hostile intent could do if they gained access to it, and start adjusting where their security priorities lie accordingly.
