21st November 2018

Internet Security – Part 3: The impact on users

What does all this mean for users?

I started this article with an example of a fictional – though real-world – bank securing its premises with locks and keys. Round the circle and I have provided an example of appalling systems design and operation with a real bank operating in the virtual world –exposing all its customers to wholly unacceptable security risks and relying on security technology that was at least a decade behind the times.

To all appearances Credit Agricole is a long-standing, reputable bank that operates throughout France and has hundreds of thousands of customers – most of whom I can only assume carry on in blissful ignorance of the bank’s wilful disregard for the security with which it treats their personal data and their money. The simple fact being that it should not be trusted with either personal data or money.

I can imagine a CA customer phoning the bank to report that all their accounts have been emptied or that their statement shows transactions that they have not performed. And I can imagine the bank’s assured reply that it takes its customers’ security very seriously and is entirely content with the security of its systems. The fault must, therefore, lie with the customer.

To any CA customers reading this who find themselves in a situation similar to that I describe do not take the bank’s word as worth a cent. Challenge them to prove that the transactions are due to your actions and not due to the appalling insecurity of the bank’s IT systems and the way it operates them. In short, the utterly disgraceful disregard it has for the customers that feed it.

I feel the need to repeat what I wrote at the beginning of thisarticle. The reality is that nobody can be trusted.

Looking more broadly this lesson applies across the board.

No Internet based service can reasonably be trusted to keep your personal data or possessions safe. Though organisations (eg; thesearch engine DuckDuckGo or the Swiss email provider ProtonMail) are starting to appear that place customer privacy and security above the grasp for naked profit sadly none of these organisations are offering banking or shopping services.

It follows that the prudent user proceeds through the Internet taking the greatest care of the personal data he or she leaves in their wake and – whether you are looking for a place to post your daily activities and innermost thoughts, update your calendar or contacts, deal with your banking or the weekly shopping work on the assumption that whatever data you provide – from your name and address to your credit card details, photos, confidential documents and list of friends and contacts – will become “lost” at some point to the villains that take advantage of the “profitfirst – customers last”culture that drives the design and operation of the computer systems with which you interact.

As a simple example, many on-line retailers ask your permission to retain your credit card details “to make checkout faster in the future”- or some variant. NEVER allow an online retailer to store your payment details – for the simple reason that if they don’t have your credit card they can’t lose it. So when you read that retailers such as eBay (145 million customer credit card records “lost” in 2014), Target (110million), Sony (77 million), Home Depot (40 million) … [the list goes on and on] have lost their customers’ credit card details you should have less cause to worry – as long as you can trust ther etailer NOT to store your card details under some other pretext.