
Exclusive interview Carole Theriault on digital identity

Tuesday 5 March 2019 | 08:16 AM CET

The Paypers interviews Carole Theriault on digital identity (schemes): how to secure our IDs, the latest developments in this space, the pros and cons of ID projects, and more

Could you please tell us a bit about your professional background? How did you get involved in the IT security industry and what made you join the award-winning podcast Smashing Security?

I have worked in the infosec industry since 1998, when I started a 15-year career at global IT security company Sophos. During this stint, I held a number of roles, from project management of cool tools to co-founder and editor in chief of the multi-award-winning Sophos Naked Security, where we reached over 1 million visits a month. Other than Smashing Security, I’d say that it was my proudest work achievement.

I learned a lot about infosecurity during these 15 years, which serves me well now that I run my own company, where we help IT sec organizations from non-profits to global cyber players strengthen their engagement with their key communities. And with my co-founder and co-host (and pal) Graham Cluley, I run the award-winning Smashing Security podcast, now in its second year and boasting well over 2 million downloads.

During episode 107 of Smashing Security you mentioned Mastercard and Microsoft’s intentions to provide a universally-recognized digital identity for users, and expressed some concerns about their project. How safe is it to have all your personal and financial details in one place?

This is a difficult question to answer. There are pros and cons to all approaches. Saying sayonara to passwords sure sounds blissful, but surely that means we need to put more of our trust into a third party corporation, whose primary goal is to keep shareholders and stakeholders happy. Now, I am not saying that Mastercard or Microsoft have sneaky intentions here, but I do think we need to think very carefully about the pros and cons.

The onslaught of breaches that have compromised our very personal and sensitive information has sadly eroded our faith in corporations, whose primary responsibility is to their shareholders, to look after our personal and private details. Consider the 2017 Equifax breach, or the 2018 Cambridge Analytica scandal, just to name a few off the top of my head. Oh, and the Marriott Starwood breach that happened in 2018. These types of scandals have eroded trust in companies to protect our personal and sensitive data.

So when you start talking about a universally-recognized digital identity for everyone, I have a lot of concerns... such as what happens when my identity gets stolen or compromised? How will we avoid scoring individuals, ranking them in a bazillion different categories so that algorithms can make decisions for you on whether you should be approved for a mortgage, or get a loan, or insurance, or whatever?

I guess that for all the frictionless transaction benefits, I see way too many opportunities for privacy to be eroded over time.

What should a digital identity scheme look like? Who should be in charge of creating these digital ID schemes?

This is a complicated question. On one hand we have China running a social score that oversees behaviour across many areas such as banking, traffic infractions, social standing, intended to standardise the assessment of citizens’ and businesses’ economic and social reputation. It is a bit Black Mirror for me.

But the alternative of private companies doing it, especially ones that are run for financially motivated shareholders, also leaves me uncomfortable.

There has been a lot of buzz around the benefits of having self-sovereign identities (better control over usage of your data, more privacy, etc.), however are users really prepared to handle/store their own data? How can they be? Very few users actually know what data is being hoovered up from their phones, and being sold to third parties. Even security-minded folks whip through complex GDPR web forms, granting full permissions because they cannot be bothered to read the fine print. And why should they?

The fact is that we have a growing security problem, and people are nervous. I would prefer we focus on sorting out existing privacy and security problems, rather than try and tout the advantages of a single universal sign-on. However, as this investment is likely to proceed, I urge all parties to really consider the long-term impacts on society and digital interoperability. I don’t want it sold to us as the next best thing to sliced bread. It wouldn’t be right for them to take this approach.

And last, could you please give us some advice on how users can protect their digital IDs?

Here is my list of things to do to better protect your ID online:

  • Use a password manager

  • Ensure all passwords are unique, long and complex

  • Employ multi-factor authentication or 2FA wherever possible

  • Use a reputable VPN

  • Avoid connecting to untrusted wifi

  • Delete all unused applications and turn off services you don’t need

  • Don't share personal details online, and

  • Become a regular listener to the Smashing Security podcast, where we discuss security and tips every week. :)

About the Smashing Security podcast

A helpful and hilarious take on the week's tech SNAFUs. Computer security industry veterans Graham Cluley and Carole Theriault chat with guests about cybercrime, hacking, and online privacy. It's not your typical cybersecurity podcast...

Winner: "Best Security Podcast 2018."