EBay hack underscores need for a more secure internet
Rise of quantum computing in next 20 years could empower future data thieves, expert warns
Cyber threat analysts have some other ideas — retina scanners, fingerprint sensors, so-called "two-factor authentication," and a futuristic "uncrackable" encryption technique involving photons transmitted through optical wires.
Individuals need to ask when they purchase security products, ‘Will this be secure?’ And in the future when there’s quantum computers, the answer will probably be no.- Michele Mosca, director of the Institute for Quantum Computing at the University of Waterloo
It’s all part of a suite of protective measures being used to combat cybercrime in an era when would-be thieves have targeted the databases of online auction sites, exploited the Heartbleed bug and hacked into computers running Internet Explorer.
Although biometrics have been touted as an alternative to passwords, physical identification tools aren’t necessarily infallible either.
"If you look at the eBay attack, that wasn’t a flaw of passwords; that was a flaw of their perimeter security," said Ben FitzGerald, director of technology and national security at the Centre for a New American Security.
FitzGerald noted that the cyberattackers used "social engineering" techniques like phising to trick people into helping them commit fraud, and were able to "spoof" legitimate eBay credentials to access the online marketplace’s database.
"People could have had very strong passwords and still had those stolen," he added.
Hackers could 'steal your fingerprint'
Yan Zhu, a staff technologist with the Electronic Frontier Foundation, agreed the eBay case was mainly a problem of vulnerable infrastructure. Although eBay stated in a memo that the passwords were encrypted and financial info was not compromised, Zhu said the attack may have been even scarier had the material in the databases included biometric profiles rather than just passwords.
"You can imagine if they were storing a fingerprint scan in plain text and somebody broke into the database, they could also steal your fingerprint scan," she said. "And if somebody stole your fingerprint scans … they could reuse it on other sites as well. And that would be harder to change than a password."
As for why the uptake on biometrics on the consumer level has been so slow, Zhu said backwards compatibility poses a major obstacle.
"If you’re a website like eBay, you have to support the lowest common denominator of users, and of course you have users and in countries where it may not be easy to update your technology," she said.
That convenience factor is one of the big challenges with adopting new computer security, said Kevin Albano, the director of threat intelligence for FireEye, the global network security firm that first flagged the Internet Explorer bug last month.
"It’s always been about the balancing act between two principles — the human and convenience," Albano said.
A cut or burn on a fingertip could confuse finger-scanning technologies, as could dust accumulating on a laptop sensor, he said. Laser-eye corrective surgery might also change the the way an iris is mapped in 3D, or if a hoarse throat due to a cold might confound voice-recognition software.
Then there’s the possibility of biometric fraud.
"I’m looking at my iPhone right now and I can see my fingerprints all over it," Albano said. "So you can take a piece of tape, lift that fingerprint … We’ve seen different hacks to mimic a fingerprint to defeat that principle."
One verification method Albano believes to be solid is multi-factor authentication, which would require customers to supply at least one additional piece of information in order to log in. That could involve a secondary device like a cellphone that would generate a numeric code. The Google Authenticator app, which users can install on their phones, is an example of this kind of system.
"Sometimes it texts you the PIN number, and it’s only valid for so many seconds," Albano said. "To me, that’s one of the most convenient and most successful authenticators that’s been out there."
The biggest global IT menace may still be about 10 or 20 years away, however, with experts warning about the rise of quantum computing.
Rise of the machines
Michele Mosca, deputy director of the Institute for Quantum Computing at the University of Waterloo, said the threat of such machines — powerful computers that use the tiniest units of light to process information and calculations at unprecedented speeds — can’t be overstated.
"This thing that happened with eBay is a small, fixable mistake. Other things like the OpenSSL problem [with Heartbleed], there was a patch for that. The Internet Explorer problem from a days ago? There was a patch for that, too," he said.
- EBay 'cyberattack' prompts password change warning
- Personal data stolen online from 1 in 5 U.S. internet users
"Here, there’s no patch. The fundamental building blocks of internet security could be broken."
Mosca is working on developing quantum encryption tools to keep data from being intercepted as the light particles, or photons, go down a fibre optic wire.
Barring human error, this quantum cryptography technique would allow for "uncrackable" information exchanges, Mosca said.
Anyone who tries to "eavesdrop" or even observe that data when it’s in a quantum mechanical system "would disturb the system," Mosca explained, rendering the information useless. A receiver on the other end would have a "secret key" to measure whether the quantum states of the light beams were compromised.
Mosca believes the only way to protect future online infrastructure from quantum computers is to create a market demand for "quantum-safe" security products.
"Governments need to start asking for solutions to this medium-term threat. The timescales for this era to come are comparable to the timescales to prepare for this era, and it takes one to two decades to properly fix this problem," he said.
"Individuals need to ask when they purchase security products, ‘Will this be secure?’ And in the future when there’s quantum computers, the answer will probably be no."