August 3, 2016

To Weak Authentication, A Thief Looks Exactly Like A Cop

Here's an uncomfortable truth for IT to internalize: enabling access for a friend facilitates access for an enemy. This is what was behind the anti-backdoor argument that Apple aggressively made, albeit for non-altruistic sell-more-hardware reasons. In effect, if you provide an easy way for government investigators to access data, there's no reason to believe that bad guys won't use a variation of that to steal data.

I'm reminded of this while noting some new rules coming from Russia. Consider this report from Global Compliance News. As of July 20, companies may be required to "retain and store data on users, user activity and user communications on Russian territory for one year (previously six months), to retain and store the contents of user communications (including text, audio and video communications) on Russian territory for up to six months (as from July 2018); and to enable Russian security agencies to decrypt such correspondence" and "Failure to comply with the above requirements may result in administrative fines and access to a non-compliant service being blocked in Russia," according to that report.

Although it's certainly true that Russia's environment is more open to such government mandates than some other parts of Europe and the U.S., the point is that there are going to be an increasing number of governmental as well as industry attempts to access a wide range of data types.

From a security perspective, access is access. Does a thief differentiate between a weak remote access system for a network of franchisees and a security hole in your firewall? Want to make VPN access easier for lazier employees or those who are resistant to learning new authentication systems?

CISOs get zero brownie points because the weak authentication they deployed was done with the good intention of making life easier for contractors. Thieves are also remarkably fond of companies that think the nature of their business generates little of interest to thieves. Trust me: Let them in and they'll find things you never thought of.

I recently worked with a chain of car washes (no, this has nothing to do with Breaking Bad and money laundering, although it would be a lot more cool if it did) who in fact deployed consumer-level remote access because franchisees didn't think their data was going to be attractive to thieves. As they subsequently learned, their payment processors felt quite differently.

There is no way around this: Authentication needs to be strict and it needs to be strong. This is one of the reasons that passwords have got to go, replaced by different kinds of biometrics and pattern recognition. Strong and complex passwords are self-defeating, as they simply increase the number of passwords being written down or memorized by a program that itself has a password.

As long as we have passwords, strong authentication means difficult and time-consuming authentication. That gets us back to ease of access. To make access easier for any friendlies—be they employees or law enforcement—you are necessarily making access easier for data thieves.

Actions like a government, or your parent company, insisting on backdoor access mean easier bad-guy access. If you don't want to resist such efforts on principle, resist them for data security.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for RetailWeek, Computerworld and eWeek, and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution.
