Security – it’s all about risk
Security is a game of managing risk – pure and simple. Organizations (or individuals) should assess risk and take appropriate steps to mitigate it as they deem necessary. There is a huge range of risks to be mitigated: the risk of theft or other loss, the risk of destruction, and the risk of disclosure (the protected item becoming known), to name a few.
Each of these risks has methods and products, suited to the item being protected, that can be implemented against it.
The traditional way of protecting data is through two-factor authentication, firewalls, encryption, and so forth. For the purpose of this article I’m going to call this “hard security” – that is, you put up hard fences, as it were, to protect the data. For most of us, unless the data is protected by these sorts of fences it should be regarded as insecure.
However, there are some good reasons to question this mindset. Firstly, you don’t know what you don’t know. Any secured item is only as secure as the threat modelling done on it. Every secured item is vulnerable to something – no security is perfect, because no one knows all the risks and attack vectors. Secondly, who’s to say that these things are always worth the overhead they impose? These fences must be purchased and maintained, and users have to be educated about how to get to and through the gate.
Security experts have long talked about improving the user experience of security. However, while products continue to be created and the user experience does improve somewhat (even if the implementation sometimes undoes these improvements), the overall experience of security is still one of fences and barbed wire to keep the nasties out.
Secure, but no fences?
Recently I came across a financial organization that created a service for its customers that would effectively serve as a digital wallet. The concept was simple – just as you’d go to an ATM and get some cash out and give it to friends as required, so you’d charge the digital wallet up and give money out to people as required.
In real-world use this means that from my mobile phone I can send a text message to the organization’s number stating “Pay [mobile number or email address] [amount] [comment]”. This might translate to “Pay 0213456789 $40 for that bet you won”.
When the organization receives this they will put it into the wallet of the receiver and send them a text message to say they’ve received it. If the receiver doesn’t have a wallet the organization will send them a message telling them they have money waiting and that they should sign up for a wallet to receive the money.
The first question you have to ask in this circumstance is “how is this secured?” In the world of hard security you’d probably expect to see two-factor authentication (perhaps the mobile phone and a PIN) as a minimum, or perhaps some sort of software on the phone that authenticates with the back-end system via the internet.
However, in this case, the process I outlined above is exactly all that is required. Initially I thought this was horribly insecure, but after consideration of the risks and mitigation, it may not be as bad as I first thought.
What’s the real risk?
Is it insecure? Sure it is. If you lose your phone and it is not locked, anyone can pick it up and send money to his or her own account. But then, if I lose my wallet, and it has money in it, you could pinch the money from that too.
Having said that, what is the target market? Obviously this is aimed at youth and young adults – those aged between 14 and around 35. As a rule, this group is the most comfortable with text messaging and using these types of technology. Looking at the way these people use their phones is interesting.
Consider these questions:
• When was the last time you lost your mobile phone?
• How long was it missing for before you found it?
• Didn’t find it?
• How long before you called your provider and asked them to kill the connection?
Most people in this age group just don’t lose their phones – except for perhaps leaving it locked in a pocket of a jacket in the car or something similar. And if they do lose their phone, they generally get it cut off and replaced pretty quickly. Why is this? Simply because without our phones we feel naked (perhaps I’m speaking for myself here). Our phones have all our friends’ numbers, and form a vital part of our communications on a daily basis. Similarly I feel naked without my wallet.
OK, so let’s say we agree that the key risk is losing our phone – how can we mitigate this risk? Continuing the wallet analogy, how much money am I likely to have in my wallet when it gets lost? In my case, not much money at all. Similarly, in this case the maximum that can be transferred from the wallet in one day is about US$125. And again – just like a physical wallet, the electronic wallet has to be replenished when it’s empty. So if you don’t keep much money in it, the risk is limited to that money. My phone alone is worth more than that to me.
This is not the “hard security” that we are used to, but more of a softer approach where the risk is managed by the user. The fences are there, but they are not the fences we are used to having to deal with. The fences are transparent – the user doesn’t notice them, and they don’t get in the way. The solution is modelled after a familiar real-world (non-digital) equivalent where we manage the same property (money) in a similar way.
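To make the “transparent fence” concrete, here is a constructed model of the wallet service described above. It is an added example, not the organization’s own code: it parses the Pay command in the format the article gives, refuses transfers that would exceed the per-day cap (the article’s “about US$125”; the exact figure and the 24-hour window are assumptions), and holds money for recipients who have no wallet yet. All names and the message format details beyond the article’s example are assumed.

```python
import re
from collections import defaultdict

DAILY_CAP = 125.00  # per-sender cap in a rolling 24 hours; assumed exact value of "about US$125"
DAY_SECONDS = 24 * 60 * 60

# Grammar from the article: "Pay [mobile number or email address] [amount] [comment]"
PAY_RE = re.compile(
    r"^pay\s+(?P<to>\S+@\S+|\+?\d{6,15})\s+\$?(?P<amount>\d+(?:\.\d{1,2})?)\s*(?P<comment>.*)$",
    re.IGNORECASE,
)


def parse_pay(text):
    """Return (recipient, amount, comment), or None when the text is not a valid Pay command."""
    m = PAY_RE.match(text.strip())
    if not m or float(m.group("amount")) <= 0:
        return None
    return m.group("to"), float(m.group("amount")), m.group("comment").strip()


class WalletService:
    """Constructed model of the SMS wallet: balances plus a rolling 24-hour sending cap."""

    def __init__(self, daily_cap=DAILY_CAP):
        self.daily_cap = daily_cap
        self.balances = {}                 # wallet holder (number or email) -> balance
        self.pending = defaultdict(float)  # money waiting for people who have no wallet yet
        self.sent = defaultdict(list)      # sender -> [(unix_time, amount)]

    def open_wallet(self, owner, amount):
        """Charge up a wallet; any money already waiting for the owner is credited too."""
        self.balances[owner] = self.balances.get(owner, 0.0) + amount + self.pending.pop(owner, 0.0)

    def sent_last_24h(self, sender, now):
        cutoff = now - DAY_SECONDS
        return sum(a for t, a in self.sent[sender] if t > cutoff)

    def handle_sms(self, sender, text, now):
        """Process one inbound text from `sender` (its phone number); return a status string."""
        if sender not in self.balances:
            return "rejected: sender has no wallet"
        parsed = parse_pay(text)
        if parsed is None:
            return "rejected: unrecognised command"
        to, amount, _comment = parsed
        if amount > self.balances[sender]:
            return "rejected: insufficient funds"  # a lost phone can only spend what is in the wallet
        if self.sent_last_24h(sender, now) + amount > self.daily_cap:
            return "rejected: daily limit reached"  # the transparent fence: loss per day is bounded
        self.balances[sender] -= amount
        self.sent[sender].append((now, amount))
        if to in self.balances:
            self.balances[to] += amount
            return f"sent {amount:.2f} to {to}"
        self.pending[to] += amount  # recipient is texted that money is waiting and asked to sign up
        return f"held {amount:.2f} for {to} until they open a wallet"
```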
Evaluating costs and benefits
Let’s weigh up the pros and cons of hard security against this soft security approach:
In this case the organization has modelled its service on a real-world item (our wallets) that we all deal with every day. The risks are similar, both in size and in mitigation methods, to leaving money in your wallet lying around (or your phone), and the device being used is already habitually carried and managed by the target audience.
This soft security approach is not appropriate for many situations, so I’m not recommending it (nor am I recommending the hard security approach). Rather, this is a good example of where an organization has thought through and researched the scenario (in lots more detail than I have above), understood the risks through threat modelling, and made a conscious decision about which risks it can mitigate and which risks the user is responsible for.
Should you jump in the deep end or paddle for a while?
I’m sure there are many people reading this who suspect that I’ve taken the blue pill and headed down my own rabbit hole, but my point here is that we need to think through security more than we do:
• What is the valuable item?
• Why is it valuable?
• What are the risks?
• What mitigations are already in place?
• Is there something simple I can do to mitigate the risk?
• What price (money, time, effort, education, for instance) am I (or my users) prepared to put up with to mitigate the risk and is it worth it?
It’s easy to jump in the deep end, but we often don’t stop to consider whether we need to or not.