You don’t know what you’re doing

Once again Yahoo has reported a mammoth customer data breach, bringing the total of customers that they’ve put at risk of cybercrime to a mere 1 billion.  This news was quickly followed by much smaller, yet similarly worrying, reports of “potential” data breaches from KFC UK and Domino’s Pizza.  KFC was keen to reassure its customers that it had improved its security measures to ensure it wouldn’t happen again, and then provided a handy link to take them to the password reset process – proving that it still knows little about keeping its customers safe online.
Cybersecurity is a constant battle to remain one step ahead of the criminals – with the web being inherently insecure due to its annoying insistence on exchanging data with human beings in an unencrypted form – so even the best organisations struggle to stay ahead.  Incompetent actors within the system are undoubtedly adding to the problem: the same customer information held in military-grade security systems is undermined when it is also kept in a minimum-security chicken shop.


Too many organisations are using poor practice – even in things that cost almost nothing to change – and this happens in organisations both large and small, even those with multimillion-dollar IT security functions.  I recently heard of a large multinational organisation that emailed its staff to tell them it was increasing security by changing its password policy; the email contained a link to a deep URL that required users to first enter their existing username and password.  By attempting to increase security they had actually conditioned their workforce to accept basic phishing methods.
A few simple things that we shouldn’t see from any organisation – my 2017 authentication wish list:

  • Uppercase, lowercase and number requirements: “Password1” is no more secure than “password”, because that is what this policy leads most users to do.
  • Your password is too long: No, your field length is too small.
  • Your password has expired and must be changed: making me change my password makes me forget my password, which makes me reset my password, which creates an unnecessary weak point.
  • Your password is too similar to your previous one: how do you know?  Oh, that’s right: you store my password unencrypted, so it is known throughout your system, which creates opportunities for others to steal it.  Hash it when I first give it to you and compare the hash when I assert it in future.
  • Here’s an email with your password: Just no.
  • Here’s an email with a link to change/recover your password: See above.
  • Sorry, we don’t support second-factor authentication: Use a federated service that does.
  • Sorry, we don’t support keychain / password management services: Get better developers who know how to integrate them.
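The hash-and-compare the list asks for, as an added example that is not part of the original post (Python, standard library only; `register`, `verify` and `change_password` are names chosen here): the plaintext is never stored, so the only “too similar” check that remains possible compares the new password against the current one the user has just typed, held in memory for that request alone.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not code from the original post. Stores only a salted
# scrypt hash; the plaintext never persists, so a server built this way cannot
# compare a new password against old ones it no longer has.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
HASH_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)


def register(password: str) -> str:
    """Create the stored record at first sign-up: 'scrypt$<salt>$<hash>' (hex)."""
    salt = os.urandom(16)  # fresh random salt per account
    return "scrypt$" + salt.hex() + "$" + _derive(password, salt).hex()


def verify(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def change_password(record: str, current: str, new: str) -> Optional[str]:
    """Rotate the password. The current password is verified against the
    stored hash, then compared with the new one in memory only; nothing in
    plaintext is written anywhere. Returns the new record, or None if the
    current password is wrong or the new one is a trivial variant of it."""
    if not verify(record, current):
        return None
    # Strip case and trailing digits so 'Password1' -> 'Password2' is rejected.
    if new.lower().rstrip("0123456789") == current.lower().rstrip("0123456789"):
        return None
    return register(new)
```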

Fortunately, there are organisations who operate good practice – many of them offering federated services that can be consumed securely by other organisations.  Whilst governments and regulators are encouraging consumer choice and market competition, they’ve been slow to enforce standards for keeping customers safe.  As data and systems are exposed through open APIs for the good of the consumer, we need to ensure that we have proportionate controls over the organisations seeking to use them.  PSD2 may make it easier for my fast food company of choice to take payment, yet if we can’t trust them with my password, how can we trust them with access to my finances?
Under GDPR the Information Commissioner has greater powers to punish companies who play fast and loose – which will hopefully encourage those who currently operate poor cybersecurity to stick to what they’re good at and leave customer data management, authentication and payment processing to others who do it well.  We need continually evolving standards for the treatment of customer data that offer limits of liability to those who apply them, and proactive measures against those who don’t, so that they’re stopped from undermining the entire system.

It would be great to find out, before my data has gone missing, who the organisations are who don’t know what they’re doing.


About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has near 20 years experience working with some of the United Kingdom’s leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA
Connect with Bryn on LinkedIn: Bryn Robinson-Morgan

Source: bryn blog
