[ 31.01.2018 ]
While John McAfee’s Twitter hack claim may be tied to his over-inflated ego, its implications still speak to an industry-wide problem.
Whether or not the recent news about John McAfee’s Twitter account being hacked was real, or just a marketing ploy to promote cryptocurrency stocks, his assertions impact an entire ecosystem of businesses that goes much further than McAfee himself.
When announcing the ‘John McAfee Privacy Phone’ in 2017, it was claimed that the phone would be untraceable and un-hackable because it allowed the user to physically disconnect or disable various telltale components, including the battery, Wi-Fi antennas, Bluetooth and geolocation services, the camera, and even the microphone. It was also claimed that the phone would be able to identify and avoid a Stingray or any other IMSI ‘catcher device’, and that it would feature a web search anonymizer. Clearly, it was marketed as the perfect device for shady black-market cryptocurrency transactions, terrorists, or just your everyday conspiracy theorists. But if John McAfee’s own privacy phone was hacked, it is clearly not living up to his own hype.
While the phone’s privacy features may seem cutting-edge, what kind of innovative security did McAfee really bring to the smartphone market that we hadn’t seen before? After all, Google Play and the Apple App Store offer similar ‘privacy’ solutions for free. In a world that needs to be able to connect the dots between software, hardware and the CSP’s own services to deliver an integrated approach to identity security, McAfee’s Privacy Phone comes up short. Clearly, what we are seeing here is an example of a company that stayed in its comfort zone and just connected the “software dots” to attempt to address what in reality is a much bigger problem.
Many in the industry want to use the smartphone as the primary ‘token’ for identity and access management (IAM); in other words, for confirming our identities. These ‘phone-as-a-token’ methods may appear to meet the needs of most everyday use cases, thanks to recent advances in identity security that require some form of biometric authentication, such as a thumbprint or facial recognition. After all, anyone can type a combination of characters on a keyboard or number pad, but each person’s body is unique. But in reality, things just aren’t that simple. Aside from the benefits, we should also be aware of the safety concerns that come with biometric features. Some common forms of biometrics use finger/palm print readers and retina scanners. In the past, this form of authentication could only be found on things that required the highest level of security, but it has become quite common across a variety of smartphone vendors.
Despite all the consumer confidence brought by innovations in biometric security, we’ve already seen researchers using inkjet printers and conductive ink to print imitations of fingerprints accurate enough to unlock phones. Looking back to just last November, it took only one week from when the iPhone X was launched to fool Apple’s Face ID by using a composite mask of 3D-printed plastic, silicone, makeup, and simple paper cutouts. And if you rely on Touch ID for mobile banking apps because it makes it easier and more convenient for you to manage your finances on the move, are you willing to follow the same approach when it comes to publishing a certified “tweet”? IAM and security leaders must ensure that one or more additional security methods are implemented, while providing an acceptable trade-off between trust and user experience, all while maintaining consumer confidence.
One great way to strengthen biometric features is multi-factor authentication (MFA). It simply means requiring multiple independent inputs for layered security. Essentially, in addition to scanning your thumbprint, you might also need to type a password or enter your phone’s PIN. These methods are commonly adopted in the fintech market – but what needs to be assessed is the trade-off between user experience and security when embedding MFA functionality natively into your own applications, such as Twitter.
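To make the "layered" idea concrete, here is an added example (not code from the original post or from any vendor it mentions) of a server-side login check that requires three independent factors: a stored password hash, a device-side biometric result, and a time-based one-time code (TOTP, RFC 6238, which is the mechanism behind most authenticator apps). Every factor is evaluated on its own and all must pass; a biometric success never short-circuits the others. The user record, the salt and the shared secret are constructed here for illustration, and `biometric_ok` is assumed to be a boolean reported by the handset's local biometric API (this code does no fingerprint matching itself).

```python
import hashlib
import hmac
import struct
import secrets

# --- Factor 1: knowledge (password) ------------------------------------------

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (salted, slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(record: dict, password: str) -> bool:
    candidate = hash_password(password, record["salt"], record["iterations"])
    # constant-time comparison so a wrong guess does not leak via timing
    return hmac.compare_digest(candidate, record["pw_hash"])

# --- Factor 3: possession (TOTP, RFC 6238 over HOTP, RFC 4226) ---------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30-second steps."""
    return hotp(secret, int(at_time // step), digits)

def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus +/-`window` steps to tolerate clock drift."""
    counter = int(at_time // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False

# --- Combining the factors ---------------------------------------------------

def authenticate(record: dict, password: str, biometric_ok: bool,
                 otp_code: str, now: float) -> tuple[bool, dict]:
    """Evaluate every factor independently; grant access only if all pass.

    Returning the per-factor results lets the caller log which factor failed
    without revealing that detail to the client.
    """
    results = {
        "password": verify_password(record, password),
        "biometric": bool(biometric_ok),    # assumed: reported by the device
        "totp": verify_totp(record["totp_secret"], otp_code, now),
    }
    return all(results.values()), results

def enroll(password: str) -> dict:
    """Create a constructed user record with a fresh salt and TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "iterations": 200_000,
        "pw_hash": hash_password(password, salt),
        "totp_secret": secrets.token_bytes(20),   # shared with the user's app
    }

if __name__ == "__main__":
    # Constructed demonstration using the RFC 4226/6238 reference secret.
    rfc_secret = b"12345678901234567890"
    record = enroll("correct horse battery staple")
    record["totp_secret"] = rfc_secret
    print("TOTP at t=59s:", totp(rfc_secret, 59))          # 287082 per RFC 6238
    ok, detail = authenticate(record, "correct horse battery staple",
                              True, totp(rfc_secret, 59), 59)
    print("login granted:", ok, detail)
```

The drift window is the usual trade-off the paragraph mentions: a wider window is friendlier to users with badly synced clocks but gives a stolen code a longer useful life, so keep it to one step either side.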
While some may blame service providers when their phones are hacked, the fact is that CSPs often provide one of the first – and best – lines of defense. For example, embedded SIMs (eSIMs) provide another layer of protection. Instead of storing user authentication details on physical SIM chips, which can be swapped out and put into other devices to avoid detection, each eSIM is embedded into the handset, along with its user’s unique biometrics and security passcodes. This way, each phone can only be accessed by its owner.
What we have to ask is, what has John McAfee's 'hack-proof' phone really brought to identity and access management (IAM)? Was it anything more than just an eccentric businessman creating a product that allowed him to surf the wave of security concerns? I believe that this time, John wasn’t paranoid enough to connect all the dots: he took the easy route and instead developed software that exposes what happens when you don’t have an integrated risk management solution applied to a wider ecosystem, one that encompasses hardware vendors and CSPs as part of the solution.
Let me know your thoughts and please feel free to Contact Us should you have any questions.