The Black Book of Identity Access Mgmt

    Wednesday, Apr 30, 2014

    Mobile does not equal trust

    At the Davos Economic Forum, Yahoo’s Marissa Mayer, among others, said 2014 would be the tech tipping point, in which more consumers would access Yahoo’s and other content on mobile devices than on any other platform. Mayer said, “It makes connecting and trusting people easier.”

    Whoa. Hang on. Connecting is easier? Absolutely. Trust is another matter.

    We already have an environment in which too many people are not who they say they are on the net. I have a very good friend who says Facebook is the best authenticator in the world, since it knows so much about you. And yet a large percentage of FB accounts are bogus, or surplus. And anybody can steal your vacation or kids’ photos and claim ownership.

    Mobile devices are also more easily stolen, compromised, appropriated, corrupted. And disposable. They get swiped all the time. And before they can be traced after ill use, they can be dumped.

    This is why we in the security world talk about assessing and reacting to RISK. We calculate it, even after authentication. You might have the right creds, and you might even do the right things, to start a session or connection. But then you might turn out to be evil after all. A few years ago, an investigative show sold a “stolen” credit card online, then tracked its use. The bad guys who bought it bought a couple of very innocuous items to start with. Once the transactions went through without a hassle, they started buying junk. So it pays to keep an eye on a user, even after they pass the smell test.

     This is why your device should be married to YOU. It should be part of your identity. Just like your IP address, your habits, your authentication method. If somebody else uses your device, the system you’re connecting to should either think twice about letting it in, or prompt for other creds. If YOU use somebody else’s device, same deal. Airports are great places for people to listen in on, physically or in the air, somebody else’s creds, and use them for evil stuff.
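
An added sketch (not from the original post) of the two checks described above: scoring an already-authenticated login on device, IP address, habits and authentication method, then continuing to watch the session. The weights, thresholds, `Profile` fields, the spend-jump signal and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds, for illustration only.
WEIGHTS = {"unknown_device": 40, "other_users_device": 50,
           "new_ip": 20, "unusual_hour": 10, "password_only": 15}
STEP_UP_AT, DENY_AT = 40, 90

@dataclass
class Profile:
    """What the system already knows about a user (hypothetical model)."""
    user: str
    ips: set              # networks the user normally connects from
    hours: range          # usual hours of activity
    typical_spend: float  # normal size of one transaction

def login_decision(profile, device_owner, device_id, ip, hour, auth_method):
    """Score a login that has already presented valid credentials."""
    score = 0
    owner = device_owner.get(device_id)   # device -> user it is bound to
    if owner is None:
        score += WEIGHTS["unknown_device"]
    elif owner != profile.user:
        score += WEIGHTS["other_users_device"]
    if ip not in profile.ips:
        score += WEIGHTS["new_ip"]
    if hour not in profile.hours:
        score += WEIGHTS["unusual_hour"]
    if auth_method != "mfa":
        score += WEIGHTS["password_only"]
    if score >= DENY_AT:
        return "deny", score
    return ("step_up" if score >= STEP_UP_AT else "allow"), score

def session_decision(profile, amounts, factor=3.0):
    """Keep watching after login: flag the first spend far above the norm."""
    for i, amount in enumerate(amounts):
        if amount > factor * profile.typical_spend:
            return "step_up", i
    return "allow", None

# Constructed sample data.
ALICE = Profile("alice", {"203.0.113.7"}, range(7, 23), 40.0)
DEVICE_OWNER = {"phone-A": "alice", "phone-B": "bob"}

if __name__ == "__main__":
    print(login_decision(ALICE, DEVICE_OWNER, "phone-A", "203.0.113.7", 9, "mfa"))
    print(login_decision(ALICE, DEVICE_OWNER, "phone-B", "198.51.100.9", 9, "password"))
    print(session_decision(ALICE, [12.0, 18.0, 950.0]))
```

A "step_up" result is the point at which the system would prompt for other creds rather than refuse outright.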

    So I guess you could accept Ms. Mayer’s statement IF you trust other devices. But heck, as many hackers have stated recently, the Heartbleed bug means that the Internet of Things, that is the connectivity to and from our devices, is at risk. So maybe it’s just bad timing on her part. Just don’t make it bad timing on yours. There’s a wonderful old Arab axiom on this subject. Trust, but verify.