I notice that Facebook has been hacked. Apparently, some 30 million people had their phone numbers and personal details exposed in a "major cyber attack" on the social network in September. Around half of them had their usernames, gender, language, relationship status, religion, hometown, city, birthday, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches all compromised. Wow.
Now, I don’t really care about this much personally. Like all normal people I have Facebook and enjoy using it to connect with family and close friends, but I don’t use my “real” name for it and I never ever gave in to their pleading for my phone number. Not because I was unsure that it would at some point get hacked (I assumed this to be the case) or because I thought that if I used it for two-factor authentication they might use it for advertising purposes, but on the general data minimisation principle that’s it’s none of their business.
(We should, as a rule, never provide data to anyone even if we trust them unless it is strictly necessary to enable a specific transaction to take place.)
One of the reasons that I don’t care is that just as people around the globe are getting spammed by fraudsters pretending to be Facebook, I’m not worried about spammers getting my data and pretending to be Facebook. When I get e-mail from Facebook, it is encrypted and signed using a public key linked to the e-mail address I use for this purpose (pseudonymous access). See...
xxx
My e-mail client (in this case, Apple Mail) will flag up if the signature is invalid. If you want to send encrypted e-mail to me at mail@dgwbirch.com then you can get my PGP key from a public key server (check the fingerprint is 50EF 7B0E FD4B 3475 D456 4D7E 7268 01F2 A1C5 075B if you want to) and then fire away. It’s not that difficult. Facebook asked me if I wanted secure e-mail, I said yes, they asked me for my key, I gave it to them. End of. I really don’t understand why other organisations cannot do the same.
Banks, for example.
Here’s an e-mail that I got purporting to be from Barclays. They are asking me for feedback on their mortgage service and inviting me to click on a link. I suppose some people might fall for this sort of spamming but not me. I deleted it right away.
This of course might lead reasonable people to ask why Barclays can’t do the same as Facebook. Why can’t Barclays send e-mail that is encrypted so that crooks can’t read it and signed so that I know it came from the bank and not from spammers. Surely it’s just a couple of lines of COBOL somewhere ask me to upload my public key to their DB2 and then turn on encryption. Right? After all, it’s unencrypted and unsigned e-mail that is at the root of a great many frauds so why not give customers the option of providing an S/MIME or PGP key and then using it to protect them?
Or, better still, why don’t Barclays STOP USING EMAIL AND TEXTS since they have an APP ON MY iPHONE that I use ALL THE TIME and they could send me SECURE MESSAGES using that. It’s time to move to conversational commerce based on messaging and forgot about the bad old days of insecure, spam-filled, fraudophilic and passé e-mail.
Comments
Post a Comment