Taking Risks: Why You Should Always Ask Why


You can never be absolutely secure.

It’s a cliché that drives the cybersecurity industry. Absolute security is a fallacy, and anyone who has worked in cybersecurity knows this all too well. The subtext is that security is a game of risk. Every day we balance the tradeoffs between how much effort we want to put into security and the impact of bad things happening to us.

We examine vulnerabilities, estimate the likelihood of each being exploited and consider the impact an exploit would have. Then we put in place controls proportionate to those risks. Finding this balance, where our actions mitigate risk to an acceptable level without spending more than the risk warrants, is the goal of any security program.

Then, time passes. Controls live on long after we’ve forgotten why they’re in place. When asked, “Why is this control here?” we sometimes invent reasons based on conventional wisdom rather than on the risk it was meant to reduce.

Case in point: I drove to work on Cyber Monday, listening to the radio. The tech journalist provided advice for Cyber Monday shoppers, including where to find the best deals, which products had the biggest discounts and what to avoid buying until later. The piece ended by advising listeners to avoid shopping from public hotspots because it was as dangerous as taping your credit card information to your back and walking around a mall.

This struck me as advice that ran completely counter to what a risk assessment of the situation would indicate. It also stoked needless fear in people who aren’t security aware.

Risk and Reward

In nearly every instance, online credit card theft happens on back-end servers or point-of-sale systems, not on the consumer’s connection. Criminals make the same risk and reward decisions we make as defenders: they want the biggest payout for the least effort and an acceptable chance of being caught. Hacking servers through anonymous botnets is relatively low risk and may yield card data for millions of users. That data can be converted to cash in online forums in a matter of days, which makes bulk card theft a lucrative business.

Now apply the same risk and reward calculation to stealing card data through a public WiFi hotspot. Technically, it’s difficult to carry out. Spoofing the hotspot is easy, but the attacker still has to compromise the connection in a way that exposes cleartext data. Although not impossible, the options are limited: downgrade clients to weak ciphers, in which case the attacker still has to spend resources cracking the captured traffic, or perform a man-in-the-middle attack against the TLS connection, which produces a certificate error that the victim has to notice and click through (for any site that uses HTTPS, which every legitimate checkout page does). On top of that, the attacker has to be physically in range of the hotspot, which dramatically increases the risk of being caught. Finally, the attacker has to be lucky enough to actually capture a card transaction. Tons of data passes through a public hotspot, and picking out the one session that carries a card number is nontrivial.
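To make the man-in-the-middle point concrete, here is an added example (not code from the original post) that plays both sides of the hotspot scenario on loopback: an attacker's TLS listener presenting a forged, self-signed certificate for a shop, and a client that believes it is connecting to that shop. The hostname shop.example is an assumption made up for the demo; nothing outside loopback is contacted. A client that verifies certificates, as every browser does by default, refuses the handshake before any card data could be sent; only a client that has been told to skip verification (the equivalent of a user clicking through the warning) completes it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RogueCert forges a self-signed certificate for shopHost, which is all an
// attacker on a spoofed hotspot can do without a key from a trusted CA.
func RogueCert(shopHost string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: shopHost},
		DNSNames:     []string{shopHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// InterceptAttempt runs the attacker's listener with the forged certificate on
// loopback and connects a client that thinks it is reaching shopHost.
// With skipVerify=false (normal browser behaviour) the handshake must fail
// before any application data is sent; skipVerify=true models a user who
// clicks through the warning. The client's handshake error (or nil) is returned.
func InterceptAttempt(shopHost string, skipVerify bool) error {
	cert, err := RogueCert(shopHost)
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()

	go func() { // attacker side: serve the forged certificate
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.SetDeadline(time.Now().Add(5 * time.Second))
		_ = c.(*tls.Conn).Handshake() // fails when the client rejects the cert
	}()

	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", ln.Addr().String(), &tls.Config{
		ServerName:         shopHost,
		InsecureSkipVerify: skipVerify, // never set this in real client code
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// IsCertError reports whether err is the certificate-verification failure a
// properly configured client raises, as opposed to a network or other error.
func IsCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &noRoots)
}

func main() {
	const shop = "shop.example" // assumed hostname, constructed for the demo
	err := InterceptAttempt(shop, false)
	fmt.Printf("verifying client: certificate error? %v (%v)\n", IsCertError(err), err)
	fmt.Printf("click-through client error: %v\n", InterceptAttempt(shop, true))
}
```

The weak-cipher downgrade path from the paragraph above is not modelled here; modern TLS clients refuse export and other broken suites outright, so the forged-certificate route is the one an attacker on a hotspot is realistically left with, and it is the one the victim's browser warns about.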

All of this work to steal one card. Then the attacker has to do it all over again to get a second. And a third. Compromising a server holding millions of cards is a far better use of the same effort.

Questioning the Why

Are public hotspots totally safe? No. But one of the last things you should worry about in these situations is having your credit card stolen while you’re picking up coffee or buying presents during the holidays. Better advice to radio listeners would have been never to use a debit card online: a fraudulent debit charge comes straight out of your bank account and carries weaker fraud protections than a credit card, which is a much bigger risk to the average consumer.

Does “Don’t shop from a public hotspot” sound like good security advice? Sure. But it isn’t grounded in the real risk of the situation. Rather, it trades on the idea that public hotspots are totally insecure and therefore everything you do on them is insecure. This is why we need to understand why we take an action to reduce risk, not just how.

As cybersecurity continues to evolve, questioning the why becomes more and more important. Vulnerabilities change. Threats change. Risks change. Understanding these changes and adapting our controls ensures we aren’t wasting time on useless controls while ignoring the real issues.

Feel free to share your thoughts with us on the topic.

Bruce

By Bruce Potter / December 5, 2016