What does email security have to do with credit cards? A lot, especially when you consider that their information system implementations share the same structural vulnerabilities. And this time of year, when we are all using our credit cards a lot, that should give us all pause for both reflection and concern.
 
Just last September, over a hundred million CapitalOne credit card accounts were compromised in perhaps the largest breach of private information to date. The card data was stored on the Amazon Web Services cloud. The attacker, an AWS employee, broke into the server through a misconfigured firewall.
 
People’s concern was legitimate. How could CapitalOne have been so careless with its firewall settings? Shouldn’t they have been more careful in maintaining their security?
 
While accusations of negligence appear valid, there was also a deeper structural vulnerability: the centralization of all that sensitive data stored on the cloud server. And CapitalOne’s method for storing customer data was not unique.
 
Google’s Gmail has the same structural vulnerability, as do most cloud-based email services. If an attacker can break into a server, all the data stored there is compromised. I’ve made that argument to lots of IT folks whose response basically goes along the following lines: “Google is a huge company with massive resources and lots of smart people. I trust them to keep my email secure.”
 
But software and networks are complex things, and we all know bug-free code is a virtual impossibility. Furthermore, much of the security of your email is beyond Google’s control. Most breaches start with a password compromise through a phishing attack or a password-guessing algorithm. And if the compromised party happens to be an admin with super-user credentials, all bets are off.
 
One solution is to use a service that implements end-to-end encryption, where information is encrypted on a client device and never decrypted on a server. The server becomes just a repository for encrypted data. That means that an attacker who gets in through a misconfigured firewall or a breached password ends up with nothing but gibberish.
 
Last fall’s CapitalOne breach was a wake-up call for all of us in information security. There were many lessons to be learned about the vulnerability not just of credit card data but also of other services that centralize plaintext data, like email.
 


I’m a paranoid tech guy. I care a lot about privacy and information security. I also happen to work at PreVeil, which uses end-to-end encryption with no central point of attack to secure email and files. You can reach me at [email protected].