Ever since Facebook acquired WhatsApp (in 2014) I have wondered how long it would take before we found that our supposedly “end to end encrypted” messages were being mined by Facebook for its own purposes.
It has been a while coming, but I think it is now clear that end to end encryption in WhatsApp isn’t really the case, and will definitely be less secure in the future.
Over a year ago, Gregorio Zanon described in detail why end-to-end encryption didn’t really mean that Facebook couldn’t snoop on all of the messages you exchanged with others. There has always been a difference between one-to-one messages and group messages in WhatsApp, and in how the encryption is handled for each. For details of how it is done in WhatsApp, see the detailed write-up from April 2016.
Facebook’s model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.
Some years ago, I happened to be in India, and at a loose end, and accompanied someone who went to a Government office to get some work done. The work was something to do with a real-estate transaction. The Government office was the usual bustle of people, hangers-on, sweat, and the sounds of people talking on telephones, and the clacking of typewriters. All of that I was used to, but there was something new that I’d not seen before.
At one point documents were handed to one of the ‘brokers’ who was facilitating the transaction. He set them out on a table, and proceeded to take pictures. Aadhar Card (an identity card), PAN Card (tax identification), Drivers License, … all quickly photographed – and this made my skin crawl (a bit). Then these were quickly sent off to the document writer, sitting three floors down, just outside the building under a tree at his typewriter, generating the documents that would then be certified.
And how was this done: WhatsApp! Not email, not on some secure server with 256 bit encryption and security, just WhatsApp! India in general has a rather poor security practice, and this kind of thing is commonplace, people are used to it.
So now that Facebook says they are going to be intercepting and decrypting all messages and potentially sending them off to their own servers, guess what information they could get their hands on!
It seems pointless to expect that US regulators will do anything to protect consumers ‘privacy’ given that they’re pushing for weakening communication security themselves, and it seems like a foregone conclusion that Facebook will misuse this data, given that they have no moral compass (at least not one that is functioning).
This change has far-reaching implications and only time will tell how badly it will turn out but given Facebook’s track record, this isn’t going to end well.
We all know how service providers validate the identity of callers. But, how do you validate the identity of the service provider on the other end of the telephone? In the area of computer security, the inexact challenge response mechanism is a useful way of validating identities; a wrong answer and the response to a wrong answer tell a lot.
Service providers (electricity, cable, wireless phone, POTS telephone, newspaper, banks, credit card companies) are regularly faced with the challenge of identifying and validating the identity of the individual who has called customer service. They have come up with elaborate schemes involving the last four digits of your social security number, your mailing address, your mother’s maiden name, your date of birth and so on. The risks associated with all of these have been discussed at great length elsewhere; social security numbers are guessable (see “Predicting Social Security Numbers from Public Data”, Acquisti and Gross), mailing addresses can be stolen, mother’s maiden names can be obtained (and in some Latin American countries your mother’s maiden name is part of your name) and people hand out their dates of birth on social networking sites without a problem!
(Image: bogus parking ticket)
So, apart from identity theft by someone guessing at your identity, we also have identity theft because people give out critical information about themselves. Phishing attacks are well documented, and we have heard of the viruses that have spread based on fake parking tickets.
Privacy and Information Security experts caution you against giving out key information to strangers; very sound advice. But, how do you know who you are talking to?
Consider these two examples of things that have happened to me.
1. I receive a telephone call from a person who identifies himself as being an investment advisor from a financial services company where I have an account. He informs me that I am eligible for a certain service that I am not utilizing and he would like to offer me that service. I am interested in this service and I ask him to tell me more. In order to tell me more, he asks me to verify my identity. He wants the usual four things and I ask him to verify in some way that he is in fact who he claims to be. With righteous indignation he informs me that he cannot reveal any account information until I can prove that I am who I claim to be. Of course, that sets me off and I tell him that I would happily identify myself to be who he thinks I am, if he can identify that he is in fact who he claims to be. Needless to say, he did not sell me the service that he wanted to.
2. I call a service provider because I want to make some change to my account. They have “upgraded their systems” and, having looked up my account number and having “matched my phone number to the account”, they put me through to a real live person. After discussing how we will make the change that I want, the person then asks me to provide my address. Ok, now I wonder why that would be? Don’t they have my address? Surely they’ve managed to send me a bill every month.
“For your protection, we need to validate four pieces of information about you before we can proceed”, I am told.
The four items are my address, my date of birth, the last four digits of my social security number and the “name on the account”.
Of course, I ask the nice person to validate something (for example, tell me how much my last bill was) before I proceed. I am told that for my own protection, they cannot do that.
Computer scientists have developed several techniques that provide “challenge-response” style authentication where both parties can convince themselves that the other is who they claim to be. For example, public-key/private-key encryption provides a simple way in which to do this. Either party can generate a random string and provide it to the other, asking the other to encrypt it using the key that only they hold. The encrypted response is returned to the sender, and that is sufficient to guarantee that the peer does in fact possess the appropriate “token”; the secret itself is never spoken aloud.
In the context of a service provider and a customer, there would be a mechanism for the service provider to verify that the “alleged customer” is in fact the customer who he or she claims to be but the customer also verifies that the provider is in fact the real thing.
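The mutual exchange described above, as an added example that is not from the original post. It stands in for the public-key scheme with a simpler shared-secret variant: an account token registered when the account was opened, which neither side ever sends; each proves possession by answering a fresh random challenge with an HMAC over it. The customer challenges first, so the provider must prove itself before the customer reveals anything, which is exactly the deadlock in the phone calls above. The token, role tags, nonce size and function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed example token. In a real deployment this is a per-account
# secret shared at enrolment and never spoken, typed or mailed afterwards.
ACCOUNT_TOKEN = secrets.token_bytes(32)

PROVIDER = b"provider"
CUSTOMER = b"customer"


def make_challenge() -> bytes:
    """Fresh 128-bit random nonce; a new one for every call, never reused."""
    return secrets.token_bytes(16)


def respond(token: bytes, role: bytes, received: bytes, sent: bytes) -> bytes:
    """Prove possession of `token` for the challenge we `received`.

    The answer also covers the challenge we `sent` and our `role`, so it
    cannot be replayed into a later call (different nonces) or reflected
    back at us as if it were the other side's answer (different role).
    """
    return hmac.new(token, role + received + sent, hashlib.sha256).digest()


def verify(token: bytes, peer_role: bytes, we_sent: bytes,
           we_received: bytes, response: bytes) -> bool:
    """Check the peer's answer to the challenge `we_sent` (the peer's own
    challenge is `we_received`). Constant-time compare: the only thing a
    wrong answer learns is "no", with no hint about how close it was."""
    expected = hmac.new(token, peer_role + we_sent + we_received,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_call(customer_token: bytes, provider_token: bytes) -> dict:
    """Simulate one support call between a customer and a provider that
    each hold the given token. Returns what each side concluded."""
    c_nonce = make_challenge()          # customer -> provider: "prove it"
    p_nonce = make_challenge()          # provider -> customer: its own challenge
    p_resp = respond(provider_token, PROVIDER, c_nonce, p_nonce)
    provider_ok = verify(customer_token, PROVIDER, c_nonce, p_nonce, p_resp)
    if not provider_ok:
        # The customer hangs up without answering, so an impostor provider
        # learns nothing about the account.
        return {"provider_authentic": False, "customer_authentic": None}
    c_resp = respond(customer_token, CUSTOMER, p_nonce, c_nonce)
    customer_ok = verify(provider_token, CUSTOMER, p_nonce, c_nonce, c_resp)
    return {"provider_authentic": True, "customer_authentic": customer_ok}


def replay_is_rejected(token: bytes) -> bool:
    """A provider's answer captured on one call is useless on the next,
    because the customer's challenge is fresh each time."""
    c1, p1 = make_challenge(), make_challenge()
    captured = respond(token, PROVIDER, c1, p1)
    c2 = make_challenge()               # next call, new customer challenge
    return not verify(token, PROVIDER, c2, p1, captured)


if __name__ == "__main__":
    print("genuine call:", run_call(ACCOUNT_TOKEN, ACCOUNT_TOKEN))
    print("impostor provider:", run_call(ACCOUNT_TOKEN, secrets.token_bytes(32)))
    print("replay rejected:", replay_is_rejected(ACCOUNT_TOKEN))
```

The design point is that proving possession of the token costs the provider nothing: its answer reveals nothing about the token, so there is no reason for it to insist the customer goes first. An agent who can only say "that's not what I have" (and nothing more) is behaving like `verify` above; an agent who offers hints is leaking the secret one guess at a time.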
The risks in the first scenario are absolutely obvious; I recently received a text message (vector) that read
“MsgID4_X6V…@v.w RTN FCU Alert: Your CARD has been DEACTIVATED. Please contact us at 978-596-0795 to REACTIVATE your CARD. CB: 978-596-0795”
A quick web search does in fact show that this is a phishing event. Whether anyone has tracked that phone number down and found out if it belongs to a poor unsuspecting victim or to a perpetrator, I am not sure.
But, what does one do when in fact they receive an email or a phone call from a vendor with whom they have a relationship?
One could contact a psychic to find out if it is authentic, like check the New England SEERs.
But, what does one do if a psychic isn’t readily available? Doesn’t it make sense for service providers (who are concerned about my privacy and information security) to come up with a mechanism by which they can identify themselves to a customer?
A simple thing that each of us can do!
Most service providers treat this question-and-answer session as a formality; if you give them a wrong answer they will give you a couple of tries till you get it right (that in itself should tell you how serious they are about this stuff). More specifically, look at the following exchanges. When I set up my relationship with this provider, here is what I provided them.
My name: <My Name>
Passphrase for account: <some reasonable passphrase, say “heinz58”>
My mother’s maiden name: <made something up, let’s say “Hoover Bissell”, the vacuum cleaner happened to be nearby that day>
Last four digits of SSN: <they only asked for the last four, so they weren’t doing a credit check; they got a random string like 2007 (the year when I set up the account)>
Date of Birth: <none of their business, Feb 29, 1946. Really, I’m an old fart and I’m amused how many people accept that date>
Intentionally incorrect responses are marked with an asterisk (*).

Exchange 1 (left):

Agent: For your security please verify some information about your account. What is your account number?
Me: Provide my account number
Agent: Thank you, could you give me your passphrase?
Me: ketchup *
Agent: Thank you. Could you give me your mother’s maiden name?
Me: Hoover Decker *
Agent: Thank you. And the last four digits of your SSN?
Me: 2004 *
Agent: Just one more thing, your date of birth please.
Me: February 14th 1942 *
Agent: Thank you

Exchange 2 (right):

Agent: For your security please verify some information about your account. What is your account number?
Me: Provide my account number
Agent: Thank you, could you give me your passphrase?
Me: ketchup *
Agent: That’s not what I have on the account
Me: Really, let me look for a second. What about campbell? *
Agent: No, that’s not it either. It looks like you chose something else, but similar.
Me: Oh, of course, Heinz58. Sorry about that
Agent: That’s right, how about your mother’s maiden name?
Me: Hoover Decker *
Agent: No, that’s not it.
Me: Sorry, Hoover Bissell
Agent: That’s right. And the last four of your social please
Me: 2007
Agent: Thank you, and the date of birth
Me: Feb 29, 1946
Agent: Thank you
The exchange on the right really validated that the agent was in fact the company they claimed to be. It appears that most companies are similarly lax with their security, and the question-and-answer session is as much a challenge-response as the question-and-answer session on the NPR show “Wait Wait, don’t tell me; the NPR news quiz”. Hints are common. I am not sure whether this is lax by accident or by design. If it is the former, it is unfortunate. But if it is by design, I am very impressed.
The one on the left is a reasonable indication that the person on the other side either is a fraud or is giving you no indication that they have received the wrong answers (that has NEVER happened to me). I have had at least two situations where the former has occurred (see below).
Why is this relevant?
Here is what happened this morning. I called a service provider because I saw an advertisement on cable TV about a service that I could receive. The number that was provided was not the number that I had on my bill but heck, the provider in question was my cable company! So, I called the number they provided. They gave a URL in the advertisement as well but that site was “temporarily unavailable”.
Agent: For your security please verify some information about your account. What is your account number?
Me: Provide my account number
Agent: Thank you, could you give me your passphrase?
Me: ketchup
Agent: Thank you. Could you give me your mother’s maiden name?
Me: Hoover Decker
Agent: Thank you. And the last four digits of your SSN?
Me: 2004
Agent: Just one more thing, your date of birth please.
Me: February 14th 1942
Agent: Thank you. Could you verify the address to which you would like us to ship the package?
(At this point, I’m very puzzled and not really sure what is going on)
Me: Provided my real address (say 10 Any Drive, Somecity, 34567)
Agent: I’m sorry, I don’t see that address on the account, I have a different address.
Me: What address do you have?
Agent: I have 14 Someother Drive, Anothercity, 36789.
The address the agent provided was in fact a previous location where I had lived.
What has happened is that the cable company (like many other companies these days) has outsourced the fulfillment of the orders related to this service. In reality, all they want is to verify that the account number and the address match! How they had an old address, I cannot imagine. But if the address had matched, they would have mailed a little package out to me (it was at no charge anyway) and no one would have been any the wiser.
But, I hung up and called the cable company on the phone number on my bill and got the full fourth-degree. And they wanted to talk to “the account owner”. But, I had forgotten what I told them my SSN was … Ironically, they went right along to the next question and later told me what the last four digits of my SSN were 🙂
Someone said they were interested in the security and privacy of my personal information?
We people born on the 29th of February 1946 are very skeptical.