We are at a time in history when data breaches are becoming larger and more frequent. The Equifax breach exposed the personal data of 143 million people. Uber has been in the news this week for hiding a breach of 57 million riders' and drivers' records for over a year (the rotters; if only the fines in GDPR were based on market value rather than annual revenue), and of course there is the Yahoo breach of some 500 million accounts (on top of the earlier breach of at least one billion accounts). It is probably fair to say that if you alone know your personal and sensitive information, you are now in the minority. Someone, somewhere, has access to personally identifiable data on you.
There are some things we the people can do. Use a different user name and password for each service we access, so that an account compromise at one service cannot be replayed against the others. That is pretty hard to do in practice, especially if we are also supposed to change our passwords or pass phrases for every service every month. With the number of services we all use, that is not a realistic expectation (and current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation anyway; the sensible trigger for a change is evidence that the password has been exposed).
We could delegate the task of remembering passwords to a password manager, and we should. But if the manager's own store is compromised (ahem, LastPass), everything then hinges on the strength of the master password and the key derivation protecting the vault, and the attacker can work on it offline at leisure. And even with a password manager, changing passwords is still a largely manual process: for most services it cannot be done automatically on a schedule by the manager. The user with 100 services would still have to go through and update each one by hand every month. It is not going to happen.
We could use two-factor authentication, and we should, but it is rather binary in its approach: either always ask for the second factor before allowing access, or trust this browser, computer, device, or session from now on. If the same person uses the same device to access the same services from the same location, there are few red flags to act on. But when those factors diverge, the anomalies deserve an additional layer of checking that a simple "trusted device" flag does not provide.
In the enterprise IT security space there are risk-based authentication tools that look for anomalous use of login credentials, weighing several threat signals to decide whether additional authentication should be required before access is granted. For example, if a user is logged in from a device in one country and a second login is requested minutes later from a device in another country (so-called impossible travel), that is a signal that something could be amiss, and a higher level of access checking is enforced. Likewise for login attempts at unusual times of the day or night, or from devices the user has never used before. Each login attempt is risk scored before it is approved, challenged, or denied, with alerts to the security team for the denied attempts.
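To make the scoring concrete, here is a small Python scorer of the kind the enterprise tools described above implement. It is an added example written for this post, not code from any vendor product or from the original article. It reads constructed JSON login records (hypothetical data, labelled as such in the code), compares each attempt with the user's last accepted login, adds points for impossible travel, a new country, off-hours activity and an unknown device, and turns the total into an allow, step-up or deny decision. The thresholds, the 900 km/h travel limit and the off-hours window are assumed policy values chosen for the demonstration.

```python
import json
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample log lines (hypothetical data, not from any real system). Times are UTC.
SAMPLE_LOG = """\
{"user": "alice", "ts": "2017-11-22T09:00:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "laptop-1"}
{"user": "alice", "ts": "2017-11-22T09:45:00Z", "country": "US", "lat": 40.7128, "lon": -74.0060, "device": "laptop-1"}
{"user": "alice", "ts": "2017-11-22T22:30:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "phone-9"}
"""

# Policy knobs: assumed values chosen for the demo, not a standard of any kind.
MAX_SPEED_KMH = 900                       # faster than an airliner => impossible travel
OFF_HOURS = set(range(0, 6)) | {22, 23}   # UTC hours treated as unusual for this user base
STEP_UP_AT, DENY_AT = 25, 50              # score thresholds for challenge / refusal


def parse_line(line):
    """Turn one JSON log line into a dict with a timezone-aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(attempt, last_accepted, known_devices):
    """Return (score, reasons) for one attempt, given the user's baseline."""
    score, reasons = 0, []
    if last_accepted is not None:
        dist = haversine_km(last_accepted["lat"], last_accepted["lon"], attempt["lat"], attempt["lon"])
        hours = (attempt["ts"] - last_accepted["ts"]).total_seconds() / 3600.0
        # Impossible travel: the user could not physically have covered the distance.
        # A zero or negative gap (out-of-order or replayed events) with real distance counts too.
        if (hours <= 0 and dist > 50) or (hours > 0 and dist / hours > MAX_SPEED_KMH):
            score += 50
            reasons.append("impossible travel")
        elif attempt["country"] != last_accepted["country"]:
            score += 20
            reasons.append("new country")
    if attempt["ts"].hour in OFF_HOURS:
        score += 15
        reasons.append("off-hours")
    if attempt["device"] not in known_devices:
        score += 25
        reasons.append("unknown device")
    return score, reasons


def decide(score):
    """Map a risk score onto the three outcomes the text describes."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def assess_stream(lines, known_devices):
    """Score log lines in order. The per-user baseline is updated only from
    attempts allowed outright; a step-up would be recorded once the second
    factor succeeds, and a denied attempt must never move the baseline."""
    last_accepted, results = {}, []
    for line in lines:
        if not line.strip():
            continue
        attempt = parse_line(line)
        user = attempt["user"]
        score, reasons = score_login(attempt, last_accepted.get(user), known_devices.get(user, set()))
        decision = decide(score)
        if decision == "allow":
            last_accepted[user] = attempt
        results.append((user, decision, reasons))
    return results


def run_demo():
    """Run the constructed sample with laptop-1 pre-enrolled as alice's known device."""
    return assess_stream(SAMPLE_LOG.splitlines(), {"alice": {"laptop-1"}})


if __name__ == "__main__":
    for user, decision, reasons in run_demo():
        print(f"{user}: {decision} {reasons}")
```

On the constructed sample the first login is allowed, the second is denied because London to New York in 45 minutes is far beyond the travel limit, and the third (late evening, unfamiliar phone) gets a step-up challenge rather than a refusal. The point of keeping the reasons alongside the score is that the denied attempts are exactly what the alerting in the paragraph above should carry to the security team.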
I wonder whether those enterprise-oriented tools could be used at cloud scale, or at Internet scale, to watch for anomalous use of personal and sensitive personal information?
Or what about this idea: the fraud-scoring that credit card companies already do with machine learning to flag suspicious card transactions could be turned around so that we the people can spot fraudulent use of our compromised personal data or account credentials.