Whenever new technologies are introduced, the issue of security is always of paramount importance. Especially today, as more and more parts of our lives are absorbed into an interconnected world, it is vital that we should retain control of our own data and be protected from others who seek to invade our privacy without our consent or use our identities for their own purposes (usually to our detriment).
The media regularly tell us how dire the current security situation is. Articles and TV documentaries – frequently sensationalised – love to pull new technologies to pieces, unsettling their readers or viewers. This often results in a negative mindset, especially among anxiety-prone Germans.
No doubt many of these presentations are justified; certainly there is plenty of potential for improvement in various areas of IT security. This applies, for example, to many of the IoT (Internet of Things) devices used for home networking purposes, designed to be remote-controlled by users. The reasons for these – sometimes flagrant – security loopholes are, first, the time pressure on developers to keep “time to market” as short as possible, and second, inadequate knowledge of security technologies, resulting in products with critical vulnerabilities. This is especially commonplace when cryptographic technologies are used, such as encryption or digital signatures.
Several reports from the smartphone industry highlight instances where e.g. fingerprint or iris scanners have been outwitted. In principle, the reasons are identical to those listed above, with one addition: Cost pressures often prompt manufacturers to install components that are not hardened to the required level of security, such as fingerprint scanners that respond to excessively coarse resolutions. Another example: Procedures used in online and mobile banking are constantly being undermined. The list of examples is potentially endless.
Unfortunately, reports are often presented in the media in such a way that inexperienced users are unable to properly assess the significance of the information, so tend to overestimate the negative aspects accordingly. In addition, one sometimes has the impression that the purveyors of this information themselves have not correctly understood what they are reporting on. For example, journalists rarely mention that the vulnerabilities they describe can only be exploited in very specific circumstances that are simply not relevant to the vast majority of users.
As a rule, the reports focus on portraying the alleged hazards of the technologies using dramatic examples accompanied by expert commentaries. By the end, the reader or viewer is usually convinced that the technology in question is not secure. In the vast majority of cases, however, these reports fail to mention a fundamental principle: No technology can ever be 100% secure!
Even if a technology is secure at a given moment in time, this may change at a later date, e.g. because a new technology or method has been developed that is capable of overriding existing security mechanisms. One example of this is cryptography, regularly disrupted by increases in computing power, as well as the development of quantum computers.
To illustrate the problems associated with technology-based security, let us take a closer look at the Threema messaging service, renowned for its high level of security. Messaging partners using Threema are assigned to one of three security rankings. The most secure ranking is only achieved if both messaging partners have confirmed their identities by exchanging personal keys. The Threema app displays the key as a QR code on the first user’s screen, and the second user then scans it using his or her own Threema app. Thus the physical presence of both messaging partners represents an additional element of security in the authentication process. However, this physical presence is not double-checked at the technical level. Both partners could also take photos of their QR codes and e-mail them to each other, meaning that third parties could also gain possession of this information.
Thus Threema’s security does not depend on technology alone. Instead, messaging partners must follow a predefined process that relies on mutual authentication. Both partners must be familiar with and comply with this process. Otherwise the security of their messaging link cannot be guaranteed, even though the app indicates that it is secure.
This example demonstrates that security cannot be assured by technology alone. True security requires two components: the human being, and the organisation. The human being must – by his/her knowledge, mindset and resulting behaviour – assist in ensuring that the technology is used securely, as in the example above. If s/he is unaware of the authentication process, or does not care, or fails to adhere to it (e.g. for reasons of convenience), then the technology cannot be used securely. The organisation, on the other hand, must define the processes for ensuring (as far as possible) that the technology is used securely, and provide the associated control mechanisms. Thus security can only be implemented through the coordinated interaction of technology, human beings and organisation. Technology alone cannot guarantee security.
The biometric methods that are rapidly gaining in popularity are another example. Multiple examples have been published of ingenious criminals successfully fooling fingerprint scanners, facial recognition systems, iris scanners and palm vein scanners. In some cases, high-quality devices were involved. However, if one takes a closer look at the (often very sophisticated) attacks, it becomes clear that they were usually made in eminently preventable circumstances. For example, an attacker who is left completely alone with a fingerprint scanner, and is under no time pressure, has many more opportunities to make a successful attack than if the process took place in a supervised area where unusual behaviour would immediately cause the process to be aborted.
So in practical terms, it makes sense to create processes that correspond to the level of security required by the relevant application. To ensure users comply with these processes, control mechanisms should also be put in place.
As mature users, human beings must assume responsibility for their behaviour and actions. The more important technology becomes in the lives of individuals, the more reasonable it is to expect users to have the knowledge required to handle this technology effectively. Ultimately, it is up to each individual to decide whether this should result in security-aware behaviour, but in any case, users should in certain circumstances also take responsibility for the consequences of what they do (or fail to do).
With this in mind, it would be beneficial to discuss the whole theme of security more openly. Hence the fact that reports of security flaws and loopholes place pressure on manufacturers is in certain respects a good thing, in that it encourages them to invest more heavily in product security. On the other hand, reports that neglect to mention the fact that technology alone cannot guarantee adequate security may rapidly result in undesirable outcomes. One possible outcome, for example, would be to scare off potential users and create a climate of mistrust in technology. And if too much pressure is placed on manufacturers, they could react by overloading their products with security functions, so that users cease to find them convenient and they effectively become unusable.
In this sense, it would be helpful if reports not only focused on – often far-fetched – security issues, but also provided greater clarity concerning each user’s personal contribution to security, together with tips on the most secure ways to use the relevant technology. Simply deterring users from using security would be the worst outcome of all.