Wednesday, April 06, 2011

why the epsilon breach shouldn't be an issue

the epsilon breach (where an email marketing company that does business with a veritable who's who of big name corporate brands and financial institutions lost the names and email addresses of the customers of those companies) seems to be on everyone's mind recently, and to tell the truth i find that kind of strange.

it's not as though i'm under any illusion about it not being able to affect me. a colleague of mine at work got a notification about the breach affecting him so while i haven't received one yet myself, the possibility of receiving one certainly exists. yet i find myself completely unconcerned about the possibility. why? because i took steps to protect myself proactively (steps my colleague knew he should have taken, such that he now wishes he'd been more vigilant).

i have been using disposable email addresses since the fall of 2004. with them i've managed to keep any email accounts i created after that point completely spam free for the past 6 1/2 years, i've come up with a sender authentication protocol to foil phishing, and as it happens i've recovered from email breaches in the past in mere moments.

and that's the reason a breach like epsilon is a non-issue to me. not only is it old hat, recovering is as simple as logging into the disposable email provider and clicking disable or delete (depending on the provider) for each compromised address, and then going on about the rest of your day.

it's dead simple to recover from the breach of something when that something happens to be disposable - you simply dispose of it. what i don't understand is, why aren't more people and especially more security practitioners doing the same thing? why hand out your real personal contact information like candy on halloween if you don't have to (and believe me, you don't have to)? even if you decide you still want to do business with these companies who saw fit to hand your contact information over to a marketing company (hey, you're already their customer, why do they need to keep trying so hard to sell to you?), it's a heck of a lot easier to make a replacement disposable email address than it is to make a replacement real email address. just a couple of clicks and some random typing (or just mash keys if you prefer); no captcha, no verification, no profile info, you filled that all out when you created an account at the disposable email provider in the first place.
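
the recovery described above, as an added example that is not part of the original post: a small python model of one disposable address per company, where a breach is handled by disposing of the affected address and issuing a replacement. the provider domain `alias.example`, the company names and the `classify` check are assumptions made for illustration; the post does not describe the author's own sender authentication protocol, and this is not it.

```python
import secrets

ALIAS_DOMAIN = "alias.example"  # hypothetical disposable-address provider domain


class AliasBook:
    """One disposable address per company, so a leak is contained and traceable."""

    def __init__(self):
        self.aliases = {}  # alias -> {"issued_to": company, "active": bool}

    def issue(self, company):
        # random local part: knowing one alias reveals nothing about the others
        alias = f"{secrets.token_hex(6)}@{ALIAS_DOMAIN}"
        self.aliases[alias] = {"issued_to": company, "active": True}
        return alias

    def classify(self, rcpt, claimed_sender):
        """Judge inbound mail by which alias it arrived at (assumed check)."""
        entry = self.aliases.get(rcpt)
        if entry is None or not entry["active"]:
            return "reject"            # disposed-of or never-issued address
        if entry["issued_to"] != claimed_sender:
            return "suspicious"        # alias leaked, or sender is not who it claims
        return "expected"

    def recover(self, breached_companies):
        """Dispose of every alias given to a breached company; issue replacements."""
        replacements = {}
        for alias, entry in list(self.aliases.items()):
            if entry["active"] and entry["issued_to"] in breached_companies:
                entry["active"] = False
                replacements[entry["issued_to"]] = self.issue(entry["issued_to"])
        return replacements


def demo():
    # constructed sample data: two companies, one of which is later breached
    book = AliasBook()
    bank = book.issue("bank.example")
    shop = book.issue("shop.example")
    before = [book.classify(bank, "bank.example"),   # the bank writing to its alias
              book.classify(bank, "shop.example")]   # someone else using that alias
    new = book.recover({"bank.example"})
    after = [book.classify(bank, "bank.example"),    # old alias is dead
             book.classify(new["bank.example"], "bank.example"),
             book.classify(shop, "shop.example")]    # unaffected alias keeps working
    return before, after
```

whoever obtains both an address and the name of the company it was given to (as in the epsilon case) can still send mail that `classify` reports as expected, which is why disposing of the address is the actual fix.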

cory doctorow gave a short talk about kids and privacy and he mentioned that they're being trained to not value their privacy, in part by over protective parents who prevent them from learning how to protect themselves. i don't think kids are the only ones who've been so trained. one of the most regrettable schools of thought that i've seen displayed from users all the way up to security pros is the one that says 'they are (or are supposed to be) protecting me'. there is a profound absence of self-reliance in favour of letting protection be the responsibility of someone else.

most people wouldn't hand their phone number out to every tom, dick, or harry they meet on the street, but when it comes to email addresses somehow people think the rules are different. they trust everyone who asks for it and expect everyone to protect it for them instead of protecting it themselves. this is an absurd position to take, but authorities (ie. people who are supposed to know better) have groomed the masses to systematically take just that position when it comes to anything that has to do with online protection.

i'm not holding my breath but, considering the scope of the epsilon breach, maybe some people will start to think:
"well if you're going to protect me from the bad guys, who's going to protect me from you?"
i know, i'm probably being too optimistic, but surely some people out there will see this incident and realize how truly pervasive the mishandling of personal information is by the people we entrust it to. dozens of companies handed that data over to one completely unnecessary entity which then became a single point of failure, and because most people weren't protecting themselves from those companies (either their intentional bad acts or their ineptitude) many people are now at much greater risk of falling victim to targeted phishing and other related attacks.

a clever reader would probably realize that entrusting your real email address to a disposable email provider is still expecting that provider to protect it for you. the thing is, instead of trusting many entities with your data, under this model you're only trusting one. you also don't have to trust them with the same address you use for personal correspondence (which would be the hardest kind of address to change); i certainly don't.


Brian Krebs said...

Hi Curt. Thanks for the link. You might be interested to know that I published another column today describing steps people can take to minimize the problem from breaches like this. One of the big ones I mention is creating a throwaway account.

kurt wismer said...

"a" throwaway account? oh, brian, one could do so much better than that.