Early October in Paris. The weather is great and we just finished the first day of our ng Connect member event themed around transportation. The first day of these two-day sessions is usually labeled “education day”, as we get industry experts to speak about the trends and problems in their sector. It’s great learning material for attending members, and fresh perspective and candid feedback for the experts. Stéphane Garson of Altran threw a perfect first pitch as he delivered a great keynote on air transportation, followed by presentations from Peugeot, Transdev, CDC and ADEME to name a few.
It was in a rather upbeat mood that I went back to my hotel room to check my emails and US news. That’s how I found out about the theft of data from no less than 16 million mobile customers. I did not have all the details, but read that it was not the mobile provider’s infrastructure itself that was compromised, but a server from one of the credit reporting agencies. Stolen data included names, email and physical addresses, social security numbers, and more. Allegedly no account, credit card or other sensitive financial information was retrieved.
As an impacted customer I was – and still am – quite upset. And I don’t know if it’s more by the fact that companies can run credit checks on our backgrounds just like that, or by the fact that one of the three organizations that can make the sun shine or make it rain on so many important aspects of your life (buying a car, a house, getting a new credit card, a new phone etc.), and that you would expect to be totally secure, is in fact just as vulnerable as your Ashley Madison next door.
When you think about it, it is even more revolting taking into account that you are charged when you want to access your own information (notwithstanding the free copy you’re “entitled” to once a year). To make matters worse, if you happen to simply request this information too often (shopping for mortgages or other financial facilities), you actually degrade your credit rating, even if none of this access resulted in contracting new debt or liability. Credit reporting is probably a great business model, but a horrible user experience. These types of situations usually tend not to last…
Well, gone was the upbeat mood, reborn the frustration and anger at some of the misguided practices of the financial ecosystem. And I am not talking about fiscal evasion, obscure financial mechanisms, embezzlements or Ponzi schemes here. I am talking about “simple” things like mortgage contracting and refinancing. And I have an unpleasant – yet unfortunately not unique – recent experience to relate there.
If you recall, there was a lot of hype this summer about the Federal Reserve raising its rates this fall in light of a stronger US economy. Like many others, I thought it’d be the right time to refinance a mortgage that we contracted just a year ago, as we acquired our new house. Instead of relying on a broker as we did the first time – where speed was of the essence – I decided to shop around for rates and got quotes from various companies, including our bank.
As they all came back relatively close, I basically retained two options: the cheapest quote from an online mortgage company or contracting a mortgage from our bank. Interestingly, my intuition was to go with our bank, even though it was a more expensive deal (higher closing costs and about .3 higher APR) because it would act both as the originator and mortgage servicing party, and because we would have someone to physically go to if anything happened. Plus, I did not like our initial mortgage being transferred to a new mortgage servicing company just 6 months after closing.
Listen to your intuitions!
Is that what I did? Of course not.
I like to try new things – maybe because I work in an innovation environment, and I do tend to be accepting of glitches, knowing full well that they happen whenever you launch new products or services. So I took a good look and spent quite some time on the phone with their sales representative to capture the value proposition (beyond simply the better APR) of the online company. One argument struck home: the simplicity and speed of the process, as all the transactions could be concluded online. I still had in mind the countless documents, meetings with our broker, signatures we had to go through for the mortgage a year ago.
So let’s go! We got our Good Faith Estimate right away and the appraisal was performed hurriedly thereafter (at our expense obviously). Then we received a link to a “secure” – will I always use the word secure between quotes from now on? – portal where we could electronically sign and upload documents. Things were going rather smoothly as both my wife and I followed the instructions. Too smoothly for our liking, as the mortgage company started blindly calling my wife’s work to verify her employment situation, which resulted in a rather embarrassing email thread. Think about an email from a mortgage company circulating between your HR, operations and then your department and your boss to find out if you work there… They offered a half-hearted apology, almost like my son when we reprimand him on poor conduct. Too smoothly again, when we received a letter from our home insurance company saying they changed our policy and assigned the mortgage to the new company. Not only was the mortgage not closed, but we did not give explicit approval! Again, I would have let it go, and viewed that as an effort of a young and growing company to get things done fast in the interest of the customer. That is if we had been able to close the deal…
Enter the UNDERWRITER. I like the full caps spelling – kind of DEATH in Terry Pratchett’s Discworld novels. All of a sudden, we started getting requests for additional information, bank statements, ID documents etc. I still have the folder on my PC: 48 MB of scanned documents. I was almost making the case for 10 Gb/s access to the home. And still more. I had a business in France that I – quite logically – closed upon relocating to the US in 2013. I sent them the official creation and dissolution acts: simple one-page statements with official seals. Any pair of eyes could clearly read my name, the name of the business and the date. But they wanted me to go seek a translator and obtain a certified translation of the document. Not even the USCIS requested anything like that. I said no. If they need the translation they can go and get it themselves. I provided the original piece. And what did they do? They sent me an email asking me if I wouldn’t mind asking my CPA to write a statement on company letterhead that the entity in France was indeed dissolved. I believe dumbfounded is the word for my reaction. What a pathetic attempt to find a potential scapegoat or throat to choke should something go wrong. I left my CPA (who knows nothing about this past business) out of this and we backed out of the process and all our dealings with this mortgage company there. I am monitoring my credit card statement to make sure that no “processing fee” suddenly gets charged.
In all this, I have not told you how solid our case was. We paid over 70% of the house value upfront, it was appraised 15% higher than what we paid for it, my wife and I both work etc. All of this was documented and it was not enough to earn the trust of the UNDERWRITER. I hope for their sake that all other cases are better than ours, but I somehow doubt it.
In the end, I am glad that it didn’t work out. After all this, there is no way I could trust this company. Yet they have collected so much personal information about my wife and me that it leaves me worried. The fact that they did not respond to my request to find out how they subsequently handled this data does not help. But I also won’t deny that it hurt – it always does, when you are earnest and your word is doubted, especially by someone hiding behind layers of administrative contacts and processes. This UNDERWRITER never bothered talking to me, it was not his job to verify my information, or was it?
Shake it off and move on. Back from France, and back to work. The jet lag and ng Connect projects keep my mind occupied. And then I receive a letter. A campaign mail for Lifelock identity protection. At $9/month! Well the first month may have been for free. I did not read the details – my eyes saw red! – maybe I should have. Would this plan cover the entire family or is it per individual? But paying to protect against theft of your identity! I don’t think it can actually be stolen – you are who you are, aren’t you? – but most certainly usurped by leveraging personal information or credentials/authentication tokens, which are far more likely to be stolen from systems not under your control.
My computer cannot be trusted. Can your website be trusted? Can your application be trusted? Can your datacenter be trusted? As standard defenses (firewalls, antivirus, malware detection, intrusion detection, data encryption etc.) have improved and can now negate all but the most sophisticated attacks, I would contend that it becomes less attractive for hackers to randomly target end users to collect random data. Why not rob data banks instead? There are so many of them nowadays, with apps, e-commerce platforms and other websites collecting our data and putting them somewhere in the cloud. Is it a surprise that there are continuous reports about businesses, institutions and corporations being hacked? They are easier and more lucrative targets.
It seems to me that the burden of trust should shift from the user to the provider. I would be literally delighted to see my providers proactively tell me how they value and protect my business and information. I would like to know that my utility provider, my bank, my insurance company etc. take security measures and I would like to make sure they pay particular attention to where and how my data is stored and who is granted access to it. As an impacted customer I would like a letter explaining what steps are taken so that the recent breach won’t be reproduced. I did not get such a letter. Does it mean my information was not concerned? I’d be very happy to find out.
At ng Connect, as part of the work we’re doing in financial services, but applicable way beyond, we have had several conversations about how to secure information and data centers. Usually we would look at network access control and other security mechanisms, but more recently we’ve been toying with a few different ideas.
The first one is all about distribution. Files should be encoded and distributed in various data chunks on the file system. The file system itself should be distributed across multiple virtual and physical machines within the data center. And now, with broadband speeds as high as 10 Gbps becoming routinely available, data can be spread across multiple data centers in different geographies. The result is better reliability (redundancy / disaster recovery) and better security, as an attacker would need to successfully and almost simultaneously penetrate multiple data centers to obtain, reassemble and decrypt sensitive information.
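One concrete way to get both properties at once, as an added example that is not code from this post or from ng Connect: Shamir's threshold secret sharing (a scheme chosen here for illustration; the post does not name one) splits a record into n shares, one per data center, so that any k rebuild it and fewer than k reveal nothing. The function names, the 3-of-5 layout and the sample record are assumptions.

```python
import secrets

P = 257  # smallest prime above 255, so every byte value fits in the field

def eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(data: bytes, n: int, k: int) -> dict:
    """Return {site_id: share}. Any k shares rebuild data; fewer reveal nothing."""
    if not 1 < k <= n < P:
        raise ValueError("need 1 < k <= n < 257")
    shares = {site: [] for site in range(1, n + 1)}
    for byte in data:
        # Fresh random degree-(k-1) polynomial per byte; its constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for site in shares:
            shares[site].append(eval_poly(coeffs, site))
    return shares

def combine(shares: dict, k: int) -> bytes:
    """Rebuild data by Lagrange interpolation at x = 0 from k reachable sites."""
    if len(shares) < k:
        raise ValueError("fewer than k sites reachable; record cannot be rebuilt")
    xs = sorted(shares)[:k]
    out = bytearray()
    for i in range(len(shares[xs[0]])):
        total = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num = num * (-xm) % P
                    den = den * (xj - xm) % P
            total = (total + shares[xj][i] * num * pow(den, -1, P)) % P
        out.append(total)
    return bytes(out)

if __name__ == "__main__":
    record = b"name=Jane Doe;ssn=000-00-0000"     # constructed sample record
    sites = split(record, n=5, k=3)               # five data centers, any three suffice
    survivors = {s: sites[s] for s in (2, 4, 5)}  # two sites down or unreachable
    print(combine(survivors, 3))
```

Share values here range over 0..256 and so need more than one byte each; a production design would typically work in GF(256) and split only an encryption key, dispersing the ciphertext separately.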
The second idea is about making the entire system – not just the storage piece – dynamically distributed across multiple data centers. The network and the data center are now fast enough to instantly (ok that’s relative) provision new machines. The idea would consist of virtual machine hopping, where applications, databases and storage would run on multiple virtual machines that would be moved, deleted and recreated with different network parameters, according to sequences and patterns known only to authorized clients (not unlike frequency hopping in wireless communications). The networking automation of data centers via SDN solutions as well as the growing speed of data center interconnections (way beyond the 10 Gbps access technologies) make this an interesting and potentially viable use case.
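The hopping schedule described above, sketched as an added example that is not code from this post or from ng Connect: the client and the orchestrator each derive the endpoint for a time slot from a shared secret with HMAC-SHA256, much as TOTP derives one-time codes, so an observer without the secret cannot predict the next location. The address pool, port range, 30-second slot and function names are assumptions.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 30  # assumed hop interval
# Constructed pool: documentation-range addresses standing in for VM slots
# spread over several data centers.
POOL = ["192.0.2.10", "192.0.2.11", "198.51.100.20", "198.51.100.21", "203.0.113.30"]
PORT_LO, PORT_HI = 20000, 60000

def endpoint_for_slot(secret: bytes, slot: int):
    """Map a slot number to (address, port) using HMAC-SHA256 as a keyed PRF."""
    digest = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    host = POOL[int.from_bytes(digest[:8], "big") % len(POOL)]
    port = PORT_LO + int.from_bytes(digest[8:16], "big") % (PORT_HI - PORT_LO)
    return host, port

def current_endpoint(secret: bytes, now: float):
    """Client side: where the service lives right now, by the client's clock."""
    return endpoint_for_slot(secret, int(now) // SLOT_SECONDS)

def accepted_endpoints(secret: bytes, now: float, skew_slots: int = 1):
    """Orchestrator side: endpoints to keep alive, including neighbouring
    slots so a client whose clock is slightly off is not locked out."""
    slot = int(now) // SLOT_SECONDS
    return {endpoint_for_slot(secret, s)
            for s in range(slot - skew_slots, slot + skew_slots + 1)}

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    now = 1_700_000_000                  # fixed timestamp so the run is repeatable
    print("client connects to:", current_endpoint(secret, now))
    print("orchestrator keeps:", sorted(accepted_endpoints(secret, now)))
```

The skew window is the trade-off to tune: a wider window tolerates worse clocks but keeps more endpoints exposed at any moment.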
In law, the burden of proof falls upon the prosecution: we are innocent until proven guilty. And not only that, but throughout the entire process, law enforcement and judicial systems at every level (police, correction officers, prosecution, courts etc.) should be beyond reproach.
In business, I’d like to be considered a “bankable” customer until proven otherwise – after all, a restaurant does not ask for a credit report before serving you a beer. And I expect all these providers who probe my identity, solvency, honesty, to be equally beyond reproach in the way they handle all the sensitive data they collect in the process.