Monday, April 13, 2009

Users Don't Value Their Own Data

One area of security I find very interesting is establishing secure SSL connections through malicious environments. I.e., you should be able to do your online banking from a coffee house, but often there are subtle security mistakes made by the user, browser or website.

All of this is in the spirit of protecting information and providing a secure connection. However, perhaps I'm missing the point....

It's Monday morning and I'm sitting in my local Caribou Coffee House to get some work done. The place is almost completely full. There are a variety of telecommuters, a few people with the newspaper, and two guys dressed in slacks and dress shirts at the one larger table.

Apparently these two have started their own advertising business and work wherever makes sense. Why do I know this? I know this information and quite a bit more because they applied for a credit card for the company while they were here at the coffee house.

Did I man-in-the-middle their application or monitor unencrypted wireless communications? Nope, I listened - with my ears. The guy applied for a credit card over the phone at a fully packed coffee house. I now know his name, address, SSN, previous employer, salary and their new company info. Btw, they are on their second year so they must be making some money.

This is all a little disheartening. If our users don't value the privacy or security of their own information, or are too ignorant to think they shouldn't announce it to the world, then how can we secure their information online? Better yet, if they aren't going to try, why should we?

-Michael Coates