Today we hear about a flaw in Google’s Gmail that stands a chance of leaving many user accounts exposed (and it is not a new flaw). The flaw amounts to using a site’s own account-recovery mechanism against its users. The scenario goes something like this.
A Gmail user receives an email or SMS message claiming that they have won a prize or something similar.
When they click on the link they are directed to a site that states it requires confirmation of the email address entered and that it will send a confirmation to the phone or email of the user. They ask that the user click on the link or input the “security” code for verification. Once someone has the email address and that code, they have your account. They can go to Gmail and, with your email address and that code, reset your password and temporarily lock you out. By the time you can correct it they can do a lot of damage. If this is a corporate account things could be even worse.
Now, we know what you are thinking: “who would be dumb enough to fall for that?” Well, we hate to let you in on this, but this type of phishing scam happens daily to thousands of people. We have watched as someone received what they thought was an email from their bank and was getting ready to type their PIN into the fake website before we stopped them. There has also been a successful use of this scheme where someone managed to talk the access code out of users via Facebook.
So the idea of harvesting passwords using something like this is not out of the question. It also shows a fundamental flaw in cloud-based services. To make using these services easier they need an automated method for recovering a password in the event it is forgotten. Almost any system for this type of recovery will have the potential for abuse and for compromise of a user’s information.
One of the reasons that this is so prevalent is because of the basic business model behind “the cloud”. Let me tell you a quick story. I was once called in to consult for a business. They were a service company that managed several other companies’ IT systems. They wanted to discuss how to improve a client’s email and storage. I proposed a system that involved increasing their storage, moving to virtualization and updating their versions of Exchange.
I was then told that this was not the direction to move in. I was asked to propose “the cheapest system that could be used to host email and files” in the service providers location. The thought was that “once we have their email and files” on their servers they would “have them”. Have you ever tried to leave a company that has your data? It can be costly and problematic to say the least, but this is the business model of the cloud and outsourcing. Most companies and people are not going to deal with the time, effort and expense of moving. If they complain and get a few dollars off their next bill they are happy and hope that the problem will never happen again. The sad part is that most problems are never resolved properly and you are likely to have the same issues again in a few months. Most companies that offer cloud services know this and in fact bank on it. They are going to do as little as possible to make sure their consumer accounts stay operational (since none actually guarantee the safety of your data) meanwhile they continue to make money on their cloud services, a product that was described by one CTO I worked for as “a cash cow”.
So the next time you hear that “The Cloud” is the future, just remember that the cloud is normally the least expensive hardware, software and security that can get the basic job done. There are no real laws that compel a company offering these services to ensure your data security. As we have said before, your data and personal information security is decided by a panel of lawyers and accountants who weigh the risk versus the cost. Nine times out of ten, the consumer loses…