Twitter confirmed that the recent data breach that exposed data of 5.4 million accounts was caused by the exploitation of a zero-day flaw.
The vulnerability allows any party, without any authentication, to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email, even though the user has prohibited this action in the privacy settings.
From Twitter confirms zero-day used to access data of 5.4M accounts, Security Affairs.
In response to this breach, Twitter posted a statement saying that they understand the risks that an incident like this poses and recommend “not adding a publicly known phone number or email address to your Twitter account”. Basically they recommend burner phones and disposable e-mail addresses (kind of like the Apple pseudonymous e-mail addresses).
Wise precautions I suppose, although not everyone has access to a burner phone.
How much longer are we going to put up with this? You know the drill. Step one: app or website asks for personal information such as date of birth, phone number or mother’s maiden name for “security”, although none of that information contributes in any way to transaction security. Step two: app or website gets hacked and your personal information is now in the hands of scammers, nation state cyber warriors and perverts. Step three: rinse and repeat.
Now what’s strange about this situation is that the technology to stop the loop is well-understood and widely-available. We all know what to do, which is to shift to the world of verifiable credentials, the reputation economy. Here’s how this works: I want to know something about you, but I don’t want any of your personal information, because that is toxic waste that will inevitably leak from my systems (I will always spend more money on marketing and stock buybacks than on detailed risk analysis and appropriate countermeasures). Hence I ask you to present a credential, which is a fact about you that is digitally-signed by someone I can trust (by which I mean, of course, someone I can sue). If you tell me that you are over 21, whatever. But if you present a credential from Wells Fargo that says that you are over 21, great.
If you are interested, what actually happens is that you present the attribute I am interested in (e.g. IS-OVER-21) together with a public key and an expiration date, all signed by Wells Fargo. Since I know Wells Fargo’s public key (which is, after all, public) I can check this digital signature and know that it is real. I can then extract your public key, encrypt a fresh random number with this key, send it to you and ask you what the number is. Now, of course, the only person who can decrypt this message is the person with the corresponding private key: you respond to this challenge and now I know not only that the credential is real, but that it belongs to you. (The random number has to be new for every presentation; otherwise someone who recorded an earlier exchange could simply replay your answer.)
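As an added example, not code from the original post, here is the exchange just described written in Go using only the standard library: the issuer signs the triple (attribute, holder public key, expiry) with Ed25519, the relying party verifies that signature and the expiry, then encrypts a fresh nonce to the holder’s RSA key with OAEP and checks that the decrypted answer comes back. The credential layout, the function names and all the keys are assumptions made for this example; the attribute check goes slightly beyond the paragraph above by refusing a credential that asserts a different fact than the one asked for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is what the issuer signs (layout assumed for this example, not a real format).
type Credential struct {
	Attribute string         `json:"attribute"`  // the fact, e.g. "IS-OVER-21"
	HolderPub *rsa.PublicKey `json:"holder_pub"` // whoever holds the matching private key owns it
	Expires   int64          `json:"expires"`    // Unix seconds
}

// SignedCredential adds the issuer's Ed25519 signature over the JSON encoding.
type SignedCredential struct {
	Cred Credential
	Sig  []byte
}

// encode gives the bytes that are signed; fixed struct field order makes it canonical.
func (c Credential) encode() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Issue is the issuer's side (the "Wells Fargo" of the post).
func Issue(issuerPriv ed25519.PrivateKey, attr string, holderPub *rsa.PublicKey, exp time.Time) SignedCredential {
	c := Credential{Attribute: attr, HolderPub: holderPub, Expires: exp.Unix()}
	return SignedCredential{Cred: c, Sig: ed25519.Sign(issuerPriv, c.encode())}
}

// VerifyCredential: real signature, unexpired, about the attribute we asked for; returns the holder key.
func VerifyCredential(issuerPub ed25519.PublicKey, sc SignedCredential, wantAttr string, now time.Time) (*rsa.PublicKey, error) {
	if !ed25519.Verify(issuerPub, sc.Cred.encode(), sc.Sig) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	if now.Unix() >= sc.Cred.Expires {
		return nil, fmt.Errorf("credential expired")
	}
	if sc.Cred.Attribute != wantAttr {
		return nil, fmt.Errorf("credential asserts %q, not %q", sc.Cred.Attribute, wantAttr)
	}
	return sc.Cred.HolderPub, nil
}

// Challenge: a fresh random nonce encrypted to the holder key; freshness is what defeats replay of a recorded answer.
func Challenge(holderPub *rsa.PublicKey) (nonce, ciphertext []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, holderPub, nonce, nil)
	return nonce, ciphertext, err
}

// Respond is the holder's side: only the matching private key recovers the nonce.
func Respond(holderPriv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, holderPriv, ciphertext, nil)
}

// Present runs the exchange as the relying party; respond stands in for the round trip to the holder.
func Present(issuerPub ed25519.PublicKey, sc SignedCredential, wantAttr string, now time.Time, respond func([]byte) ([]byte, error)) error {
	holderPub, err := VerifyCredential(issuerPub, sc, wantAttr, now)
	if err != nil {
		return err
	}
	nonce, ct, err := Challenge(holderPub)
	if err != nil {
		return err
	}
	answer, err := respond(ct)
	if err != nil {
		return fmt.Errorf("holder could not answer the challenge: %w", err)
	}
	if subtle.ConstantTimeCompare(nonce, answer) != 1 {
		return fmt.Errorf("answer does not match the nonce: credential is not the presenter's")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holder, _ := rsa.GenerateKey(rand.Reader, 2048)
	thief, _ := rsa.GenerateKey(rand.Reader, 2048) // has a copy of the credential, not the key
	now := time.Now()
	sc := Issue(issuerPriv, "IS-OVER-21", &holder.PublicKey, now.Add(24*time.Hour))
	fmt.Println("holder:", Present(issuerPub, sc, "IS-OVER-21", now, func(ct []byte) ([]byte, error) { return Respond(holder, ct) }))
	fmt.Println("thief: ", Present(issuerPub, sc, "IS-OVER-21", now, func(ct []byte) ([]byte, error) { return Respond(thief, ct) }))
}
```

The holder’s presentation succeeds and the thief’s fails at the decryption step, even though the thief has a perfect copy of the signed credential. Two practical notes: deployed credential systems usually have the holder sign the verifier’s nonce rather than decrypt it, which is the same proof of possession in a different shape, and the nonce must be generated per presentation and used once, as Challenge does, or a recorded answer can be replayed.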
There’s no point in calling for “people to be in charge of their own data”, however it is phrased, because as the leading security guru Bruce Schneier has long maintained, given the choice between security and dancing pigs, people will always opt for dancing pigs.
We need to stop requiring personal data to enable transactions and instead require only the credentials relevant to the specific interaction. There is a world of difference between me asking for your date of birth and me asking for proof that you are over 21, between me asking for your address and me asking for proof that you are resident in the continental United States, between me asking you to find pictures of tractors in a confusing array of blurred photographs and me asking for proof that you are a person.
That latter example, proof of personhood, is at the heart of the Twitter debacle. Since there is no IS-A-PERSON credential that Twitter can ask for