Last September, Facebook reported that it had discovered a vulnerability in their “View As” feature, which enables the user to see how others view his/her profile. That vulnerability enabled potential attackers to gain access to the user's Facebook access token, thereby gaining full access to the user's account. According to Facebook, the vulnerability had exposed at least 50 million accounts. This recent Facebook incident and other similar incidents in the history of the Web notwithstanding, central identity verification databases will remain with us for a long time.
Access tokens are the technological element that enables Facebook to become an identity verification agency for the user throughout the web. In this way, logging into online services becomes easier and quicker. To log into a service, you simply press the button with the Facebook logo and Voila! You gain access to the accounts of a range of services with no need to enter your username or password. The problem, however, is the fact that this convenience is a double-edged sword. As convenient as it is for the user, it is equally convenient for the attacker. The attacker, too, needs nothing more than an access token to gain access to all of the accounts of the services the user logs into throughout the Web.
“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app,” a Facebook spokesperson explained. “Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don't know who's behind these attacks or where they're based.”
Beyond the fact that this incident could cost Facebook about $1.6 billion owing to the GDPR, the General Data Protection Regulation (according to online reports, at least 10% of the users affected are European citizens), the more important question is where we go from here with the concept of a central identity verification authority for the Web.
The tokenization of the identity verification process is not unique to Facebook. Google, Twitter, and other companies operate in the same manner. Every one of these major companies wants to be an identity verification source. Recent reports indicated that US Internet vendors also want to become identity verification sources. Governments also head in this direction with biometric databases and smart identification devices intended to serve as a central identity verification source for services the government provides. Once again, the primary catalyst, be it for the government sector or the commercial sector, is user convenience and prompt access to services, “reducing red tape” in the access to online services, if you will.
The Price of Convenience
The problem with a central identity verification source is centralism. Even if we put aside our concerns about governments or business corporations taking advantage of the situation to spy on users, we are still looking at a central source of data that will eventually become a target. Only recently, the world's largest biometric database, the Aadhaar database of India, was hacked. In that incident, investigators found that a $35 software patch had enabled any attacker, anywhere in the world, to remotely access the database and register new users as he/she wished. Without a doubt, this seems like the “wet dream” of any intelligence agency or terrorist organization interested in using fake Indian passports. In this case, the person for whom the passport was issued did not have to report personally to the Indian Ministry of Home Affairs to identify himself/herself, as his/her photograph had simply been uploaded into the database.
Biometric databases have been springing up in recent months like mushrooms after the rain, worldwide, and installations of biometric systems in airports are spreading like wildfire. The objective is to use the central source of authority in order to prevent the use of fake passports. On the Web, the objective is similar – to verify the identity of the end user.
Along with biometric databases and tokenization, the concept behind the certificate-based Public Key Infrastructure (PKI) falls into the same trap. This infrastructure consists of elements that issue certificates for domain names, thereby ensuring that the Web user has reached the correct website instead of a fake one. The Secure Sockets Layer (SSL) encryption of modern browsers also relies on the certificate concept. Once again, the problem is what happens when a malicious party issues or exploits a legitimate certificate. Who is responsible for lighting the “red light” indicating that something is wrong? Regrettably, no one. In most cases, the parties involved realize only in retrospect that something has gone wrong, and then start an investigation. Even in the case of Facebook, as in other cases in the same context, the vulnerability was discovered by chance.
The Business Model as a Catch
Is it possible to change the situation? Well, in order to change it, we must go back to the reasons why central identity verification sources had been created in the first place. The main reason was user convenience. The owners of the online services do not really care about the user's convenience. All they care about is the profitability of their service. Almost every business model of online services depends on a high user count. If the service has a sufficient number of users, it will be possible to use that service to sell something to those users: advertisements, fundraising from investors, paid features, or – God forbid – selling the users' data to advertisers.
To develop a high user count, the service must ensure the users' convenience. A Web user will devote only a few seconds to the attempt to log into an online service. If he/she fails, he/she will prefer another, more convenient service. In the case of a profit-based service, a decrease in the user count or in the intensity of use will be a problematic indication for the investors or for the bottom line. In the case of a government service, the reports will indicate a decrease in the use of online services. Regardless of whether the service is profit-oriented or intra-organizational promotion-oriented, inconvenient access to an online service constitutes a problem that must be resolved, and a central identity verification source is a very effective solution for this problem.
Another school of thought wants to keep the situation as it is – decentralized verification. In other words, the user provides his/her identity details, without central databases. The challenge that evolved in connection with this method is how the verifying party can ensure that the person providing the details is actually who he/she claims to be. This leads us back to the central identity verification source and to Square One of this discussion, one hell of a catch. The Internet has become a source of livelihood, the users of the service are the providers, and the verification process is the Holy Grail. It is for a good reason that every business corporation, social medium or government wants to control this Holy Grail. Tokens, certificates or biometric data: the method does not matter, as long as the user's identity data is accessible to the verifying party.
Going back to the question of changing the situation, it is doubtful whether such a change is possible. Assuming that software will always be hacked (foolproof protection does not exist), any central identity verification source will have the potential for a leak or abuse. On the other hand, without a central identity verification source, verifying the identity of the other party will not be possible. We have already tried the method where every person identifies himself/herself, so central identity verification databases will remain with us in the coming years. Consequently, regulators should come to terms with the situation and devise ways to present this reality to the public. At the same time, they should seek ways, in cooperation with the industry, to enable the most effective and secure central identity verification possible, including mechanisms for recovering from attacks and preventing damage during incidents. One thing is certain – hackers will continue to attempt to hack these databases, even more than before.
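As an added illustration (not part of the original article, and not Facebook's code) of why a leaked access token is "the equivalent of a digital key", and of what a "mechanism for recovering from attacks" can look like in practice: a minimal HMAC-signed bearer token service whose verify step accepts whoever presents the token, plus an issued-before cut-off that revokes every outstanding token once a leak is discovered. The signing key, lifetime and user ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class TokenService:
    """Issues and verifies bearer tokens: possession of the token is the only proof of identity."""

    def __init__(self, key: bytes, ttl: int = 3600):
        self.key = key          # server-side signing secret (constructed for this example)
        self.ttl = ttl          # token lifetime in seconds; shorter means a stolen token is useful for less time
        self.not_before = 0     # incident cut-off: tokens issued before this instant are rejected

    def issue(self, user_id: str, now: int) -> str:
        claims = {"sub": user_id, "iat": now, "exp": now + self.ttl}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64(payload) + "." + b64(sig)

    def verify(self, token: str, now: int):
        """Return the user id the token speaks for, or None if it must not be trusted.

        Note that nothing here checks *who* presents the token: a thief holding it is 'the user'."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = unb64(payload_b64), unb64(sig_b64)
        except (ValueError, TypeError):
            return None                       # malformed
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None                       # forged or tampered with
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return None                       # expired
        if claims["iat"] < self.not_before:
            return None                       # revoked by incident response
        return claims["sub"]

    def revoke_all_issued_before(self, cutoff: int) -> None:
        """Incident response: invalidate every token issued before `cutoff`, forcing users to log in again."""
        self.not_before = max(self.not_before, cutoff)
```

Rotating the signing key has the same effect as the cut-off but also invalidates tokens issued after the leak was contained, which is why the cut-off is kept separate here.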