Facebook has been hacked…

I notice that Facebook has been hacked. Apparently, some 30 million people had their phone numbers and personal details exposed in a “major cyber attack” on the social network in September. Around half of them had their usernames, gender, language, relationship status, religion, hometown, city, birthday, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches all compromised. Wow.
 
Now, I don’t really care about this much personally. Like all normal people I have Facebook and enjoy using it to connect with family and close friends, but I don’t use my “real” name for it and I never ever gave in to their pleading for my phone number. Not because I was unsure that it would at some point get hacked (I assumed this to be the case) or because I thought that if I used it for two-factor authentication they might use it for advertising purposes, but on the general data minimisation principle that’s it’s none of their business.
 
(We should, as a rule, never provide data to anyone even if we trust them unless it is strictly necessary to enable a specific transaction to take place.)
 
One of the reasons that I don’t care is that just as people around the globe are getting spammed by fraudsters pretending to be Facebook, I’m not worried about spammers getting my data and pretending to be Facebook. When I get e-mail from Facebook, it is encrypted and signed using a public key linked to the e-mail address I use for this purpose (pseudonymous access). See…
 

 
My e-mail client (in this case, Apple Mail) will flag up if the signature is invalid. If you want to send encrypted e-mail to me at mail@dgwbirch.com then you can get my PGP key from a public key server (check the fingerprint is 50EF 7B0E FD4B 3475 D456 4D7E 7268 01F2 A1C5 075B if you want to) and then fire away. It’s not that difficult. Facebook asked me if I wanted secure e-mail, I said yes, they asked me for my key, I gave it to them. End of. I really don’t understand why other organisations cannot do the same.
 
Banks, for example.
 
Here’s an e-mail that I got purporting to be from Barclays. They are asking me for feedback on their mortgage service and inviting me to click on a link. I suppose some people might fall for this sort of spamming but not me. I deleted it right away.
 

 
This of course might lead reasonable people to ask why Barclays can’t do the same as Facebook. Why can’t Barclays send e-mail that is encrypted so that crooks can’t read it and signed so that I know it came from the bank and not from spammers. Surely it’s just a couple of lines of COBOL somewhere ask me to upload my public key to their DB2 and then turn on encryption. Right? After all, it’s unencrypted and unsigned e-mail that is at the root of a great many frauds so why not give customers the option of providing an S/MIME or PGP key and then using it to protect them?
 
Well, I think I know. I can remember a time working on a project for a client in Europe who asked, because of the very confidential nature of the work, that all e-mail be encrypted and signed. We spent all morning messing around with Outlook/Exchange to get S/MIME set up, to sort out certificates and so forth. But we eventually got it working and sent the first encrypted and signed mail. The client called back and asked if we could turn off encryption because the people working on the project were reading the e-mail on smartphones and didn’t have S/MIME on their devices. The next day they called and asked us to turn off signing because the digital signatures were confusing their anti-spam software and all of our e-mails were being put in escrow.
 
So we know absolutely everything about security and so did our counterparts and we still gave up because it was all too complicated. It’s just too hard.
 
(In Denmark, however, that excuse won’t wash. The Danes have decided that e-mails containing “confidential and sensitive persona data” — which certainly includes bank details — must be encrypted. The Data Inspectorate are reasonable people though, they note that this change “will require some adjustment in the private sector” and so the new rule will be not be enforced before 1st January 2019.)
 
Let’s not use encrypted and signed e-mail. I’ve got a better idea. Why don’t Barclays STOP USING EMAIL AND TEXTS since they have an APP ON MY iPHONE that I use ALL THE TIME and they could send me SECURE MESSAGES using that. It’s time to move to conversational commerce based on messaging and forgot about the bad old days of insecure, spam-filled, fraudophilic and passé e-mail.