The Verge reports yet another data breach. This one likely affects few people but made the news because the "victim" - Ubiquiti - ironically sells technology that is designed to protect user privacy.
The notice that Ubiquiti sent to users reveals a host of contradictions in the tech industry that we have yet to confront head-on.
We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider.
It is widely believed that one of the benefits of "cloud services" is security. Anyone who has experience with accessing both (old-school) corporate networks and cloud services appreciates that cloud access is a lot easier and more convenient. More convenience is usually associated with less security. Installing 10 locks on your door is more secure than having just one lock, but it slows you down each time you enter and exit.
We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.
The tech company professed it doesn't even know what the perpetrator did after gaining unauthorized access. This claim implies that it could not trace the actions of a trespasser, even after his/her identity is revealed. If true, this itself is a security weakness.
At the same time, the tech industry is selling our identities and actions to marketers, not only mouse movements, clicks and purchases but also moods, personalities, and inclinations - the user profile is the product, we're often told, and that's why they can gift us services for free (or below cost). Those two things can't both be true! Either they log precise details of each user or they don't.
This [potentially exposed] data may include your name, email address, and the one-way encrypted password to your account... The data may also include your address and phone number if you have provided that to us.
I've always wondered why some companies require you to use a valid email address as your user name. It is not convenience since the email address almost surely takes longer to type than a pseudonym. It is certainly not security. And I'd like to draw your attention to the last sentence. For this vendor, it appears that some users volunteer their addresses and phone numbers.
Finally, we recommend that you enable two-factor authentication on your Ubiquiti accounts if you have not already done so.
***We take the security of your information very seriously and appreciate your continued trust.
As someone working in IT, I feel compelled to comment on two points:
1. User tracking is usually implemented in client-side code (in the browser or mobile app). Backend code usually doesn't have a way of executing such code, as it uses completely different interfaces. Administrative accounts for backend systems usually are not in any way tied to normal user accounts (in fact, backend systems might connect to a different user database/dictionary). While backend action monitoring is not exactly a novel concept and I would expect a security-oriented company to have it implemented, it definitely is possible for both statements to be true at the same time.
2. Using SMS (which requires providing a phone number) was standard for 2-factor authentication some 5 years ago. In recent years, token-based 2FA became increasingly popular. In that system, you first exchange keys (usually by scanning a QR code) with your "authenticator" app (usually on your phone), and then use the code generated by the app to authenticate. Such a system doesn't require providing a phone number to the vendor. Having said that, I have no idea if Ubiquiti supported token-based 2FA.
Posted by: Mirek Długosz | 01/14/2021 at 05:50 AM
MD: Thanks for the useful comments.
Reading behind the lines, I see one of the key underlying problems, which is that there exist different technologies to do the same thing, and some of them are better in terms of data privacy (or the lesser standard of data protection) than others - and so the existence of a better method doesn't mean that it has been adopted or it is commonly adopted.
I have an experience related to point #2. For a particular app, I finally set up 2FA after learning about hardware keys a few months ago. In the process of setting that up, I was forced to set up the phone 2FA first. There was no way to avoid it. As you indicated, this experience isn't true in general.
As regards point #1, I'm a fan of client-based solutions. If the data don't leave the phone, that'd be better. And it's even better if the app informs me that no personal data leave the phone. Today's experience is the opposite, though: many apps require users to allow them to do many things that seem to require transferring data out.
I expect people to hold different views because everyone values security, convenience, etc. differently. So having these conversations helps readers sort out their own trade-offs. Thanks again!
Posted by: Kaiser | 01/14/2021 at 10:57 AM