Protecting your sensitive data for over 20 years - Netlib

Monday, March 3, 2014

As Data Security Grows More Complex, Snapchat is a Cautionary Tale

I have to confess, I am not a big app user.  In fact, I can’t recall the last time I made any such download, whether to my phone or iPad.  This aversion doesn’t merely stem from a lack of interest in their functions.  Rather, I remember one particular time when I went to install a certain app, saw that it required full access to my phone and its data, and hopped right on the “nope” train.  Now, maybe (probably) that was just me being paranoid, but when certain incidents make the news, you begin to wonder if your caution was warranted after all.


Snapchat is an application that allows people to send pictures to each other that disappear after a maximum of 10 seconds (though not entirely without a trace).  Late in December, the app was the target of a data breach, in which hackers were able to get past its security and gather the usernames and phone numbers of 4.6 million users, which they then posted online as a downloadable database.  Call me crazy, but considering how hungry companies are for our personal information these days, one might fairly expect steps to be taken to ensure a strong level of protection for people’s personal data (well, maybe you wouldn’t, but we should), especially when they were warned, and continue to be warned, by experts.  On August 27, the Australian security research group Gibson Security had alerted Snapchat to the flaws in the app’s programming and data protection, and just days prior to the publishing of the database, Snapchat posted a blog entry that indicated its awareness of the vulnerabilities and claimed it had implemented various safeguards to make exploiting them more difficult.  Clearly, it wasn’t enough.

Following the incident, the anonymous website SnapchatDB.info said of Gibson’s alert and Snapchat’s response: “Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data.”  And the warnings continue to trickle in: 16-year-old wunderkind Graham Smith, a high school sophomore who taught himself computer programming when he was 12, was able to directly contact Snapchat co-founder Bobby Murphy thanks to the dump of phone numbers.  He reached out to Murphy to warn of the holes in the app’s security that were being exploited, concurrently demonstrating this weakness personally.  “I don’t want to be the bad guy,” Smith told The Daily Beast in late January. “I just want to make sure users are getting the end of the bargain, that their user information is safe.”  Unfortunately, according to him, the company isn’t “willing to go as far as they need to go to fix security,” claiming that their emphasis on maintaining legacy users prevents them from abandoning the old version of Snapchat in favor of a more secure upgrade that he and others in the industry have suggested.

In the meantime, there are those who opine that data breaches such as this will become more common in the ensuing years.  The race to create and push out the next smash hit social app, as Snapchat is, drives start-ups and their benefactors to focus on speed, functionality, and accruing databases of their own, filled with personal information; security tends to occupy a lower rung on the priority ladder.  Considering, too, the increasing complexity of encrypting these online databases, the time and resources it demands, and the relatively small crews often manning the ship who may not be equipped for the technical challenge, it is little surprise if this critical facet of a new application gets shortchanged.  Steve Wilson, principal analyst at Constellation Research, sums up the situation for Snapchat, stating they were unlikely to worry much about security, since they are “running and growing at the speed of sound, on a skeleton team, trying to make a big splash in the social market.”

This should not be an acceptable norm for consumers.  While the overriding goal of most tech companies is naturally, as BeyondTrust CTO Marc Maiffret phrases it, “bringing feature-rich and differentiated technology to market as quick as possible,” companies that hoard the personal and work-related information of millions of people have a responsibility to pay a bit more attention to ensuring their users aren’t at risk of fraud or identity theft by eager cyber criminals to whom these databases are a promising bounty, particularly if they want to convince those who are generally not inclined to use them that their products are worth a closer look.
