How confident are you in Cloud security?
I had a somewhat surreal experience this week while applying for a mortgage from a Big 4 bank. I will keep the specifics private to protect the not-so-innocent.
So in dealing with our personal banker, I received this email from, ostensibly, a Cloud ID service on behalf of the bank to load up photos of my passport, driver's licence, Medicare card, etc. I had never heard of the provider and there was definitely no obvious link to the bank other than the fact that they said they were approaching me on their behalf.
They had a FAQ page and my favorite was "Is it safe?: YES" ......
When I researched the company online, there were a few contenders, but the most likely one was a small Australian private company with no details about their background, credentials, directors or anything else.
Even less reassuring was the fact that their very flimsy web page was all about "It's time to party!". Basically a pitch to event managers to manage IDs for large pubs and clubs. So what on earth was a Big 4 bank doing with such a fly-by-night company?
So I went into the bank to physically show my credentials and my banker took pictures of my IDs, I thought, to load them up into the bank's document repository... but no! She showed me her phone where she had the said anonymous ID App open and wanted me to approve her loading all of my details up into the App.
I said I didn't agree and she commented that she would have to personally validate them but would need to record the fact that "I had refused".
I explained to her that Norton had advised me that my personal Email address was known to the Dark Web (which she hadn't heard of) due to failings across several legitimate websites, but there was little point getting a new one as that was likely to be compromised within days.
I guess I came away scratching my head and contemplating a few questions such as:
a) If I had used the app and my ID was stolen as a result, given that the ID service was entirely independent of the bank, where would the liabilities lie?
It would be one thing if my dealings with this bank were compromised, but what about any losses caused to me across all of my online transactions outside of the bank's sphere?
b) What due diligence did the bank do to validate the integrity of this Cloud service prior to exposing their customers to this risk? If it is safe, then why would they not make it part of their customer app portfolio (i.e. fully branded and underwritten by the bank)?
c) Even if you were going to use a non-branded service such as this, surely you would make your due diligence/validation steps/audit and certification credentials easily available to your customers.... and surely you would train your staff in such matters to be able to reassure your customers or, at least, to allow doubtful customers to validate their identities "the old school way" without any associated opprobrium coming back at them.
So in closing, is it my paranoia or are we in danger of just taking everything in the Cloud on face value? Time will tell, but there have already been some historic failures along the way, so to quote the old TV show, "Be careful, it is a jungle out there!".