“There is no cloud. It’s just someone else’s computer.” – Chris Watterston
It was all my fault. I know that now. Still, they could have made it easier.
One of the major cloud services – pick your favorite – recently suffered a security breach. Shock! Evidently someone hacked the service’s customer database and appropriated several million customer records, including mine. Like any good service provider, the company in question sent an oh-so-sweet email notification to its many millions of affected victims customers politely suggesting that they should, you know, change their passwords. Immediately.
What’s a surprise is that this came as no surprise. Hardly a week goes by that we don’t hear about some company’s database getting hacked and customer information leaked. We’re used to it. The only question we ask ourselves is: did this particular hack du jour affect me personally?
In this case, it did.
Like everyone else, I’ve been swapping files with colleagues and clients using cloud-storage services like this one. They’re easy, they’re convenient, and sometimes they’re even free. So yeah, I had a bunch of stuff stored online, entrusted to “the cloud.”
Looks like it’s time to change my password.
I followed the link in the urgent email, which took me to the “update password” page, as expected. I made up a new password, typed it in, and got the usual “update successful” page. “A confirmation email has been sent…” etc.
Sure enough, here comes the confirmation email. Click the link there to confirm that you meant to do this, etc. Not surprisingly, that takes me back to the company’s website, where I enter my shiny new password.
Then the unexpected: “A confirmation code has been sent to your mobile number ending in -2969. Enter the confirmation code to proceed.”
Wait, what? That’s not my phone number. That’s my old phone number. I’m familiar with the standard two-factor authentication process, but where did this confirmation code just go? Belatedly, I realize that the service has my old mobile number, which I changed a few months ago. I assume the old number has been retired, or if it hasn’t, then someone else just got a text message with my confirmation code. Yikes.
Thinking quickly, I… I have no ideas. I am well and truly nuked. I can’t log in because I don’t have the confirmation code, and I can’t get the confirmation code because it’s being sent to someone else’s phone. And I can’t change the phone number associated with my account because I can’t log in. It’s Catch-22, with passwords.
After going several rounds with Customer Service, their conclusion was, yes, Mister Customer, you’re screwed. There’s nothing we can do for you because we can’t verify that you’re who you say you are. You’re welcome to create a new account, but your files won’t be transferred over. They’re gone.
So let me get this straight. This service, which I pay good money to use, got hacked, made me change my password, and then locked me out of my own account? With all my files still stored on it but now inaccessible? Ironically, those files are potentially accessible to the guy who stole all the passwords, but not to me, the legitimate owner of the account? Is that what you’re saying?
Yup.
Normally, two-factor authentication is a good thing. You log in, you get a code number, and you enter the code along with your user ID and password. It’s significantly more secure than the simple email/password setup. So like a good Boy Scout, I enabled two-factor authentication, especially since I knew I’d occasionally be handling other people’s sensitive legal files and unreleased technical documents.
But there’s a downside. If you don’t have your phone with you, you can’t use the service.
And there’s an even bigger downside. If you change your phone number and forget to tell the service, you are irretrievably screwed. No code, no access, and no way to update your phone number after the fact. It’s a one-way trip to /dev/null.
Who remembers to notify every single person and service when you change phone numbers? Sure, you go through your speed-dial list and update your close friends and family members. But the power company? FedEx? Your old school? Or that cloud service you signed up for three years ago? Who remembers to notify them all?
It’s the modern-day equivalent of mailing out change-of-address postcards. Inevitably, there’s a utility, magazine subscription, or relative you forget to notify. And when your birthday card from Aunt Ruth arrives four months late, forwarded from your old address, you finally remember that you’d left her off the list.
Some companies have a fallback question-and-answer system to verify your identity if you forget your password or lose your phone. I can’t judge the efficacy of such systems, but they do have the advantage of working when your phone isn’t handy. More than once I’ve had to recall the name of my third-grade teacher.
If you drop your car keys down the sewer grate, that’s your own fault. Tough luck; you’re screwed. I get that. But modern services aren’t supposed to be like that. They’re supposed to be better, not just 21st Century equivalents of the school custodian’s key chain.
Now my files – actually, somebody else’s files – are trapped in a zombie account that nobody (we hope) can access. I sure can’t, and we assume that the malefactors can’t, either. The cloud service won’t delete the files for the same reason they won’t transfer them to my new account: they don’t believe they’re mine. So they officially belong to no one. Presumably, the account and all of its contents will be deleted after some period of inactivity, probably about two years from now.
The one saving grace is that some of the files were shared with colleagues who have read/write access, so they can either rescue or delete some of the data. But the read-only stuff? It’s stuck there.
Surely this doesn’t happen to everyone – what makes me so uniquely stupid? The company must have an elegant way to deal with customers who change their contact details – especially now, in light of their recent security breach. Well, yes and no.
One alternative is to use their mobile app. But that only works going forward, not retroactively. Obviously, you can’t download and install the app and then try to link it to your account when you’ve already been locked out.
The second alternative is to use a computer that’s been previously “authorized,” meaning you allowed a cookie to identify a trusted PC. But that’s inherently insecure, and the cookie expires after a few days anyway. So no joy there.
Third, they can text you at an emergency backup number – but only if that phone was previously on file.
Finally, and as a last resort, you can enter a secret number that was given to you when you first created the account. But that policy is new; older accounts like mine never got a secret code. Dead end.
My sin was in neglecting to update my phone number before I actually updated my phone number. I was hosed the moment I changed phones, I just didn’t know it. From that point on, I was secretly locked out of my account, with no way back. Can’t log in because I can no longer receive the code, and can’t change the phone number because I can’t log in.
But even before that, my mistake was in trusting a cloud-based service in the first place. In a futile attempt to close the barn door after the horses have bolted, they have inconvenienced their customers and demonstrated their negligence. If the cloud is really just someone else’s computer, then there’s no reason to believe it won’t succumb to someone else’s computer problems. Just like our own, but farther away and out of reach.
I’m really amazed they didn’t have alternative ways of confirming that you’re you. There are services that some banks, for instance, use. They present, oh, three past addresses and ask which one is yours. The bank doesn’t know the right answer; they just read the question, put in the answer you give, and the service decides whether you passed or failed. You get a few such questions, based on info the service rummages through the internet to get, building records of where you used to live, old phone numbers, etc. The last time I was asked, they referred to an address I haven’t lived in since about 1984.
The benefit is that the bank doesn’t need to keep all kinds of secrets to identify you. The downside is… it’s kinda creepy. But it would be useful in this case. Pity your cloud guys didn’t take advantage of this. (Maybe you could suggest it?)
Of course, if they are using internet-available data to authenticate, well, hummm. And yes, I’m old enough that my childhood address is probably not on the internet, but that’s probably not true for a majority already. As we lose more and more privacy to big data, when will there be no secret codes? Maybe that’s the ultimate fix: when there is no privacy, there is nothing left that needs to be secured.
In the meantime, don’t lose your gen-code reader enabled phone. Oh, and make sure that when you have your gen-code altered to avoid that newly discovered potential ageing problem, you update your code with all the international global security SafeKeep service nodes.
david brower == curmudgeon even as that other identity too.