I've been hacked and have decided to adopt Zero Trust security.

Recently, my LinkedIn account was compromised. I received an email notification about a change in my email address. When I tried logging in with my usual Google account, it registered as a new account. It turned out that someone used an old, seldom-used username and password to access my LinkedIn and changed the registered email to another one. While I was attempting to log in with my former Google account, I ended up being treated as a new user, losing access to the original account. I eventually regained access, but it was baffling to experience such a breach on a major platform like LinkedIn.

Such incidents are common. Whether it's because my email address is easy to remember, or due to frequent personal data leaks, I often receive emails attempting to log in using my email or asking to reset my password. There have been odd instances like being registered as a member of a South American pizza chain, receiving welcome emails from unknown adult sites, or even appointment confirmations from a dentist in Osaka, Japan. Once, while reading on Facebook, a real-time email popped up asking to reset my password.

Checking a website that verifies personal data breaches (https://haveibeenpwned.com/), I found that my personal information has been compromised 22 times and is listed among the email and password bundles accessible to hackers through dark web channels. These breaches aren't from obscure sites but major ones like Adobe, Canva, Dropbox, LinkedIn, Myspace, Tumblr, and Twitter. The only solace is that I'm not alone; my email is just one of over 700 million leaked emails. Though, that's hardly comforting.

I frequently encounter romance scam attacks too. Accounts with profiles of attractive women send Facebook friend requests or Instagram DMs. A particular photo of a Korean-American military woman has been so overused that it feels familiar, even to strangers. And let's not forget the incessant spam calls and scam texts. After giving my business card to someone on an economic broadcast, I was bombarded with texts about stock investments and forced into group chats. Since then, I've stopped using business cards altogether.

Lately, there's been a surge in scams promising easy money through side jobs. It makes one wonder how the world has changed so drastically.

Data Resources and Data Sovereignty

Even stepping out of the shadowy realms, the situation remains the same. There was a time when the phrase 'Data is the new oil' became popular. The idea was to view data as an undeveloped resource, something that needed to be mined and transformed into a more valuable asset. Initially, many considered this as merely a metaphor for the 21st century's data-driven era. However, upon closer examination, this statement was more literal than metaphorical. Personal information, indeed, can be mined (collected), processed, or even sold directly as a resource.

Actually, big tech companies and hacking groups essentially operate on a similar business model: collecting and processing information for business purposes. The distinction lies in the legality of their methods. Big tech legally collects personal data for internal use or sale to advertising companies, while hacking groups illegally gather personal information for scams or extortion. The internet, once hailed for making human life more convenient, has now become a platform enabling businesses based on extensive personal data. This is not universally true but certainly applies to giants like Google, Facebook, and Naver.

For these entities, good data equals competitive advantage, hence their relentless pursuit of more of it. This led to the concept of digital sovereignty: data collected within a country should not be taken outside it without permission and should remain under that country's control. The idea first emerged in Europe and China, both concerned about the growing influence of big tech companies. The European Union's General Data Protection Regulation (GDPR), in effect since 2018, is a product of this concept. While some resent restrictions on data that was once freely accessible, the trend has shifted: according to Boannews, over 130 countries now have laws similar to the GDPR.

However, digital sovereignty alone cannot prevent personal data breaches. As Edward Snowden's exposure of NSA documents revealed, governments are no different from corporations in their desire to acquire personal information indiscriminately. This is where data sovereignty gains attention. It is one of the two key aspects of digital sovereignty, the other being the authority to control digital technology, referred to as technology sovereignty. From the user's perspective, it is sometimes called the 'right to personal information self-determination' or 'consumer data sovereignty': the right of individuals to control the creation, storage, distribution, and utilization of information about themselves or information they generate.

Data sovereignty is gaining attention, and though it doesn’t automatically protect personal information, it establishes procedures for protection and enables individuals to exercise greater authority.

Zero Trust: Trusting by Trusting No One

Simply protecting personal information is not enough. Despite its frequent misuse, the current state of the internet relies on the free exploitation of such information. In essence, most internet services we use for free, apart from network access fees, are based on a business model established in exchange for our information. For instance, avoiding ads on YouTube requires subscribing to its premium service. Rejecting the traditional internet business model means we have to pay instead, which is an unwelcome change for many.

The key is to build a structure of mutual trust. To use the internet comfortably, there must be a belief that companies and governments will not misuse the information we provide. How can such a trust relationship be established? Interestingly, to trust each other, we must start by trusting no one. If data is not misused even when there's a lack of trust, then it can be considered a truly trustworthy state. This concept is known as the 'Zero Trust' model. It involves creating rules to ensure data can never be misused, considering every piece of data potentially vulnerable.

In the Zero Trust context, the rules for protecting and using personal information can be summarized in three main points. The first is to minimize the information collected. According to the 'Digital Bill of Rights' announced by the government last September, only necessary information should be collected, to the minimum extent, and used within the scope of its intended purpose. Lately, more sites require nothing beyond a username and password. If sites didn't know I'm a 40-year-old Korean man, I probably wouldn't receive so many romance scam attempts.

Another aspect is 'passwordless authentication.' This relies on the international authentication standard FIDO (Fast IDentity Online), which replaces passwords with biometric verification such as fingerprint recognition, much like smartphone payment services. Apple, Google, and Microsoft have recently introduced this under the name 'Passkey,' and SSenStone also offers FIDO solutions. Had this method become the standard earlier, unnecessary hacking incidents like the LinkedIn account compromise could have been avoided.

Surviving by Trusting No One

The last point is the development of people-centered, user-friendly, yet robust security technologies. Gartner, an IT market research firm, emphasized 'people-centric security' in its 'Top 9 Cyber Security Trends for 2023.' This emphasis stems from the failure of traditional security programs to induce behavioral changes in users. In reality, many hacking and fraud incidents target human psychological weaknesses rather than systemic flaws. People continue to use the same usernames and passwords across multiple services, despite knowing the risks, simply because remembering different sets for each is too daunting.

No matter how effective, inconvenient technology will not be used. On the other hand, the One-Time Authentication Code (OTAC) developed by SSenStone reduces user inconvenience while ensuring a secure environment. It operates in an offline setting, generating a one-time password in real time for authentication, overcoming the drawbacks of traditional security systems. This system eliminates the risk of fixed information being leaked, does not require complex authentication processes, and functions independently of communication networks.

Clearly, technology alone cannot prevent the misuse of personal information. Humans are inherently vulnerable and inclined towards convenience. Hence, even when we know better, we get deceived and do things we shouldn't. As a result, cybercrime continues to rise. According to a report from the Korean National Police Agency, incidents increased from about 150,000 cases in 2018 to 230,000 in 2022. Even outside criminal activity, numerous companies and governments collect and utilize user-generated information. To thrive in such a world, technology, regulations, and individual attitudes must evolve together.

Practicing Zero Trust while enjoying digital life means enduring inconvenience. This includes meticulously reading terms of use, setting web service cookies to only essential ones, boldly refusing services that demand too much information, and quickly adopting new technologies like Passkeys. However, convenience breeds dependency, and dependency leads to vulnerability. If we do not want malicious entities controlling our lives, we must be the ones to first change our approach. Technology is merely a tool to assist in this endeavor.
