Tag: Security

Security – but where is the usability?

I wrote earlier about the threats that are currently attacking our computer systems in society, and we can also see that there are new attempts at increasing the security of the systems. However, there is an inherent problem in computer security, namely the transparency and usability of the systems. It seems that it is very difficult to create security systems that are easy to use. We have been used to writing our passwords on sticky notes and pasting them on the screen, and we put our PIN codes on small paper notes in the wallet so that we will not forget them when we really need them. The reason for this is of course that the passwords, in order to be strong, have to be more than impossible to remember. Even worse is that in order to be really safe (according to the professional advice), you should have different passwords everywhere. And there are also all the many PIN codes to all the cards we have.

One important property of the human being is the limitation of memory. We have problems remembering meaningless things, such as the recommended password: “gCjn*wZEZK^gN0HGFg4wUAws”. So people tend not to have that kind of password, which of course leads to decreased security. Well, in some sense we also solved this problem by adding two-step verification, i.e., the “if-you-don’t-have-your-phone-you-are-lost”-verification. This, of course, has to be interleaved with “find a motorcycle” or “find the traffic lights” games, to prove that you are not a robot (!).

Now it has become better, we have biometric security. We use the fingerprint or facial recognition methods. Only problem is that after a day of work in the garden, the fingerprints are no longer recognizable, and after a severe accident, the face may not look at all like yourself anymore, so you cannot call your family to say that you are OK. Well, at least it is safe, isn’t it?

Yes, but not when it comes to the current means for BankID, the virtual identification used in Sweden. Yes, of course it works when you want to log into your bank in order to handle your affairs. It is an accepted identification method. BUT not when you want to move your BankID to a new telephone! To do so, you now (after the last change) have to scan your passport or national ID-card. The most common means of identification, which in Sweden is your driver’s license, is on the other hand NOT accepted.

You might think that this should not be a problem, since everybody will surely have a passport today? But, no, that is not the case. As anecdotal evidence I will relate my father’s situation:

My father just turned 90 years old. He is still a young man in an old body, so he has an iMac, an iPad, a laser printer, etc. at home. He is in fact a quite heavy tech user for his age. He also had an old smartphone that started to lose its battery charging, so he was given a new smartphone as one of the birthday presents. The transfer of the data went smoothly and without any hiccups, until it was time to use the BankID on the new phone. It was of course not transferred. Thus, we ordered a new BankID on his bank and signed it with his BankID on his new phone. But now…

Who is being excluded by the design?

My father decided to quit driving several years ago. However, he still kept his driver’s license and even had it renewed without problems. Although being an ex-globetrotter, he also reckoned that he needs no passport any more. So, when I asked him for an ID, he produced the driver’s license. That did of course not work, although it is valid as identification in most other places. It was not an option to go to the bank and identify himself. They cannot validate the BankID. It has to be done through the web page and the app. Sorry!

So, now I have to take my father through the heavy cold and snow to the police station to get a new passport, which is only going to be used one single time, that is, in order to install the BankID. Where is the user-friendly procedure in this?

I would think that my father is not the only person who is using the driver’s license as identification. I assume that many older people, for example, will have a similar problem when they need to get a new BankID (provided that they even use a smartphone).

Where is the human-friendly procedure for establishing the identity? Why can we, for example, no longer trust the people at the bank to identify a person with a valid identification and flick a switch to accept the ID? To make the issue a bit more general: Where has the consequence analysis gone when we make these kinds of decisions? Or even better stated:

Who is going to be excluded by the new design or decision?

How vulnerable are we?

This post was actually started in late 2023, when the Swedish Church had become the victim of a cyberattack with ransomware, which took place November 22. The church organization at that time decided that it will not pay the ransom (in order not to make this a successful attack) but will instead recover the systems manually over time. However, this recovery takes a lot of time, and as long as the systems are not completely recovered, it is not possible to make any bookings for baptisms and weddings. In case of a funeral, it has still been possible to make a booking, but the data had to be taken down using pen and paper (i.e., post-it notes).

We are very vulnerable if we only depend on our digital systems.

Head of information services at the Swedish church

In Sweden, the church has been separated from the government, but it is also still responsible for a number of national and regional bookkeeping services, like funerals. Also, a large number of people will still use the church services for baptisms and weddings, where in the latter case it also fulfills its role as an official administrative unit, in parallel with the weddings that are registered by the government. Suffice it to say that the church depends heavily on digital administration for its work. Consequently, some parts of Swedish society also depend on the same computer systems being intact.

More attacks…

In 2024, there have now been a number of similar events, mostly through the use of ransomware, but also through overloading of web servers. The systems affected this time have been in other organizations and governmental institutions. The most famous of them this time is probably the HR management system Primula, which is also used by the defense organizations and industries, among many others (including universities). This time the attacks are suspected to have been made by Russian hackers, possibly as part of a destabilization campaign connected to the ongoing war in Ukraine.

Again, the main issue is not that there have been attacks that have been successful, but rather that the backup systems are insufficient or, in most cases, seemingly missing. Hopefully the systems will soon be up and running again, but if there is an attack on systems that are more central to the functions in society, then the problem is not only in small organizations, but may affect larger systems, including systems for money transfers. Recently shops have been forced to close when there have been longer problems with the money services.

In this context it is also important to point to the problem with paying. The Swedish Civil Contingencies Agency (MSB), which is responsible for helping society prepare for major accidents, crises and the consequences of war, recently sent out a message to the public, advising them to always have at least 2000 SEK in cash at home. The question is whether society is prepared to revert to using cash for the transactions. A large number of shops and services no longer accept cash as payment.

What now

When interviewed, the head of the information service for the Swedish church said that one lesson they have learned from this event is that they have to be less dependent on computer services than before. He did not specify how in any more detailed way, but the message was more or less clear: “We are very vulnerable if we only depend on our digital systems”. His conclusion is neither new, nor especially controversial. When our computer systems or the Internet fails, we are more or less helpless in many places. However, most of the time, the threats are envisioned in terms of disk crashes, physical damage or other similar factors. The increased risk of cyber attacks is not mentioned to the public to any larger extent.

We depend on our IT-support units to handle any possible interruption as fast as possible, but the question is whether this is enough. Are there backups of the data? Are there backup systems that are ready to be launched in case the old system is failing? Are there backup non-computer-based procedures that can replace the computer systems if there is a longer breakdown of the computer systems? Even if it is costly to maintain these backup systems/procedures, it is quite likely that we will need to add a higher level of security in order to not end up with a social disaster, where a large part of society is essentially incapacitated.

What are the consequences?

We can just imagine what would happen if, as mentioned above, the central systems for bank transfers fail badly or get “cyber-kidnapped”. Credit cards will not work, neither will mobile money transfers or other electronic payment options. There will be no way to pay our bills, and we may not even get the bills in the first place. Probably even the ATM machines will cease to work, so that there is no possibility to get cash either. Imagine now that this failure will last for days and weeks. What are the consequences?

But we don’t have to look at this national disaster scenario. It is enough to think about what will happen if the computer systems in universities or other large organizations are attacked by cyber-criminals. Not to mention the effects on critical health care, where minutes and seconds can count. Do we have any possibilities to continue the work, reaching journals or other important documents, scheduling meetings, planning operations and other important events? Are we really ready to start working on paper again, if necessary? I fear not!

With the current situation in the world, with wars and possibly also challenges from deteriorating environmental factors, a lack of emergency plans for our digital systems may not only be causing serious problems, but may really turn out to be disastrous in case of any larger international crisis. Looking at what happens around the world currently, it is easy to see that the risk for cyber-attacks in international crisis situations has increased to a high degree. In many cases the (possible) plans on how to proceed are not known to people who work in the organizations. Is your work protected? Do you know what to do if the systems fail?

Unfortunately, we cannot continue to hope that “this will never happen”. Even if the most extreme of the possible scenarios may not happen, we are still very vulnerable to attacks, e.g., with ransomware or “Denial of service” from “normal cyber-criminals”, and this can be just as bad on the local scene, when a whole organization is brought to a halt due to a computer system failing badly. Therefore we need to act proactively in order to not be stuck if/when the systems fail. Because it is quite certain that they will fail at some point in time.

And how will YOUR organization handle that kind of situation? Do YOU know?

TikTok – what is the problem?

Last Friday, I was interviewed by the Swedish television (the local Uppland channel) about the reasons for this and the possible dangers with the application from a security perspective. The interview can be found here but it is only in Swedish. Therefore I will describe the problem in this post as well.

The municipality of Uppsala, together with a large number of other public actors (also in many other countries), has recently prohibited the use of TikTok in the workplace. Apart from the fact that some people might think that there are very limited reasons why you should need access to TikTok on your mobiles at all during your work, why would you prohibit the use of TikTok, when you can still use YouTube, Instagram and Facebook? What is different with TikTok?

There are actually some reasons for this, both the prohibition and the differences between the applications. TikTok is an application that allows the users to record short videos (max 3 min) and publish these on the TikTok platform. This has become very popular among, above all, young people. There is also an ongoing critical discussion about the social aspects of the TikTok application, but it is not part of this post.

When the application is installed, it asks the user for permission to access photo and video storage, the camera and the microphone, which is of course quite reasonable, since the purpose of the app is exactly to record videos and store them in the user’s phone. However, it also asks for access to the contact lists, and the current location when used. And here is one of the problems, namely that this data is given by the user to an application we know very little about. But, one may object, this data is not dangerous, we give it to almost any of the social media applications (actually, that might be something we should not do either, without some consideration).

The data the users provide is, however, actually not as innocent as it might seem at first sight. If the application can collect the data as mentioned above, the data might form a much bigger collection of “innocent” data, which is not as innocent anymore. It contains your contacts, the places where you have been, and also when you were there. If the data of different people are correlated on the whole data set, there might be patterns that could show interesting things for people who are specifically interested. It could for example show regular visits to certain locations, or even that you meet some people regularly. Still, who would be interested in this information? Not everything might be interesting, but suppose that you are engaged in a civil defense organization. Then the meeting places, the people you meet at those meetings, and who these people meet in other contexts might be very important information for a possible enemy. So, there are quite a few people in a city that could be of interest in this kind of analysis.

But, as mentioned above, this information is provided to many different applications, so why has TikTok been singled out like this? Well, there is one additional argument for this, namely that it is very important that we know where the information is going in the larger perspective. This is where the history of TikTok becomes relevant. TikTok is owned by the Chinese company ByteDance, one of the biggest startup companies in the world, and this is where the main problem starts. The statement in the Privacy Policy gives an indication (my boldface added):

We may disclose any of the Information We Collect to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims, or government inquiries, and to protect and defend the rights, interests, safety, and security of the Platform, our affiliates, users, or the public. We may also share any of the Information We Collect to enforce any terms applicable to the Platform, to exercise or defend any legal claims, and comply with any applicable law. 

TikTok Privacy Policy

The text in boldface provides a key to the problems. The data can be released in certain situations, which are not under our control. In 2017 China implemented a law that compels companies to turn over personal data relevant to China’s security. The question is then what this data might be. Depending on the situation, information pertaining to other countries’ military and/or civil defenses might be very relevant to another country. The company can, through its mother company, be forced to hand out any information under the conditions mentioned.

What are the odds? It is difficult to say, of course. However, since TikTok is not crucial to the work in public organizations, there is no reason even to take the chances. Especially in the current situation where there is such unrest over most of the world, there is definitely a reason for being careful in general with the handing out of data.

But there are also some drawbacks with the general ban on the application. As mentioned above, the application is mostly used by young people. This also means that the proper use of the application can become an entry point to different youth groups, which could be invaluable to certain groups in the municipality, such as social workers, schools, and not least libraries. The libraries have used the application for some time to spread information to young people under the hashtag #BookTok, which allegedly has been very popular. This will now become difficult to handle with the current ban. Of course there may be ways around this ban, but in my opinion it all goes to show that a ban on an application like this has to be carefully considered, and that there should be an awareness that there could be cases where there have to be exceptions. And, not least, there is a need for more information to potential users of social media about the possible risks that follow the usage.

To quote a famous detective in a famous TV-series:

Let’s be careful out there….