Why We Need Better Authentication

In case you missed it, email services provider Epsilon had a massive security breach and a large number of email lists were exposed, including those of several large banks such as JP Morgan Chase and Citi.  This is likely to result in more targeted phishing campaigns, as it is now public exactly who is a customer of which institution.  As a quick aside, it is somewhat shocking how many sites leak this kind of information in the normal course of operation – most password resets work on the basis of entering an email address.  If the address is not in the system, that fact is displayed on screen!  That of course means that someone can simply try a large number of email addresses and retain only the ones which the password reset system acknowledges as known.

More importantly, it highlights that when lots of information is stored in one place that place makes for a juicy target.  I am sure that we will see more breaches in the future with even more sensitive data exposed, including social security numbers.  I had been thinking about this as the week before I filled out several online forms at financial institutions that required my social security number.

So why are we so afraid of these breaches?  For two reasons: first, because single factor authentication is common on the web and is fundamentally broken.  Second, because there is still a lot of “offline” authentication that can result in meaningful exposure (e.g. issuance of a credit card).  Both of these would seem to be solvable with a bit of determination, in particular by leveraging the fact that cell phones tend to be tied reasonably well to identities.

Even with just feature phones, receiving an SMS text with a code provides a useful second factor of authentication.  This is super easy to implement using Twilio.  The challenge then becomes – at account creation, how do you know which phone number belongs to which individual?  This is where carriers seem to have completely dropped the ball to date.  They could be meaningful authentication providers (letting their users opt-in), which incidentally would give subscribers a pretty strong tie to their carrier, something that has proven difficult for carriers to maintain.
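The server side of the SMS code second factor described above, as an added example that is not part of the original post: the code is generated from a CSPRNG, stored only as a hash, expires after a few minutes, is limited to a handful of guesses and is consumed on first successful use. The SMS sender is injected (in production it would wrap an API such as Twilio's), and the user ids and phone numbers are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # discard the code after a few wrong guesses


@dataclass
class PendingCode:
    digest: bytes       # hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Server-side half of an SMS one-time-code second factor."""

    def __init__(self, send_sms, clock=time.time):
        # send_sms(phone_number, text) performs delivery; injected so the
        # example runs offline. Assumption: the caller has already checked
        # the user's password before asking for the second factor.
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}  # user id -> PendingCode

    @staticmethod
    def _digest(user_id, code):
        # Bind the hash to the user so a code issued to one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{user_id}:{code}".encode()).digest()

    def issue(self, user_id, phone_number):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, user_id, submitted):
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]      # expired or brute-forced: start over
            return False
        pending.attempts += 1
        if hmac.compare_digest(pending.digest, self._digest(user_id, submitted)):
            del self._pending[user_id]      # single use
            return True
        return False
```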

Google has done a good job offering two factor auth.  But where we really need it is in conjunction with payments (where Google has made limited progress).  Another alternative of course would be for there to be single sign-on providers that have strong authentication and can then be used to log into payments.

Tags: two factor auth, security