“While there has been an indisputable growth in information sharing online, there has been no clear direction for what we should share. The bad guys are leveraging this over-sharing”, said Thompson.
Gateway data, explained Thompson, “is data that seems harmless, but when used properly, can facilitate access to sensitive information”. Thompson declared three ways that gateway data can be used to illigetimately gain access to an identity or sensitive information:
- Direct use
- Amplification
- Collective intelligence
Direct use of gateway data, said Thompson, refers to the data being transferred into access by rules. A password re-set is an example of this, “but is completely unreasonable today”, said Thompson. “This information [required for a reset] is now readily available thanks to social networking sites”, he said.
“Most people’s online identities have a common root”, Thompson argued, “this could be either a central email account or a mobile phone”, he explained.
Amplification of gateway data, Thompson said, “is data that can be amplified when bounced off a person”. This, Thompson declared, “is the new insider threat. The person that is ‘very chatty’ about their work online, is the one to watch”. Those exploiting gateway data, said Thompson, “use information gathered online to presume knowledge of their victim, and build trust”.
The final, and perhaps most worrying of all uses of gateway data, said Thompson, is “collective intelligence of gateway data”. He described this as data that can be compiled from different places and correlated to become interesting.
“Individuals will reveal small chunks of information about a company – they will offer up sensitive work information online without thinking about who might be looking at it”. People make bad decisions, said Thompson, “especially those lower down the corporate food-chain”.
Thompson concluded his RSA Europe keynote with advice on how not to become victim to the gateway data trend. “Look beyond traditional personal identification, and most importantly, create awareness around gateway data”.