High-Profile and Unknown Attacks
Equifax was one of the biggest such hacks, affecting nearly 150 million people. And late last month, news hit that hackers had attacked Marriott Hotels’ reservation systems and managed to access the data of around 500 million people in one of the biggest data breaches in history. (To understand the breadth of this hack by comparison, the current population of the U.S. stands at around 329 million.)
The publicity around these kinds of breaches is terrifying enough for those who care about who’s accessing their personal data online. However, it’s even more disconcerting to think that our data could be compromised on major websites and we aren’t even hearing about it.
For instance, Branch.io provides a mobile traffic attribution service used by many big-name websites including Pinterest, Tinder, Yelp and Airbnb, to name a few. A team of security researchers at VPNMentor were researching client-side security when they came across a vulnerability in Tinder’s security.
After some further research, they found that the vulnerable endpoint was not owned by Tinder but by Branch.io. The attribution software had set up a hidden subdomain (go.tinder.com) that had a cross-site scripting flaw. This vulnerability meant that hackers could easily insert malicious links. If users clicked on one of these links while logged into their Tinder account, then hackers could easily get access to the users’ profiles and data.
Although Branch.io quickly released a patch for the vulnerability, Tinder was not the only service affected — potentially all Branch.io clients using that software were affected. This means that the data of up to 685 million users were at risk from the vulnerability.
Although Branch.io has now fixed the issue, there is no way of knowing if hackers exploited this vulnerability or the extent of the damage if they did.
How Decentralization Can Help
Unfortunately, it's impossible to reverse the damage for data that may already have leaked. It’s also up to individual websites’ policies and procedures to fix the issue going forward. However, blockchains could offer some potential solutions, depending on how flexible our favorite sites are in their adoption of the technology.
If websites begin to accept cryptocurrencies more widely, they would have a far greater assurance of privacy over their payment data compared with using credit cards. Blockchain-based payment services would be more secure for customers making payments and could offer lower fees for sellers receiving and withdrawing their revenues.
Ripple could be a viable alternative. Other options include coins with a privacy focus, such as Dash, which would assure customers that nobody on the other end of the transaction can easily access their personal data.
Also, customers and sellers could start making purchases on secure, blockchain-based marketplaces wherever possible. Although there isn’t currently a blockchain retailing behemoth matching Amazon’s scale, there are alternatives. OpenBazaar, for example, is a peer-to-peer marketplace that uses smart contracts to hold payments in escrow in case of any nondelivery or other dispute. The platform supports a range of cryptocurrencies for both buyers and sellers.
Ultimately, major websites must take it upon themselves to act responsibly in securing customer data, even where they use third-party software. Blockchains provide multiple methods for companies to fulfill their user-privacy responsibilities better. As blockchain solutions become more prominent, if online companies continue ignoring this kind of issue, they may find themselves in hot water once customers realize what’s going on. In that case, the current online giants may find that their neglect hits them where it hurts most — share price.