I’m by no means a security expert, for that discipline we must acknowledge RSM Partners in the IBM Mainframe space & I congratulate Mark Wilson, their Management Team & personnel on their recent acquisition by BMC.
One way or another, for 25 years since 1995 I have been a carer for my parents who both died of brain cancer & dementia, my Father in 2003 & my Mother in the last few months. Other than to pick up mail & perform minimal house maintenance duties, I haven’t lived at my house since October 2018. Of all my achievements in life, keeping both of my parents out of a specialized care setting is without doubt my greatest, on my own, being a widow & having outlived my only sibling when I was 9 years old. Indeed, when I look back on things, how I have managed to balance this family activity with any type of career development seems incredulous to me. Perhaps I can now concentrate on my alleged Mainframer day job…
It’s amazing the skills you can learn away from your day job & even in recent bereavement, dealing with the bureaucracy of probate can teach you something, especially at this current juncture, where we finally seem to be in the midst of a widespread password to Multi-Factor Authentication (MFA) security evolution!
Having to deal with a probate estate, including property, there are some recurring costs you have to pay, primarily, power, water, telecommunications, local authority, et al, while you await grant of probate & eventually sell the house. Of course, you need a bank account to do this & for want of a better term, I decided to make lemonade out of lemons for this seemingly mundane activity. Currently, in the UK, many of the major current account providers want your business & offer switching inducements of ~£100-£175. I have switched current accounts 3 times in the last few months, accumulating ~£500 that I have donated to a homeless charity. As somebody much wiser than I once noted, there’s always somebody in a worse situation than you & having to face my first Christmas without a blood relative, this year I volunteered for said homeless charity, which once again, was a real eye opener.
What became obvious while I was subscribing to & switching from these largely UK clearing bank current accounts, was the changeover from a password & memorable information account authentication system, to a password & One Time Passcode (OTP) via Mobile Phone SMS (Text Message) protocol. Each of these clearing banks deploy the latest IBM Z Mainframe for their System Of Record (SOR) data & security management, but technology doesn’t make for a bulletproof system, because as always, there is the human user of these systems. My experiences of dealing with my elderly & frail Mother in her last few years then became pertinent, as in her heyday, Mum had the most amazing memory, used & commissioned mini computers herself in the early 1980’s, but the degeneration of her motor & neurological abilities, rendered her largely helpless trying to use a smartphone. Of course, this will apply to many people, of all ages with health challenges various; do technology advances exclude them from 21st century technology & services?
In theory, hopefully most organizations are now realizing that passwords are a major vulnerability, at least from a human viewpoint & I guess us IT folks all know the statistics of how long it takes to crack a password of various lengths & character composition. Even from my own viewpoint, for many years I have been using a Password Manager, where my password to access this system exceeds 50 characters in length. I have tens of passwords in this system, I don’t know any of them, they’re all automatically generated & encrypted. However, if this Password Manager is compromised, I don’t expose one resource, I expose tens! Once again, even for this system, Multi-Factor Authentication via a password & One Time Passcode (OTP) via Mobile Phone SMS (Text Message) is the access protocol. It then occurred to me, from a generic viewpoint, most security access systems ask you to register several pieces of memorable information; what’s your favourite book; mother’s maiden name; favourite sports team; pets name, et al. Maybe, some of this information is duplicated & although not as vulnerable as having the same password for all of your account access, there’s a lot of duplicated personal information that could compromise many accounts…
Additionally, in the last several years, the evolution towards a cashless society has become more pervasive. I myself use a mobile wallet, a mobile payment app, with NFC (Near Field Communication) for contactless payment convenience. The convenience factor of these systems is significant, but once again, for those people with health challenges, can they easily use these systems? We then must consider, how much information is accessed or even stored on a smartphone, to operate these financial accounts?
To recap, knowing the major UK banking institutions, I know my financial account password is stored in a secure Mainframe Server repository (I.E. ACF2, RACF, TopSecret) & associated account data is most likely protected at rest & in-flight via Pervasive Encryption (PE) or other highly secure encryption techniques. However, to access these highly secure Mainframe systems, the client I’m using is a smartphone, with a hopefully highly secure Operating System, Mobile Banking App & Password Manager. If I’m a bad actor, historically I would try to hack the most pervasive Operating System of the time, Microsoft Windows via desktop & laptop PC’s. Today, perhaps I’m going to focus on the most pervasive client, namely mobile devices, typically operating via iOS & Android. Of course, it’s no surprise that are increasing reports & activity of security exposures in these mobile operating systems & associated web resources, servers & browsers.
Additionally, in recent times, a well know financial institution was compromised, revealing the key personal information of ~145 Million US citizens, due to the well-known “Apache Struts” vulnerability. This financial institution does deploy an IBM Mainframe, which historically would have afforded a tightly controlled Mainframe centric environment with no public Internet links; evolving to a decentralized environment, maybe globally outsourced, with a myriad of global Internet connected devices. If only we could all apply the lessons & due diligence measures learned over the many decades of our IBM Mainframe experience. However, this notable data breach happened at an organization that had been deploying a Mainframe for decades, proving that it’s human beings that typically make the most costly high profile mistakes!
Being a baby boomer & a proud Mainframer, I know what can go wrong & have planned accordingly. I have separate accounts for mobile contactless payments, credit as opposed to debit based & more than one bank current account. Whether by account isolation or the Consumer Credit Act, I’m limiting or eliminating any financial loss risk should my smartphone or financial account information be compromised. For belt & braces protection, I always carry a modicum of cash, because how many times, even recently, have Mainframe based banks had card processing or cash machine access outages? I’m just applying life experience & business continuity to my own daily life requirements, but how many people in the general public apply these due diligence measures? Once again, please consider these members of the general public might be your family member, an inexperienced child or young adult, or more likely, perhaps a vulnerable aging parent.
Once again, applying my Mainframe Disaster Recovery & Business Continuity experience, how can I safeguard 99.999%+ availability for my day-to-day life if my smartphone is lost or Password Manager is compromised? It’s not easy, a standby phone, sure, but what is the cost of the latest premium smartphone; how easy is it to synchronize two Password Manager solutions, from different software providers? From my viewpoint, this is somewhat analogous to the IBM Mainframe hot versus warm or cold start DR process. If you want high availability, you have to duplicate your expensive hardware, in the unlikely event you suffer a hardware outage. Unlike the IBM Mainframe System Of Record (SOR) data, where of course must have the same software & data on both system images, if somebody compromises your Password Manager, was that a human or software error? I don’t have the answers, I just try to apply due diligence, but I’m not sure how many members of the general public possess the life & vocational experience a Mainframe baby boomer has.
Without doubt, eliminating passwords is a great step forward, but is Multi-Factor Authentication (MFA) the “silver bullet”; I don’t think so. Humans beings are just that, human, born to make mistakes. Software is just that; prone to bugs & exposures, inadvertent or otherwise. Centralizing your whole life in a smartphone has many advantages, but is it as vulnerable as keeping your life savings under the mattress?
Finally, thank you Mum & Dad for giving me this life opportunity & showing me dignity & strength in your dying days. Thank you to the Mainframe community for providing me with so many opportunities to learn. Maybe you can all give something back to the wider world for the causes that mean something to you. The local charity I discovered & supported was the Northampton Hope Centre that tackles poverty & homelessness. There but for the grace of god certainly applies to all of us, at one time or another, so let’s try & support as many people we can, those close to home & those in need. It only occurred to me when I lost my Mother that eventually, if we live long enough, we all become orphans & a few weeks before I became an orphan, Coldplay released a song, Orphans. There’s a line in that song, “I want to know when I can go, back & feel home again”. For me, hopefully after about 18 Months, the end of March 2020 might be that day!