Digital trust. If there’s a hot topic in the world of tech, this is it. You can get a measure of its importance simply by looking at who is talking about it, and how. The first hits on Google are articles by the WEF and McKinsey. Callsign staged two huge online events focussed on digital trust, with keynotes by the likes of Steve Wozniak, Brian Cox and Timnit Gebru. The UK government hasn’t mentioned it at all to date, and that’s probably the strongest indication of just how vitally important something really is.
It's something that I’ve covered in depth in various blogs, papers and articles, but simply put it’s the assurance that the person or entity that we’re interacting with online is who they claim to be. Digital trust is foundational to the digital realm.
Or so you would hope. At a recent networking event, I exchanged details with a fair few people – that being what networking events are all about after all, aside from the nice drinks and snacks (which, courtesy of the lovely folks at Level 39, were very nice indeed). A few business cards changed hands, but most of the exchanges were via the LinkedIn app on smartphones. On the slim chance that you don’t know how this works, the app can pop up a QR code – scan that, and voilà, the deed is done.
Which deed exactly is a point for debate. In a world where people are rightly paranoid about even answering the phone – there’s a good reason for the existence of Google’s Call Screen on its Pixel phones – the attendees at the network event were curiously quick to scan a code from the phone of someone who they’d met only minutes previously.
“Do you know who I am?” I asked one person. They replied in the affirmative but when I asked them exactly how they knew that, there was a pause for thought. I pointed out that all they had to go by was what I’d told them, and the QR code on my device which, at first glance, certainly looked like the LinkedIn app.
It was of course, but suppose it hadn’t been? Suppose, for example, I’d been a scammer who had wangled an invite to the event and had prepared an app with a scannable code that was designed to inject malware onto another person’s device? A device that had their banking apps, their social apps, their dating apps, their… you get the picture.
And it’s not even an improbable scenario. If there’s one thing that I’ve learned about bad actors – the scammers and fraudsters who plague the digital world – is that they’re good at what they do. Really good. Forget the image of the guy in the grey hoodie illuminated by a laptop screen that’s the lazy shorthand for a cyber criminal; Fraud is big, big, big business.
Not just in terms of profits and margins, but it runs along the same lines as a huge corporation, with team meetings, monthly targets and hell, probably team-building days. This is, after all, their day job. And like any day job, you only progress if you’re good at what you do.
One of the unsaid saids in the organisations that fight cyber crime is to never give the bad actors any credit whatsoever. But that’s disingenuous at best; it dilutes the perception of the threat. These people are inventive and resourceful. Shut down one attack vector and like a hydra, three more pop up. The standard mode for dealing with fraud is reactive, which isn’t so much shutting the gate after the horse has bolted as vaguely recalling that you actually have a gate while wondering why the winner at the 3:15 at Cheltenham looks a wee bit familiar a week later.
I’d love to believe that we won’t get to the stage where cyber criminals start infiltrating events in the way I’ve described. But you can bet they’ve thought of it, or other scenarios where it’s possible to have a code scanned by a total stranger – trade shows, for example.
Things are changing, albeit gradually. Businesses are realising that they need to swing from taking a reactive approach to cyber crime to taking a proactive stance and, halle-bleedin’-lujah, some of them are actually doing it.
There’s hope yet for digital trust. Good ol' face-to-face analogue trust? It looks like there's still some work to be done.
