A Conversation with Ying Sai

Ying Sai is an expert in Internet security research and e-commerce. She is an assistant professor of computer information systems and teaches in the College of Business Administration. We spoke with her about hacking and Internet security. She was interviewed by Editor Joseph Wakelee-Lynch.

What was the value of Internet transactions in 2012?
Close to $300 billion in 2012.

Can we also estimate the amount of money lost due to attacks on Internet security?
There are different ways to estimate loss. Direct loss includes how many customers had their information stolen, the amount spent to reimburse customers, and the cost of increased Internet security and consultant fees paid by businesses. There was about $800 million lost in 2012. The loss of potential sales, customers and reputation are indirect losses that are hard to estimate.

Is there a lag time between the government’s security advances and when they become widely available in the marketplace?
Sometimes. But in some areas, private researchers are more advanced than government agencies, such as in the case of developing encryption algorithms. I know of a case in which university researchers developed an algorithm so advanced that the U.S. government prohibited publication of the research for fear that terrorists could use it.

Is the world of hackers and defenders a spy vs. spy world?
Everyone involved is trying to learn the latest techniques and stay ahead. Take “zero day attacks,” for example. Zero day refers to the time when government agencies and businesses patch vulnerabilities. The availability of the patch is often publicly announced. For government agencies or corporations, implementing the patch can take hours or days, not seconds. Hackers try to attack whoever has not installed or completed the patch. The “good guys” try to patch their systems quickly to narrow the time of vulnerability. So there is a race between the hackers and the protectors. That’s where new techniques are developed, in response to new vulnerabilities.

Has there ever been a single data loss event that reshaped Internet security?
Yes. TJX, which owns T.J. Maxx and Marshalls, was hacked in 2006–07. The hackers parked in a store’s parking lot and, with an antenna, intercepted the unprotected wireless communication between the store’s cash register and the manager’s office. That’s called a “man in the middle” attack. Credit card information, expiration dates and PIN numbers were all transmitted. Information from perhaps 94 million credit and debit cards was stolen. The hackers got into the databases so many times that they forgot which they had downloaded. So they made notes to themselves in the databases as reminders. After that incident, the payment card industry set higher standards about data storage.

Will consumers someday no longer employ usernames and passwords?
There are fingerprint or iris-recognition technologies — biometric information — that some people think will be convenient and widespread. But there’s a drawback. If your password gets compromised, you change it. But if someone duplicates your fingerprints or your iris patterns, you can’t get new sets of those. Your biometric information is 100 percent lost and unusable forever. That’s a problem.

So the old-fashioned username/password combination is pretty useful?
It’s a low-tech, cheap solution that’s durable. It’s pretty good!