If you’ve ever done your banking or paid for porn online, that little padlock in your browser (or, for the strictest class of certificate, the green address bar) means the site has presented a certificate issued by a certificate authority, a company your browser trusts, after it checked that the site operator really controls that domain and, for the green-bar kind, that the business behind it is who it says it is. The padlock doesn’t vouch for the retailer being honest; it vouches for the site being who it claims to be.
Now imagine you ran a dodgy phishing site and wanted to trick people into handing over their login details. Your fake site can’t get a padlock for the bank’s real domain, because no certificate authority should issue you one. But if you could find one of the people who issue those certificates, take them to the pub and promise them a grand for a certificate in the bank’s name, your phishing page would carry exactly the same padlock as the real thing, and you’d be laughing.
That risk is what makes the job so clandestine: when we met one such technician (a former physicist) from security vendor Symantec, publisher of the Norton security products, it was on condition of anonymity.
The nerve centre
Unlike Symantec’s flashy headquarters, the certificate-issuing centres are small, nondescript, unmarked buildings: one in the US, one somewhere in Europe and one in Melbourne.
The front door is just the beginning. After going through a mantrap, an airlock-like room whose second door won’t open until everyone is inside and the first door has closed, the inside looks much like any other office.
But every door after that needs more numbers, keys and codes before you reach the inner sanctum: the ceremony room, where the key-signing ceremonies happen and a certificate is generated, signed, witnessed and handed over to the website owner.
The screening process
“That is a significant risk from a personnel security perspective,” our contact agrees when we suggest that you wouldn’t want to employ anyone with a gambling problem or a stint in chokey for fraud on their record.
His 2006 job interview was a five-hour grilling by three people, who gave him a truckload of forms to complete before they would even talk to him further. Which is nothing, by the way: some higher-level jobs that need federal government clearance come with 300 pages of documents to complete.
Then comes everything short of a cavity search. After the initial police and credit checks, you’ll endure new ones every one to five years depending on your security level, and some of them are done behind your back.
For the highest-level positions, the Australian Federal Police will look at your hobbies, talk to your friends, look at your and your spouse’s financial details, ask which countries you’ve visited in the last 10 years and why, and much more.
Even if you finally land a job there, they don’t just hand you the master key and let you generate certificates. The checks and balances are seemingly endless, and the point of them is that nobody can get at the key material on their own. “I need six people with access to the lockboxes inside the safe,” our contact says. “To access certain cryptographic material I literally need eight people to unlock one key.”
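The “eight people to unlock one key” rule is an M-of-N custody control. One standard way to build it is Shamir’s secret sharing: the key (or the key that wraps it) is split into N shares, any M of which reconstruct it and any M−1 of which reveal nothing about it. The Python below is an added, constructed illustration of that scheme, not Symantec’s code or a description of its systems; commercial HSMs usually enforce the same rule with sets of operator smart cards rather than in software. It assumes an eight-of-twelve policy and a 256-bit key-encryption key, neither of which the article specifies.

```python
"""Shamir k-of-n secret sharing as a model of an M-of-N key-custody rule.

Constructed illustration, not Symantec's code. The quorum sizes used in
the demo (8 of 12) and the 256-bit key are assumptions; the article only
says eight people are needed to unlock one key.
"""
import secrets

# 2**521 - 1 is a Mersenne prime. All share arithmetic is done in GF(PRIME),
# which is large enough to hold a 256-bit key as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, holders):
    """Split `secret` into `holders` shares; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= holders:
        raise ValueError("need 1 <= threshold <= holders")
    # Polynomial of degree threshold-1 with the secret as its constant term.
    # The other coefficients are uniformly random, so threshold-1 shares leak nothing.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the share polynomial at x = 0.

    With at least `threshold` distinct shares this returns the secret. With
    fewer it returns a uniformly random wrong value; that is the property the
    custody rule relies on.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is den's modular inverse (Fermat's little theorem).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def custody_demo(threshold=8, holders=12):
    """Model a key ceremony: hand out shares of a wrapping key, then test the quorum.

    Returns (quorum_recovers, short_quorum_fails) so the behaviour can be checked.
    """
    # Constructed 256-bit key-encryption key standing in for the real key material.
    kek_int = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(kek_int, threshold, holders)

    # `threshold` custodians turn up (not the first ones: holders 3 onwards).
    present = shares[2:2 + threshold]
    quorum_recovers = recover_secret(present) == kek_int

    # One custodian short: interpolation yields garbage, not the key.
    short = shares[:threshold - 1]
    short_quorum_fails = recover_secret(short) != kek_int
    return quorum_recovers, short_quorum_fails


if __name__ == "__main__":
    print(custody_demo())  # (True, True)
```

In a real ceremony the shares would never sit in one process like this: each holder’s share lives on their own card or token, and reconstruction happens inside the HSM, so the demo above shows the arithmetic rather than the operational procedure.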
It sounds like the NSA on the inside, but staff have to be let out at some point to have a private life, and that’s where training takes over. Our guy says you’re tested on what you can and can’t say on an ongoing basis, some of it through role-plays.
“We really drill into staff what you can and can’t discuss. You can’t talk about customers and you certainly can’t talk about when key signing ceremonies occur because there’s a real risk people can be identified.”