After being affected by last year's Sony PlayStation Network breach, and now by the LinkedIn password leak, which worries me even more, I'm absolutely sure that the current solutions protecting sensitive identity and financial information on the internet are not secure enough. Having seen and experienced the financial, technical and security challenges behind the scenes while I was a technology services Deputy CIO only makes me worry more.
The current state of account protection seems to reward not only the executives, accountants and engineers who circumvent security improvements in the name of convenience, but also hackers and internet-focused criminals. With instant profit as their main credo, corporations view security as an endless profit-eating hole that no corner-cutting corporate smoke-and-mirrors magician likes to invest in until shtuff happens, when it turns into a profit-eating black hole of damage control. Then they run around like headless chickens until the negative publicity cloud clears, but we the people (AKA customers) are already screwed. I still believe what I wrote here a year ago: things will only get worse.
Moreover, when a system is well guarded and seemingly a fortress, hackers obtain credentials through social engineering or through less secure systems where users reuse the same login and password, so one weak site's breach unlocks the strong one. These guys can relatively easily find their way into seemingly protected networks by luring naive users into clicking on malicious links, and then do a lot of damage with malware, trojans, bots and identity theft. Many of my own friends, and the pages, books or bands I liked on Facebook, keep spamming me with useless information, articles, musical YouTube videos (as if I didn't know where to find them), "I need a little fishie in my aquarium" games, and invites to share everything short of my social security number. That nuisance conditions people into accepting too many app invites without being cautious enough. What's worse, and probably made easier by this habit, I've also seen several apologetic emails from friends denying that it was them who sent messages carrying malware. What happened is that they received a message that looked like it came from a friend or from technical support, trusted it and clicked OK without evaluating the risk or double-checking with the apparent sender.
Absolutely Concise Internet Identity May Be Bad for Good Guys
I used to think that a transition to IPv6 and stricter policies toward knowing the owner of each and every device and address in the world would help a lot against cyber crime and spam, but besides IP spoofing (faking source addresses) there are other reasons why absolutely distinguishable internet identities may be bad for humanity. The internet has blossomed partly because it is so anonymously liberating. Once there is a fixed identity for every person and every device out there, the bad guys (oppressive and censoring regimes, as well as crime rings) will have a perfect tool to locate and harm the good people who oppose or publicly expose their wrongdoing and violence.
Perhaps we need a number of different authentication systems, with a required combination of all of them for the most secure systems, where establishing new accounts and contacts would be based on thoroughly verified identity: owner's name, biometrics (fingerprint, eye or voice recognition), smartphone and phone numbers, home address and other real offline identity information (a device's MAC address is a weak addition, since it is trivially changed and only visible on the local network). Other systems could have relaxed rules, and perhaps we should all also have a third, absolutely anonymous identity, so those bad guys can't discover who is who and harm the good people they can reach.
Whatever the solution, the world needs something new to protect its systems. Until then we need to give up a little convenience to protect what we have left of our privacy and identity.
What To Do For Now
I'll sound like a broken record (does anybody still remember what that stands for?), but until there is much better internet account protection and higher security for all, I suggest using a password manager and a different, strong password on every single account you have. It's not the most convenient thing, but it's much better than having all of your accounts stolen at once when one site leaks its password database. In my KeePass post I listed my three favorite password managers with desktop and smartphone synchronization, some of which work well across a multitude of systems (Windows, Linux, Apple, Android, iPhone, BlackBerry, etc.), so you can find some relatively convenient security bliss there.
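As an added illustration of the advice above (example code written for this post, not taken from the KeePass post or from any password manager), here is what "a different, strong password on every account" means in practice: a generator that draws from the operating system's CSPRNG rather than a plain random number generator, an entropy estimate for what it produces, and a small reuse audit over a constructed sample vault. The vault, its account names and its passwords are made up for the example.

```python
"""Per-account unique passwords: generate them from a CSPRNG and audit a vault for reuse."""
import hashlib
import math
import secrets
import string
from typing import Dict, List

# Character classes a generated password must draw from at least once.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # the 94 printable ASCII characters


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET (secrets, not random) that contains
    at least one character of every class. Rejection sampling keeps the result
    uniform over all qualifying strings instead of biasing fixed positions."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group accounts that share a password. The grouping keys on a SHA-256 digest
    so plaintext passwords never sit in the intermediate structure."""
    groups: Dict[str, List[str]] = {}
    for account, password in vault.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups.setdefault(digest, []).append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


# Constructed sample vault with deliberately reused passwords (not real credentials).
SAMPLE_VAULT = {
    "bank": "Summer2012!",
    "webmail": "Summer2012!",
    "forum": "Summer2012!",
    "shop": "hunter2",
    "work-vpn": generate_password(24),
}

if __name__ == "__main__":
    for accounts in find_reused(SAMPLE_VAULT):
        print("same password on:", ", ".join(accounts))
    print("fresh:", generate_password(), "(~%.0f bits)" % entropy_bits(20))
```

A 20-character password over the 94 printable characters carries about 131 bits, far beyond anything an offline attack on a leaked hash database can reach; the point of the audit function is that the "bank", "webmail" and "forum" entries fall together the moment any one of those sites leaks.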
Google’s Two-factor Authentication
Google has moved ahead with its two-factor authentication (Google calls it 2-step verification), which has worked flawlessly for me for many months and which I highly recommend. It is one of the few ways to add a second layer to your (so far only Google) accounts and make it far harder for a hacker who has only your password to break in. The add-on comes with an app you install on your smartphone; it shows a six-digit numeric code, changing every 30 seconds, that you type in each time you sign in (unless you tick "remember this computer for 30 days", in which case you do it only once a month on that machine). I've seen similar things done earlier by my bank's online service and by some companies with a hardware security token, but Google perfected it, put it on smartphones and made it both more secure and more convenient, which is usually an oxymoron. Of the few security improvements I've seen lately, I like this one most and fully endorse it as a move in the right direction.
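The six-digit code the app produces is a time-based one-time password (TOTP, RFC 6238): phone and server share a secret, and each 30-second window yields a fresh code derived from an HMAC-SHA1 over the window counter. The following is an added example written for this post, not code from Google or from the original article. It implements both sides: generating codes as the app does, and verifying them as the server does with a one-step clock-drift window and a constant-time comparison. The 30-second step, six digits and SHA1 are assumptions matching Google Authenticator's defaults; the account and issuer names are made up; and the reference key is the one from RFC 6238's test vectors so the printed output can be checked against the RFC.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) as used by smartphone authenticator apps.
HOTP (RFC 4226) is the building block: HMAC-SHA1 over a counter, dynamically
truncated to 31 bits and reduced modulo 10^digits."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # assumed time step (Google Authenticator default)
DIGITS = 6          # six-digit codes, as described on the page


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(key, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(key: bytes, at: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check. Accepts the code for the current step and +/-`window`
    neighbouring steps (tolerates phone clock drift). Every candidate is compared
    in constant time and the loop never exits early, so timing does not reveal
    which step matched."""
    if at is None:
        at = int(time.time())
    if len(code) != digits or not code.isdigit():
        return False
    counter = at // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            matched = True
    return matched


def new_secret_b32(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret_b32(secret: str) -> bytes:
    """Inverse of new_secret_b32: restore the stripped '=' padding and decode."""
    s = secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind encoded in the enrolment QR code (names are hypothetical)."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 reference key (ASCII "12345678901234567890"); compare with Appendix B.
    rfc_key = b"12345678901234567890"
    print("T=59         ->", totp(rfc_key, at=59))           # 287082
    print("T=1111111109 ->", totp(rfc_key, at=1111111109))   # 081804

    # Enrolment and first login of a hypothetical user.
    secret = new_secret_b32()
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))
    now = int(time.time())
    code = totp(decode_secret_b32(secret), at=now)
    print("code", code, "verifies:", verify_totp(decode_secret_b32(secret), code, at=now))
```

Two practical notes follow from the code: the server must keep its clock in sync, because a skew larger than the window locks everyone out; and a code is only as secret as the shared key, so the base32 secret (and the QR code carrying it) has to be protected like a password on both the phone and the server.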
Below is a Google video with more information about this feature. Let's hope other internet entities soon start using the same or similar security add-ons. There may be some trouble with the number of different apps we'd need, but we'll worry about that if and when it happens. For now, in the absence of other easier, more convenient and more secure account access techniques, we desperately need these to protect our privacy, finances, circles of friends, websites, etc.