Still Insecure?

It seems like jumping into the Way Back Machine to write an article about something like internet security again. But, for whatever reason - and perhaps it was just the attack of the Heartbleed Worm - there have been many mentions of security - and insecurity! - on the Internet of late.

And what prompted me to, yet again, write an article about the subject is that in the last month or so, I've gotten ages-old phishing attempts that, while they're laughably obvious, can't help but make me wonder why anyone would be resorting to such ancient techniques.

In fact, the recent eBay hack relied, according to a source, on "'social engineering' techniques like phishing to trick people into helping them commit fraud, and were able to 'spoof' legitimate eBay credentials to access the online marketplace's database. 'People could have had very strong passwords and still had those stolen,' he (Ben FitzGerald, director of technology and national security at the Centre for a New American Security) added."

In truth, one of the "phishing" attempts I got recently wasn't even online, but the sophistication of the presentation (in letter form) gave me a nanosecond of "really?" before I realized that there were telltale clues to its fraudulent nature.

The letter, by the way, was a heavy paper stock, perforated-end "you have won 2 tickets on any American Airline" announcement with a number to call "by such and such a date."

When Mr. FitzGerald talks about "social engineering," he is referring to just the kinds of triggers that gave me that momentary pause: heavy paper (expensive); perforated ends (again, expensive); a logo; and more or less proper English wording. These things lull us into a sense of security - it must be the real thing, it isn't from Nigeria, badly worded and offering me $10,000,000 (I did get one of these emails just recently - more about that later!). That's "social engineering." What will make your mark feel secure with you? What gives him or her an assurance that this must be the real thing?

I've written before about emails that have subject lines such as "This is my last attempt," or "Did you get my last email?" or "Thanks for your order!" These things make us feel that we must have done something, or entered something, or ordered something, and therefore, we should open the email. Once the email is opened, the next step in wooing can commence.

Then, of course, there are genuine hacks.

More and more, we have data stored "in the cloud," or basically, "on someone else's server." Which means, you have very little control over its security. And given the nature of doing business these days, there's very little that can be done to change that - you, one small blip of data in a massive sea, are not going to change the tidal wave that is digital exchange of information. No data, including biometric credentials, are absolutely secure. Retinal scans, fingerprints, voiceprints - once it has become digital it is stealable. And almost any computer or server can be broken into.

What to do?

Exactly what security experts have been telling us all along:
- Trust no one. Unless you know for a fact that you have won a prize, ordered a product, have a download coming, or belong to a secure site - don't believe it. Get another source of assurance. Google it, for heaven's sake. (When I "won" my airline tickets, I Googled it and found - to my embarrassment - that this was an old game, just on newer, better paper, with a bit more polish on the grammar.)
- Change your passwords regularly. Even the best of us don't do this frequently enough. As I've written before, the best advice I ever got was from a very wise geek friend who had essentially developed a little algorithm for passwords. He simply knew his algorithm, and from there, it was easy to apply it to each location he visited, so that no two passwords were identical, but he had no difficulty "remembering" the password - as he was actually simply remembering the algorithm.
- Use a base password that isn't something associated with any other information readily available about you. So, use your great-grandfather's dog's name or something really arcane, rather than your birthdate or street number. Do mix up the characters with numbers, letters, and symbols - and don't have a favorite symbol that you just tack on to the end of a highly guessable password. Remember that you are up against a computer program, which is tireless and never gets bored. It will keep guessing until the lights go out on the universe if it has been instructed to.
- If the websites you visit that require passwords don't challenge you every so often, you're probably better off not being on them. Certainly your bank or other financial locations should check in with you periodically, request the answers to your challenge questions, and ask you to reset them.
- If you are going to keep a list of passwords, keep it on paper. Yes, that's right. Don't keep it on your computer - at least, if it must be on your computer, then use one of the reasonably good "master password" systems that encrypt your data and hide it all behind a single sign-on (LastPass and the like).
- If you really have a lot of sensitive information online, consider whether it's worth it to buy identity theft protection. Yes, it was rather comical when one of the early purveyors of this protection offered his own social security number and then assured us it was perfectly safe - and it wasn't - but if the company is also offering insurance up to the amount of money your data is worth, then why not?
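The "remember the algorithm, not the password" idea from the list above, written out as an added example (my construction, not the post's or the friend's actual scheme): a single arcane base phrase is combined with each site's name through a keyed hash, so every site gets a different password, nothing has to be stored, and a password leaked from one site tells an attacker nothing about the others. The base phrase, site labels and character set are assumptions for illustration.

```python
import hashlib
import hmac
import string

# Constructed character set: letters, digits and a handful of symbols that
# most sites accept. Change SYMBOLS if a site rejects some of them.
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def has_all_classes(pw: str) -> bool:
    """True when pw mixes letters, digits and symbols, as the post advises."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def derive_password(base_secret: str, site: str, length: int = 16) -> str:
    """Derive a deterministic, site-specific password from one base phrase.

    The same (base_secret, site) pair always yields the same password, so
    the user remembers only the phrase and the rule. Because HMAC is keyed
    on the base phrase, knowing the site name and this algorithm does not
    let anyone recover the phrase or predict another site's password.
    """
    if not 8 <= length <= 32:          # 256 hash bits cover ~40 chars; stay well inside
        raise ValueError("length must be between 8 and 32")
    # Normalise the site label so "eBay" and " ebay.com " do not silently
    # produce two different passwords for the same account.
    label = site.strip().lower()
    # Rejection loop: if a candidate lacks a character class, re-derive with
    # a counter appended. Still deterministic, no biased "force a symbol" step.
    for counter in range(256):
        msg = f"{label}\x00{counter}".encode()
        digest = hmac.new(base_secret.encode(), msg, hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(ALPHABET))   # unbiased base-74 digits
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        if has_all_classes(candidate):
            return candidate
    raise RuntimeError("could not derive a password containing all classes")


if __name__ == "__main__":
    base = "great-grandfathers dog was called Bartholomew"   # constructed phrase
    for site in ("ebay.com", "bank.example", "mail.example"):
        print(site, derive_password(base, site))
```

The scheme is only as strong as the base phrase, and unlike a password manager it cannot rotate one site's password without a rule change such as bumping a per-site counter.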

There is no way to be 1000% safe today. Data can be worth a lot, so thieves will spend time and resources trying to get it.

All we can do is our very best to evade them.
