Practicing Better Online Security

We regularly read about companies experiencing security breaches, and yet we continue to give an insane amount of data (and level of detail within that data) to companies without giving much thought to how they’re using it, how they’ll protect it, or whether we should perhaps limit their ability to store it. Sometimes, as I’ve written about in the past regarding USA Triathlon, it becomes apparent only after trusting them that you shouldn’t have.

There are two types of data relationships with companies: those we have to give information to and those we don’t. JP Morgan Chase just reported that 83 million accounts (76 million households, 7 million small businesses) were compromised. They hold my mortgage; I don’t really have a choice as to whether I want to let them store my data. LinkedIn reported in 2012 that 6.5 million accounts had been compromised. It’s a social media platform; its users all made an active decision to share data with it unnecessarily. In all, more than 1.6 billion passwords have been stolen by a Russian crime organization.

It didn’t help that LinkedIn reportedly failed to store password data with even basic industry-standard security practices. See my comment earlier about learning you can’t trust organizations.

We routinely offer personal bits of data, such as a mother’s maiden name, to companies from which we are making a simple and perhaps one-time purchase, on the premise that providing it will make our account more secure. What if they store it in an unsafe manner or include it with information they share with other parties? Where does that information go over time? Assuming you can trust a company, how do you know you can trust the companies it does business with?

The simple answer is that you can’t.

Companies are experiencing security breaches at an alarming rate – as of the end of 2013, about 47% of Americans had been impacted. Some breaches are the result of lax security policies that allow sensitive information to be stored on unencrypted removable media that can be lost or stolen, while others are the result of criminals hacking into company data for the purpose of stealing your identity.

A New York Times article earlier this year highlighted the fact that our increasingly “connected” business infrastructure only serves to create new ways to defeat a company’s security measures:

“Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.”

Last year was an impressive year in its own right, with more than 740 million records exposed in data breaches, and that figure could actually be conservative. More than 100 million of those came from the Target breach alone. By the middle of this year, almost half – 432 million, or about 47 percent – of Americans had been hacked in the previous 12 months, according to figures from the Ponemon Institute.

Large-scale Data Breaches by Company

  1. Heartland Payment Systems, 2008-2009: 130 million records compromised
  2. Target Stores, 2013: 110 million records compromised
  3. Sony online entertainment services, 2011: 102 million records compromised
  4. JP Morgan Chase, 2014: 83 million records compromised
  5. National Archive and Records Administration, 2008: 76 million records compromised
  6. Epsilon, 2011: 60 million to 250 million records compromised
  7. Evernote, 2013: More than 50 million records compromised
  8. Living Social, 2013: More than 50 million records compromised
  9. TJX Companies Inc., 2006-2007: 46 million records compromised
  10. Adobe Systems, 2013: At least 41 million records compromised
  11. CardSystems Solutions, 2005: More than 40 million records compromised

For a visual representation of security breaches, check out the project on this site!

So, what can you do to prevent this?

Minimizing Shared Data

The best thing you can do is limit the data you share with companies. It stands to reason that the more widely your data is stored, the more opportunities there are for it to be compromised. For example, does the store from which you’re ordering a holiday decoration really need your telephone number? Does the gym where you exercise really need your home and mobile phone numbers? And here’s an easy one: the salesman at the dealership where you’re considering buying a car does not need your email address or your telephone number. But this only addresses the type of data that is shared or sold by companies to others.

What about the data you use to secure all of your accounts, like answers to security questions? How much more easily could your data be compromised if your mother’s maiden name is available to a hacker who already knows your email address and password? There’s no reason the answers to these questions can’t be additional (and unique) complex passwords rather than the actual answers.

Two-Factor Authentication

First, use two-factor authentication wherever possible. Two-factor authentication combines “something you know” (like a password) with “something you have,” which can be an object like a phone. This doesn’t necessarily help prevent your data from being compromised, but it will keep people out of your account even if they already have your password. Wired Magazine’s Mat Honan shared a heart-breaking story about his experience in 2012 and why two-factor authentication would have helped.

Two-factor authentication solutions are not without implementation problems, such as application-specific passwords (ASPs) that work across multiple services, Google’s implementation in particular. An ASP could be used not only to access any service (Google originally claimed each was specific to only one) but even to adjust account settings, such as turning off two-factor authentication. For more information, see this article or this article. Twitter has had problems with its implementation as well.

And unfortunately, many service providers don’t bother implementing it until they have a widely publicized breach. My beloved Evernote was a prime example.

Several sites maintain an ongoing list of places where you should enable 2FA, such as LifeHacker, Evan Hahn and twofactorauth.org.

General Password Practices

You should always strive to use a different, complex password for each site you log in to. Two recent breaches revealed a password reuse rate of 31% among victims. For that matter, many people don’t know how to construct a complex password.

I use a different password on each site, and each of those passwords is a complex password. This isn’t really manageable without a password manager such as RoboForm, LastPass or 1Password (unless you incorporate something standardized about the site into a standard password, but then you’re undermining the premise of using unique passwords). For information about selecting the best application for you, check out PC Magazine’s recent comparison or any of the ongoing discussions on LifeHacker about the topic. Personally, I have used RoboForm since 2007 and love it, though I’m considering switching to take advantage of features it lacks.

Reactive Measures

If you’ve already been compromised — and statistically, it’s likely you have been — consider doing the following:

  • First and foremost, change your passwords on any accounts with financial institutions,
  • Register for credit monitoring services, which are likely provided free of cost by companies with whom you have an account that has been breached or from a service such as Credit Karma,
  • Place a security freeze on your credit files, which costs no more than $10 (depending on your state) but is free if you have been the victim of identity theft, and
  • Perhaps most importantly, monitor your credit for new changes annually, which you can do for free