Child could crack your password?

by msecadm4921

IT people suggest security is woefully flawed because children can crack passwords. Some 42 per cent of IT people believe that the average child could crack most end-users’ passwords using social networking tools. Those are the findings of a survey of 300 IT people conducted by SecurEnvoy, which found that the average child can now use social networking tools so proficiently that adults simply don’t stand a chance.

Perhaps a greater concern is that, with social networking sites, a virtual Aladdin’s cave of personal information is now available. According to SecurEnvoy, relying on a security question alone – such as mother’s maiden name, first school or pet – is woefully inadequate to fend off hackers, both those already practising their craft and the far superior younger generation about to enter the workplace.

Andy Kemshall, co-founder and CTO for SecurEnvoy, said: “You just have to look at the various status updates, and the veritable goldmine of information, on social networking sites such as LinkedIn and Facebook to see how freely personal information is given away – and in fact is actively encouraged. For example, on Facebook, by labelling relatives, it wouldn’t take a genius to work out that Mrs Jane Brooks’ daughter Susan, whose uncle is Peter Jones, probably has a maiden name of Jones. Susan’s LinkedIn account will then tell us where she works, and probably includes her email address. While many won’t be able to do any more with this information, someone wanting to attack Susan’s employer could log in, answer the ‘secret’ question and reset her password to potentially get control of her credentials.”

The study found that only 16 per cent of security people believe that using just a ‘secret question’ for securing passwords is enough protection. Given this figure, it is concerning that 21 per cent confessed this was the practice within their organisation for resetting passwords. That translates to five per cent who know it’s a risk but do it anyway, while the other 16 per cent are just naively playing with fire.

Andy adds: “The IT professionals spoken to obviously have very real security concerns. But if we’ve got a problem today then what’s going to happen tomorrow when our technology-proficient kids also join in the games and enter the workforce? We need to start getting serious about security today. To do that there are two things that need to happen – firstly, we need to educate everyone to make sure they realise exactly how much their online social habits are exposing. Secondly, organisations need to wake up to the very real threat of inadequate security protection – such as password resets. Just like ‘chip & pin’ has helped prevent in-person credit card fraud, apps and soft tokens as part of a two-factor authentication process are a very effective security measure. If we don’t wake up to the risks and start taking security seriously, rather than being shocked that some organisation or other has been breached it will become the norm and accepted as part of everyday life. I don’t think I’m happy for that to happen and certainly don’t think the rest of the population should be either.”

What is two factor authentication?

Two factor authentication (2FA) is a way of verifying that a person is who they say they are. It requires a combination of two out of three possible factors: something you know – a username, password or PIN; something you have – a credit card or token; and something you are – a fingerprint. A username and password together do not constitute 2FA, as they are two instances of the same factor. Authentication tokens, first used over 30 years ago, generate a one time passcode (OTP) which can be entered as part of a 2FA process. Unlike PINs, which are static, OTPs change every time and expire within a set period. And unlike the original physical tokens of the 80s, today OTPs can be generated by apps on a smartphone or sent via SMS, making their use not only easy but also practical. An everyday example of an OTP in use is GetCash, a service launched by the Royal Bank of Scotland and NatWest last month. The system works by sending a six-digit code to the user’s phone, which can then be entered into an ATM to withdraw the money. It can only be used once and expires after three hours.
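As an added illustration of how app-generated one time passcodes work, and of the two properties the paragraph above stresses (a code expires after a set period and can be used only once), here is a small Python example. It is not code from SecurEnvoy, GetCash or the banks mentioned; it implements the open HOTP and TOTP standards (RFC 4226 and RFC 6238) that smartphone authenticator apps commonly use, with a server-side verifier that refuses replayed codes. The shared secret is the published test-vector secret from those RFCs, the 30-second step and one-step drift window are assumptions, and the `OtpVerifier` class and `DEMO_SECRET` name are constructed for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one time passcode (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter derived from the clock.
    This is what a smartphone authenticator app computes for each time step."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Constructed server-side check with the two properties the text calls out:
    a code expires (only the current step plus a small drift window is accepted)
    and a code can be used only once (a step that was accepted is never accepted again)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step          # assumed 30 s step, as in common authenticator apps
        self.window = window      # assumed +/- one step of clock drift tolerated
        self.digits = digits
        self.last_accepted = -1   # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted:
                continue  # already consumed, or older than a consumed step: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted = candidate
                return True
        return False  # wrong code, expired code, or replay


# Constructed demo using the shared-secret test vector published in RFC 4226 / RFC 6238.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)                        # what the user's app shows at t=59
    print(code, verifier.verify(code, 59))              # 287082 True
    print(verifier.verify(code, 59))                    # False: same code replayed
    print(verifier.verify(totp(DEMO_SECRET, 0), 119))   # False: code from t=0 has expired
```

The SMS code used by a service such as GetCash is generated and stored by the server rather than derived from a shared secret, but the verifier logic is the same in spirit: compare in constant time, accept only within the validity period, and mark the code as spent on first use.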

 

Here’s advice on how to protect online identities.

A security and compliance company, RandomStorm, has commented on Experian’s report that more than 12 million pieces of personal information were illegally traded in the first three months of 2012, exposing people to ID theft and fraud.

The credit checking agency reports that most people have dormant accounts that they neglect to close down. It warns that even taking the precaution of changing passwords will not protect people from having their ID cloned if submitted personal details are subsequently stolen. Andrew Mason, Technical Director and Co-founder of RandomStorm, said: “Experian’s research highlights how important it is for people to protect themselves by making sure that old online accounts are closed. However, as we saw with the Yahoo password breach, there is still a risk of your personal details being stolen if the service provider keeps your old details on file. By creating unique passwords for each online service, this stolen data cannot be used to unlock other accounts.”

“We would strongly advise people to use the service of a credit scoring company and to set up an alerting service, such as the Identify Watch service from Equifax, to protect themselves from identity theft and fraud. We also recommend using password management services, such as 1Password, to avoid reusing passwords for multiple services.”

Earlier this year, RandomStorm was interviewed by a researcher working on a Channel 4 Dispatches documentary that exposed the illegal sale of personal data. The programme highlighted the risk of unscrupulous employees at private investigation firms using “blagging” techniques to breach section 55 of the Data Protection Act. Blagging is the practice of committing identity fraud by contacting an organisation and giving personal information, gleaned from other sources, to persuade employees to impart more sensitive private information, such as bank details, medical or benefit records.

“An individual’s private data is only as secure as all the businesses that handle it,” commented RandomStorm in the programme.

References:

BBC Breakfast, Tuesday 17 July 2012, “Online fraud, do you have a digital double?” http://www.bbc.co.uk/news/business-18867338

Information Week, Friday 13 July 2012, “Yahoo password breach: 7 lessons learned”

Channel 4 Dispatches, 8pm Monday 14 May 2012, “Watching the Detectives” http://www.channel4.com/programmes/dispatches/episode-guide/series-109/episode-1

The Data Protection Act 1998, Section 55, “Unlawful obtaining etc. of personal data.” http://www.legislation.gov.uk/ukpga/1998/29/section/55

About RandomStorm

RandomStorm is a UK-based network security company, providing IT security management tools and services. The company’s core products include: xStorm, an online perimeter vulnerability scanning service; iStorm, a network security appliance that scans the entire corporate network topology; StormProbe, an intrusion detection solution (IDS) with intelligent event correlation that alerts companies when critical assets are at risk; and AirStorm, a cloud- or appliance-based IDS to protect corporate wireless infrastructure.

RandomStorm is a CESG CHECK security consultancy, an Approved Scanning Vendor and a Qualified Security Assessor for the Payment Card Industry Data Security Standard. For further information, visit: http://www.randomstorm.com
