Hackers have had a big week. US claims that the Chinese military is allegedly hacking into US corporations and actively enticing the country’s best hackers to join up are one thing, but when hackers try to break into Facebook, that’s a real national emergency.
Don’t get me wrong, they are both serious issues, but the latter should have Facebook users who choose to log in to other sites using their Facebook credentials shaking in their shoes. How many sites now allow you to log in using Facebook, your Microsoft account and others? Why anyone would opt for Facebook login for anything but Facebook defies logic. The whole idea of having different logins is to ensure that a breach of one vulnerable site does not expose the user’s personal accounts on other sites.
Twitter accounts for Burger King and Jeep were also compromised this week. As AdAge digital points out, “Twitter began as a platform for people to send short, mass messages, and as brands began to uncover its usefulness, they, too, jumped in. Today Twitter essentially treats as equals – brands with millions of followers and people with only a handful – offering one standard account type to serve both.” But the breaches certainly point to the need for a distinction.
Twitter declined to comment on the hacks, citing the privacy of individual accounts. But Gizmodo has made a speculative ID of the hacker based on the content of his tweets, and posts that the Burger King account was breached by resetting a password via a compromised email account. Great, that might help find the culprit, but there will be another tomorrow and the day after. Damn the excuses, the accounts were hacked, and if Twitter wants to raise its status and remain viable it simply cannot allow these things to happen.
So many internet sites and social networks only require single-factor authentication when most banks now require at least two. Speed and simplicity, however desirable, may prove to be a liability for many, but carrying around bags of security tokens is not a viable alternative either.
It raises questions of whether identity and security should be inextricably linked, but that also raises the question of who or what will be trustworthy enough to act as the secure handler of those security details, and what if they are compromised. Governments, CSPs and banks have all been mooted as potential trusted partners, and even though they sound like far more secure options than Facebook as identity brokers, they too are a risk.
Consumers are advised to have a different login and password for all access to secure sites so that if any one site is compromised their information can’t be randomly used on other sites to gain access. But if you have logins to hundreds of sites, how can you possibly remember them all, especially if they have been created by those clever password generators?
Oh yes, there are those password storage applications that have proliferated on mobile platforms that store encrypted information in the cloud so it can be accessed by all your devices. They are brilliant in concept, design and operation, but who are they created by, where is the data stored and who manages the encryption? I’m not saying that any of them cannot be trusted, but if you plan to keep all your confidential information in a safe place you should probably check just how safe it is. If you can, that is!
So, what’s the solution? Stopping all access to any site via the internet is a start, but is no guarantee. Reverting to cash, writing cheques and quitting all web-based portals that hold any of your information might work, but is it really an option? You or your house could get robbed, or your data may not be deleted. Having multiple virtual identities, if you can remember them, is another. As more and more ‘free’ social sites revert to any means of ‘monetization’, the options of being safe and secure are reduced. We are in danger of killing off the digital age before we even get into it.
So, what’s left?
First published at TM Forum as The Insider