What do you think when you hear Target, Neiman Marcus, UPS, JP Morgan Chase and Sony? Major brands? True. International corporations? Sure. Massive security breaches? Every one of these companies has lost customer information to hackers.
The pace at which people are migrating their lives to devices and the cloud is making personal data more vulnerable than ever. This could make for a bleak future, unless people change how they secure that information. But who has to change, and what’s standing in the way?
People aren’t lazy – they’re human. They forget things, so it’s no wonder that many choose one password to use everywhere. This won’t keep them safe.
The question is no longer will a website get hacked but when. Using one password across many sites is practically no better than no passwords at all – once someone cracks one, they can access them all.
Perhaps how people use passwords is more to blame than flaws with passwords themselves. Password managers like LastPass let users create unique, long character strings for each site. Sure, LastPass was hacked, but hackers only got access to encrypted versions of passwords. Plus, LastPass lets users change every site’s password very easily and it automatically re-encrypts all the saved ones.
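To make the password-manager argument concrete, here is an added illustration (not LastPass code, and not from the article) of the three properties the paragraph relies on: a unique long random password per site, a vault that is stored only as ciphertext under a key stretched from the master password, and a rotate step that swaps one site’s password and re-seals everything. It is stdlib-only, so the cipher is an encrypt-then-MAC stream construction built from HMAC-SHA256 standing in for the standard AEAD (AES-GCM or ChaCha20-Poly1305) a real manager would use; the iteration count, field layout and sample site names are assumptions made for the example.

```python
"""Illustrative password vault (added example; not any product's real code)."""
import hashlib
import hmac
import json
import os
import secrets
import string

PBKDF2_ITERATIONS = 100_000  # assumed cost; production managers tune this upward over time
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """A unique, long random password for one site, never reused elsewhere."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt the whole vault; the stored blob is salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong master password or a tampered blob fails."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext)


def rotate(master_password: str, blob: bytes, site: str) -> bytes:
    """Replace one site's password and re-seal the vault under a fresh salt and nonce."""
    entries = open_vault(master_password, blob)
    entries[site] = generate_password()
    return seal(master_password, entries)


def vault_leaks_plaintext(blob: bytes, entries: dict) -> bool:
    """What someone who steals the stored blob sees: is any password in the clear?"""
    return any(pw.encode() in blob for pw in entries.values())


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    sites = {s: generate_password() for s in ("shop.example", "mail.example", "bank.example")}
    blob = seal(master, sites)
    print("plaintext visible in stored vault:", vault_leaks_plaintext(blob, sites))
    print("round trip ok:", open_vault(master, blob) == sites)
    new_blob = rotate(master, blob, "shop.example")
    print("shop password changed:", open_vault(master, new_blob)["shop.example"] != sites["shop.example"])
```

The point of `vault_leaks_plaintext` is the one the paragraph makes about the LastPass breach: the only thing stored is ciphertext plus a tag, so the stolen artefact is useless without the master password, and the master password is protected by the PBKDF2 work factor rather than by secrecy of the vault file. The separate MAC key and the `compare_digest` check are what stop a tampered vault from being silently decrypted.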
Some people are excited about biometrics, but they’re scary. It’s one thing to change login credentials when those get stolen, but you can’t change your fingerprint or the pattern of your iris. Two-factor authentication is another option, but it’s a hassle and therefore impractical for anything but the most precious data, like bank accounts.
Passwords aren’t all people need to be mindful of, though. Does Cats.com really require my social security number for a ‘Manx of the Month’ newsletter? And when a site gets hacked, what information will the hacker get?
Logins are overkill
Logins were designed to authenticate users for security purposes and to identify them in order to remember preferences for convenience. But too many companies require full authentication when simple identification is enough – and plenty of those that only identify users pass up better ways to remember them.
Facebook’s shared login is a decent compromise because it provides identification and authentication without requiring that users give a third-party site their actual password. The downside to this model is users do have to give that third party access to their Facebook profile in return – and if their Facebook credentials are compromised, the bad guys have access to all the places where they can ‘Login with Facebook’.
Ultimately, many companies don’t need to authenticate at all. Think about the last time you created a login. You probably had to key in your full name, home address, mobile phone, maybe even gender or age, and probably a hint to help with password retrieval – just to order pizza? Really? Seems the default is to extract as much information as possible from users, in the guise of providing security.
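The distinction the three paragraphs above draw, identification for convenience versus authentication for security, can be shown as a small tiered-access model. This is an added illustration, not code from the article or from any real site: the in-memory stores, the two access levels, and the pizza-order functions are all constructed for the example. The identified tier remembers preferences under an opaque random id and collects no name, address or phone; only the path that touches payment details demands a password.

```python
"""Identification versus authentication (added illustration; all names are constructed)."""
import hashlib
import hmac
import os
import secrets

IDENTIFIED, AUTHENTICATED = 1, 2

_preferences = {}   # opaque visitor id -> remembered preferences (no personal data)
_accounts = {}      # username -> (salt, PBKDF2 hash of the password)
_sessions = {}      # session token -> (access level, subject)


def start_visit() -> str:
    """Identification only: a random opaque id that lets the site remember a visitor."""
    visitor_id = secrets.token_urlsafe(32)
    _preferences[visitor_id] = {}
    _sessions[visitor_id] = (IDENTIFIED, visitor_id)
    return visitor_id


def _require(token: str, level: int) -> tuple:
    """Reject a session below the access level the action needs."""
    entry = _sessions.get(token)
    if entry is None or entry[0] < level:
        raise PermissionError("insufficient access level")
    return entry


def remember(token: str, key: str, value: str) -> None:
    """Store a preference such as a usual order; an identified session is enough."""
    _, subject = _require(token, IDENTIFIED)
    _preferences.setdefault(subject, {})[key] = value


def reorder_usual(token: str) -> dict:
    """Convenience path: identification is enough to repeat a remembered order."""
    _, subject = _require(token, IDENTIFIED)
    return {"order": _preferences.get(subject, {}).get("usual", "unknown")}


def register(username: str, password: str) -> None:
    """Create an account for the rare actions that really need authentication."""
    salt = os.urandom(16)
    _accounts[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def login(username: str, password: str) -> str:
    """Full authentication, returning a session at the AUTHENTICATED level."""
    if username not in _accounts:
        raise PermissionError("bad credentials")
    salt, stored = _accounts[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, stored):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    _sessions[token] = (AUTHENTICATED, username)
    return token


def view_saved_payment(token: str) -> str:
    """Sensitive path: only an authenticated session may see stored payment details."""
    _, username = _require(token, AUTHENTICATED)
    return f"card on file for {username}"


if __name__ == "__main__":
    visitor = start_visit()
    remember(visitor, "usual", "large margherita")
    print(reorder_usual(visitor))
    try:
        view_saved_payment(visitor)
    except PermissionError as exc:
        print("identified visitor blocked from payment details:", exc)
    register("alice", "constructed-sample-password")
    print(view_saved_payment(login("alice", "constructed-sample-password")))
```

The data-minimisation consequence is visible in the stores: a breach of `_preferences` yields only random ids and toppings, because nothing in the identified tier ever asked for the fields the paragraph lists. Anything a site does not collect cannot be lost.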
Since companies are unlikely, without pressure, to stop unnecessarily extracting personal data from consumers, where will that pressure come from? How about an industry-wide ‘security report card’?
Imagine a grade reflecting adherence to a data security standard, like PCI DSS for credit cards. Consumers can choose who is trustworthy enough to share information with and who’s not. Lax companies can improve their practices to earn a higher grade.
On the flip side, we consumers need to think of identity, finances and personal data as gold bricks. If we keep them on the coffee table, having a front-door lock is vital. But if someone breaks the deadbolt, they can take it all.
But even a stronger deadbolt isn’t enough. We need to secure each ‘brick’ behind layers – inside a lockbox, which is disguised to look like a copy of War and Peace, hidden spine-in on an upstairs shelf – then make sure each layer is strong enough.
Having a solid password practice won’t help much if the company we’re entrusting our information to isn’t trustworthy.
While a report card won’t eliminate logins, it will give consumers more insight into how much of their data companies need and how they protect what they get. And companies should be rated on a number of criteria, such as: is the data encrypted on their machines (the answer is often no); how many employees have access to it (it should be a very small number); what kind of auditing, monitoring and reporting is done; how long do they retain the data and for what use; and what do they do with users’ data after they unsubscribe.
Companies that digitally collect customer information should regard themselves, first and foremost, as custodians of that data. This alone would make a dent in cybercrime.
But it won’t happen without raised standards, and those won’t happen without pressure from the people with the most to lose – the consumers.
Sourced from Joel Grossman, COO, Location Labs