When it comes to web safety, we’re going nowhere fast
That’s how many credit card details Miami resident Albert Gonzalez is alleged to have stolen by hacking into US companies over recent years.
Gonzalez hasn’t been the only one busy stealing financial credentials from legitimate businesses that collate data from our online and offline transactions. Others have targeted home computers with malicious software (malware), or tricked the details out of us via phishing emails and fraudulent websites.
Criminals have been stunningly successful in stripping us of our most sensitive information, and then parading it on online black-market portals.
So far the best protection we’ve had against victimisation has been criminal inefficiency: not any failure to get hold of the data, but a lack of capacity to exploit all of it. It is a very important distinction.
A reactive position is now the best we can take: assume that our financial credentials have already been compromised, then monitor for misuse. Financial institutions allow us to “charge back” unauthorised credit card transactions (assuming they are picked up) and will even, thankfully, offer protection for misused internet bank accounts.
But while criminals have been online mining precious information we assumed was secure, we are increasingly just giving it away via social networking sites.
Yes, giving it away. And criminals love it.
Some of that seemingly innocent information may later be used to access the internet accounts we operate, to have our phone service transferred, or even to assume our identity (impersonate us).
Consider this: over time your credit card number will change, so will your bank account number, even your street address. But your date and place of birth won’t, nor will your mother’s maiden name, the school you went to, or the name of your favourite pet. Many of these pieces of information sit exposed on social networking sites, and they are also often the “shared secrets” websites ask for when we have forgotten a password, or to “prove” our identity when we transact.
A recent paper, Broken Promises of Privacy by Paul Ohm from the University of Colorado Law School, makes for a depressing read. It looks at how “anonymised” data can be cross-referenced against other sources to the point where individuals can be identified. Ohm cites research that 61-87% of the American population can be uniquely identified by someone who has just three items of information about them: postcode, date of birth and sex. Ohm argues that we need a broader definition of what “personally identifiable information” is.
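The re-identification Ohm describes is a linkage attack: a “de-identified” release keeps postcode, date of birth and sex as harmless-looking fields, and an attacker joins those fields against a public roll that still carries names. The example below is added here to show the mechanics; it is not code from the article or from Ohm’s paper, and both datasets are constructed (a handful of invented Melbourne postcodes, birth dates and names). It also shows the defender’s side: coarsening the same fields (postcode prefix, decade of birth) before release turns each unique match into a set of candidates.

```python
"""Linkage attack on a "de-identified" dataset, and one mitigation.

Constructed data throughout: the public roll and the released health
records are invented for this example and do not describe real people.
"""
from collections import Counter, defaultdict

# Constructed public roll: something like an electoral roll or a scraped
# set of social-network profiles. Names are present.
PUBLIC_ROLL = [
    {"name": "Alice Brown", "postcode": "3000", "dob": "1975-03-12", "sex": "F"},
    {"name": "Bob Chen",    "postcode": "3000", "dob": "1980-07-04", "sex": "M"},
    {"name": "Carla Diaz",  "postcode": "3121", "dob": "1980-07-04", "sex": "F"},
    {"name": "Dan Evans",   "postcode": "3121", "dob": "1990-11-30", "sex": "M"},
    {"name": "Ed Fox",      "postcode": "3121", "dob": "1990-11-30", "sex": "M"},
    {"name": "Fay Grant",   "postcode": "3051", "dob": "1978-09-09", "sex": "F"},
    {"name": "Gus Hill",    "postcode": "3011", "dob": "1984-02-02", "sex": "M"},
]

# Constructed "de-identified" release: names stripped, but the three
# quasi-identifiers Ohm cites are left intact alongside a sensitive field.
DEIDENTIFIED = [
    {"postcode": "3000", "dob": "1975-03-12", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "3000", "dob": "1980-07-04", "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "3121", "dob": "1990-11-30", "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "3000", "dob": "1960-01-01", "sex": "F", "diagnosis": "influenza"},
]


def quasi_key(rec):
    """The (postcode, date of birth, sex) triple used to join the datasets."""
    return (rec["postcode"], rec["dob"], rec["sex"])


def reidentify(released, public):
    """Join released records to the public roll on the quasi-identifier triple.

    Returns one result per released record: the sensitive field, every
    candidate name that shares the triple, and a single name only when the
    match is unique (the attacker's success case).
    """
    index = defaultdict(list)
    for person in public:
        index[quasi_key(person)].append(person["name"])
    results = []
    for rec in released:
        candidates = sorted(index.get(quasi_key(rec), []))
        results.append({
            "diagnosis": rec["diagnosis"],
            "candidates": candidates,
            "identified": candidates[0] if len(candidates) == 1 else None,
        })
    return results


def identified_count(results):
    """How many released records were tied to exactly one named person."""
    return sum(1 for r in results if r["identified"] is not None)


def k_anonymity(records):
    """Smallest group sharing a quasi-identifier triple; 1 means some row is unique."""
    counts = Counter(quasi_key(r) for r in records)
    return min(counts.values())


def generalise(rec):
    """Mitigation: release only a postcode prefix and the decade of birth."""
    decade = rec["dob"][:3] + "0s"          # "1975-03-12" -> "1970s"
    return {**rec, "postcode": rec["postcode"][:2] + "xx", "dob": decade}


if __name__ == "__main__":
    print("k-anonymity of raw release:", k_anonymity(DEIDENTIFIED))
    for r in reidentify(DEIDENTIFIED, PUBLIC_ROLL):
        print("raw       ", r)
    coarse_release = [generalise(r) for r in DEIDENTIFIED]
    coarse_public = [generalise(p) for p in PUBLIC_ROLL]
    for r in reidentify(coarse_release, coarse_public):
        print("generalised", r)
```

On the raw release two of the four records link to exactly one name (the hypertension record has two candidates, the influenza record none); after generalisation every record has either several candidates or none, so no single person can be pinned to a diagnosis. The same join works just as well with mother’s maiden name, school or pet’s name standing in for the triple, which is the point of the paragraph above.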
In August 2008 the Australian Law Reform Commission recommended mandatory data breach and data protection laws, as part of a wide-ranging review of the Privacy Act. The government promised to respond in stages but has not yet commented on this area of the report. It is time for the Federal government to act so that we can have some confidence our information is safe - and are told when a company loses information about us.
Longer term we need to question the amount of information we give companies both on and offline, what they do with that information, and how they secure it. Online businesses need to be moving towards better ways of locking down accounts than usernames and passwords. Bill Gates predicted the demise of the password in 2004, stating that “over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” But passwords have never looked healthier. Let’s hope Gates is right in the long run.
On a personal level we need to think carefully about the information we put online and how others can abuse and misuse it. We need to do our best to secure our own computers from intrusion.
We also need to ask ourselves how damaging the information (or tagged photograph) might be to our reputation, or employment prospects - current and future. But with a generation of people playing their lives out online - saved, indexed and retrievable - we’ll also have to change the prism through which we judge people. Standards and expectations will have to slip.
As lampooned as the suggestion often is, we need sustained public education and awareness about how to act more safely, responsibly and securely online. For many people the uptake of technology has simply outstripped their common sense and it will take time for the balance to be restored.
And when things go wrong online - identities stolen, computers compromised, cyberbullying, lost money to fraudsters - there needs to be a single place online to report matters. A place where police and regulators and responsible businesses will take notice. A place where people can get help.
The chance we’ve got if the online privacy, safety and security debate stays as moribund as it is today?
National Identity Fraud Awareness Week is 5-11 October 2009