130 million.

That’s how many credit card details Miami resident Albert Gonzalez is alleged to have stolen by hacking into US companies over recent years.

Albert Gonzalez stole details for 130 million accounts - and he's just one hacker

Gonzalez hasn’t been the only one busy stealing financial credentials from legitimate businesses that have collated data from our online and offline transactions. Others have targeted home computers using malicious software (malware), or tricked the credentials out of us via phishing or fraudulent websites.

Criminals have been stunningly successful in stripping our most sensitive information.  And then parading it on online black market portals.

So far the best protection we’ve had against victimisation is criminal inefficiency.  Not their ability to get hold of the data - rather their lack of capacity to exploit it.  It is a very important distinction.

A reactive position is now best: assume that our financial credentials have been compromised, then monitor for misuse.  Financial institutions allow us to “charge back” unauthorised transactions on credit cards (assuming they are picked up) and will even offer protection (thankfully) for misused internet bank accounts.

But while criminals have been online mining precious information we assumed was secure, we are increasingly just giving it away via social networking sites. 

Yes, giving it away. And criminals love it.

Some of the seemingly innocent information may later be used to access internet accounts we operate, transfer our phone number, or even to assume our identity (impersonate us).

Consider this: over time your credit card number will change, so will that of your bank account, even your street address. But your date and place of birth won’t, nor will your mother’s maiden name, the school you went to, or the name of your favourite pet.  Many of these pieces of information sit exposed on various social networking sites; they are also often the “shared secrets” we give to websites to help us when we have forgotten our password, or to “prove” our identity when we transact.

A recent paper, Broken Promises on Privacy by Paul Ohm from the University of Colorado Law School, makes for a depressing read.  It looks at the ability to cross-reference “anonymised” data to a point where individuals can be identified.  Ohm cites research that 61-87% of the American population can be identified when a person has access to three items of information about them: postcode, date of birth and sex.  Ohm argues that we need to have a broader definition of what “personally identifiable information” is.
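To make the re-identification mechanism Ohm describes concrete, here is an added example that is not part of the original article or of Ohm's paper. It uses a constructed, eight-row "anonymised" dataset (names removed, postcode, date of birth and sex kept) and shows three things: how many rows are already unique on those three quasi-identifiers, how a single row is tied back to a person once the same three attributes are known from elsewhere (for instance a public profile), and how coarsening the quasi-identifiers raises the dataset's k-anonymity. All records, postcodes and the "condition" column are invented; the function names are this example's own.

```python
from collections import Counter

# Constructed sample of "anonymised" records: names removed, but the three
# quasi-identifiers Ohm's cited research relies on are kept intact.
RECORDS = [
    {"id": 1, "postcode": "4000", "dob": "1984-03-12", "sex": "F", "condition": "asthma"},
    {"id": 2, "postcode": "4000", "dob": "1984-03-12", "sex": "M", "condition": "none"},
    {"id": 3, "postcode": "4000", "dob": "1990-07-01", "sex": "F", "condition": "diabetes"},
    {"id": 4, "postcode": "4001", "dob": "1984-03-12", "sex": "F", "condition": "none"},
    {"id": 5, "postcode": "4001", "dob": "1975-11-30", "sex": "M", "condition": "none"},
    {"id": 6, "postcode": "4001", "dob": "1975-11-30", "sex": "M", "condition": "asthma"},
    {"id": 7, "postcode": "4005", "dob": "1975-11-30", "sex": "F", "condition": "none"},
    {"id": 8, "postcode": "4005", "dob": "1990-07-01", "sex": "M", "condition": "diabetes"},
]

# The quasi-identifier triple from the research Ohm cites.
FULL_QIDS = ("postcode", "dob", "sex")


def key(record, quasi_ids):
    """The tuple of quasi-identifier values an outside dataset could match on."""
    return tuple(record[q] for q in quasi_ids)


def class_sizes(records, quasi_ids):
    """Equivalence classes: how many records share each quasi-identifier tuple."""
    return Counter(key(r, quasi_ids) for r in records)


def unique_fraction(records, quasi_ids):
    """Fraction of records whose quasi-identifier tuple is unique, i.e. re-identifiable on its own."""
    sizes = class_sizes(records, quasi_ids)
    unique = sum(1 for r in records if sizes[key(r, quasi_ids)] == 1)
    return unique / len(records)


def k_anonymity(records, quasi_ids):
    """The k of k-anonymity: the smallest equivalence class. k == 1 means someone is uniquely exposed."""
    return min(class_sizes(records, quasi_ids).values())


def link(records, known, quasi_ids):
    """Records consistent with attributes already known about a person from another source.

    Exactly one match means the 'anonymised' row, and its sensitive column,
    has been tied back to that person.
    """
    target = tuple(known[q] for q in quasi_ids)
    return [r for r in records if key(r, quasi_ids) == target]


def generalise(record):
    """Coarsen the quasi-identifiers: postcode to a 2-digit prefix, date of birth to a decade, sex suppressed."""
    return {
        **record,
        "postcode": record["postcode"][:2] + "**",
        "dob": record["dob"][:3] + "0s",
        "sex": "*",
    }


def generalise_all(records):
    return [generalise(r) for r in records]


if __name__ == "__main__":
    print("unique on postcode+dob+sex:", unique_fraction(RECORDS, FULL_QIDS))  # 0.75
    print("k-anonymity as released:", k_anonymity(RECORDS, FULL_QIDS))         # 1
    # Constructed example of the same three attributes learned from elsewhere.
    profile = {"postcode": "4000", "dob": "1984-03-12", "sex": "F"}
    print("rows matching that profile:", link(RECORDS, profile, FULL_QIDS))    # record 1 only
    coarse = generalise_all(RECORDS)
    print("k-anonymity after generalisation:", k_anonymity(coarse, FULL_QIDS))  # 2
```

Six of the eight constructed rows are unique on the triple even though no name is present, which is the point of the "broader definition" Ohm argues for: a column does not have to be a name to identify someone. Generalising the triple (decade instead of full birth date, postcode prefix, sex suppressed) brings every class to at least two rows, at the cost of the data's usefulness; the trade-off a data holder makes is between that loss and the exposure the released triple creates.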

In August 2008 the Australian Law Reform Commission recommended mandatory data breach and data protection laws, as part of a wide-ranging review of the Privacy Act.  The government promised to respond in stages but has not yet commented on this area of the report.  It is time for the Federal government to act so that we can have some confidence our information is safe - and are told when a company loses information about us.

Longer term we need to question the amount of information we give companies both on and offline, what they do with that information, and how they secure it.  Online businesses need to be moving towards better ways of locking down accounts than usernames and passwords.  Bill Gates predicted the demise of the password in 2004, stating that “over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”  But passwords have never looked healthier.  Let’s hope Gates is right in the long run.

On a personal level we need to think carefully about the information we put online and how others can abuse and misuse it.  We need to do our best to secure our own computers from intrusion.

We also need to ask ourselves how damaging the information (or tagged photograph) might be to our reputation, or employment prospects - current and future.  But with a generation of people playing their lives out online - saved, indexed and retrievable - we’ll also have to change the prism through which we judge people.  Standards and expectations will have to slip.

As lampooned as the suggestion often is, we need sustained public education and awareness about how to act more safely, responsibly and securely online.  For many people the uptake of technology has simply outstripped their common sense and it will take time for the balance to be restored.

And when things go wrong online - identities stolen, computers compromised, cyberbullying, lost money to fraudsters - there needs to be a single place online to report matters.  A place where police and regulators and responsible businesses will take notice.  A place where people can get help.

The chance we’ve got if the online privacy, safety and security debate stays as moribund as it is today?

Zero.

National Identity Fraud Awareness Week is 5-11 October 2009


5 comments


    • Laura Mather says:

      04:39am | 22/09/09

      This is a great article.  The current (and emerging) threats to online security and privacy are super scary!  It’s good to see some discussion on this!

    • Ray Jarratt says:

      06:29am | 22/09/09

      I wish more people understood just how important an issue this is. Most of us don’t take it seriously until our own data is compromised - and then it’s too late.
      Thank you Alastair.

    • Nick Coster says:

      09:53am | 22/09/09

      As a product management consultant we see the same mistakes with websites being repeated time and again. The mantra of there being a trade off between security and usability is a poor excuse for a lack of imagination. The result is simplistic login pages that copy the same mistakes from one website to the next.

      There is a fantastic opportunity out there for the development of an authentication process (and re-authentication process) that is both secure and easy to use. It should not (for example) require the use of personal, unchanging information to reset access.

      This information, while personal, should not need to be kept private. I should be able to tell anyone my birth date and anyone should be able to know my mother’s maiden name. This should be information that is worthless to fraudsters but it isn’t because the designers of online services have assumed that this information is hard to get to. It isn’t, so the design of systems that make this assumption must change them.

    • Brian Iselin says:

      05:01pm | 22/09/09

      Excellent, and timely, article Alastair. Your words of caution are sadly something lacking in the space of those bringing life into ever more personal networking sites and more applications that proliferate individual information. The amazing part of this is the naivety we see in those users who keep a vastly tighter clutch on their handbag or wallet in a bad neighbourhood than they do on their personal data and banking information on the website. Here in Brussels we have a troubled area called the Gare du Midi - every city has one - the badly lit, grimy, under-policed area where people don’t go unless they want to find trouble. I don’t believe in being over-cautious, but as you say people are far more reckless online than they would be online, precisely because it feels like a less threatening context than using an ATM on a badly lit street. People online would be much better thinking they are cruising Gare du Midi when doing anything online but especially when making financial transactions or using personal networking sites. Education is the key, and not only or necessarily for the x-gen, y-gen and teens out there who already know their notebooks from their netbooks. Educative actions must somehow reach those who exhibit the least caution and the least knowledge of the perils of life online (and the fatter bank accounts): baby-boomers and their children.

    • Brendan Read says:

      10:21am | 12/10/09

      Alastair, you are absolutely right with your comments. How many mistakes must we make to get it right? If only more people listened to your thinking. Let’s hope that the Gov cybercrime inquiry were listening!

      I am currently completing my Masters of Information Technology at QUT in Brisbane. One of the subjects I am doing is Enterprise 2.0 which is focused around the use of Web 2.0 platforms in a commercial environment.

      I always deemed the sharing of information online as being dangerous purely because of my background being in the security field. I am interested to know your thoughts on employees using Web 2.0 applications. Do you think given the right guidelines and training that employees using Web 2.0 applications can be a benefit rather than a threat?

      I recently heard a presentation by Charis Palmer from the Online Banking Review. This presentation went into discussion about the use of social networking sites by employees within an organisation and the possible threats that this poses including issues of identity fraud. I know that this is a very real reality and that criminals utilise social networking sites to obtain further information on potential victims. There was also a very important and relevant discussion around the use of policy regarding social networking site use. I believe as did Charis Palmer that there needs to be a greater development of policies in a way that employees are better educated and prepared when posting information.

      Great to read your posts. Keep up the good work Alastair!
