by Lauren Floyd
By now, the string of high-profile hacks of celebrity iCloud accounts threatens to make data security a topic so over-discussed that people get sick of hearing about it. But this buzzword weariness is dangerous precisely because universal awareness is the only way to educate people about what’s effective and what’s not.
Here’s the thing: passwords, even really complicated ones, are not enough to protect your personal or business data. They haven’t been for a long time, and yet we have article after article reminding people of how important it is to adopt stronger, more complex passwords to help boost their data protection. While that’s all well and good, the scary truth is that the average person is woefully behind the curve when it comes to digital security, especially if many have just now decided to upgrade their long-standing “password123” for every account ever to “rolltidefan321.”
Don’t get us wrong – there are several password manager apps out there, outfitted with super strong password generators and 256-bit AES encryption, which are really great. You should absolutely be using them if you have lots of online accounts that you’d like to lock down. But unless your password manager tool also uses multi-factor authentication, you’re still exposing yourself to great risk.
Take the now infamous Matt Honan incident of August 2012: using a bit of social engineering to take advantage of Apple and Amazon’s then-lax account policies, a hacker breached his Google and iCloud accounts to remotely erase all the data on his devices and, ultimately, take over his Twitter account. Honan lost more than a year’s worth of photos, documents, and emails in literally the blink of an eye.
While it’s clear now that Honan was the victim of a very targeted attack that exploited certain flaws in Amazon’s and Apple’s security measures, by his own admission there were a couple of things he could have done to prevent the hack:
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.
So the lessons learned were these:
1. For goodness’ sake, do NOT link or “daisy chain” all your accounts together. When you decide to create a new online account, do not choose the easy (read: lazy) option of signing in using your Facebook or Google account. Just don’t.
2. Start adopting multi-factor authentication to sign into every account for which it’s been made available.
While two-factor authentication is already “old hat” for anyone who’s enabled a lock code and a fingerprint scan for their iPhone, it still hasn’t caught on in the corporate world as quickly as it should. Perhaps that is because enforcing its adoption would require businesses to revamp their policies and processes. But multi-factor authentication, as a rule, is really pretty simple. There are three kinds of things one can use to verify that it is, in fact, you attempting to sign into an account:
1. What you know = username, password, security question
2. What you have = your phone, a key fob
3. What you are = a human who can pass a biometric scan
When you go through the process of signing into your credit card account, for example, and you get the username, password, and security question right, you’ve only utilized single-factor authentication. It’s not very secure at all, and many IT experts are sounding the alarm on the false sense of comfort that people get with these personal questions. The unsettling truth is that there is already so much information about you online that is readily accessible to hackers, you can never be too sure that the name of your first grade teacher isn’t public knowledge somewhere.
“Take some of the breaches recently involving the celebrities. The hackers were able to get on iCloud and answer the security questions based on what they found on the celebrity’s Wikipedia page,” explains TekLinks VP of Managed & Cloud Services, David Powell. “Now substitute ‘Facebook profile’ for ‘Wikipedia page,’ and you’ve got an idea of how easily this can happen to anyone with any kind of social media presence.”
What business technology experts are encouraging their clients to do is to make the multi-factor solution a priority, rather than an afterthought. A great example of how this can be done exists in the two-factor authentication Google and Facebook are using, which sends you a temporary code (via your phone or key fob) that you must input in addition to a username and password. While this isn’t a 100% guarantee, it is much more likely to prevent a breach.
“The most important thing for this technology’s adoption in the workplace is that people both recognize its value and find it easy enough to use each day,” says Powell. “It’s also an area where there’s going to be an opportunity for careful policy-making to make a huge impact. The technology is available now, it’s just not yet widely adopted. Ultimately, cloud services providers need to provide businesses with a better way to enforce data security now, while recognizing that we’re still humans and we’re not going to jump through massive hoops.”