Many of us read about the cyber-attack suffered by eBay when the auction site was forced to request that its 233 million customers worldwide change their passwords, says Mohammad Ismail, Identity & Access security solutions manager at Gemalto for Middle East & Africa.
eBay went to great lengths to stress that the financial details of customers had not been affected, but in reality, once a hacker has even a small piece of information about you, piecing together the rest of the jigsaw is fairly easy.
When someone becomes the victim of a security breach and their account is hacked, it’s not just that one account that’s at risk. Depending on what the hacker was able to obtain, additional users’ details can be reused or sold on for other purposes.
Combining this information with other details (publicly available or illicitly obtained) increases the vulnerability of other online accounts. For instance, your email address can be used to help hackers spoof your account, set up false accounts in your name, or even send you ‘news’ of the attack in a phishing email with a link to reset your password – a malicious link which could download malware onto your system.
Essentially, hackers have the ability to take advantage of consumers’ online profiles once they have just one piece of the puzzle.
What the entire Internet community really needs, including those on eBay, is to accept that simple password security is no longer adequate. Two-factor authentication is now essential.
Two-factor security works by combining something you know (your username and password) and something you have (a security device such as a token or a mobile phone). Logging on with this form of security therefore requires both the password and possession of the physical token, such as a smart card or encrypted USB token, before access is granted.
In the future, a third factor based on “something you are” (biometric data, such as your fingerprint) will also be added to provide an even greater level of security.
As we move into an increasingly digital era where more and more of our personal information is stored online, organisations using and storing this data need to increase their efforts both to protect it and to make it less useful when used in isolation from the intended system.
However, individual users of these services need to recalculate the balance between convenience and security and accept that we all need to take greater control over our own digital security, and that means login routines that are more difficult for a hacker to piece together.
Individuals need to ask the sites that house their personal information to take stronger security measures and move to strong authentication, and when it is offered, be sure to take advantage of it. Avoiding online fraud means being proactive – users shouldn’t wait until a cyber-attack is front-page news before doing something about it, because by then every online account that user owns could be compromised.
At the end of the day, I believe that shocking, high-profile data breaches of this sort have a short-term effect on people’s attitudes towards online security. However, preventing such attacks requires action from various parties.
Action from online service providers to put in place far more effective security measures, and action from users at two levels: first, to demand that service providers better protect their personal information and private data; and second, to take their own responsibilities seriously and accept that they need to trade off a little convenience in return for a significant increase in the effectiveness of the security used to protect that data.
Mohammad Ismail is Gemalto’s Middle East & Africa manager for Identity & Access Products and Solutions. With extensive technical expertise in Public Key Infrastructure, strong authentication, data encryption and information protection & control, Mohammad actively supports enterprises in the region with their IT projects and helps them meet security challenges.