While it’s convenient to link various personal online accounts and identities, users must beware of the security risks, says Martin Walshaw, senior engineer at F5 Networks.
It’s nice when everyone gets along, isn’t it? When Web sites play fair with each other and allow users to link up various accounts – LinkedIn, Twitter, Facebook, Flickr and so on. Some online services even let you create an account with your Facebook profile, removing the need to memorise another password.
This is no doubt a convenient way of spreading your online identity – having your Twitter feed or Flickr photos display on your blog, for example.
But there is also a drawback to this openness (isn’t there always?!). The recent news story that Slack, the increasingly popular group chat app, had been hacked reminded me of the perils of linking various personal online accounts and identities. As this news story points out, the database that was accessed by the hackers contained “any additional information users may have added to their profiles, like their Skype IDs”.
While there is no indication so far that the Skype IDs have been used for nefarious means, it is still an alarming reminder of what happens to our personal data once it’s online. It’s not just the security of that data at the source (in this case Slack) that we have to worry about, but any other services that we may have linked our accounts to or provided information for.
There is so much personal data now flowing across networks that it can be difficult to keep track of which services have our data. While we may think that our information is going on a journey around one particular company’s network, out to our devices and back again, the example above shows that’s not always the case.
If hackers gain access to that network, that data journey can be interrupted and diverted along another route that the individual isn’t aware of and, of course, has no control over.
The data journey across the network is a complicated one; different services, different devices, different departments within an organisation can all take data on a journey around a network. And as we’ve discussed before, data is an attractive target for hackers and the threat has never been greater.
But what’s the best way to stay secure? It’s difficult to tell people to not upload personal data – so many aspects of our lives are online that that isn’t really an option. Instead, we should focus on understanding and minimising risk. People should take more care about where they upload their data to and what data they make available online. The old (well okay, not so old) adage applies: “What goes on the internet, stays on the internet”. It’s called Digital Permanence, so people need to choose wisely what they post in the first place. People also need to make sure the site or service uses SSL encryption (at a minimum) and check for other security procedures being used – login verification, captcha challenges, strong password requirements. All these are indicators that the application designers have taken security seriously.
In the end, our use of online applications is only going to increase. Because of this, we face an ever-increasing challenge of maintaining a grip on our personal and corporate data, not least remembering credentials for each site! Certainly, linking accounts helps simplify that, but is it worth the additional risk? The way I see it, it’s a bit like going to a casino: while it’s fun while you’re there, you should only take what you’re prepared to lose. Perhaps we’d be wise to do the same with our online data, too.