Monday, October 29, 2012

Your Money or Your Life?

Such was the typical refrain of the 18th-century highwayman on stopping a stagecoach full of wealthy but ill-prepared travellers. We'd like to think we don't have to make that choice today, but information superhighwaymen (I can't believe I just wrote that) are asking us to do so, and, more surprisingly, we consistently make the wrong choice.

Many sensible people use online banking, probably with two-factor authentication: you may have one of the little devices that generates a code to enter when you log in. Personally, I wouldn't use online banking without it, and even the committed technophobes in my family are using it.

On the other hand, I am often still unable to protect my social identity with anything stronger than a password. I'd like to, and I already do for my email, thanks to Google's forward-looking approach (no doubt because their corporate customers demanded it!). Facebook does now have "login approvals" under security options: not quite two-factor, but close enough, and it will make a pinched password a lot less useful on its own. These sorts of features are still not understood by most, or in some cases are simply unavailable.

This leads to the strange situation where we protect our money, which is a terrible thing to lose but eminently recoverable, more strongly than we protect our reputation, our personal information and our privacy. Those you cannot get back. The cat will not go back in the bag. We still value security incidents in terms of a "dollar cost", when the cost of your personal pictures being made public could be much higher, and you cannot undo the harm that has been caused. The password issue is simply an indication of our priorities, and these are wrong.

The potential impact of this type of "social" security breach should not be underestimated. The tragic case of Amanda Todd shows how extreme the consequences can be: pictures she believed to be private were spread across the internet. This was not a traditional "security breach", but something which, in the days before indelible, freely copied pixels, would have been forgotten.

This is perhaps even more important for young people. As heavy users of social media, their attitudes and approach to online security are often not where they should be: a combination of inexperience and, until very recently, little or no help from educators or parents.

Reader, stop thinking with your wallet for a moment, and make sure you put a value on your reputation, your health, your happiness and your life, because Facebook, LinkedIn, Google: they've all got fragments of those things. If you can't be sure that what you give these cloud services is secure, my advice would be not to give it at all.

Helpful hints
  •  Email - Gmail offers two-factor, enable it. Hotmail - update Jan '14: Hotmail now supports two-factor too!
  •  Facebook - turn on login approvals, and take extra care to log out of public computers. Turning on secure browsing (HTTPS for the whole session, not just the login page) is helpful to protect session cookies, which can otherwise be sniffed on an open wireless network and used to hijack your logged-in session.
  •  Phone - use a screen-lock PIN; this will foil a casual attacker. Have some way to wipe your phone remotely if it is lost. Don't display text messages on the lock screen, especially if any of your login codes arrive by SMS.
  •  LinkedIn - you can check "always use a secure connection", but that's a marginal upgrade.
  •  Flickr - use federated authentication from Google or perhaps Facebook, so the stronger login of the identity provider carries over.
  •  Twitter - check "require personal information for a password reset"; no two-factor (yet), so take care with your data. Update, May 2013: Twitter introduces two-factor, thanks!
