Posted by Martyn Casserly 13 March 2014
Are we too lazy to be safe?
Ask any security specialist what the weakest part of a system is and you’ll usually get the simple, but emphatic, answer of 'the user'. This might sound churlish, but time and time again it is borne out to be true, and often the problem is one of plain old laziness.
Keeping our data and devices secure takes effort. It can often make life a little less convenient than we were hoping for, and it's at that point that many users take the easy option and choose not to bother. It’s entirely understandable; after all, who wants to wait a few seconds for a confirmation text message before logging onto a service, or repeatedly enter passwords to buy music on their phone? Technology was meant to make life easier, wasn't it? The problem is that we now have so much sensitive data online, much of it daisy-chained together, that quick access for us also means quick access for any opportunistic hacker looking for an easy target.
Passwords have become something of a problem. Conventional wisdom states that you should never use the same one on two different accounts, or recycle older variants. But how many of us actually exercise this kind of sensible behaviour? One of the main issues is that, with so much of modern life transitioning online, it can be a herculean task to create individual, complex, alpha/numeric/symbol-based passwords for every service we use. So...we don't. In fact it's all too often the case that the passwords we do create are ridiculously simple and are used on every account. In a recent report from AVG, the security company listed the top five passwords used in 2013 - all of which were truly shocking:
The fact that 'password' was the second highest gives you an indication of just how easy it has become for hackers to steal our data and, increasingly, our identities.
"Complex passwords can be a real hassle to remember," states AVG Security's chief technology officer Yuval Ben-Itzhak, "often forcing people to use the same password for multiple accounts. This is never a good idea as once your password is cracked – and if it’s a simple password, chances are that it will be – hackers have access to your most sensitive and valuable information stored within emails, applications and social networking sites. For years hackers have relied on these simple passwords, despite the acknowledgement of the associated security risks. Individuals should not take password security lightly and should ensure their login details are as robust as possible to mitigate against online threats."
This perceived difficulty makes it seem like too much work for many people, but we need to remember just how vulnerable it can make us. Your email account is an absolute treasure trove for the digital criminal. When you sign up to any service you nearly always need to confirm the activation via an emailed link. You will also have account details sent to your inbox, along with various other correspondence. All a hacker needs to do to gain access to your various accounts is crack your email; they can then visit each site, say they've forgotten the password, and a new one will duly arrive in the inbox. Some companies will require additional information, but even this could possibly be gleaned from previous emails. If this sounds a little far-fetched, just look at the story of Wired reporter Mat Honan, who had his entire digital life destroyed in a matter of hours thanks to some enthusiastic hackers and his own lax security measures.
There are solutions available that can make this whole process a little easier. Password manager apps such as LastPass, 1Password, and mSecure can automatically create complex, random passwords for your various accounts, and only require that you remember a master password to gain access. As you might expect, these services don't come for free, but considering that in the UK alone last year there were over twelve million victims of cybercrime, costing upwards of £826 million, it looks like money well spent. If you don't want to pay, there are still the free options offered by the likes of Microsoft, Google, and Apple, which can enable two-step verification. With this you'll need to enter a code sent to your mobile before you can log into your account. It's fast, a lot more secure, and pretty much universally ignored by the majority of users.
Of course, passwords can be somewhat pointless if we get lazy in how we treat our data. Phishing attacks are still rife online, which suggests that enough people are falling for them to make it worth the (minimal) effort of sending out millions of spam emails each day. They can be easily defeated if we just take a moment to think about what we're being asked to do. If you ever receive an email warning you that your account has been hacked, that a complaint has been raised, or any other urgent provocation designed to make you respond immediately - don't panic. If there's a link in the email, never click it.
Navigate directly to the site in question yourself and see if the email was telling the truth. The same applies on social networks if you receive private messages with links. Is the tone of voice the kind your friend would really use? Are they likely to send you this type of thing unsolicited? Criminals are not evil geniuses, they're opportunists. All they need is someone who is in too much of a hurry, or too trusting, and before you know it your money or identity can be digitally pickpocketed. If we make it hard for them, they usually move on to another target pretty quickly. You see...they're lazy too. This becomes especially relevant when we look at how mobile devices are changing our attitudes to safety.
In its annual security report, Symantec, the company behind Norton, noticed a worrying trend emerging. Whereas most people are aware of the dangers that viruses and malware present on their computers, this knowledge somehow fails to make the transition to mobile devices. Of the smartphone users interviewed, only 22 percent had any kind of security software on their device, while a whopping 54 percent didn't even know that such things existed. There are of course some mitigating circumstances: Apple's iOS is very difficult to hack due to its closed system, and this same walled-garden approach also means that you can't actually run anti-virus or malware-scanning apps on its devices. Android is more open to attack, but is still a very safe system if users take the time to check what permissions apps ask for.
If you don't see why a calculator should need access to your phone, contacts, and account details - don't download it. We need to adopt this kind of 'considered purchase' mindset if we hope to avoid a security breach sooner or later. At the very least put a passcode on your device, unlike the 30 percent of users who currently don't bother, so that if your very stealable device ends up in the hands of a ne'er-do-well it will not yield up its data too.
In the Symantec report were figures which showed that smartphones and tablets are becoming more attractive targets for criminals, with 25 percent of users suffering at least one successful attack in 2013. As we move into the post-PC era it's vitally important we remember that even though these devices are much simpler than our old desktops, they are still hugely powerful creations that can be used to gather information against their users if we don't remain vigilant. The internet is the same whether we access it from a laptop or a tablet, and the passwords we use can easily be stolen by the chap at the table behind you in the coffee shop running a snooping program on the free, open Wi-Fi connection you're both using. Having constant access to the digital superhighway is a wonderful thing; let's just make sure we don't fall asleep at the wheel.