Data breach; millions of account details leaked; a board-member resigns into a cushy retirement plan; we move on. The same routine plays out on an ever-increasing basis. Despite this, few of us adopt new measures to protect ourselves in response. The effort of remembering a new password for each website can often seem more trouble than it’s worth – why would someone want your data anyway?
Hacking websites to obtain user data is a profitable enterprise. Attackers demand huge ransoms for the data or sell it on the dark web. Once the dataset has been released, anyone can download it for use at a later date. In other words: once it’s out, it’s out. Security expert Troy Hunt has developed the website haveibeenpwned.com which allows users to discover which data breaches they’re a victim of.
The information lost through data breaches isn’t limited to passwords. If a company stores information about you, there is always a risk that it will be leaked. A 2014 hack of Domino’s pizza in France and Belgium compromised the telephone numbers and physical addresses of account holders.
It doesn’t seem like a big deal when the data leaked is already public. Often, however, it’s not the data itself but the relations between different pieces of information that can be the most revealing. It has been reported that data leaked from the adult website Eroticity includes physical addresses, IP addresses, names, payment history and website activity – information that users might have preferred to keep private. Data leaked from cannabis.com had a similar level of detail.
In a phishing attack, a legitimate website is impersonated in order to convince users to submit sensitive information. Attackers using leaked information can also send phishing emails pretending to be a legitimate organisation. The inclusion of personal data such as your real name and address gives an authentic air to these emails. Though we might doubt the chances of being personally targeted by such an attack, the ease of mounting such attacks en masse significantly increases that likelihood.
Certificate authorities were introduced to help protect users against fraudulent websites by acting as a trusted third party that verifies the legitimacy of a website. Attackers realised that they could obtain sensitive user information by ‘typosquatting’: operating under domain names marginally different to those of common websites. In modern browsers, the reassuring green padlock at the top of the page informs users that the site they’re on is real – at least that was the case until recently. Even without counting typosquatters, it has been reported that the Certificate Authority ‘Let’s Encrypt’ issued 988 certificates to domains with the word ‘PayPal’ in them. Each of those websites would bear a green padlock that lulls users into a false sense of security.
Organisations handling personal data are responsible for ensuring adequate security procedures are put in place. It is no longer acceptable to store a user’s password on a company database – the result of an irreversible mathematical function (a ‘hash’) should be stored instead, and attempts to log in to accounts are verified by comparing the hashed password attempt with the hash stored in the database. Why is this important? If passwords stored in ‘plain text’ are leaked, anyone can log into that account; if they are hashed, it is much more difficult for attackers to gain access.
Nevertheless, accounts protected by common passwords (‘password’, ‘123456’, ‘opensesame’) are still vulnerable as they will produce the same hash. Attackers can search the leaked dataset for commonly occurring hashes to increase their chances of making an accurate guess. There are ways around this (see ‘salting’), but bugs and oversights by web developers may introduce further security holes. There are no guarantees that these security measures will be implemented anyway, and it isn’t practical to avoid all websites that have bad security.
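An added example (not part of the original article) contrasting the two storage schemes described above: a bare hash, where every user who picked ‘password’ ends up with the same stored value, and a per-user salted, deliberately slow hash where they do not. The user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample accounts; alice and bob chose the same weak password.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
}

# PBKDF2-HMAC-SHA256 work factor; tune so one hash costs a noticeable fraction
# of a second on the server, which makes mass guessing against a leak expensive.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The scheme the article warns about: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted record in the form 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(records: Dict[str, str]) -> int:
    """Number of accounts whose stored value also appears under another account."""
    counts = Counter(records.values())
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    plain = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: make_record(p) for u, p in USERS.items()}
    print("accounts sharing a hash, unsalted:", duplicate_hash_count(plain))
    print("accounts sharing a hash, salted:  ", duplicate_hash_count(salted))
    print("login check for alice:", verify("password", salted["alice"]))
```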
Instead of relying on the websites we use to adequately protect our data, it is safer to take simple measures to protect our personal security. Using a distinct, secure password for each website is key, though remembering them all is not easy. This can be simplified by using a password manager (I use 1Password) which generates and stores secure passwords, meaning only one ‘master password’ needs to be remembered. This is a small convenience tradeoff for vastly increased security. Of course, we should take care to only use password manager applications that are certified as cryptographically secure, as the manager becomes a strong but singular point of failure. Staying vigilant when submitting data is essential, relying on more than just the green padlock for reassurance.
We are all at risk of data breaches, fraudulent sites, and phishing attacks: we all need to take appropriate action. We must act as if any data that is handed over could be publicised in the future and avoid one breach or misjudgement compromising access to all of our personal information.