Nowadays almost all data is worth something to somebody, whether it’s your “dox” (i.e. your personal information; often including real name, date of birth, known aliases, address, phone number, National Insurance number, etc.), your full credit card information, your online payment platform log in details, bank account details, or merely your browsing history, there’s someone out there who wants it.
It could be simply for bragging rights, they might want to use it to bombard you with marketing materials, they might want to go on a spending spree courtesy of your credit card or, indeed, try to sell to others to do the same.
The price commanded by these pieces of data typically ranges from £2 for the CVV of a known credit card, £3 for full “dox”, and £5 for expired credit card details, up to £25 for PayPal/eBay account login details and £45 for “fresh” credit card details[1].
With data breaches of large web services hitting the headlines so often - think Sony, Japan Airlines, JP Morgan Chase, Google and Adobe, for example - it can be a difficult decision to trust any organisation with your personal data. However, many of these risks can be mitigated. As the Dropbox “hack” from October last year demonstrated, the weakness was not with Dropbox but with users who used the same username and password combination across multiple sites and services, thus allowing the hackers to access people's Dropbox accounts with details stolen from less secure sites.
The issue of password reuse is a real danger to many web users. Ofcom's “Adults' Media Use and Attitudes Report 2013”, a poll of 1,805 adults aged 16 and over, found that 55% of them used the same password for most, and often all, websites. The figure is significantly higher if you include passwords that are merely similar - Hello, Hello1, hELLO, Hello123 - and passwords that are easily guessed from your “dox” - a spouse's date of birth, the user's home address or a mother's maiden name, for instance.
In fact, users of social networking sites give a lot of this information away freely. An example is the “Porn Star Name” game, where people take the name of the street they grew up on and combine it with their mother's maiden name, and its variants (often under different names), which ask for details such as a first pet's name and star sign.
While these are often blatant attempts to get the unsuspecting user to reveal the answers to common account security questions, many other online quizzes - Who You Were in a Past Life, What Job Are You Best Suited To, Find Your ‘True’ Nationality - are similar social-engineering attempts to gather more data about the user, generally for marketing purposes; but, as with most other internet trends, the line between marketing and more nefarious practices is often rather blurred.
Password reuse is directly related to complexity: people reuse passwords because they find them hard to remember, and as complexity rises to resist brute-force attacks, the passwords themselves get harder still to remember. The easiest option in this case is also a good one - get a password safe. These come in a variety of forms: apps for smartphones that encrypt and store your login details (all well and good, until your phone breaks or you lose it), online services (great, unless their security is compromised), and portable ones (encrypted data on a USB stick - fine until you lose it or hit its read/write limit, typically 10,000 to 1,000,000 cycles).
Personally, I use a smartphone app and, in its encrypted form, back it up to my laptop, which itself is backed up regularly. My watch informs me when I’m out of Bluetooth range of my phone, typically about 10 metres for a class 2 device such as an iPhone, so the danger of me losing my passwords through leaving my phone somewhere is somewhat mitigated.
Should the worst come to the worst and my phone is lost, provided it is on and connected to the internet, I can remotely lock, track and erase it, replace it, restore my encrypted password database and, if I’m feeling paranoid, start changing all my passwords - currently 300 of them, all unique, of course!!
As an extra layer of security, I utilise two-factor authentication (2FA) where appropriate. Two-factor authentication is a security process based on “something you have and something you know”. A simple example is withdrawing money from an ATM: it needs something you have - your bank card - and something you know - your PIN - before you can withdraw money.
Online, this often translates to username and password PLUS a time-sensitive code. In my case, these codes are generated by an app on my phone or a browser plug-in.
While 2FA started life in the military, it was adopted online initially on banking sites, VPN access pages for large corporations and the like. It is now available for many online storage services, social networking sites, various email services and online payment platforms. A comprehensive list can be found at twofactorauth.org.
As for the future, my prediction is that, as password complexity continues to rise (taking password reuse with it) and more and more sites utilise 2FA, whilst the user is crying out for SSO (single sign-on, where the user signs on once and gains access to all password-protected sites and services - like the “sign in with Facebook” option many sites and services now offer), Instant SSO (the “Instant” refers to streamlining the integration) combined with 2FA will be the next big thing in online security, until it is rendered insecure, probably by a combination of user laziness and “hacker” ingenuity.
[1] Sources: Holt & Smirnova (2014), Reuters, Globe & Mail, and Rand.