Recently a software leader published an article that discussed the possibility that maybe shorter passwords were better than longer ones. This goes directly against all research previously that longer passwords were the key to user security online.
I believe this just adds to the confusion users experience when trying to be more secure. It also can confuse the argument when businesses are considering what their password policies should be.
I think this is an example of someone trying to get noticed and come up with an off the wall idea to get attention. In a world where some people want to be noticed by publishing their every move on Twitter, making their pictures public on Facebook, and videos of anything and everything cluttering the internet this isn’t a real surprise. The advice is to reduce your security and make access easier.
Businesses need to ignore this type of advice and focus on best practices for security. Access to corporate networks should never rely on a single password rather two-factor authentication needs to be deployed. Hard drives should be encrypted to deter theft and minimize the impact when a theft occurs. Wireless networks need to use the strongest standards possible and time should be taken to test the security.
I remember in the not to distant past when a prospect I was meeting with told me if they were to purchase a firewall it would only get the attention of a hacker so they chose to not purchase one. This was the advice of their IT professional.
I have written on this topic before but after fresh from a week in Orlando it has renewed my aggravation.
While attempting to enter Disney World this week we were once again asked for our fingerprints. We refused of course but while entering one park we were told we could not enter without giving up our fingerprint. Only after a supervisor heard this did they let us in.
Do they not realize that our fingerprints are our identity? The only thing in this world that is all mine. Names, social security numbers, addresses, credit cards can all be changed. But not my DNA, I am stuck with it. Why would I want to turn that over. Newsflash, Disney security is not safe. No company is 100% secure and the fact that they even ask for this information bothers me. They are asking us to trust them with our identity. Here is a brief flow chart of how they want the transaction to enter Disney works to better demonstrate this.
Step 1 – Tickets Purchased at Gate with Credit Card – They now have my name, credit card, CVV code, and zip code.
Step 2 – Enter Park – Disney employee asks for my ticket that I purchased in step one then asks for my fingerprint to tie it to my ticket in a database.
Step 3 – Tie Ticket to Mobile App on Phone
These two steps take about 5 minutes from start to finish. Here is what Disney now has on me:
2. Zip Code
3. Credit Card
4. Strip Data
5. CVV Code
7. Mobile Phone Access
This is just absurd. Many unsuspecting tourists perform this same routine daily. I am afraid one day I will read Kreb’s one morning and hear that this database has been stolen. Can you imagine the fallout on that one?
A skimmer is a device placed on the swipe section or over the card entrance on an ATM machine or POS terminal. The devices are so transparent that it is hard for anyone to personally see the difference without picking up and inspecting the unit. If this was a checkout in the store it would look weird, grabbing it looking around. Or if you started poking around an ATM machine to determine if one was there you may find yourself in trouble for suspicious activity.
Yet every day banks have to deal with these devices being installed. After some research I learned no one is actually watching the camera’s unless there is an issue! The message is clear, banks will not be proactive in protecting us. They wait for us to report the problem.
Here is an example. If I am using my debit card while in Florida and an hour later my card is use do withdraw cash in Greensboro, NC the bank will process the transactions. No question asked. This would be so simple to detect, yet they allow it to go through.
Target sales have not dropped off. People still use PNC and Chase bank after they were hacked. PF Changs was packed this weekend. Most people will not change their behavior until it affects them.
- What are you going to change to proactively protect yourself from theft?
- Still using the PIN you have had for years?
- Using the same convenient password on multiple websites?
- Still using your debit card as debit instead of credit?
- Shop at Target lately?
I am writing this from about the great State of Arkansas on my return from Dallas. After we took off I immediately jumped on my iPad to make the most of my time and get some work done. I connected the wireless and opened my browser to pay the exorbitant fee for internet ($12 for 90 minutes).
My browser launched http://www.google.com and I was able to see the search engine page like normal…but I didn’t log in or pay. So my wife and I poked around it a bit and it turns out we were able to search in Google, view images, and a number of other things…all for free on Google. Now I understand the ability to surf on US Air’s website for free. But Google? Lot’s of stuff to do there.
This is a prime example of a small hole that will no doubt get abused. I wasn’t looking for it, but I found it. Imagine if I spent the rest of the flight finding other holes in the system?
You can never test your system enough. And by test I don’t mean test to see if it works, I mean test to make sure things don’t. Testing for failure is as important as making sure what you want to work does.
In 2010 a company tried to sue their bank for $400,000+ in losses as a result of Cybercrime. The lawsuit was not successful and the company had to eat the loss. Now an appeals court ruling came out that the company may have to pay the bank’s legal fees.
As these rulings continue to come down the message is resounding that companies are responsible for losses. There will soon be so much case law and precedence set that it will be hard to get a ruling another way. Banks are not responsible since they are simply holding your money, you have control over what happens to it, in the courts eyes.
Some of the Cybercrime theft takes place over years, not days. Slowly trickling money out of a business or person until it finally gets noticed. We all remember the movie Office Space where they were going to siphon off fractions of pennies into an account. When this happens you may certainly be held culpable of the loss as it is viewed that you missed it and therefore at fault too.
Assessments go a long way to help give you some cover. In the event something happens at your company you will need to show you were taking steps to protect yourself.
We spend a good deal of time filtering and protecting clients from dangerous or inappropriate content. Every client has unique challenges and objectives of what the goals should be. Another part of what we do is filtering adult content from children in schools.
Over the past few years Google, Yahoo, and Bing have switched to a secure search model. This change has adverse effects on students in schools as it prevents people from forcing the Safe Search flag on student browsers. It makes it very challenging for IT Administrators to filter the results for students by default. Most firewalls cannot help with this either. It is a constant battle.
We are well down the road of having technology integrated into all parts of our kids lives. Search is a very basic thing and integrated into most devices the use. My Fourth grader can grab an iPad and search for anything.
One thing we cannot forget during this integration process is to protect our kids and families. Most parents do not have the ability or access to tools like I do. Search providers should be doing more to allow firewall, router, and other device providers the ability to block this content. I am not advocating for censorship of information. I am however saying let’s give parents an easy clear cut choice to block the inappropriate stuff. Just give people a choice that is easy and clearly defined.
Gregg Steinhafel has resigned from Target, or fired based on the report you read. This is of course just 5 months after the massive data breach. This extends the debate over what happened and who was responsible. Target has also replaced the CIO at the beginning of May. The fall out continues.
Target has also announced it is purchasing chip and pin technology to better protect credit card consumers. This is an an example of reacting versus being proactive. At least the technology is being purchased.