Although your eyes might glaze over at the thought of the constant threat of breaches to which our data might be subject, there is some onus on us, as the data owners, to be vigilant and proactive. We thus discuss three security options that you could implement – in addition to passwords – to keep your information safer.
We are not (yet) at the end of January 2020, but there have already been a number of major data leaks and breaches, which, it could be argued, does not augur well for the types of security incidents that could occur over the course of the year. For example, a hacker leaked the passwords for more than 515,000 servers, routers, and Internet of Things (IoT) devices (Source: ZDNet). In addition to passwords, the leaked data contained the Internet Protocol (IP) address for each device, plus the username for a remote access protocol that can be used to control devices over the internet. Additionally, earlier this week, Microsoft announced it had experienced a data breach, and third parties that had found the records online suggested that around 250 million records had leaked (Source: Sophos).
Typically, one of the first remedies users are asked to apply is to change their passwords, and of course to exercise vigilance should they be contacted about a breach, especially with respect to clicking links in emails. However, in this day and age, when we are expected to have long, complex and unique passwords for the dozens of platforms we tend to frequent, are passwords truly enough?
Are passwords secure?
The short answer is no. Security experts tend to agree that passwords – by themselves – are the weakest means of securing a digital account or device. When only a password is needed to access an account, malware installed on the device, or the use of phishing techniques, could result in a compromised device and easy access to private and confidential data.
With respect to organisations, where the rewards for a successful breach could be high – such as accessing confidential data for hundreds or thousands of users – hackers might be prepared to use brute force methods involving considerable computing power and complex algorithms to crack those passwords. In essence, and with sufficient time, it is likely that virtually any password can be cracked.
So what are our options?
Although it might still be useful to password-protect a device or an account, it is recommended that the password be used in conjunction with another security protocol, such as two-factor authentication. Many of today’s popular platforms, especially those that conduct e-commerce or other financial transactions, such as Amazon, PayPal, Google, MailChimp, Facebook, Microsoft and WhatsApp, to name a few, have all introduced two-factor authentication.
After successfully entering their username and password, users are sent a code, such as via text message or email, or they can obtain a valid code from an authenticator application on their smartphone, which they in turn enter to complete the log-in process. Admittedly, it may not always be convenient to use this authentication method, but it is definitely an option to strengthen the security of your accounts.
Another alternative involves biometrics, such as the use of fingerprints, facial or even voice identification. Fingerprints, and more recently, facial identification have been widely deployed by many of the top smartphone brands, especially in their flagship devices. Although a password may still be required, primarily as a backup, or for the initial log in, access to the device thereafter, and to some applications, may require biometrics only.
One of the distinct benefits of biometrics, in addition to the number of data points they capture, which considerably strengthens their security, is that the authentication process is local to the device. Unlike passwords used in an online setting, they are not transmitted to a server for authentication, which essentially eliminates one of the vulnerabilities associated with passwords. Having said this, the security of the biometric data itself is crucial, since unlike passwords, which can be changed, you really cannot change your face or your fingerprint. Hence, if biometric data is compromised, the potential remedies might not be simple.
A final option to consider is hardware security keys. Also called dongles, these USB devices tend to work in conjunction with passwords to secure access to devices, such as laptops and desktop computers, and to some specific applications. Additionally, some keys have Bluetooth capability, thus allowing this security measure to be used in a wireless environment.
Typically, there is a cost for the hardware keys, which can range between USD 20.00 and USD 50.00, depending on the brand and the features. However, depending on how you use your devices, the perceived value of the information on them, and the importance of keeping your devices and the data secure, it could be a small price to pay.
Parting thoughts
In summary, it is interesting to consider the extent to which enhanced security requirements, such as those outlined above, are currently being implemented by the public and private sector organisations here in the Caribbean with which we regularly interact. Two examples readily come to mind: our local banks, for online and mobile banking, and the Inland Revenue (Tax) Department, for the online filing and payment of taxes. Clearly, as the region endeavours to become more compliant with data protection best practice, a broad range of security deficiencies would need to be addressed.
Nevertheless, and regardless of the security responsibilities that digital platform owners and device manufacturers might have, we, as users, also need to be proactive and vigilant in managing access to our accounts, especially the ones that contain personal or sensitive data. Education is the first step.
Image credit: Lewis Ogden (flickr)
————-
Probably the greatest concern is that a lot of our personal data is in the hands of third parties. I think it is of these third parties that we should demand water-tight security strength, in the first place. This, of course, is not to downplay our own security efficiencies, as advised.