I wrote last week about the stunning password and user name theft that Hold Security had unearthed (“Cautionary Note About Hold Security”; August 12). In that post, I mentioned Graham Cluley’s important discovery about the fee that Hold Security would charge consumers who want to find out whether any of their passwords and user names had been breached. Mr. Cluley mentioned several password management services, about which I said I’d be writing more.
I looked at the sites for several password management services. I’m not recommending any of them, but these are services of which consumers should be aware. Password managers let consumers store all of their passwords, along with other confidential information, in one secure place. Hayley Tsukayama wrote a very helpful article about password management, including a good summary of several of the services along with their pros and cons (www.washingtonpost.com, “How to keep track of your passwords without going insane”; August 7).
She reviewed two of the three services I had mentioned, LastPass and 1Password, and also included Dashlane. I also mentioned KeePass, which has features similar to the others but is a completely free and open source password manager. I mention that because, as Ms. Tsukayama wrote, the other services are free unless a consumer wants to sync his passwords across multiple devices, such as between a smartphone and a computer.
For that kind of premium service, there are different fees charged by the services:
- LastPass charges $12.00 a year;
- 1Password charges a one time fee of $50.00 for Mac and Windows, $18.00 for iOS and $10.00 for a full version of the app on Android; and
- Dashlane charges $30.00 a year.
All the services operate along the same lines. They are online storage lockers that keep all of a consumer’s passwords in encrypted databases. The passwords are locked behind a single master password that only the consumer knows. That’s the good news. But as Ms. Tsukayama notes, it also means the consumer has to remember that master password, because it can’t be retrieved from anywhere else. The services can also store secure notes, credit card information and other information that a consumer has to fill in on various websites. Another attractive feature is their ability to generate strong random passwords for accounts and remember them in the locker or vault. That way, a consumer can access those passwords while browsing the web by clicking a button in his browser and choosing the account for which he needs to fill in information.
Are there downsides to these services? Consumers are relying on the security of the password manager services when using them. KeePass notes on its website that, in addition to being free and open source, its encrypted database is not stored in the cloud but strictly locally.
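The two mechanics described above, a vault key derived from a master password that is never stored anywhere, and strong random passwords generated for each site, can be shown in a few lines. The following is an added example written for this post; it is not code from LastPass, 1Password, Dashlane or KeePass, and the character set, the PBKDF2 work factor and the HMAC-based verifier are this example’s own choices, not any product’s format.

```python
import hashlib
import hmac
import secrets
import string

# Constructed choices for this example: the character set for generated
# passwords and the PBKDF2 work factor. Neither is taken from any product.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
PBKDF2_ITERATIONS = 200_000
VERIFIER_TAG = b"vault-unlock-check"


def generate_password(length=20):
    """Generate a random site password from ALPHABET using the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_vault_key(master_password, salt, iterations=PBKDF2_ITERATIONS):
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256).
    The key exists only while the vault is unlocked; it is never written out."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def create_vault(master_password):
    """Return the stored header of a new vault: salt, work factor and a verifier.
    The verifier is an HMAC under the derived key, so a candidate master password
    can be checked without storing the password or the key themselves."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def unlock_vault(vault, master_password):
    """Re-derive the key from the candidate master password and check the verifier.
    Returns the key on success, or None. Nothing in the header lets anyone recover
    the master password itself, which is why it cannot be 'reset' by the service."""
    key = derive_vault_key(master_password, vault["salt"], vault["iterations"])
    expected = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    if hmac.compare_digest(expected, vault["verifier"]):
        return key
    return None


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple")
    print("right password unlocks:", unlock_vault(vault, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock_vault(vault, "Correct horse battery staple") is not None)
    print("generated site password:", generate_password(20))
```

The header that would be written to disk (or synced to a cloud locker) contains only the salt, the iteration count and the verifier; the vault key and the master password are recomputed in memory each time, so losing the master password means losing the vault.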
As I said, I’m not endorsing any particular service but I am strongly encouraging consumers to think about the ways in which they are storing their passwords.
There’s been a rush of articles suggesting what consumers can and should do to protect themselves following the news about the Russian hackers. The fact that over a billion user names and passwords have been stolen has left some consumers overwhelmed by the magnitude of the theft.
Graham Cluley wrote an article explaining his initial hesitation about writing about Hold Security’s discovery or commenting on it when contacted by the news media (grahamcluley.com; “Security firm that revealed ‘billion password’ breach demands $120 before it will say if you’re a victim”; August 7). As he explained, his reservation stemmed from the paucity of information in Hold Security’s initial official statement. So Mr. Cluley dug in more and found that Hold Security wants consumers’ email addresses and $120 per year for its new breach notification service. Consumers whose email addresses are found are then asked for an encrypted version of all of their passwords so they can be compared against Hold Security’s database.
There are obvious problems with this approach. Instead, Mr. Cluley highlights Troy Hunt’s free service, which checks breach information in its own database. I went to the site (haveibeenpwned.com) and learned that my email address had been found in one of the breaches loaded into the system. It was the Forbes.com breach, about which I already knew. I signed up for Mr. Hunt’s free alerts in case my email shows up in other breaches.
Password management is becoming more pressing and complex for consumers. Thanks to Mr. Cluley’s investigation, I’ll take a pass on Hold Security’s fee-based breach notification service.
Mr. Cluley mentions LastPass, 1Password and KeePass as several password management services that consumers should consider. I’ll be looking at those and will write about them in future posts.
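The “obvious problem” with handing a service an encrypted copy of every password is that the service then holds something that can be compared, and leaked. A breach check does not need that. The added example below is written for this post, not code from Hold Security or from haveibeenpwned.com; it goes beyond the email check described above and shows the k-anonymity range design that Mr. Hunt’s service later adopted for password lookups: the client hashes the password locally, sends only the first five hex characters of the hash, and matches the rest itself. The breach corpus and its occurrence counts are constructed stand-ins, not real breach data.

```python
import hashlib


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: a few SHA-1 password digests with made-up
# occurrence counts, standing in for a real breach database.
BREACH_CORPUS = {
    _sha1_hex("password"): 3_000_000,
    _sha1_hex("letmein"): 150_000,
    _sha1_hex("summer2014"): 41,
}

HEX = set("0123456789ABCDEF")


def range_query(prefix):
    """Server side: answer with every (suffix, count) whose digest starts with
    the 5-character prefix. The server only ever sees the prefix, which maps
    to a large bucket of possible passwords rather than to one."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return [(digest[5:], count) for digest, count in BREACH_CORPUS.items()
            if digest.startswith(prefix)]


def breach_count(password, query=range_query):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


class RecordingServer:
    """Wraps range_query and records what the server receives, to show that
    neither the password nor its full hash ever leaves the client."""

    def __init__(self):
        self.received = []

    def __call__(self, prefix):
        self.received.append(prefix)
        return range_query(prefix)


if __name__ == "__main__":
    server = RecordingServer()
    for pw in ("password", "summer2014", "a-long-unique-passphrase-9f3"):
        print(f"{pw!r}: seen {breach_count(pw, server)} times")
    print("server received only:", server.received)
```

Contrast this with the approach Mr. Cluley describes: here the server learns a five-character prefix per query and nothing else, and the consumer learns whether the password is in the corpus without ever transmitting it.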
A breach of mind boggling magnitude has been unearthed by Hold Security, a Milwaukee firm that specializes in identifying major online security breaches. Nicole Perlroth and David Gelles broke the story yesterday about Hold Security’s latest discovery (www.nytimes.com; “Russian Gang Amasses Over a Billion Internet Passwords”; August 5). Other media are now reporting on this story citing the New York Times article.
No, you’re not misreading the headline of their story: over 1.2 billion unique combinations of user names and passwords were stolen by Russian hackers. In their story, Ms. Perlroth and Mr. Gelles report that Hold Security found that the Russian gang had also stolen over 500 million email addresses. Per their report, the New York Times hired an independent security expert to analyze the database that Hold Security had. That expert confirmed the authenticity of the database and the magnitude of the data that has been stolen.
Which companies and websites have been victimized? Hold Security is not disclosing the names of victims because of “non disclosure agreements” and the company’s reluctance to name companies whose websites could still be vulnerable. Ms. Perlroth and Mr. Gelles wrote that it appears that the Russian criminals haven’t been selling many of the records online yet but, instead, appear to be sending spam out on social networks for fees paid by other groups.
So what protective steps can individuals take? It’s hard to know exactly what to do when faced with a breach of this astounding magnitude. Some of the most immediate steps are ones that are sound guidance regardless of the scope of a breach. These include diligently examining financial statements for any suspicious charges or withdrawals; changing passwords as a proactive step; and not using the same password and user name for multiple sites.
More and more employers are letting their staff members work from home. There are numerous pluses to these types of arrangements. However, hackers and cyber criminals have figured out how to use these types of remote access arrangements for criminal purposes. Nicole Perlroth reported on a study released yesterday by the Department of Homeland Security (DHS); DHS worked with the Secret Service and others and identified a significant problem companies are now facing (www.nytimes.com; “Checking In From Home Leaves Entry For Hackers”; July 31).
As Ms. Perlroth reports, the DHS study found that hackers are scanning corporate systems for remote access software. These remote access systems allow employees and outside contractors to reach their companies’ corporate networks over an Internet connection. What happens then? The hackers find the software and use high-speed programs that continuously guess login credentials, and keep doing so until, bingo, they find one that works and get into the system.
In her article, Ms. Perlroth writes that DHS found that once they’ve hacked into the system, the criminals use a type of malicious software called Backoff to steal payment information, such as credit and/or debit card numbers. They steal those numbers from the in-store cash register systems. This information is then immediately sent to the hackers’ computers, from which they sell the credit and debit card numbers.
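The guessing described above leaves a very recognizable trail in the remote access system’s own login log: a burst of failures from one source, followed by a success. The following is an added example for this post, not part of the DHS report or of any product; the log format is a generic one constructed here, and the sample lines, addresses, user names and the five-minute/ten-attempt thresholds are all made up for illustration. It flags a source that crosses the failure threshold inside a sliding window and records the “bingo” success that follows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a generic remote-access login format. The first
# source fires a burst of wrong guesses and then succeeds; the second is a
# user who mistyped twice. Both are made up for this example.
SAMPLE_LOG = """\
2014-07-30T02:14:00 LOGIN FAILED user=admin src=203.0.113.7
2014-07-30T02:14:10 LOGIN FAILED user=admin src=203.0.113.7
2014-07-30T02:14:20 LOGIN FAILED user=administrator src=203.0.113.7
2014-07-30T02:14:30 LOGIN FAILED user=pos src=203.0.113.7
2014-07-30T02:14:40 LOGIN FAILED user=pos src=203.0.113.7
2014-07-30T02:14:50 LOGIN FAILED user=support src=203.0.113.7
2014-07-30T02:15:00 LOGIN FAILED user=support src=203.0.113.7
2014-07-30T02:15:10 LOGIN FAILED user=jsmith src=203.0.113.7
2014-07-30T02:15:20 LOGIN FAILED user=jsmith src=203.0.113.7
2014-07-30T02:15:30 LOGIN FAILED user=jsmith src=203.0.113.7
2014-07-30T02:15:40 LOGIN FAILED user=jsmith src=203.0.113.7
2014-07-30T02:15:50 LOGIN FAILED user=jsmith src=203.0.113.7
2014-07-30T02:16:30 LOGIN OK user=jsmith src=203.0.113.7
2014-07-30T08:01:05 LOGIN FAILED user=mlee src=198.51.100.5
2014-07-30T08:01:20 LOGIN FAILED user=mlee src=198.51.100.5
2014-07-30T08:01:41 LOGIN OK user=mlee src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_login_lines(lines):
    """Yield one dict per line that matches the format; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            }


def detect_credential_guessing(lines, window=timedelta(minutes=5), threshold=10):
    """Flag sources with >= threshold failed logins inside a sliding window, and
    record a success from a flagged source while the burst is still inside the
    window: that is the 'bingo' moment and the highest-priority alert."""
    events = sorted(parse_login_lines(lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)  # src -> failure timestamps in window
    findings = {}
    for e in events:
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if e["result"] == "FAILED":
            q.append(e["ts"])
            if len(q) >= threshold:
                f = findings.setdefault(
                    e["src"], {"failures_in_window": 0, "success_after_burst": None}
                )
                f["failures_in_window"] = max(f["failures_in_window"], len(q))
        elif e["src"] in findings and len(q) >= threshold:
            findings[e["src"]]["success_after_burst"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_guessing(SAMPLE_LOG.splitlines()).items():
        print(src, finding)
```

The legitimate user who mistypes twice never reaches the threshold, while the guessing source is flagged on its tenth failure; the success that follows names the account whose credential was guessed, which is the account to lock and the session to investigate. Rate limiting and lockout on the remote access gateway, and multi-factor authentication, remove the “keep guessing” option altogether.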
Let’s hope that companies read the DHS report; learn lessons from it; and then work to confront and confound these hackers as much as possible.
While we’ve heard and learned about our “online footprints,” in a July 21st article Russell Brandom wrote about a disturbing new phenomenon called “canvas fingerprinting” (www.theverge.com; “Companies have a tricky new way to track your movement across the web”).
As Mr. Brandom wrote, “canvas fingerprinting” was discovered by researchers at Princeton University. As described, this new web-tracking technology can follow users from one website to another. As Mr. Brandom reports, it is “nearly impossible to block,” even if an individual has disabled cookies in his browser and isn’t logged into Facebook. Per his article, the Princeton researchers discovered that “canvas fingerprinting” is being used by 5% of the top 1,000 Internet sites, including Whitehouse.gov and the official website for the State of California.
What makes it work is also what makes it so strong, even if an individual has blocked cookies in his browser. The technology asks the browser to draw a hidden image and then uses that image to identify the browser’s unique properties. Mr. Brandom reports that it appears AddThis created “canvas fingerprinting” as part of its efforts to find alternatives to cookie tracking. Mr. Brandom also adds that AddThis might end the “canvas fingerprinting” trials because, he writes, they found the test results “not uniquely identifying enough.”
Whether AddThis does or doesn’t end the trials, what is clear is the important point with which Mr. Brandom ends his article. The key takeaway is that simply blocking cookies, and using other such means, may not be enough to thwart being tracked. That is very worrisome to those of us concerned about protecting our privacy online.
This is one of those “bad news” stories. It has just been learned that back in March Chinese hackers successfully broke into very sensitive computer files maintained by the Office of Personnel Management (OPM). As reported by Michael S. Schmidt, David E. Sanger and Nicole Perlroth in the New York Times, Chinese hackers were targeting tens of thousands of files on Federal employees who have applied for top-secret security clearances (www.nytimes.com; “Chinese Hackers Pursue Key Data on U.S. Workers”; July 9).
This is frightening on many levels, starting with the fact that the hackers were able to breach OPM’s e-QIP system, which holds these and other employee files. Second, the amount of personal and sensitive information contained in these top-secret security clearance applications makes them a treasure trove for hackers. Applicants have to provide an array of sensitive information, including names of foreign contacts, financial data, and details about prior employment.
Senior officials and spokespersons for OPM and the Department of Homeland Security (DHS) have said that neither agency had “identified any loss of personally identifiable information.” DHS has also said it has an emergency response team assessing this breach and that the team would mitigate any risks that are identified.
While that is good news, that doesn’t mean that there couldn’t be future risks that personal and financial information has been stolen. Federal employees need to be aware of this breach and vigilantly monitor financial accounts for any unauthorized charges or changes.
Consumers are increasingly online doing all kinds of transactions. These transactions often involve sharing personal and private information. Yet consumers might not be fully aware of how that personal and private information is being used and/or ways in which they could better protect themselves.
So I was particularly interested to read about the just announced “Digital IQ” initiative being launched by the Better Business Bureau (BBB) and Acxiom. Their initiative, which other businesses and organizations will be invited to join, is going to try to help consumers become more knowledgeable about the Internet (www.bbb.org; “Better Business Bureau to Launch ‘Digital IQ’ Initiative with Acxiom”; July 1).
How will this be done? Per the BBB announcement, the partners are going to conduct research geared toward identifying specific areas in which consumers need help in “…developing effective habits and skills for navigating the digital world. By understanding how consumer data is collected and used, as well as the tools available to exercise choice about these processes, consumers can develop a ‘data comfort zone.’” Their initial products will be practical educational materials focusing on shopping and buying, but the hope is that the initiative’s scope will expand over time to teaching consumers about other uses of data and analytics.
They’ve announced that their initial research will examine topics including:
- How consumers can become smarter shoppers to get the best deals while staying in their respective data comfort zone;
- How and when consumers should fill out marketing surveys; and
- How advertisers use location data that’s on consumers’ devices.
On June 25th, the Supreme Court issued a seminal decision addressing the convergence of privacy and the digital world. The Court held that police cannot, without a warrant, under most circumstances, search data on a cell phone taken from someone who has been arrested (Riley v. California, 573 U.S. ___ (2014); Riley). I’ve read the decision which touches on many Fourth Amendment questions. I’m not going to summarize the entire decision but want, instead, to highlight some of the overarching pivotal privacy findings.
In reaching its decision, the Court explored the realities of today’s digital world within the context of the Fourth Amendment’s protections against unreasonable warrantless searches by the government of people, their homes, papers and other effects. The Court analyzed and compared the seismic differences between the search of a single document, or of a person who has been arrested, with a search of the enormous data capacity of a cell phone — and of the “quantitatively and qualitatively” different privacy implications between those types of searches. Riley, 573 U.S. ___, at 8-9, 18-20. The Court also analyzed whether searching the data on a cell phone fell within the legally recognized exception to the warrant rule, i.e., the reasonableness of a warrantless search incident to a lawful arrest.
Briefly, here are some of the key privacy findings by the Court:
- The Court found that cell phones, and a search of them, are significantly different, raising corresponding privacy concerns, than searches of other objects. In comparing a potential search of data on a cell phone to searches of individuals or other objects, the Court wrote that “[m]odern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.” (Riley, 573 U.S. ___, at 17).
- The Court found greater privacy considerations arise from a search of cell phone data precisely because of the volume and range of what can be collected and retained on a cell phone. That very data capacity distinguishes that search from the search of, for example, an individual as the latter “…was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy.” (Riley, 573 U.S. ___, at 17).
- The Court’s opinion recognized the significance, from a privacy perspective, of the diversity and volume of data collected on a cell phone. Unlike a single paper record or document, the sheer quantity and range of cell phone data can “…reveal much more in combination than any isolated record.” (Riley, 573 U.S. ___, at 18). A person’s activities, locations, likes, and relationships can all be constructed from cell phone data. (Riley, 573 U.S. ___, at 18-21).
- Finally, the Court noted “[t]o further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself. Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter.” (Riley, 573 U.S. ___, at 21).
The Court’s opinion fully recognized the need for police to protect themselves or prevent arrested persons from escaping or that emergency situations could arise that require an immediate search of a cell phone. (Riley, 573 U.S. ___, at 10-11, 25-27). But absent those fact specific situations, police must have a warrant before searching cell phone data.
This decision establishes critical privacy protections by recognizing the central role cell phones occupy in today’s world — and their capacity for collecting and recording continuously so many inter-related aspects of our lives.
The Consumer Financial Protection Bureau (CFPB) knows that more and more consumers are using mobile devices for accessing financial services, transacting banking and other financial activities and managing their personal finances. To help consumers, the CFPB, on June 11th, issued a very helpful guide titled “Tips when using mobile devices for financial services” (http://files.consumerfinance.gov/f/201406_cfpb_consumer-tips_mobile-rfi.pdf). This one pager is an excellent resource.
Here’s a short summary of the CFPB’s top 6 consumer tips for using mobile devices in a safer way for financial transactions:
- Set up alerts on the mobile device(s) and always check account balances;
- Protect personal information and be cautious about accessing financial accounts or conducting financial transactions on a mobile device shared with someone else;
- Use strong passwords and don’t save them on phones;
- Immediately report the loss or theft of a mobile device to every financial institution and financial service used;
- Always use secure websites or apps; and
- Always remember to delete sensitive information when replacing an existing phone or device with a new one.
As the CFPB notes, some of these tips might be obvious but that doesn’t make them any less important or valuable to remember to do.
Most consumers know that their online shopping activities are being tracked by merchants and advertisers. But Hayley Tsukayama, in her June 9th “The Switch” column for The Washington Post, writes that many consumers aren’t aware that merchants are tracking their in-person shopping via their smartphones’ wireless Internet connections (www.washingtonpost.com; “How Apple’s new software makes it harder for retailers to track your movements”).
So how easy is it for merchants to track consumers via their smartphones? The answer is — extremely so! How is it done? As Ms. Tsukayama reports, retailers are able to track shoppers — in their stores and even just passing by — using the unique code that smartphones emit when trying to connect to wireless networks (called the MAC address). Using these codes, merchants are able to discover how often a consumer visits a particular store or even passes by it. Nordstrom had been using a program based on these codes to track shoppers throughout its stores but stopped doing so after concerted outcry by consumer and privacy advocates.
So what’s the good news from Apple? In her column, Ms. Tsukayama reports that Apple is addressing this unique code/tracking problem in its new operating system, iOS 8, coming this fall. Under iOS 8, the code that’s generated will be randomized, thwarting merchants’ ability to identify iPhones by unique codes. This very neat solution will help those consumers using Apple smartphones. However, consumers using other smartphones with other operating systems will still be trackable.
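To see why a randomized code defeats this kind of tracking, it helps to look at both sides: what a store’s Wi-Fi sensor can count, and what a phone emits. The following is an added example written for this post; it is not Apple’s code and does not claim to reproduce exactly how iOS 8 generates its addresses. It uses the standard “locally administered” form of a MAC address (bit 0x02 of the first octet set, multicast bit 0x01 clear) for the randomized addresses, and the shopper’s probe log, the factory address and the visit counts are all constructed for illustration.

```python
import secrets
from collections import Counter

# Illustrative model of MAC randomization. The locally administered bit is the
# standard marker for addresses not assigned by a hardware vendor; whether a
# particular OS builds its random addresses exactly this way is an assumption.


def random_private_mac(rng=secrets.token_bytes):
    """Return a random unicast, locally administered MAC address as a string.
    Setting bit 0x02 of the first octet marks the address as locally assigned,
    and clearing bit 0x01 keeps it unicast, so it never collides with a
    vendor's factory-assigned range."""
    octets = bytearray(rng(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac):
    return bool(int(mac.split(":")[0], 16) & 0x02)


def is_unicast(mac):
    return not int(mac.split(":")[0], 16) & 0x01


def visits_per_address(probe_log):
    """Retailer-side view: on how many distinct days each address was seen
    probing for Wi-Fi near the store. probe_log is a list of (day, mac) pairs;
    repeated probes on the same day count once."""
    seen = Counter()
    for _day, mac in set(probe_log):
        seen[mac] += 1
    return seen


def simulate_shopper(days, randomize, factory_mac="00:11:22:33:44:55"):
    """Constructed probe log of one phone passing the store on `days` days.
    With randomize=False the factory address shows up every day, so the visits
    link into one profile; with randomize=True each day's probes carry a fresh
    address and the retailer sees `days` unrelated one-off visitors."""
    log = []
    for day in range(days):
        mac = random_private_mac() if randomize else factory_mac
        log += [(day, mac)] * 3  # a few probe requests per visit
    return visits_per_address(log)


if __name__ == "__main__":
    print("fixed address:     ", simulate_shopper(5, randomize=False))
    print("randomized address:", simulate_shopper(5, randomize=True))
```

The fixed-address run produces one address seen five times, which is exactly the repeat-visit profile Ms. Tsukayama describes; the randomized run produces five different addresses seen once each, so the visits cannot be tied together, even though the phone behaved identically.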
What’s the solution for consumers using non-Apple smartphones? An available option is one people may not want or like — and that is, turning their smartphones off when they’re shopping. I know that’s not ideal but it is one option for all of us.