October is National Cyber Security Awareness Month, which means we’re paying more attention to things we should already be doing.
So much of our personal information lives online, and most of us don’t protect it as well as we should.
Thrive sat down with SC4 professor of computer information systems Rob Richardson to talk all about cyber security. His biggest piece of advice: change your passwords frequently, and use different passwords for different accounts.
Here’s the rest of the conversation.
Thrive: When we sign up for an email account, I think a lot of people assume that, say, Google is keeping our information protected. Are they?
Rob Richardson: They do, but only to the extent that you cooperate. There have been these big data breaches, and the big one over the summer that most people don’t realize happened was that Myspace got breached. They took 360 million user accounts, which means that for a lot of people, those credentials are now out there floating around.
People don’t cooperate because we’re lazy, so we re-use credentials. I guarantee that some significant fraction of those 360 million credentials are currently in use, same username, same password, that pair, on some other website – maybe on dozens of other websites. There are attack tools that can specifically import breach data and then create a config for some other website, say Amazon, then try to log into Amazon with every one of those 360 million accounts to see how many use those credentials. Or into Gmail, or Yahoo, Outlook, whatever.
What you can do is go to a website called www.haveibeenpwned.com. What this website will do is, you give it an email address, and it will compare it against 140 of these big public breaches.
People are lazy; we don’t want to remember different accounts for different things, and we don’t want to have to change passwords. When you ask me, does Google protect my security, they do if you cooperate. Google has no way to know that you use the same password for every single thing in the universe.
Thrive: Once they get in, what would they have access to?
Richardson: They’d have access to all of your saved mail. Don’t forget, with Gmail, your Gmail login gets you everything else in Google as well. That gets you Google Drive, Google Books, Google Hangouts, Google Plus. They could retrieve the documents even if those documents were confidential. They could take those documents, modify them and pass them on. They would have access to your contacts, and could send them an attachment under your name. Or they could send link recommendations.
Thrive: How do these breaches keep happening?
Richardson: Most of these companies are in business to do something else. That something else requires them to have users. The more difficult they make it for the user, the fewer users they’re going to have. It’s this counterintuitive thing: they know they need good security, but strong security is never convenient. If they enforce long passwords, frequent password changes, multi-factor authentication – where before you log in you have to respond to a text that it sends to your phone in addition to typing in your password – or you have to do the captcha thing, all these other forms of authentication you have to use make it less and less convenient, which means their user base shrinks. It’s this kind of fight: if we make our security too strong, we drive away our user base.
Right now, because of the reuse of passwords and the ease with which people can check these big data breaches against other sites, two-factor authentication is really the way you need to go. But most places don’t do that yet.
Thrive: It’s becoming more and more important to secure stuff, but it’s also probably becoming more and more lucrative for hackers, right?
Richardson: It is. They’re getting very, very organized now. Some of the criminal syndicates that conduct cyber attacks really think about what they’re doing. They target things that they know they can get data from. They don’t target every person, only the people who are worth targeting.
Thrive: How much more sophisticated are these emails now? Are they getting better at them?
Richardson: My key here for people is skepticism. Be very, very, very skeptical online before you provide any information or take any action.
We definitely are too trusting. The people who actually make money doing email fraud or online scams, the ones who survive, learn – they get good.