December 23, 2009

Without Device ID You’re as Safe as Your Password

unsafe web surfing at any speed

Twitter me this: When is Twitter not Twitter? Answer: when it’s the Iranian Cyber Army. Last week a simple password breach put Twitter out of commission for an hour or two while its servers were redirected to the Iranian Cyber Army. It illustrates the thin ice we skate on at any given moment on the Web, when an entire global communication medium can be brought down by a password hack. A New York Times article on the latest Twitter outage put it this way: “The incident also highlights a basic vulnerability in the way life is lived as it becomes increasingly digital: With so much vital information stored on the Web, people are only as safe as their passwords.” Well, it’s not just the consumer’s password; as the Twitter hack illustrates, it’s also the passwords sitting between the hackers and the systems and applications we use.

We entrust our online banks, social networking sites, email hosts, and every other web site where we maintain an account to keep our vital and personal data from getting ripped off. They in turn trust that we will do our best not to be hacked or duped into giving up our personal information so fraudsters can gain access to our “vital” information. Through regularly monitoring the ebb and flow of fraud-related news and information on the Web, I have noticed that most of the fraud news and content is either advice for consumers telling them how they can protect themselves from online scammers, or bad news about web fraud trends and the latest company to get hacked. Even with a handful of narrow Google Alerts to push fraud news to my Google Reader, it’s nearly impossible to scan, let alone read, even a representative sampling of the massive volume of web chatter about online fraud. If consumers had the full picture of how serious the online fraud problem is (including awareness of the fraud that’s not discovered and not reported), I believe most would rethink how they interact with businesses and people on the Web.

Whether you get phished for passwords, your computer is under the control of a botnet, or your online bank suffers a cyber attack by the Russian mob, the results are the same: once someone has your online credentials (name, password, secret questions, etc.) they can be you online, and you are at risk of becoming a victim of fraud. Your computer’s unique device identifier can serve as an additional factor to authenticate you if your credentials have been compromised. Randall Gamby, former Burton Group analyst and now Enterprise Security Architect at MassMutual Financial Group, put it this way in an article about device identification:

“What is the name of the city where you were born?” More and more frequently, users of banking websites are greeted with such questions when attempting to log in. Why isn’t the user able to view his account information after inputting his username and password? The customer was using a computer he hadn’t used before, and the bank was verifying he was who he claimed to be by using a device identification (DI) application.

Recently there’s been a boon in deploying device identification as a fraud-prevention strategy.  With cybercriminals targeting online credit card transactions, new account registrations and account logins, financial institutions have begun to require more than just a user’s IP address and login/password to verify that the person trying to access the account is in fact the user.

Nobody likes to manage/remember passwords and logins for scores of web sites.  Convenience (simple, repetitive passwords) often trumps security (strong passwords changed regularly).  Device identification significantly strengthens other forms of web authentication without adding more hassle or risk of losing PII.
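The step-up flow described above, as an added Python example that is not part of the original post: the server checks the password, derives a keyed device identifier from a handful of browser attributes, and answers “challenge” when a correct password arrives from a device the account has never used, exactly the situation behind the bank’s “city where you were born” question. The account, device attribute sets and server key are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Server-side secret keying the device fingerprint (constructed sample value).
SERVER_KEY = b"constructed-demo-key"

# Constructed device attribute sets: the customer's usual PC and an unfamiliar one.
HOME_DEVICE = {"ua": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1280x800", "tz": "-300"}
CAFE_DEVICE = {"ua": "Mozilla/5.0 (X11; Linux)", "screen": "1024x768", "tz": "+60"}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def device_id(attrs: dict) -> str:
    """Stable device identifier: HMAC over the canonicalised attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), "sha256").hexdigest()


def login(users: dict, username: str, password: str, attrs: dict) -> str:
    """'deny' on a bad password, 'allow' on a good password from a known device,
    'challenge' on a good password from a device the account has not used before."""
    rec = users.get(username)
    if rec is None:
        return "deny"
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["hash"]):
        return "deny"
    return "allow" if device_id(attrs) in rec["devices"] else "challenge"


def enroll_device(users: dict, username: str, attrs: dict) -> None:
    """Called only after the challenge question is answered correctly."""
    users[username]["devices"].add(device_id(attrs))


def build_user_table() -> dict:
    """Constructed sample account that has previously logged in from HOME_DEVICE."""
    salt, digest = hash_password("correct horse battery staple")
    return {"alice": {"salt": salt, "hash": digest, "devices": {device_id(HOME_DEVICE)}}}
```

A stolen password alone therefore yields only a challenge from an attacker’s machine, while the customer’s own PC logs in without extra friction.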

Want to learn more about passwords? Here are some tips from the University of Chicago on how to build strong passwords, and here’s the list of the top 500 most frequently used passwords. See if you can guess the #1 most frequently used password before you look.

- Tom

Posted by Tom Grubb. Categories: Device Fingerprint, Device ID, Device Identification, Identity Theft, Online Fraud
