In an age where most personal information can be found online, where access to bank accounts, credit card numbers, and email are routinely hacked and stolen, most of us believe our data is safe due to one thing: the password.
There's only one problem: "No matter how complex, no matter how unique, your passwords can no longer protect you." Those are the words of senior writer Mat Honan for Wired magazine who, in the summer of 2012, was the victim of a sophisticated hack into several of his accounts. Thing is, his passwords were all robust: using a combination of symbols, letters, and numbers—ranging from seven to nineteen characters in length.
"Since that awful day," Mat explains, "I've devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack."
After being hacked himself, he spent the summer learning how it is done. What did he find out? In "two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal."
Keep in mind, Mat is not a sophisticated hacker. He was merely one individual motivated by his unfortunate experience to see just how easy it is. The real problem, he says, are two groups: overseas crime syndicates and bored teenagers—both of which are getting better at what they do.
One hacker, who goes by the name "Cosmo", was part of a group that took down sites ranging from the Nasdaq to the CIA, not to mention hacking the personal info of Michael Bloomberg, Barack Obama, and Oprah Winfrey. When finally caught, Cosmo turned out to be 15.
Of course, this is big business now. As Mat explains, "Malware and virus-writing used to be something hobbyist hackers did for fun...Not anymore. Sometime around the mid-2000s, organized crime took over."
Today, cybercrime is a rapidly growing multi-billion dollar industry preying on individuals, businesses, and large financial institutions.
Apparently, "last spring hackers broke into the security company RSA and stole data relating to its SecurID tokens, supposedly hack-proof devices that provide secondary codes to accompany passwords. RSA never divulged just what was taken, but it's widely believed that the hackers got enough data to duplicate the numbers the tokens generate. If they also learned the tokens' device IDs, they'd be able to penetrate the most secure systems in corporate America."
The point of failure in all of this is the password—the one thing everyone is relying upon to keep their information secure. Though Mat clearly believes those days are over and that radical changes will have to be made—more on that later—he does provide some do's and don'ts of password protection.
- Reuse passwords: If you do, a hacker who gets just one of your accounts will own them all.
- Use a dictionary word as your password: If you must, then string several together into a pass phrase.
- Use standard number substitutions: Think "P455w0rd" is a good password? N0p3! Cracking tools now have those built in.
- Use a short password—no matter how weird. Today's processing speeds mean that even passwords like "h6!r$q" are quickly crackable. Your best defense is the longest possible password.
- Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it's better than nothing.
- Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a "Camper Van Beethoven Freaking Rules."
- Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
- Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that's a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn't tied to your name...so it can't be easily guessed.
Although these are critical for making our accounts harder to hack, they still don't make it impossible. In fact, given how often various governments, large corporations, and highly sensitive networks get hacked, individuals have little safety other than not being valuable targets. However, as viruses created by hackers grow more sophisticated, pervasive, and self-replicating—much like the common cold or flu—larger swathes of society get hit. Although a bad flu may put us back for a couple days, try a virus that steals your personal information, ruins your identity, and then transfers all the money out of your bank account.
So, given that most of us online have, says Mat, "entrusted everything we have to a fundamentally broken system," what does next month's cover story of Wired advocate for all of us connected through the web? A solution that most of us today would probably never accept:
"The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity...we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think."
In addition to knowing our location and habits, Mat even speculates that a fully secure identity verification system might as well tap into the most unique marker of every individual: human DNA.
Essentially, rather than relying on our limited human memories to retain an easily hackable 1-dimensional line of code, we allow the government to track us as living 4-dimensional passwords (space plus time) navigating cyberspace and our physical environment.
As Mat admits, such a shift will "involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft."
Let's assume Mat is correct and that, with the rapidly growing threat of hacking, identity theft, and stolen funds, some form of location and data-tracking surveillance will be necessary in the future. If so, given how many people would prefer not to have their every move tracked, we need to consider a third alternative: large segments of society simply pulling the plug, disconnecting their lives entirely from the internet. For many, this wouldn't be a hard choice. But what about all those whose livelihood now depends on the web? The internet has not only reshaped the economy, but created an entirely new one too. How many would be willing to give it all up—their jobs, their income—if they knew most of their actions would be monitored? If you're not doing anything wrong, what do you have to hide right?
Sadly, this unfolding scenario is not merely one of a power-hungry government wanting to exert greater control of its citizens—it is also one of bored teenagers and overseas crime syndicates wreaking havoc on people's lives for profit and, sometimes, just for fun.
But, let's not kid ourselves; this could be a huge gain for the government as well. Are you paying all your taxes? Are you claiming unemployment, disability, and/or working under the table at the same time? There are a lot of people out there gaming the system that would either be cut-off or forced to give the State its dues. Running the government isn't cheap. So, not only is there a real problem, there's a clear incentive.
Where does all this end? As our lives slowly merge with the web, privacy, like copyrights, will become something merely argued about in court. Eventually, hard decisions will have to be made. If people want to participate in the economy, use government resources and services, buy or sell anything, as Mat points out, they're going to have to make huge sacrifices.
If, however, people prefer to unplug from the system entirely, then, most likely, they'll have to adapt to a more self-sufficient, less technologically dependent, and far simpler way of life. That is, before the day we had to worry about passwords, self-replicating malware, and overseas crime syndicates stealing our identities.
Question is: Does all this warrant Big Brother getting under our skin? Hopefully, not for some time.