Six Rules for Keeping Your Data Secure
This would be remembered as the Year of the Hack, if 2015 didn't promise even more cybersecurity breaches. Ordinary users shouldn't wait for businesses and government to respond to the growing threat.
This year's spectacular revelations include the theft of 145 million personal records from eBay, and the acknowledgment by JPMorgan Chase that 76 million households and 7 million small businesses may have been affected by a data breach. Yesterday, hackers claimed to have obtained millions of passwords from Dropbox. These reports followed news of tens of millions of compromised credit card numbers at Target, Home Depot, WalMart, P.F. Chang's and Neiman Marcus.
Other, as yet undisclosed thefts could be linked to two longstanding vulnerabilities in open-source software known as Heartbleed and Shellshock, discovered in recent months. In addition, we have seen the release of celebrities' naked pictures stolen from Apple's iCloud and images of ordinary youngsters lifted from Snapchat. There also was the theft of classified data by at least two different groups of Russian hackers, one using malware called Snake and the other dubbed SandWorm by the cybersecurity company that discovered it. Perhaps the best way to get a general picture of global information (in)security is this interactive map produced by the Russian cybersecurity company Kaspersky Lab.
According to PricewaterhouseCoopers, which surveyed 9,700 executives in 154 countries in April and May, there were 42.8 million reported incidents this year, up 48 percent from the 2013 survey. The number of companies reporting losses of more than $20 million doubled compared with last year. At the same time, investment in information security is down 4 percent from the year before.
In this game, innocent bystanders may be most likely to get hurt. Here are six rules for protecting yourself:
- Keep nothing on any of your devices, or in the cloud, that you wouldn't want the world to see. That includes Dropbox and iCloud, even if the former says no user credentials have been compromised and the latter has added two-factor authentication requiring access to a user's phone. All computer systems are vulnerable because humans write code. A vulnerability could lurk for years, as Heartbleed and Shellshock did. It is much safer to keep your data under a loose floorboard than on a major company's cloud service: only someone who is intensely interested in you will search your apartment, but Internet services are subject to generic, wholesale attacks.
- Don't send any sensitive information over the Internet. Kids thought Snapchat was a safe way to sext because pictures and videos disappear after being viewed. It turns out that an outside developer found a way to store the content and someone else broke into the storage. Besides, governments are watching, and even if you don't believe Edward Snowden's story of National Security Agency staffers passing around naked photos obtained through blanket surveillance, it could happen.
- Block e-mails from people you don't know. They are much more likely to be spam and phishing attempts than legitimate correspondence. Those who really need to can contact you via social networks. Never open any e-mail attachments unless you've discussed them with the sender. SandWorm used a previously unknown Windows vulnerability to get into Ukrainian and North Atlantic Treaty Organization member networks, but they needed a user to open a "weaponized" PowerPoint file. That unnecessary click can get you fired and your organization robbed blind.
- The credit card you use online should have a spending limit that reflects the amount that you would be comfortable losing to thieves and perhaps never recovering. Virtual cards that are never used again are best for big purchases. The credit card you use offline should have a chip and require a PIN code to pay a merchant. True, chip cards are more widespread in Europe than in the U.S., but it's not impossible to get one. If you don't have a chip card, don't use plastic to pay small merchants: Few invest in data security.
- Vault applications that store your many passwords are just as vulnerable as any other services, regardless of the claims they make about encryption and not storing your data. True, none of the widely available vaults has been cracked, but every new breach is always a surprise. It might make more sense to minimize the number of services allowed to store your credit card numbers, only picking ones with two-factor authentication and committing the passwords to memory.
- Don't buy anything that could be maliciously reprogrammed with physical consequences. That applies to most Internet of Things devices and, increasingly, to cars.
I don't always follow these rules, but every time I break them, I know I'm taking a risk. The pre-Internet world was safer, if not as convenient. We have put way too much trust in the magic of technology.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org