Why should I care about online security?
It’s tempting to assume that only big businesses or big celebrities have to worry about their online security. After all, personal information like our photographs aren’t as interesting to anonymous hackers as compromising pictures of Jennifer Lawrence and other Hollywood A-listers, are they?
But the truth is we all have photos and messages we would prefer to keep private, and information like credit card details we would like to keep safe. According to a report by security software-maker McAfee and the Washington think tank Center for Strategic and International Studies, more than 40 million people in the US had their personal information stolen last year, as well as 54 million in Turkey, 20 million in Korea, 16 million in Germany and more than 20 million in China.
While it would be a mistake to think that the data we store online can ever be 100% safe, it would also be an error to assume that we can’t make our email accounts and the data – including photographs – that we store in the cloud a little bit more secure with very little inconvenience.
I’m pretty sure I don’t store anything in the cloud, thanks…
Many of the celebrities at the heart of the recent leaks may have thought the same. But as cloud services grow it’s becoming common for devices like smartphones to upload user data to remote servers by default. If you’re at all worried about some of your photos falling into the hands of malicious parties it’s probably not a bad idea to check your phone settings to see what data is being automatically backed up to the cloud, and disable automatic uploading.
Still, there’s no doubting that the cloud can be very useful – ask anyone who has lost all their photos and contact information because they lost or broke their phone. Fortunately there are other actions you can take to keep your data in the cloud safe. Probably most importantly, you’ll want to consider using a strong and secure password.
So what makes a good password?
For starters, some computer security experts say that password length is more important than complexity, which means that a 16-character memorable password like “ilovemysportscar” is more difficult to guess than an eight-character unmemorable password like “T9!!q”. This is because there are far more total possible combinations of 16 characters than eight, meaning malicious software must take longer to hunt through all the possible options to find the correct password. One survey found that 22% of “strong” eight-character passwords that contained numbers and symbols could be cracked after 10 billion guesses – compared with only 12% of 16 character passwords.
In his book How to Predict The Unpredictable, the author William Poundstone proposes other tips, such as including avoiding obvious number substitutions – most people substitute the letter “I” with a “1”, for example, which creates a false sense of security. Better would be to create a seemingly random string from the first letters of a phrase you have memorised. (As an illustration, the previous sentence in this paragraph could become: “bwbtcasrsftfloapyhm”).
Alternatively, you might choose a random string of letters and numbers, and use it to create a nonsense sentence. So, the (admittedly too short) password “RPM8t4Ka”, explains Poundstone, might become “Revolutions Per Minute, 8 track for Kathy”.
“I don’t know what it means,” he writes, “but I do know it’s fairly easy to remember.
OK, that’s my email password changed. Am I safe now?
Not completely. Even a 16-character password is useless if you inadvertently hand it over to a hacker. Unfortunately, that’s all too easily done. Use an unsecure wi-fi hotspot, for example, and an eavesdropper on the same hotspot can easily monitor your internet activity and read your passwords. If you’re not prompted to enter a password to access a wi-fi hotspot, there’s a good chance it isn’t secure. It’s probably best to restrict your online activity to basic browsing on these wi-fi hotspots, and perform more sensitive actions (checking email, uploading data to the cloud) on your home wi-fi or using your phone’s secure data network – look for the 3G or 4G symbol on your screen.
You can actually go one step further for minimal extra fuss. Install a virtual private network (VPN) app on your phone, switch it on when you’re on a wi-fi hotspot and it will essentially make it more secure: the app scrambles all of the data from your online activity – including the passwords you use to check email – in a way that makes it unintelligible to eavesdroppers. VPNs aren’t free, though, so privacy comes with a price.
And that should protect me from data theft?
It’s a start – but you’ve still got work to do. We don’t know for sure how hackers compromised the online accounts of the celebrities at the centre of the recent leak. There’s some evidence that they exploited a vulnerability in Apple’s iCloud service to repeatedly guess the user password until they found the correct one. But there is another way to gain access to someone’s account, no matter how strong their password is. If you know the person’s username, you can ask the service provider to reset their password using the “forgot my password” function. To work this particular trick a hacker needs to know a little information about the person whose account they are trying to access – things like their date of birth, their mother’s maiden name, or the first school they attended – so they can guess the answers to the security questions that must be answered to reset the password.
Of course, celebrities will find it difficult to keep this kind of personal information secret, which makes them particularly vulnerable to this form of attack – Sarah Palin’s email account was hacked this way in 2011. But many of us are all too willing to publish online the personal information we rely on to protect our passwords – many of us display our full date of birth on a social network profile, for instance. Navigating the privacy settings on social networks to hide this data is often not easy, but in the interests of keeping your data secure, it’s probably worth taking the time to make sure this sensitive information is kept out of sight of potential fraudsters.
Some people even advocate using false information on social networks – like an incorrect date of birth or ‘un-birthday’ – to keep your identity elsewhere secure.
OK, I’ve done all that. Am I finally safe?
Sadly, probably not. But you’ve certainly made life more difficult for hackers. And there’s one final trick you can use to add an extra layer of security. Many email and cloud services now offer two-factor authentication. With this service enabled, simply entering your correct password on a website won’t immediately offer you access to your account – instead it might trigger an automated call or text message to your mobile phone that requires you to punch in a PIN to complete the sign-in process. The idea is that confirming your identity twice is more secure than making you confirm it just once.
So I have to memorise, or do, yet another thing, then?
As with almost all of these security measures, two-factor authentication adds a little bit of inconvenience every time you want to access your account. Not everyone is prepared to trade convenience for security. But the bottom line is that we each have to make a personal decision about just how seriously we value our online privacy.
Is my personal information ever going to be more secure?
As The Economist noted earlier this year “Securing cyberspace is hard because the architecture of the internet was designed to promote connectivity, not security.” And this will get harder over the next few years and decades, as the “internet of things” begins to flourish – where billions of devices, from cars to household appliances to medical equipment, will be connected to the web.
“The tactic of pumping out new software as fast as possible and then issuing patches later to fix flaws in the code may be tolerable if all that is lost is data, but if it involves personal safety, consumers will be less tolerant,” noted The Economist. And if we want companies to be more proactive in keeping our information safe, then it’s all the more reason why we need to make sure we take enough precautionary steps ourselves.
To find out more about online security, check out the World-Changing Ideas Summit in New York on 21 October. BBC Future will be covering the event in full – so watch this space.