Posted by: David Scott
In thinking about today’s post, I wondered if the title was a bit of hyperbole. Upon reflection, I don’t think so.
Consider: How many people use the same User ID and password for multiple accounts? Many, many people do – and this practice bleeds across personal (social) and professional accounts to a very dangerous degree. Consider too: One hack should not have the potential to daisy-chain and wreak havoc through multiple domains and accounts, by virtue of simple clues granted in one account’s initial breach.
The reason I got to thinking: There’s no shortage of security breaches and leaks, as indicated by the Privacy Rights Clearinghouse’s Chronology of Data Breaches. But I also happened to be reading an international news story: Back in July, SK Communications Company of Korea reported that the personal information of its 35 million users had been hacked.
In a statement, SK said, “The specific scale of the hacking is still being investigated, but it is estimated that some of the personal information of 35 million Nate and Cyworld members have been leaked.” Nate is South Korea’s third-most popular search engine. Cyworld is the country’s largest social networking site; with 25 million users, it accounts for half of the country’s population.
The Biggest Security “Hole”?
By virtue of SK’s recent breach, and just a general peek at the Chronology, consider again carefully: How many people – in any country – use the same user ID and password for multiple sites? How many people have the same authenticating credentials for multiple personal accounts… and sensitive work accounts?…
Answer: Too many. Ok, that’s not a very empirical, scientific report. But I just did a survey of people around me, and… most people have a measure of the same credentials for all sorts of environments.
It could be worse – and it is:
What does this mean? This means that if one site is hacked, and credentials are stolen… other information that may point to other sensitive accounts can lead the hackers to those accounts, and they can spin your credentials through all of them. Consider accounts such as: Banks, mortgage companies, work, professional associations, schools, and on, and on, and on…
For the professional business and IT audience: Make it a part of your Security Policy, and any other relevant policies and forums (such as user orientations, quarterly security refresher training, etc.) that user ID(s) and password(s) for business systems must be unique, separate, and apart from all personal user IDs and passwords. Even security questions and answers should be unique, and used only for the specific work environment.
For the individual: I strongly urge you to consider separate and unique authenticating credentials for personal accounts such as Facebook, MySpace, YouTube, dating sites, and so on – and further, your bank(s) and other related accounts of high sensitivity – whatever you have and wherever you’re involved.
Again: One hack should not have the potential to daisy-chain and wreak havoc through your entire life’s online and subsequent real world existence.
Think about it – and act.
On this day (September 2nd): In 1930, the first non-stop airplane flight from Europe to the US was completed in 37 hours.