tag:theconversation.com,2011:/fr/topics/online-security-211/articles
Online security – The Conversation
2023-12-14T13:40:03Z
tag:theconversation.com,2011:article/216198
2023-12-14T13:40:03Z
2023-12-14T13:40:03Z
Phishing scams: 7 safety tips from a cybersecurity expert
<figure><img src="https://images.theconversation.com/files/558278/original/file-20231108-27-qgt394.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Phishers are crafty and their scams are always evolving.</span> <span class="attribution"><span class="source">weerapatkiatdumrong</span></span></figcaption></figure><p>Recently, one of my acquaintances, Frank, received an email late on a Monday afternoon with the subject line, “Are you still in the office?” It appeared to come from his manager, who claimed to be stuck in a long meeting without the means to urgently purchase online gift vouchers for clients. He asked for help and shared a link to an online platform, from which Frank bought R6,000 (about US$325) worth of gift vouchers. Once he’d sent the codes he received a second email from the “boss” requesting one more voucher.</p>
<p>At that point, Frank reached out to his boss through WhatsApp and discovered he’d been duped. Frank had fallen prey to a phishing scam. </p>
<p>This is just one example of many from my own circles. Other friends and relatives – some of them seasoned internet users who know about the importance of cybersecurity – have also fallen prey to phishing scams. </p>
<p>I am a cybersecurity professional who conducts <a href="https://www.wits.ac.za/staff/academic-a-z-listing/m/mau-maz/thembekilemayayisewitsacza/">research</a> on and teaches various cybersecurity topics. In recent years I have noticed (and confirmed through <a href="https://iacis.org/iis/2023/4_iis_2023_294-310.pdf">research</a>) that some organisations and individuals seem fatigued by cybersecurity awareness efforts. Is it possible that they assume most people are technologically astute and constantly well-informed? Or could it simply be that fatigue has set in because of the demanding nature of cybersecurity awareness campaigns? Though I have no definitive answer, I suspect the latter.</p>
<p>The reality is that phishing scams are here to stay and the methods employed in their execution continue to evolve. Given my expertise and experience, I would like to offer seven tips to help you stay safe from phishing scams. This is especially important during the festive season as people shop for gifts and book holidays online. These activities create more opportunities for cybercriminals to net new victims. However, these tips are appropriate throughout the year. Cybercriminals don’t take breaks – so you shouldn’t ever drop your guard.</p>
<h2>What is phishing?</h2>
<p>“Phishing” is a strategy designed to deceive people into revealing sensitive information such as credit card details, login credentials and, in some instances, identification numbers. </p>
<p>The most common form of phishing is via email: phishers send fraudulent emails that appear to be from legitimate sources. The messages often contain links to fake websites designed to steal login credentials or other sensitive information. The same message is typically sent to many addresses at once. Phishers can harvest email addresses from corporate websites, existing data breaches, social media platforms, business cards or other publicly available company documents.</p>
<p>Cybercriminals know that casting their net wide means they’ll surely catch some.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/meet-the-yahoo-boys-nigerias-undergraduate-conmen-60757">Meet the ‘Yahoo boys’ – Nigeria's undergraduate conmen</a>
</strong>
</em>
</p>
<hr>
<p>Voice phishing (vishing) is another form of this scam. Here, perpetrators use voice communication, like a phone call in which the caller falsely claims to be a bank official and offers to “help” you reset your password or update your account details. Other common vishing scams centre on offering discounts or rewards if you join a vacation club, provided you disclose your credit card details.</p>
<p>Social media phishing, meanwhile, happens when scammers create fake accounts purporting to be real people (for instance, posing as Frank’s boss). They then start interacting with the real person’s connections to deceive them into giving up sensitive information or performing financial favours.</p>
<p>Cybercriminals also employ SMS phishing (smishing): text messages that try to get the recipient to click a malicious link or download a harmful attachment, again in order to capture login credentials or credit card details. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/online-fraudsters-colonial-legacies-and-the-north-south-divide-in-nigeria-187879">Online fraudsters, colonial legacies and the north-south divide in Nigeria</a>
</strong>
</em>
</p>
<hr>
<p>Who is behind these scams? Typically, these are seasoned and cunning scammers who have honed their skills in the world of phishing over an extended period. Some work alone; others belong to syndicates.</p>
<h2>Phishing skills</h2>
<p>Successful phishers have a variety of skills. They combine psychological tactics and technical prowess. </p>
<p>They are master manipulators, playing on victims’ emotions. Individuals are deceived into believing they’ve secured a substantial sum, often millions, through a jackpot win. This scheme falsely claims that their cellphone number or email was used for entry. Consequently, the victim doesn’t seek clarification. Excited about getting the windfall payment quickly, they give their personal information to cybercriminals.</p>
<p>These scammers even tailor their approach to match individuals’ personal beliefs. For example, if you have an affinity for ancestral worship, be prepared for a message from someone claiming to be a medium, asserting that your great-great-grandfather is requesting a money ritual involving a deposit to a particular account and promising multiplication of your funds – even though your ancestors have communicated no such information. </p>
<p>Likewise, if you are a devout Christian, someone claiming to be “Prophet Profit” might attempt to contact you through a messaging platform, suggesting that a monetary offering to their ministry will miraculously resolve all your financial challenges. It’s simply too good to be true.</p>
<h2>Seven tips</h2>
<p>So, how can you avoid email phishing scams? Here are my tips.</p>
<p><strong>1.</strong> Before acting on an email that seems to be from a trusted colleague or friend – especially if it involves an unusual request – check whether the communication is authentic. Contact them directly through a telephone call, using a number you already have rather than one supplied in the message.</p>
<p><strong>2.</strong> If you encounter suspicious emails at work and are unsure of what to do, promptly report them to your IT department.</p>
<p><strong>3.</strong> Exercise caution when disclosing your contact information, such as email addresses and phone numbers, on public platforms. Malicious individuals may exploit this information for harmful purposes.</p>
<p><strong>4.</strong> Be vigilant when responding to unsolicited emails or messages that request personal information or immediate action.</p>
<p><strong>5.</strong> Validate the sender’s actual email address, not just the display name: the name shown beside an address is free text that a scammer can set to anything, and the address itself may be a close lookalike of a genuine domain. When in doubt, use official contact details from an organisation’s official website to get in touch instead of replying to the message.</p>
<p><strong>6.</strong> Don’t click on dubious links. Hover over a link (or long-press it on a phone) to see where it really leads, and check the domain portion of the URL before entering sensitive data; the text of a link and its actual destination need not match.</p>
<p><strong>7.</strong> Keep your devices, anti-spam and anti-malware software up to date. Use strong, unique passwords and enable multi-factor authentication wherever it is offered.</p>
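<p>The checks behind tips 5 and 6 can be automated. The Go program below is an added example, not code from this article or its author: it parses a constructed message modelled on the gift-voucher lure above (the people, the addresses and the “real” domain <code>example-corp.com</code> are invented) and flags the things a reader is told to look for: a sender domain that only resembles the genuine one, a Reply-To that routes answers elsewhere, and links whose visible text disagrees with their destination.</p>

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Assumed for the example: the organisation's real mail domain (hypothetical).
const trustedDomain = "example-corp.com"

// Constructed sample message modelled on the gift-voucher lure in the article;
// every name, address and domain here is invented.
const sampleEmail = `From: "Sipho Dlamini (CEO)" <sipho.dlamini@examp1e-corp.com>
Reply-To: ceo.urgent@mail-example.net
Subject: Are you still in the office?

<p>Frank, I am stuck in a meeting. Please buy the vouchers here:
<a href="http://example-corp.com.voucher-portal.net/login">https://example-corp.com/vouchers</a>
and send me the codes urgently.</p>
`

// Finding is one reason to distrust a message.
type Finding struct{ Check, Detail string }

var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// domainOf returns the lower-cased part of an address after the "@".
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// sameSite is true for the domain itself or a subdomain of it. A host such as
// "example-corp.com.voucher-portal.net" is neither, however familiar it looks.
func sameSite(host, domain string) bool {
	host = strings.ToLower(host)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Triage applies the checks behind tips 5 and 6 to a raw RFC 5322 message.
func Triage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	add := func(check, format string, a ...interface{}) {
		findings = append(findings, Finding{check, fmt.Sprintf(format, a...)})
	}

	// Tip 5: the display name is free text; only the address can be checked.
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	if !sameSite(domainOf(from.Address), trustedDomain) {
		add("sender-domain", "From is %s, not @%s", from.Address, trustedDomain)
	}
	// A Reply-To elsewhere routes the conversation away from the named sender.
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil &&
		domainOf(rt.Address) != domainOf(from.Address) {
		add("reply-to-mismatch", "replies go to %s", rt.Address)
	}

	// Tip 6: compare where each link says it goes with where it really goes.
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		target, err := url.Parse(m[1])
		if err != nil || target.Host == "" {
			continue
		}
		text := strings.TrimSpace(m[2])
		if !sameSite(target.Hostname(), trustedDomain) {
			add("link-host", "%q points at %s", text, target.Hostname())
		}
		// Link text that itself looks like a URL must agree with the href.
		if shown, err := url.Parse(text); err == nil && shown.Host != "" &&
			!strings.EqualFold(shown.Hostname(), target.Hostname()) {
			add("link-text-mismatch", "text shows %s, href goes to %s",
				shown.Hostname(), target.Hostname())
		}
	}
	return findings, nil
}

func main() {
	findings, err := Triage(sampleEmail)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %s\n", f.Check, f.Detail)
	}
}
```

<p>Run on the sample, <code>Triage</code> returns four findings. The display name “Sipho Dlamini (CEO)” is never consulted, because it is free text; only the address after the @ and the host part of each link are compared with the trusted domain, and the comparison is on whole labels, so <code>example-corp.com.voucher-portal.net</code> does not pass as a subdomain. The output is a triage aid, not a verdict: a message from the genuine domain can still come from a compromised account, which is why tip 1 still applies.</p>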
<p class="fine-print"><em><span>Thembekile Olivia Mayayise received research funding from the Diversifying Academy Grant at Wits University.
</span></em></p>
Cybercriminals don’t take breaks, so you shouldn’t ever drop your guard.
Thembekile Olivia Mayayise, Senior Lecturer, University of the Witwatersrand
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/200692
2023-03-08T13:40:55Z
2023-03-08T13:40:55Z
Should you pay for Meta’s and Twitter’s verified identity subscriptions? A social media researcher explains how the choice you face affects everyone else
<figure><img src="https://images.theconversation.com/files/513996/original/file-20230307-172-u720z6.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5582%2C3710&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">If you want to use two-factor authentication via text message on Twitter, you'll have to pay for it.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/twitter-verified-seen-on-mobile-with-a-stock-graph-on-news-photo/1246403941">NurPhoto via Getty Images</a></span></figcaption></figure><p>Social media services have generally been free of charge for users, but now, with ad revenues slowing down, social media companies are <a href="https://www.wsj.com/articles/would-you-pay-for-social-media-meta-twitter-and-snap-want-to-find-out-856524f8">looking for new revenue streams</a> beyond targeted ads. Twitter now charges for its blue check verification, and Meta and Twitter both charge for identity protection.</p>
<p>Users benefit from “free” services such as social media platforms. According to <a href="https://doi.org/10.1073/pnas.1815663116">one study</a>, in the U.S., Facebook users say they would have to be paid <a href="https://mitsloan.mit.edu/ideas-made-to-matter/how-much-are-search-engines-worth-to-you">in the range of $40 to $50</a> to leave the social networking service for one month. If you value Facebook highly enough that you’d need to get paid to take a break, why not pay for these new services if you can afford them? </p>
<p>Meta plans to offer <a href="https://www.theverge.com/2023/2/20/23607106/twitter-facebook-instagram-meta-security-subscription">paid customer support and account monitoring</a> on Facebook and Instagram to guard against impersonators for <a href="https://www.theverge.com/2023/2/19/23606268/meta-instagram-facebook-test-paid-verification">US$11.99 a month on the web and $14.99 a month on iOS devices</a>. Twitter’s proposed changes make two-factor authentication via text messaging <a href="https://www.theverge.com/2023/2/20/23607106/twitter-facebook-instagram-meta-security-subscription">a premium feature for paid users</a>. Text-message codes are the weakest form of second factor, since they can be intercepted through SIM-swap fraud; authenticator apps and hardware security keys were not put behind the paywall. Twitter Blue costs $8 a month on Android devices and $11 a month on iOS devices.</p>
<p>As a researcher who <a href="https://scholar.google.com/citations?user=JpFHYKcAAAAJ">studies social media and artificial intelligence</a>, I see three problems with the rollout of these features. </p>
<h2>The collective action problem</h2>
<p>Information goods, such as those provided by social media platforms, are characterized by the problem of collective action, and information security is no exception. Collective action problems, which economists describe <a href="https://personal.utdallas.edu/%7Eliebowit/palgrave/network.html">as network externalities</a>, result when the actions of one participant in a market affect other participants’ outcomes. </p>
<p>Some people might pay Facebook for improved security, but overall, collective well-being depends on having a very large group of users investing in better security for all. Picture a medieval city under siege from an invader where <a href="https://doi.org/10.1126/science.1130992">each family would be responsible for a stretch of the wall</a>. Collectively, the community is only as strong as the weakest link. Will Twitter and Meta still deliver the promised and paid-for results if not enough users sign up for these services?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a screenshot with large and small text and a white checkmark inside a 12-point star" src="https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/514057/original/file-20230307-16-6if8n3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Meta is beginning to roll out a paid identity protection service for Facebook and Instagram users.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/this-photo-illustration-taken-in-melbourne-on-february-24-news-photo/1247430814">William West/AFP via Getty Images</a></span>
</figcaption>
</figure>
<p>While large platforms such as Facebook and Twitter could benefit from lock-in, meaning having users who are dependent on or at least heavily invested in them, it’s not clear how many users will pay for these features. This is an area where the platforms’ profit motive is in conflict with the overall goal of the platform, which is to have a large enough community that people will continue using the platform because all of their social or business connections are there. </p>
<h2>Economics of information security</h2>
<p>Charging for identity protection raises the question of how much each person values privacy or security online. Markets for privacy have posed a similar conundrum. For digital products in particular, consumers are not fully informed about how their data is collected, for what purposes and with what consequences. </p>
<p>Scammers can find many ways to breach security and exploit vulnerabilities in large platforms such as Facebook. But valuing security or privacy is complicated because social media users do not know exactly how much Meta or Twitter invests in keeping everyone safe. When users of digital platforms do not understand how platforms safeguard their information, the resulting lack of trust could limit the number of people willing to pay for features such as security and identity verification.</p>
<p>Social media users in particular face <a href="https://doi.org/10.1257/jel.54.2.442">imperfect or asymmetric information</a> about their data, so they do not know how to correctly value features such as security. In the standard economic logic, markets assign prices based on buyers’ willingness to pay and sellers’ lowest acceptable bids, or <a href="https://www.investopedia.com/terms/r/reserve-price.asp">reservation prices</a>. However, digital platforms such as Meta benefit from individuals’ data by virtue of their size – they have such a large amount of personal data. There is no market for individual data rights, even though there have been a few policy proposals such as California governor Gavin Newsom’s <a href="https://www.cnbc.com/2019/02/12/california-gov-newsom-calls-for-new-data-dividend-for-consumers.html">call for a data dividend</a>. </p>
<p>Some cybersecurity experts have already pointed out the <a href="https://www.washingtonpost.com/politics/2023/02/21/paid-security-features-twitter-meta-spark-cybersecurity-concerns/">downsides to monetizing security features</a>. In particular, giving users a rushed timeline, one month from announcement to implementation, to start paying for the more secure option creates a real risk that many will <a href="https://www.theverge.com/2023/2/20/23607106/twitter-facebook-instagram-meta-security-subscription">turn off two-factor authentication altogether</a>. Further, security, user authentication and identity verification <a href="https://time.com/6257711/facebook-instagram-twitter-paid-verification/">are issues that concern everyone</a>, not just content creators or those who can afford to pay. </p>
<p>In the first three months of 2022 alone, nearly one-fifth of teens and adults in the U.S. <a href="https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/connectivity-and-mobile-trends.html">reported their social media accounts getting hacked</a>. The same survey found that 24% of consumers reported being overwhelmed by devices and subscriptions, indicating significant fatigue and cognitive overload in having to manage their virtual experiences. </p>
<p>It is also the case that social media platforms are not really free. The old adage is <a href="https://quoteinvestigator.com/2017/07/16/product/">if you are not paying, then you are the product</a>. Digital platforms such as Meta and Twitter monetize the enormous tracts of data they have about users through a <a href="https://theconversation.com/why-bad-ads-appear-on-good-websites-a-computer-scientist-explains-178268">complex online advertising-driven ecosystem</a>. The system makes use of very granular individual user data and predictive analytics <a href="https://doi.org/10.1257/jep.23.3.37">to help companies microtarget online ads</a> and <a href="https://doi.org/10.1007/s11151-013-9399-3">track and compare advertising views with outcomes</a>. There are <a href="https://theconversation.com/facebook-begins-to-shift-from-being-a-free-and-open-platform-into-a-responsible-public-utility-101577">hidden costs</a> associated with people’s loss of privacy and control over their personal information, including loss of trust and vulnerability to identity theft. </p>
<h2>Social media and online harms</h2>
<p>The other problem is how these moves to monetize security options increase online harms for vulnerable users without identity protection provisions. Not everyone can afford to pay Meta or Twitter to keep their personal information safe. Social bots have become <a href="https://doi.org/10.1007/978-3-030-91779-1_11">increasingly sophisticated</a>. <a href="https://www.cnbc.com/2023/02/23/biggest-benefits-risks-in-meta-twitter-verification-subscriptions.html">Scams increased by almost 288%</a> from 2021 to 2022, according to one report. Scammers and phishers have found it easy enough to <a href="https://www.washingtonpost.com/technology/2023/02/23/facebook-instagram-fee/">gain access to people’s personal information and impersonate others</a>. </p>
<p>For those who are scammed, the process of account recovery is frustrating and time-consuming. Such moves might hurt the most vulnerable, such as those who need Meta to find access to job information, or the elderly and infirm who use social media to learn about what is happening in their communities. Communities that have invested resources in building a shared online space using platforms such as Twitter and Facebook may be harmed by monetization efforts. </p>
<p>People are tired of navigating numerous subscriptions while their security and privacy concerns persist. At the same time, it’s an open question whether enough users will pay for these services to boost collective security. Ultimately, the service a social media platform offers is the opportunity to connect with others. Will users pay for the ability to maintain social connections the way they pay for content, such as entertainment or news? Social media giants may have a difficult path ahead.</p>
<p class="fine-print"><em><span>Anjana Susarla receives funding from the National Institutes of Health.</span></em></p>
Twitter and Meta are looking to make money from protecting users’ identities. This raises questions about collective security, people understanding what they’re paying for and who remains vulnerable.
Anjana Susarla, Professor of Information Systems, Michigan State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/188300
2022-09-11T20:10:03Z
2022-09-11T20:10:03Z
Apple’s PassKeys update could make traditional passwords obsolete
<figure><img src="https://images.theconversation.com/files/479816/original/file-20220818-18-al5pgb.jpeg?ixlib=rb-1.1.0&rect=64%2C29%2C3818%2C2555&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Sometimes it seems like passwords have been with us forever, and yet every year we’re reminded how we <a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">still don’t</a> use them properly! </p>
<p>The annual publication of the “worst passwords” <a href="https://en.wikipedia.org/wiki/List_of_the_most_common_passwords">list</a> shows we haven’t become much more password savvy over the past decade. And while several replacements for the humble password have been proposed, none have come close to the ease of using the traditional method. </p>
<p>But this changes today with the introduction of Passkeys – an update in Apple’s latest iOS 16 operating system. Passkeys could be the long-awaited solution to password malpractice, and the near-constant problem of compromised credentials.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/this-new-year-why-not-resolve-to-ditch-your-dodgy-old-passwords-172598">This New Year, why not resolve to ditch your dodgy old passwords?</a>
</strong>
</em>
</p>
<hr>
<h2>What’s wrong with passwords?</h2>
<p>The problem with passwords has been well documented. We choose weak ones, write them down (for others to see), share them, and re-use them on multiple websites. </p>
<p>The last of these is particularly problematic. Once your details are breached (and subsequently leaked), they’re vulnerable to “credential stuffing” – where cybercriminals take a set of login credentials and try them on multiple websites.</p>
<figure class="align-right ">
<img alt="A yellow sticky note with a password is stuck to a computer monitor." src="https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/478771/original/file-20220811-21-ef7ef4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">People still stick passwords to their monitors!</span>
<span class="attribution"><span class="source">Author provided</span></span>
</figcaption>
</figure>
<p>“But I use a password manager,” you might say.</p>
<p>Well, that’s good. The standard advice for years has been to use password managers such as 1Password or LastPass. These let you create unique passwords for each website or service you use. So even if a website is compromised, only one password is revealed.</p>
<p>But this approach requires the ability to synchronise across all your devices – a feature not all password managers provide.</p>
<p>And even with a password manager, our passwords are still stored on the remote website we’re accessing. Although most websites store passwords in a secure (hashed) format, they are still <a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">routinely compromised</a>. It’s estimated more than two billion <a href="https://www.forgerock.com/resources/2022-consumer-identity-breach-report">sets of credentials</a> (including passwords) were <a href="https://haveibeenpwned.com/">leaked online</a> in 2021. </p>
<h2>Along come Passkeys</h2>
<p>Apple devices using the newest operating system release (iOS 16 or MacOS Ventura) will integrate a new sign-in mechanism called Passkeys. Unfortunately iPad users will need to wait a <a href="https://9to5mac.com/2022/08/23/apple-delay-ipados-16-1-beta-now-available/">little longer</a> for the feature.</p>
<p>It’s worth noting you won’t be <em>forced</em> to use Passkeys, but your Apple device will prompt you with the opportunity to do so. Also, most websites will continue to support password access for people without the latest devices. </p>
<p>You’ll also have the option to use Apple’s secure cloud storage, iCloud, to back up your keys and share them across your Apple devices. </p>
<h2>How do they work?</h2>
<p>The concept behind Passkeys is <a href="https://support.apple.com/en-us/HT213305">relatively simple</a>. For every website on which you elect to use Passkeys, your device generates a unique pair of cryptographic keys for that site alone.</p>
<p>One of these is a public key, stored on the website you’re registered on. The other is a private key stored on your device. The two are mathematically related, but the public key cannot be used to work out the private key.</p>
<p>When you attempt to log in to the website, instead of entering a password, your device will ask you to confirm the login using its normal unlocking mechanism. So you’ll scan your face or your finger, or, as a fallback, enter the device passcode.</p>
<p>In practice this ties Passkeys to devices that can be unlocked in this way (iPhones have offered Touch ID since 2013 and Face ID since 2017).</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-iphone-turns-15-a-look-at-the-past-and-future-of-one-of-the-21st-centurys-most-influential-devices-183137">The iPhone turns 15: a look at the past (and future) of one of the 21st century's most influential devices</a>
</strong>
</em>
</p>
<hr>
<p>Once you have unlocked the device, it uses your private key to prove your identity to the website by signing a “challenge”: a random value the site generates for that login attempt, combined with the site’s own web address. The site checks the signature against its own address, so a lookalike phishing site that relays the challenge cannot obtain a response the genuine site will accept. At no point is your private key sent across the internet to the website.</p>
<p>The response from your device can only be verified by the website, using the public key generated when you registered. And nobody can pretend to be you without your private key, which is safely stored on your device.</p>
<p>If a website is compromised, the public key alone is useless to cybercriminals.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A diagram of the four steps involved in passwordless web authentication, which happens between a user's device and the online site or service being accessed." src="https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=296&fit=crop&dpr=1 600w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=296&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=296&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=372&fit=crop&dpr=1 754w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=372&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/478866/original/file-20220812-5086-1m4mzo.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=372&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Passwordless web authentication uses a combination of two keys, one public and one private.</span>
<span class="attribution"><span class="source">Paul Haskell-Dowland</span></span>
</figcaption>
</figure>
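<p>The registration and login exchange just described, as an added example in Go (not Apple’s code and not the article’s): the device half and the site half are modelled in one program, using the P-256 ECDSA keys that passkeys commonly use, and the site’s web address is folded into what gets signed so that the same run also shows why a replayed, forged or relayed-to-a-lookalike response is rejected. The site <code>https://example.com</code> and the lookalike <code>https://examp1e.com</code> are assumed, and <code>signedData</code> is a simplified stand-in for the structure a real WebAuthn authenticator signs, not the exact wire format.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is the site's record from registration: only the public key.
type Credential struct{ Pub *ecdsa.PublicKey }

// Authenticator stands in for the device; the private key never leaves it.
type Authenticator struct {
	priv   *ecdsa.PrivateKey
	origin string // the site this passkey was created for
}

// Register generates the key pair and hands the site only the public half.
// Key generation fails only if the entropy source does, which is unrecoverable.
func Register(origin string) (*Authenticator, Credential) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv, origin}, Credential{&priv.PublicKey}
}

// NewChallenge is the site's fresh random value for one login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedData binds the challenge to the origin, so a signature made for one
// site is worthless on another: this is what makes the scheme phishing-resistant.
func signedData(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is what the device does after the user unlocks it: sign the challenge
// for the origin the browser reports it is talking to.
func (a *Authenticator) Assert(challenge []byte, browserOrigin string) ([]byte, error) {
	if browserOrigin != a.origin { // a real browser would not even offer the passkey
		return nil, errors.New("no passkey for " + browserOrigin)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(challenge, browserOrigin))
}

// Verify is the site's check: stored key, this exact challenge, its own origin.
func Verify(cred Credential, challenge, sig []byte, siteOrigin string) bool {
	return ecdsa.VerifyASN1(cred.Pub, signedData(challenge, siteOrigin), sig)
}

// Outcome says whether each scenario ended in an accepted login.
type Outcome struct{ Legit, Replay, Forged, Phished bool }

// Demo runs one genuine login and three attacks against the same credential.
func Demo() (Outcome, error) {
	const site, phish = "https://example.com", "https://examp1e.com" // assumed
	var o Outcome
	auth, cred := Register(site)
	c1 := NewChallenge()
	sig, err := auth.Assert(c1, site)
	if err != nil {
		return o, err
	}
	o.Legit = Verify(cred, c1, sig, site)

	// Replay: the next login gets a new challenge, so a captured signature is dead.
	c2 := NewChallenge()
	o.Replay = Verify(cred, c2, sig, site)

	// Forgery: whoever holds the leaked public key must sign with some other
	// private key, and that does not verify against the stored one.
	thief, _ := Register(site)
	forged, err := thief.Assert(c2, site)
	if err != nil {
		return o, err
	}
	o.Forged = Verify(cred, c2, forged, site)

	// Phishing: a lookalike site relays the genuine challenge. The device refuses
	// to sign for an origin the passkey was not created on, and even a signature
	// over the lookalike origin fails at the real site, which checks its own.
	_, refused := auth.Assert(c2, phish)
	relayed, err := ecdsa.SignASN1(rand.Reader, auth.priv, signedData(c2, phish))
	if err != nil {
		return o, err
	}
	o.Phished = refused == nil || Verify(cred, c2, relayed, site)
	return o, nil
}
```

<p><code>Demo()</code> returns <code>Legit</code> true and the three attack flags false. Two points are worth noticing in the code: the site never stores anything but the public key, so there is nothing in <code>Credential</code> a breach could leak that would let an attacker sign; and the origin is checked twice, once by the device (which is what a browser does when it only offers passkeys created for the page’s domain) and once by the site, so a phishing page that relays a genuine challenge still cannot produce an accepted response.</p>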
<p>Moreover, while biometric technology <em>can</em> be compromised, this is <a href="https://www.macrumors.com/2019/08/08/face-id-bypassed-glasses-tape/">relatively</a> <a href="https://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid">difficult</a>. To exploit a biometrics/Passkeys combination, a criminal would first need to obtain your device and then do a great job of faking your face or fingerprint (or force one from you) – unlikely circumstances for most users.</p>
<h2>Usability barriers</h2>
<p>Passkeys will initially launch on Apple, but others are close behind. Passkeys are built on the FIDO Alliance’s WebAuthn standard, which Google and Microsoft also support, so the sign-in protocol itself is shared; what is vendor-specific is how the keys are backed up and synchronised between devices. Microsoft will likely launch its own equivalent soon, although it may not initially <a href="https://www.fastcompanyme.com/technology/theres-a-big-problem-with-apple-and-googles-plans-to-nix-passwords/">be compatible</a> with Apple’s implementation in that respect. This could be an issue for people wanting to use both an iPhone and Windows laptop.</p>
<p>Moving forward, it’s important Apple, Google and Microsoft work together to ensure maximum compatibility across devices. </p>
<p>Until then, there are some workarounds. If you need to access an Apple Passkeys-protected service on your Windows laptop (or any other device), you can scan a QR code with your iPhone and provide your biometric login verification that way.</p>
<figure class="align-center ">
<img alt="QRCodes allow for the use of Passkeys on non-supported devices (or when using a friends computer)." src="https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=342&fit=crop&dpr=1 600w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=342&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=342&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=430&fit=crop&dpr=1 754w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=430&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/478108/original/file-20220808-18-ox4drg.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=430&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">QR codes will allow for the use of Passkeys on non-supported devices (or when using a friend’s computer).</span>
<span class="attribution"><span class="source">Apple</span></span>
</figcaption>
</figure>
<p>This means users will need to have their phone with them whenever they authenticate from a device that doesn’t hold their synced passkeys – whereas currently they can just type out their password, or use a password manager synced across their devices. </p>
<p>For some users, needing to have their phone all the time could be enough to give Passkeys a pass altogether.</p>
<h2>The long tail of adoption</h2>
<p>The Passkeys approach has the potential to make passwords obsolete, but this will require organisations around the world to invest time, effort and money into it.</p>
<p>Big players like social media companies are well positioned to adopt Passkeys early on, but there will be millions of websites that may take years to do so – or may never.</p>
<p>Indeed, looking at the state of play today, many leading sites still <a href="https://doi.org/10.1016/j.cose.2022.102790">fall short</a> of applying existing good practice around passwords. So it’s hard to say exactly how quickly, and how widely, Passkeys will be implemented.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/four-ways-to-make-sure-your-passwords-are-safe-and-easy-to-remember-159164">Four ways to make sure your passwords are safe and easy to remember</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>Steven Furnell is affiliated with the Chartered Institute of Information Security.</span></em></p><p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The advice for years has been to use password managers. But even these don’t completely eliminate the risk of being compromised.
Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University
Steven Furnell, Professor of Cyber Security, University of Nottingham
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/178894
2022-03-10T03:43:47Z
2022-03-10T03:43:47Z
Is Russia really about to cut itself off from the internet? And what can we expect if it does?
<figure><img src="https://images.theconversation.com/files/451186/original/file-20220310-25-9yguew.jpeg?ixlib=rb-1.1.0&rect=123%2C30%2C5040%2C3406&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>The invasion of Ukraine has triggered a significant digital shift for Russia. Sanctions imposed by governments around the world – together with company closures or mothballing – have significantly impacted the country.</p>
<p>A plethora of events have escalated the invasion into the digital world, with cyber attacks, <a href="https://www.techtarget.com/searchsecurity/news/252513982/Conti-ransomware-gang-backs-Russia-threatens-US">cyber criminals taking sides</a>, and even an <a href="https://theconversation.com/ukraine-is-recruiting-an-it-army-of-cyber-warriors-heres-how-australia-could-make-it-legal-to-join-178414">IT army of civilians</a> being mobilised by Ukraine.</p>
<p>The sanctions imposed on Russia have not only directly hit its economy (and by extension the global economy), but are now also threatening Russian citizens’ access to the internet. </p>
<p>It’s expected the nation will limit its reliance on the global internet very soon. Although a complete <em>disconnection</em> isn’t yet confirmed, even a partial disconnection would be a difficult task. And the repercussions of Russia’s growing digital isolation for its citizens will be immense. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-power-of-tech-giants-has-made-them-as-influential-as-nations-heres-how-theyre-sanctioning-russia-178424">The power of tech giants has made them as influential as nations. Here's how they're sanctioning Russia</a>
</strong>
</em>
</p>
<hr>
<h2>Russia’s increasing digital isolation</h2>
<p>More than 85% of Russians use the <a href="https://www.statista.com/statistics/255129/internet-penetration-in-russia/">internet</a>. Since the Ukraine invasion began, people in Russia have found themselves increasingly deprived of online services such as Facebook, Twitter and even Netflix – with Russia either limiting access to sites, or providers withdrawing services.</p>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/450924/original/file-20220309-4153-81eyim.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">There’s no Facebook in Russia right now.</span>
<span class="attribution"><span class="source">Pixabay</span></span>
</figcaption>
</figure>
<p>Major financial players have pulled out too, including <a href="https://www.techradar.com/au/news/apple-pay-and-google-pay-cut-off-some-russian-customers">Apple Pay</a>, Google Pay and most <a href="https://www.cbsnews.com/news/visa-mastercard-russia-ukraine-invasion/">major credit card providers</a>, significantly impacting <a href="https://www.digitalcommerce360.com/2022/03/04/russia-ecommerce-slows-retail-industry-looks-to-help-ukraine/">e-commerce</a>.</p>
<p>Russia itself has also introduced a digital <a href="https://www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/">divide with the rest of the world</a>, despite the fact this may further cripple its economy. It is expected to start withdrawing from the global internet by <a href="https://www.vice.com/en/article/88gevb/russia-is-preparing-to-cut-itself-off-from-the-global-internet">March 11</a>, according to Kremlin documents. </p>
<p>Russia has long-imposed control over state-run media, but tolerated a level of free access to content and services through the internet. While such freedoms have been progressively diminished, citizens have still been able to stay connected to the wider web.</p>
<p>This open access is now being revoked. Russia will assert dominance over internet services and impose <a href="https://www.reuters.com/world/uk/bbc-halts-reporting-russia-after-new-law-passes-2022-03-04/">strict censorship</a> on local media organisations in an attempt to control <a href="https://www.scientificamerican.com/article/russia-is-having-less-success-at-spreading-social-media-disinformation/">information</a> and reinforce Kremlin propaganda.</p>
<h2>The Kremlin’s orders</h2>
<p>As part of this plan, the <a href="https://www.nytimes.com/2022/03/07/technology/russia-ukraine-internet-isolation.html">Russian government</a> has directed businesses to move their web hosting and business services to Russian servers.</p>
<p>While it may be assumed a “.ru” website is located in Russia, this isn’t always the case. Large organisations often host their services on servers in other regions, whether to gain access to better technology, to increase the resilience of the service, or to reduce costs.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/451187/original/file-20220310-20-zdtedu.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Among the Kremlin’s demands is a request for all foreign-hosted Russian services to be relocated to within Russia.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>A good example would be a <a href="https://theconversation.com/fastly-global-internet-outage-why-did-so-many-sites-go-down-and-what-is-a-cdn-anyway-162371">content delivery network</a>, where content is hosted on multiple servers around the world. This ensures fast access for users and resilience to outages and malicious attacks.</p>
<p>Relocating an individual website to a new server is relatively easy, but doing this on a national scale is a huge logistical challenge. It’s unknown whether Russia even has the capacity and capability to deliver the required resources.</p>
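<p>The point that a “.ru” name says nothing about where a site is actually served can be checked mechanically. The following is an added example, not code from the article: it takes the resolved addresses for a handful of domains and classifies each as hosted domestically, abroad, or spread across several countries (the content delivery network case). The domain names, the DNS answers and the prefix-to-country table are all constructed for illustration; a real audit would resolve the names live and look the addresses up in an IP-to-country or IP-to-ASN database, such as the regional registries’ delegation files.</p>

```python
"""Classify where a set of domains is really hosted, given their resolved
addresses, to show why a ".ru" name says nothing about hosting location.

Added example, not from the article. Both the DNS answers and the
prefix-to-country table are constructed; a real audit would resolve the
names with a DNS library and use an IP-to-country or IP-to-ASN database.
"""

import ipaddress
from collections import Counter

# Constructed prefix table: (network, country code). These are documentation
# ranges (RFC 5737 / RFC 3849), not real allocations.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/25"), "US"),
    (ipaddress.ip_network("203.0.113.128/25"), "NL"),
    (ipaddress.ip_network("2001:db8:1::/48"), "RU"),
    (ipaddress.ip_network("2001:db8:2::/48"), "US"),
]

# Constructed DNS answers, as a resolver might return for A/AAAA queries.
RESOLVED = {
    "bank.example.ru":   ["192.0.2.10", "2001:db8:1::10"],   # all at home
    "shop.example.ru":   ["198.51.100.7"],                    # hosted abroad
    "news.example.ru":   ["203.0.113.5", "203.0.113.200", "192.0.2.44"],  # CDN
    "broken.example.ru": [],                                  # no answer
}


def country_for(address: str) -> str:
    """Longest-prefix match of one address against the table; "??" if unknown."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, cc in PREFIX_TABLE:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else "??"


def classify(domain: str, addresses: list[str], home: str = "RU") -> str:
    """Label a domain by where its addresses sit relative to the home country."""
    if not addresses:
        return "unresolved"
    countries = Counter(country_for(a) for a in addresses)
    if set(countries) == {home}:
        return "domestic"
    if home in countries:
        # Some addresses at home, some abroad: the typical CDN/anycast footprint.
        return "mixed"
    return "foreign"


def audit(resolved: dict[str, list[str]], home: str = "RU") -> dict[str, str]:
    """Classify every domain in a resolver's answers."""
    return {d: classify(d, addrs, home) for d, addrs in resolved.items()}


if __name__ == "__main__":
    for domain, verdict in audit(RESOLVED).items():
        print(f"{domain:20} {verdict}")
```

<p>Only the “domestic” rows would be untouched by a relocation order; a “mixed” result is the CDN situation described above, where a single migration target does not exist because the content is deliberately served from many countries at once.</p>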
<h2>Not the first attempt at disconnection</h2>
<p>With mounting pressure from the West, Russia may <a href="https://abcnews.go.com/International/wireStory/china-russia-chief-strategic-partner-war-83292299">create its own version</a> of the “<a href="https://www.internationalaffairs.org.au/news-item/the-great-china-firewall/">great firewall of China</a>”, the set of technical and legal measures through which the Chinese government regulates and censors its domestic internet as it sees fit. </p>
<p>Although the current demands from the Kremlin relate to service availability – and migrating websites and services to Russian territories – this <em>could</em> be the first stage of a national disconnection from the global internet.</p>
<p>It’s worth noting, however, even if Russia adopts a domestic internet, it will still need to keep some bridges with the global internet to communicate with other countries.</p>
<p>In 2019, Russia tested <a href="https://www.bbc.com/news/technology-50902496">disconnecting the country from the internet</a>. There are few details relating to how long this test ran. </p>
<p>The test was reportedly successful, but not adopted. It could be the Kremlin stopped short of a full disconnection due to Russia’s reliance on global services, such as social media and financial gateways.</p>
<p>With Russia now becoming increasingly isolated from global networks, it’s potentially easier to implement network changes that would grant the Kremlin full control of Russia’s internet.</p>
<h2>The repercussions</h2>
<p>Disconnecting from the global internet and imposing censorship will inevitably slow down democratic progress in Russia. </p>
<p>It will also impact the country’s technological development. Russia is already facing significant <a href="https://www.protocol.com/newsletters/protocol-enterprise/russia-ukraine-chips-shields-up">chip shortages</a> and a loss of access to <a href="https://www.lightreading.com/5g/how-western-sanctions-will-hurt-russian-telecom-and-tech/d/d-id/775873">advanced telecommunication technologies</a>, including deliveries from Ericsson and Nokia.</p>
<p>Even if Russia successfully creates its own separate internet, this would be challenging for citizens to accept. </p>
<p>Until recently, Russian citizens have enjoyed the benefits of the global internet, and they will likely be concerned at its disappearance. The social impact would be incredibly difficult to manage. </p>
<p>And while virtual private networks have previously been used within Russia to maintain anonymity, or access censored sources, a properly implemented set of controls could effectively block the use of such techniques.</p>
<h2>Is the internet safer without Russia?</h2>
<p>Given the amount of cyber crime regularly <a href="https://www.theguardian.com/technology/2021/oct/11/russia-and-nearby-states-are-origin-of-most-ransomware-says-uk-cyber-chief">attributed to Russian sources</a>, you might imagine Russia’s withdrawal from the global internet would make it a more secure space for everyone else. </p>
<p>While isolating Russia will have an initial impact, cyber-criminal gangs and state-sponsored attacks will quickly return as perpetrators find ways to escape domestic controls. </p>
<p>In fact, state-sponsored attacks will likely increase in the coming months as Russia seeks retribution against the countries (and organisations) that imposed sanctions on Russia. </p>
<p>If cyber warfare reaches heightened levels, other nations will have to focus more on their defence capabilities to protect their infrastructure. We could see the digital economy reshape itself, as it tries to contend with increased Russian threats.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/as-russia-wages-cyber-war-against-ukraine-heres-how-australia-and-the-rest-of-the-world-could-suffer-collateral-damage-177909">As Russia wages cyber war against Ukraine, here's how Australia (and the rest of the world) could suffer collateral damage</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The Kremlin is pushing for a quick migration of all Russian websites and services to be hosted within the country. It could be the first stage of a larger disconnection effort.
Mohiuddin Ahmed, Lecturer of Computing & Security, Edith Cowan University
Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/176027
2022-02-03T05:59:33Z
2022-02-03T05:59:33Z
Crypto theft is on the rise. Here’s how the crimes are committed, and how you can protect yourself
<figure><img src="https://images.theconversation.com/files/444197/original/file-20220203-17-bixps8.jpeg?ixlib=rb-1.1.0&rect=47%2C35%2C7940%2C4455&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p><a href="https://www.coindesk.com/tech/2022/02/02/blockchain-bridge-wormhole-suffers-possible-exploit-worth-over-250m/">News emerged</a> overnight of the potential theft of more than US$326 million (A$457.7 million) of Ethereum tokens from a blockchain bridge (which connects two blockchains so cryptocurrency can be exchanged between them). </p>
<p>It’s no surprise. Crypto crime has been on the rise – especially since the pandemic began. How are these crimes committed? And what can you do to stay ahead of scammers? </p>
<h2>Direct theft vs scams</h2>
<p>There are two main ways criminals obtain cryptocurrency: stealing it directly, or using a scheme to trick people into handing it over. </p>
<p>In 2021, crypto criminals directly stole a record US$3.2 billion (A$4.48 billion) worth of cryptocurrency, according to <a href="https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/">Chainalysis</a>. That’s a <a href="https://go.chainalysis.com/2021-Crypto-Crime-Report.html">fivefold increase</a> from 2020. But schemes continue to overshadow outright theft, enabling scammers to lure US$7.8 billion (A$10.95 billion) worth of cryptocurrency from unsuspecting victims. </p>
<p>Crypto crime is a fast-growing enterprise. The rise of the crypto economy and decentralised finance (or DeFi), coupled with <a href="https://time.com/nextadvisor/investing/cryptocurrency/bitcoin-record-high-price/">record</a> cryptocurrency prices in 2021, has provided criminals with lucrative opportunities.</p>
<p>Australian data confirm the global trends. The <a href="https://www.accc.gov.au/publications/targeting-scams-report-on-scam-activity/targeting-scams-report-of-the-accc-on-scam-activity-2020">Australian Competition and Consumer Commission (ACCC) reported</a> more than A$26 million was lost to scams involving cryptocurrency in 2020, from 1,985 reports. In December, federal police <a href="https://www.abc.net.au/news/2021-12-08/cryptocurrency-scams-targeting-australians-losing-millions/100678848?utm_campaign=abc_news_web&utm_content=link&utm_medium=content_shared&utm_source=abc_news_web">told the ABC</a> crypto scam losses for 2021 exceeded A$100 million. That’s despite many incidents likely going unreported, often because victims are embarrassed. </p>
<h2>Theft from exchanges</h2>
<p>Most consumers obtain cryptocurrency from an <a href="https://www.finder.com.au/cryptocurrency/exchanges">exchange</a>. This involves opening an account and depositing currency, such as Australian dollars, before converting it to a chosen cryptocurrency. </p>
<p>Typically the cryptocurrency is held in a “custodial wallet”. That means it’s assigned to the consumer’s account, but the private keys that control the cryptocurrency are held by the exchange. In other words, the exchange stores the cryptocurrency on the consumer’s behalf. </p>
<p>But just as a bank doesn’t hold all of its deposits in cash, an exchange will only hold enough cryptocurrency in “hot” wallets (connected to the internet) to facilitate customer transactions. For security, the remainder is held in “cold” wallets (not connected to the internet). </p>
<p>Unlike a bank, however, the government does not have a <a href="https://www.apra.gov.au/about-financial-claims-scheme">financial claims scheme</a> to guarantee cryptocurrency deposits if the exchange goes bust. </p>
<p>The recent BitMart hack is a cautionary tale. On December 4, <a href="https://support.bmx.fund//hc/en-us/sections/360000817854-Media-">the exchange announced</a> it had “identified a large-scale security breach” resulting in the theft of about US$150 million (A$210.6 million) in crypto assets from hot wallets. </p>
<p>BitMart temporarily suspended withdrawals and later promised it would use its “own funding to cover the incident and compensate affected users”. It’s unclear when this will happen, with <a href="https://www.cnbc.com/2022/01/07/cryptocurrency-theft-bitmart-still-owes-victims-of-200-million-hack.html">CNBC reporting in January</a> that customers were still unable to access their cryptocurrency. BitMart wasn’t the first exchange to be hacked, and it won’t be the last. </p>
<p>Similarly, consumers may be left with losses if an exchange fails for commercial reasons, rather than theft. Australians were left stranded in December when liquidators were <a href="https://publishednotices.asic.gov.au/browsesearch-notices/notice-details/myCryptoWallet-Pty-Ltd-619265548/cf805712-a08f-46f2-8ace-45ab1300cb10">appointed over Melbourne-based exchange myCryptoWallet</a>. </p>
<p>One way consumers can protect themselves from exchange theft, or insolvency, is to transfer their cryptocurrency from the exchange to a software wallet (an application installed on a computer or smartphone that holds the private keys locally, and so is only as secure as that device) or a hardware wallet (a dedicated device that keeps the private keys off the computer and can be disconnected from it and from the internet). </p>
<p>The cryptocurrency will then be under your direct control. But be warned, if you lose your private keys, <a href="https://www.cnbc.com/2021/01/15/uk-man-makes-last-ditch-effort-to-recover-lost-bitcoin-hard-drive.html">you lose your cryptocurrency</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-metaverse-is-money-and-crypto-is-king-why-youll-be-on-a-blockchain-when-youre-virtual-world-hopping-171659">The metaverse is money and crypto is king – why you'll be on a blockchain when you're virtual-world hopping</a>
</strong>
</em>
</p>
<hr>
<h2>Types of scams</h2>
<p>Drawing on the ACCC’s latest edition of <a href="https://www.accc.gov.au/publications/the-little-black-book-of-scams">the Little Black Book of Scams</a>, the following types of scam are commonly observed in the cryptocurrency space, where the scammer is not personally known to the target: </p>
<ul>
<li><p>Email phishing</p>
<p>The scammer sends unsolicited emails asking for personal login details, which can be used to steal cryptocurrency. Alternatively, they may offer “prizes” or “rewards” in exchange for a deposit. </p></li>
<li><p>Investment scams</p>
<p>The scammer creates a website that resembles a legitimate investment trading platform. It may be a fraudulent copy of a real business, or a completely bogus one. They may even post fake advertisements on social media platforms, with fake celebrity endorsements. In the <a href="https://www.theguardian.com/australia-news/2022/feb/03/andrew-forrest-launches-criminal-action-against-facebook-over-scam-ads-that-used-his-image">latest news</a>, billionaire mining magnate Andrew “Twiggy” Forrest has launched criminal proceedings against Meta (previously Facebook) for allowing scam ads using his image.
<br><br>
More sophisticated operations will have multiple scammers emailing and calling victims to give the impression of being a legitimate organisation. After cryptocurrency deposits are made, victims may be able to “trade” on the fake platform but can’t withdraw their supposed earnings. Delay tactics include asking for further deposits to be made for fees or taxes. </p></li>
<li><p>Romance scams</p>
<p>The scammer creates a fake profile and matches with victims on a dating app or website. They may then ask for funds to help them with a personal crisis, such as needing surgery. Or they may say they’re trading cryptocurrency and encourage the target to get involved, leading the victim into an investment scam, as described above. </p></li>
</ul>
<p>If a victim doesn’t already have a cryptocurrency exchange account, scammers may also coach them on how to open one. Some will mislead victims into installing remote access software on their computer, granting the scammer direct access to their internet banking or exchange account. </p>
<h2>Practical challenges</h2>
<p>There are practical legal challenges in the crypto crime environment. While <a href="https://www.scamwatch.gov.au/report-a-scam">reporting scams</a> can be helpful in providing data and intelligence for regulators and law enforcement, it’s unlikely to result in the recovery of funds.</p>
<p>Taking civil legal action may be possible, too, but identifying perpetrators is difficult. Since cryptocurrency is by its very nature global and decentralised, payments are often made to parties outside of Australia. </p>
<p>So prevention is better than cure. The main way to avoid being scammed is to ensure you know exactly who you’re dealing with, transact through a reputable exchange, and verify contact details and website addresses independently rather than through links or numbers you were sent. If an offer sounds too good to be true, it almost certainly is. </p>
<h2>Regulation on the horizon</h2>
<p>In Australia, cryptocurrency exchanges must be registered with <a href="https://www.austrac.gov.au/">AUSTRAC</a>, in compliance with anti-money laundering and counter-terror financing obligations. But there are currently no other licensing requirements (such as capital or cybersecurity requirements). </p>
<p>Last year, the Senate Select Committee into Australia as a Technology and Financial Centre <a href="https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Financial_Technology_and_Regulatory_Technology/AusTechFinCentre/Final_report">recommended</a> a more comprehensive licensing framework. The Australian government <a href="https://treasury.gov.au/publication/p2021-231824">agreed with the recommendation</a>, and the federal treasury department is due to begin consulting on what this will look like. </p>
<p>Mandatory measures to curb cryptocurrency crime at the exchange level will likely be high on the agenda.</p>
<p class="fine-print"><em><span>Aaron M. Lane works for the RMIT University Blockchain Innovation Hub and holds honorary research positions at the UCL Centre for Blockchain Technologies and the University of Divinity. Aaron is a member of the Digital Commerce Committee of the Law Council of Australia. Aaron is also Special Counsel at law firm Duxton Hill where he advises on matters involving cryptocurrency. </span></em></p>
Although it’s estimated illicit activity amounts to less than 1% of all cryptocurrency transactions, figures of losses are still staggering – and on the rise.
Aaron M. Lane, Senior Lecturer in Law, RMIT University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/172257
2022-01-03T10:33:37Z
2022-01-03T10:33:37Z
Stop blaming people for choosing bad passwords – it’s time websites did more to help
<figure><img src="https://images.theconversation.com/files/437289/original/file-20211213-27-gnk86t.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6196%2C4118&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/portrait-young-african-business-man-sitting-1407153674">Damir Khabirov/Shutterstock</a></span></figcaption></figure><p>Year after year, passwords like “123456”, “qwerty” and even “password” are found to be <a href="https://nordpass.com/most-common-passwords-list/">the most popular</a> choices, and 2021 was no exception.</p>
<p>These reports generally come with the same advice to users: create better passwords to protect your security online. Although this may well be true, it’s also time to realise that years of promoting this message have had little or no effect. </p>
<p>To improve things, I believe we need to stop blaming people and instead put the onus on websites and services to encourage and enforce better “cyber hygiene”.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/most-common-passwords-of-2021-heres-what-to-do-if-yours-makes-the-list-171985">Most common passwords of 2021: here's what to do if yours makes the list</a>
</strong>
</em>
</p>
<hr>
<p>Of course, it’s easy to point the finger at the users – they’re ultimately the ones making the poor password choices. But at the same time, it’s now <a href="https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security">well known</a> that people commonly make these choices. So it’s fair to assume that without guidance or restrictions to prevent weak passwords, they’re likely to continue with the same habits. </p>
<p>Yet we have successive generations of users who are neither told what a good password looks like nor prevented from making lazy choices. It’s not hard to find examples of websites that will accept the very worst passwords without complaint. It’s similarly easy to find sites that require users to create passwords, yet give them no guidance in doing so. Or sites that will offer feedback that a user’s password choice is weak, but allow it anyway. </p>
<h2>How providers can do better</h2>
<p>If you’re responsible for running a website or a service that will accept the likes of “123456”, “qwerty” or “password”, it’s time to rethink your system. If you let users get away with bad choices, they will believe that they are acceptable and continue this bad practice. </p>
<p>Instead, by implementing stronger controls, you can help to address the problem at its source. Websites should have processes in place to filter out poor passwords: a “blacklist” of common choices, including passwords exposed in previous breaches.</p>
<p>And while it can be useful to offer guidance for users at the point of password creation, sites should stop insisting on things that authoritative organisations like the <a href="https://www.ncsc.gov.uk/collection/passwords/updating-your-approach">UK National Cyber Security Centre</a> and the <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">US National Institute of Standards and Technology</a> now say ought not to be enforced. For example, they advise against the requirement for password complexity (like including upper and lower case letters, numbers and punctuation symbols). </p>
<p>Both organisations indicate that increasing password length is more important than complexity. This is because longer passwords are more resistant to <a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking">brute force cracking</a> (where attackers try all letter, number and symbol combinations to find a match) and less complex passwords can be easier to remember.</p>
<p>Yet many sites continue to demand complexity and impose upper limits on length, in the process often blocking perfectly reasonable password choices that our browsers and other tools can automatically generate for us.</p>
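<p>What the NCSC and NIST guidance looks like when enforced at sign-up, as an added example that is not from the article: a minimum length, a generous maximum, a blocklist of common passwords (with simple case and suffix variations caught), a check that the account name isn’t embedded in the password, and deliberately no composition rule. The old-style complexity check is included alongside for contrast. The blocklist here is a small constructed sample; a real deployment would load a large list such as the NCSC’s published most-hacked passwords or a breached-password corpus.</p>

```python
"""Password acceptance check following the NCSC/NIST advice: blocklist known
weak choices, enforce a minimum length, allow long passphrases, and do not
impose composition rules.

Added example, not from the article. The blocklist is a small constructed
sample; load a large public list (NCSC's most-hacked passwords, a breach
corpus) in a real deployment.
"""

import unicodedata

# Constructed sample blocklist. A production list has tens of thousands of entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345678", "111111",
    "iloveyou", "abc123", "password1", "letmein", "welcome", "admin",
}

MIN_LENGTH = 8    # NIST SP 800-63B floor for user-chosen memorised secrets
MAX_LENGTH = 64   # NIST: verifiers SHOULD permit at least 64 characters


def normalise(password: str) -> str:
    """NIST asks verifiers to apply Unicode normalisation (NFKC or NFKD) so the
    same passphrase typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def is_trivially_derived(password: str) -> bool:
    """Catch the usual dodges around a blocklist: case changes, and a
    blocklisted word padded with a digit or symbol suffix ("qwerty2023")."""
    p = password.lower()
    if p in COMMON_PASSWORDS:
        return True
    stripped = p.rstrip("0123456789!@#$%^&*.?")
    return stripped in COMMON_PASSWORDS


def check_password(password: str, user_context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    user_context holds strings such as the username or email local part that
    must not appear inside the password."""
    pw = normalise(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_trivially_derived(pw):
        problems.append("on the common-password blocklist")
    lowered = pw.lower()
    for ctx in user_context:
        if len(ctx) >= 4 and ctx.lower() in lowered:
            problems.append(f"contains account identifier {ctx!r}")
    # Deliberately no complexity rule: a long lowercase passphrase is accepted.
    return problems


def legacy_complexity_check(password: str) -> list[str]:
    """The kind of rule NCSC and NIST now advise against, shown for contrast:
    it rejects a strong 28-character passphrase and accepts 'Password1!'."""
    problems = []
    if len(password) > 16:
        problems.append("longer than 16 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no punctuation symbol")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "correct horse battery staple", "qwerty2023"]:
        print(f"{candidate!r}: recommended={check_password(candidate) or 'ok'}, "
              f"legacy={legacy_complexity_check(candidate) or 'ok'}")
```

<p>Run as a script it prints both verdicts for a few candidates. The legacy rule waves through “Password1!” while rejecting a 28-character passphrase, which is exactly the inversion the guidance above is trying to stop; the recommended check does the opposite, and still catches “qwerty2023” because it strips the trailing digits before consulting the blocklist.</p>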
<figure class="align-center ">
<img alt="A young woman lying on a couch using a smartphone." src="https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/437295/original/file-20211213-15-szh2hu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Weak passwords leave many people vulnerable to hackers.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/woman-lying-on-sofa-using-smartphone-1297435480">Undrey/Shutterstock</a></span>
</figcaption>
</figure>
<p>You may wonder why this is important. If people want to choose weak passwords and put themselves at risk, then why should that become the provider’s problem? One argument is that if a service is charged with protecting users’ personal data (as providers are through <a href="https://gdpr-info.eu/">GDPR</a>) then it doesn’t make a lot of sense to allow users to leave themselves vulnerable by choosing weak passwords.</p>
<p>It’s also worth noting that in some cases one user’s weak password could give an attacker <a href="https://comtact.co.uk/penetration-tester-tales-password-are-a-security-weak-spot/">a foothold into the system</a> from which to exploit other weaknesses and increase their access. So it’s arguably in the provider’s interest to minimise these opportunities and protect other people’s data in the process.</p>
<h2>Passwords aren’t going anywhere</h2>
<p>We’re now seeing a move towards <a href="https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/">passwordless authentication</a>, but this name in itself emphasises the dominance of password-based methods. Their <a href="https://www.cnet.com/news/gates-predicts-death-of-the-password/">death was predicted</a> more than 15 years ago, and yet they’re still here. It’s safe to assume they’re going to be with us for some time yet. </p>
<p>So we have a choice: take collective responsibility to get the basics right – which involves action by users and providers – or maintain the collective effort to shrug our shoulders and complain about users’ behaviour.</p>
<p>For those providing and operating password-based systems, sites and services, the call to action is hopefully clear: check what your site permits and see if it should do better. If it lets weak passwords pass, then either change this, or at a minimum do something that tries to deter users from choosing them.</p>
<p>If you are reading this as a user and you’re looking for some good advice on creating better passwords, the UK National Cyber Security Centre provides some <a href="https://www.ncsc.gov.uk/cyberaware/home">useful tips</a>. These include combining three random words to give yourself longer but more memorable passwords, and saving your passwords securely in your browser to further reduce the burden of remembering passwords across multiple sites. So even if providers are not doing enough, there are still some things you can do to protect yourself.</p>
<p class="fine-print"><em><span>Steven Furnell is affiliated with the Chartered Institute of Information Security.</span></em></p>
It’s time to think differently about how we address the password problem.
Steven Furnell, Professor of Cyber Security, University of Nottingham
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/162343
2021-06-08T07:36:08Z
2021-06-08T07:36:08Z
How an app to decrypt criminal messages was born ‘over a few beers’ with the FBI
<p>Australian and US law enforcement officials on Tuesday announced they’d sprung a trap three years in the making, catching major international crime figures using an encrypted app. </p>
<p>More than 200 underworld figures in Australia have been charged in what <a href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime">Australian Federal Police</a> (AFP) say is their biggest-ever organised crime bust.</p>
<p>The operation, led by the US Federal Bureau of Investigation (FBI), spanned <a href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime">Australia and 17 other countries</a>. In Australia alone, more than 4,000 police officers were involved.</p>
<p>At the heart of the sting, dubbed Operation Ironside, was a type of “<a href="https://www.kaspersky.com.au/resource-center/threats/trojans">trojan horse</a>” malware called AN0M, which was secretly incorporated into a messaging app. After criminals used the encrypted app, police decrypted their messages, which included plots to kill, mass drug trafficking and gun distribution. </p>
<figure class="align-center ">
<img alt="graphic of padlock and tech symbols" src="https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=366&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=366&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=366&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=460&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=460&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=460&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Police used an encrypted app used by underworld figures to bust the crime network.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Millions of messages unscrambled</h2>
<p>AFP Commissioner Reece Kershaw <a href="https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246">said</a> the idea for AN0M emerged from informal discussions “over a few beers” between the AFP and FBI in 2018.</p>
<p>Platform developers had worked on the AN0M app, along with modified mobile devices, before law enforcement acquired it legally and adapted it for their use. The AFP say the developers weren’t aware of the intended use.</p>
<p>Once appropriated by law enforcement, AN0M was reportedly programmed with a secret “back door”, enabling them to access and decrypt messages in real time.</p>
<p>A “back door” is a hidden mechanism built into software that circumvents normal access authentication. It allows remote access to private information in an application, without the “owner” of the information being aware. </p>
<p>So the users — in this case the crime figures — believed communication conducted via the app and smartphones was secure. Meanwhile, law enforcement could <a href="https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246">reportedly</a> unscramble up to 25 million encrypted messages simultaneously. </p>
<p>But without this back door, strongly encrypted messages would be almost impossible to decrypt. That’s because recovering a message without its key generally requires a computer to run through trillions of possible keys before hitting on the right one. Only the most powerful computers can do this within a reasonable time frame. </p>
<figure class="align-center ">
<img alt="Scott Morrison and police official stand at lecterns" src="https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Police programmed a secret ‘back door’ into the app to carry out the sting.</span>
<span class="attribution"><span class="source">Dean Lewins/AAP</span></span>
</figcaption>
</figure>
<h2>Providers resist pressure for ‘back-door’ access</h2>
<p>In the mainstream world of encrypted communication, the installation of “back-door” access by law enforcement has been <a href="https://www.securitymagazine.com/articles/91402-facebook-refuses-to-give-law-enforcement-access-to-its-messaging-app-whatsapp">strenuously resisted</a> by app providers, including Facebook, which owns WhatsApp. </p>
<p>In January 2020, <a href="https://www.cnbc.com/2020/01/14/apple-refuses-barr-request-to-unlock-pensacola-shooters-iphones.html">Apple refused</a> law enforcement’s request to unlock the <a href="https://abcnews.go.com/US/suspect-pensacola-naval-base-shooting-wrote-countdown-started/story?id=67733495">Pensacola shooting</a> suspect’s iPhone, following a deadly 2019 Florida attack which killed three people. </p>
<p>Apple, like Facebook, has long <a href="https://time.com/4262480/tim-cook-apple-fbi-2/">refused to</a> allow back-door access, <a href="https://www.apple.com/customer-letter/">claiming</a> it would undermine customer confidence. Such incidents highlight the struggle of balancing competing demands for user privacy with the imperative of preventing crime for the greater good. </p>
<figure class="align-center ">
<img alt="phone showing Apple and Facebook apps" src="https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Apple and Facebook have refused to allow back-door access, claiming it would undermine customer confidence.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Getting criminals to use AN0M</h2>
<p>Once AN0M was developed and ready for use, law enforcement had to get it into the hands of criminal “underworld” figures. </p>
<p>To do so, <a href="https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246">undercover agents</a> reportedly persuaded fugitive Australian drug trafficker Hakan Ayik to unwittingly champion the app to his associates. These associates were then sold mobile devices pre-loaded with AN0M on the black market. </p>
<p>Purchase was only possible if referred through an existing user of the app, or by a distributor who could vouch for the potential customer as not working for law enforcement. </p>
<p>The AN0M-loaded mobiles — likely Android-powered smartphones — came with reduced functionality. They could do just three things: send and receive messages, make distorted voice calls and record videos — all of which the users presumed to be encrypted. </p>
<p>With time the AN0M phone increasingly became the device of choice for a significant number of criminal networks. </p>
<figure class="align-center ">
<img alt="Police official points to screen showing phones and monitor" src="https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The AN0M-loaded devices were mobiles — likely Android-powered smartphones — but with reduced functionality.</span>
<span class="attribution"><span class="source">Dean Lewins/AAP</span></span>
</figcaption>
</figure>
<h2>Building up a network picture</h2>
<p>Since 2018, law enforcement agencies across 18 countries, including Australia, had been patiently listening to millions of conversations through their back-door control of the AN0M app. </p>
<p>Information was retrieved on all manner of illegal activities. This gradually enabled police to etch a detailed picture of various crime networks. Some of the footage and images retrieved have been <a href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime">cleared for public release</a>.</p>
<p>One major challenge was for police to match overheard conversations with <a href="https://www.newshub.co.nz/home/new-zealand/2021/06/what-is-the-an0m-app-and-how-was-it-used-to-catch-kiwi-criminals.html">identities</a> — as the AN0M phone could be purchased anonymously and paid for with Bitcoin (which allows secure transactions that can’t be traced). This may help explain why it took three years before police openly identified alleged perpetrators. </p>
<p>It’s likely the evidence obtained will be used in prosecutions now that a multitude of arrests have been made. </p>
<h2>The future of encryption</h2>
<p>Encryption technology is improving fast. It needs to — because computing power is also growing rapidly.</p>
<p>This means hackers are becoming increasingly capable of breaking encryption. Moreover, when quantum computers become available this problem will be further exacerbated, since they are massively more powerful than conventional computers today.</p>
<p>These developments will likely weaken the security of encrypted messaging apps used by law abiding people, including popular apps such as WhatsApp, LINE and Signal.</p>
<p>Strong encryption is an essential weapon in the cybersecurity arsenal and there are thousands of legitimate situations where it’s needed. It’s ironic then, that the technology intended by some to keep the public safe can also be leveraged by those with criminal intent. </p>
<p>Networks of organised crime have used these “legitimate” tools to conduct their business, secure in the knowledge that law enforcement can’t access their communications. Until AN0M, that is. </p>
<p>And while Operation Ironside may have sent a shiver through criminal subcultures operating around the world, these syndicates will likely develop their own countermeasures in this ongoing game of cat and mouse.</p>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The AN0M app was programmed by law enforcement to allow ‘back-door’ access. This led to the retrieval of information that culminated in hundreds of search warrants.
David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/158417
2021-04-06T05:22:36Z
2021-04-06T05:22:36Z
Facebook data breach: what happened and why it’s hard to know if your data was leaked
<figure><img src="https://images.theconversation.com/files/393503/original/file-20210406-23-j7rkr1.png?ixlib=rb-1.1.0&rect=86%2C13%2C887%2C639&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://twitter.com/UnderTheBreach/status/1349671417625931778">Alon Gal/Twitter</a></span></figcaption></figure><p>Over the long weekend <a href="https://www.businessinsider.com.au/stolen-data-of-533-million-facebook-users-leaked-online-2021-4?r=US&IR=T">reports</a> emerged of an alleged data breach, impacting half a billion Facebook users from 106 countries. </p>
<p>And while this figure is staggering, there’s more to the story than 533 million sets of data. This breach once again highlights how many of the systems we use aren’t designed to adequately protect our information from cyber criminals. </p>
<p>Nor is it always straightforward to figure out whether your data have been compromised in a breach or not.</p>
<h2>What happened?</h2>
<p>More than <a href="https://www.theguardian.com/technology/2021/apr/05/facebook-data-leak-2021-breach-check-australia-users">500 million Facebook users’ details</a> were published online on an underground website used by cyber criminals.</p>
<p>It quickly became clear this was not a new data breach, but an older one which had come back to haunt Facebook and the millions of users whose data are now available to purchase online. </p>
<p>The data breach is believed to relate to a vulnerability which Facebook reportedly <a href="https://www.businessinsider.com.au/stolen-data-of-533-million-facebook-users-leaked-online-2021-4?">fixed in August of 2019</a>. While the exact source of the data can’t be verified, it was likely acquired through the misuse of <a href="https://edition.cnn.com/2019/09/04/tech/facebook-phone-numbers-exposed">legitimate functions in the Facebook systems</a>. </p>
<p>Such misuses can occur when a seemingly innocent feature of a website is used for an unexpected purpose by attackers, as was the case with a PayID attack in 2019.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=116&fit=crop&dpr=1 600w, https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=116&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=116&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=146&fit=crop&dpr=1 754w, https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=146&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/393502/original/file-20210406-23-1m3m37p.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=146&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Chief technology officer of cybercrime intelligence firm Hudson Rock, Alon Gal, discovered the leaked database, posting screenshots on Twitter.</span>
<span class="attribution"><span class="source">Twitter</span></span>
</figcaption>
</figure>
<p>In the case of Facebook, criminals can mine Facebook’s systems for users’ personal information by using techniques which automate the process of harvesting data.</p>
<p>This may sound familiar. In 2018 Facebook was reeling from the <a href="https://www.theguardian.com/news/series/cambridge-analytica-files">Cambridge Analytica scandal</a>. This too was not a <a href="https://www.abc.net.au/news/2018-03-22/facebook-mark-zuckerberg-admits-mistakes-in-protecting-data/9574778"><em>hacking</em> incident</a>, but a misuse of a perfectly legitimate function of the Facebook platform. </p>
<p>While the data were initially obtained legitimately — at least, as far as Facebook’s rules were concerned — it was then passed on to a third party <a href="https://about.fb.com/news/2018/03/suspending-cambridge-analytica/">without the appropriate consent</a> from users.</p>
<h2>Were you targeted?</h2>
<p>There’s no easy way to determine if your details were breached in the recent leak. If the website concerned is acting in your best interest, you should at least receive a notification. But this <a href="https://www.theguardian.com/technology/2021/apr/08/facebook-2019-breach-users">isn’t guaranteed</a>. </p>
<p>Even a tech-savvy user would be limited to hunting for the leaked data themselves on underground websites.</p>
<p>The data being sold online contain plenty of key information. <a href="https://haveibeenpwned.com/PwnedWebsites#Facebook">According to</a> haveibeenpwned.com, most of the records include names and genders, with many also including dates of birth, location, relationship status and employer.</p>
<p>However, it has been <a href="https://www.theverge.com/2021/4/4/22366822/facebook-personal-data-533-million-leaks-online-email-phone-numbers">reported</a> that only a small proportion of the stolen records contained a valid email address (about 2.5 million records).</p>
<p>This is important since a user’s data are less valuable without the corresponding email address. It’s the combination of date of birth, name, phone number and email which provides a useful starting point for <a href="https://www.theguardian.com/technology/2021/apr/05/facebook-data-leak-2021-breach-check-australia-users">identity theft and exploitation</a>. </p>
<p>If you’re not sure why these details would be valuable to a criminal, think about how you confirm your identity over the phone with your bank, or how you last reset a password on a website.</p>
<p>Haveibeenpwned.com creator and web security expert Troy Hunt has said a secondary use for the data could be to enhance phishing and SMS-based spam attacks.</p>
<h2>How to protect yourself</h2>
<p>Given the nature of the leak, there is very little Facebook users could have done proactively to protect themselves from this breach. As the attack targeted Facebook’s systems, the responsibility for securing the data lies entirely with Facebook.</p>
<p>On an individual level, while you can opt to withdraw from the platform, for many this isn’t a simple option. That said, there are certain changes you can make to your social media behaviours to help reduce your risk from data breaches.</p>
<p>1) <strong>Ask yourself if you need to share all your <a href="https://www.theguardian.com/technology/askjack/2019/mar/07/is-there-a-way-to-use-facebook-without-giving-up-my-privacy">information with Facebook</a></strong></p>
<p>There are some bits of information we inevitably have to forfeit in exchange for using Facebook, including mobile numbers for new accounts (as a security measure, ironically). But there are plenty of <a href="https://theconversation.com/dont-be-phish-food-tips-to-avoid-sharing-your-personal-information-online-138613">details you can withhold</a> to retain a modicum of control over your data.</p>
<p>2) <strong>Think about what you share</strong> </p>
<p>Apart from the leak being reported, there are plenty of other ways to harvest user data from Facebook. If you use a fake birth date on your account, you should also avoid posting birthday party photos on the real day. Even our <a href="https://www.smh.com.au/technology/why-you-shouldn-t-post-a-picture-of-your-boarding-pass-on-social-media-20200918-p55wvf.html">seemingly innocent photos</a> can reveal sensitive information.</p>
<p>3) <strong>Avoid using Facebook to sign in to other websites</strong></p>
<p>Although the “sign-in with Facebook” feature is potentially time-saving (and reduces the number of accounts you have to maintain), it also increases <a href="https://threatpost.com/sneaky-phishing-scam-facebook/141869/">potential risk</a> to you — especially if the site you’re signing into isn’t a trusted one. If your Facebook account is compromised, the attacker will have automatic access to all the linked websites.</p>
<p>4) <strong>Use unique passwords</strong></p>
<p>Always use a different password for each online account, even if it is a pain. Installing a password manager will help with this (and this is how I have more than 400 different passwords). While it won’t stop your data from ever being stolen, if your password for a site is leaked it will only work for that <em>one</em> site.</p>
<p>If you really want a scare, you can always download a copy of all the <a href="https://www.facebook.com/help/212802592074644">data Facebook has on you</a>. This is useful if you’re considering leaving the platform and want a copy of your data before closing your account.</p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
More than 500 million people’s details were compromised. The records include various combinations of name, email, gender, date of birth, location, relationship status and employer.
Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/151845
2021-02-28T19:06:52Z
2021-02-28T19:06:52Z
RMIT attack underlines need to train all uni staff in cyber safety
<figure><img src="https://images.theconversation.com/files/386573/original/file-20210225-23-ynzmtk.jpg?ixlib=rb-1.1.0&rect=0%2C17%2C5947%2C4012&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Rawpixel.com/Shutterstock</span></span></figcaption></figure><p>Cyber criminals are very persistent and the daily numbers of cyber attacks show no sign of decreasing. The latest reported attack on an Australian university has <a href="https://www.theage.com.au/national/victoria/rmit-university-races-to-recover-from-cyber-attack-before-students-return-20210225-p575st.html">disrupted the start of the semester at RMIT</a>. The <a href="https://www.abc.net.au/news/2021-02-19/melbournes-rmit-university-suffers-suspected-cyber-attack/13173704">suspected phishing attack</a> – luring the recipient of an email or other communication into inadvertently giving the attacker access to the IT system – highlights the need for cyber hygiene training for all staff. </p>
<p>The flexible working practices and roll-out of a remote workforce culture during the COVID-19 pandemic have been a challenge for cyber security at even the most prepared organisations. The <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2020/">spike in cyber attacks</a> on organisations that have had to adapt quickly to the new normal just adds to the uncertainty and fears created by the pandemic. </p>
<p>Academics have access to a vast range of sensitive information. It includes student profiles, academic records, research data and other intellectual property. If computer systems or even authentication data such as login details are compromised, it’s just a matter of time before cyber criminals exploit all that private information in several ways. </p>
<h2>Universities put themselves at risk</h2>
<p>Despite this threat, almost half of Australia’s top 20 institutions in the QS World University Rankings 2020 <a href="https://www.smh.com.au/politics/federal/common-target-only-10-per-cent-of-australian-universities-automatically-blocking-fraudulent-emails-20210120-p56vg0.html">appear to have had no protection</a> in place against attackers spoofing their email domains to trick people into handing over access to university systems. An <a href="https://www.proofpoint.com/au/corporate-blog/post/australian-university-students-and-faculty-face-increased-email-fraud-risk">analysis</a> of the universities’ DMARC email-authentication records by cyber security firm Proofpoint found only two universities were actively blocking fraudulent emails from reaching students, alumni and faculty staff; the rest either published no DMARC record at all or had not set a policy that rejects spoofed mail.</p>
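<p>As an added example (not part of the original article, and not Proofpoint’s tooling), the check below classifies a domain’s DMARC record the way a survey like the one cited above does. In practice the record is fetched with <code>dig TXT _dmarc.&lt;domain&gt;</code>; here the records are constructed for hypothetical domains, not the real universities, so the figures are illustrative only.</p>

```python
from typing import Dict, Optional, Tuple

# Constructed DMARC TXT records for hypothetical domains (not the real
# universities' records). None means no _dmarc TXT record exists at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "uni-a.example": None,
    "uni-b.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@uni-b.example",
    "uni-c.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@uni-c.example",
    "uni-d.example": "v=DMARC1; p=reject; pct=20",
    "uni-e.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@uni-e.example",
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs (RFC 7489, section 6.4).

    Returns None if the TXT record is not a DMARC record (missing or wrong v= tag).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spoof_blocking_status(record: Optional[str]) -> Tuple[str, str]:
    """Classify how receivers will treat mail that fails DMARC for this domain.

    Status values:
      unprotected   no usable DMARC record, so receivers apply no policy
      monitor-only  p=none: reports are generated but spoofed mail is delivered
      partial       quarantine/reject applied to only pct<100 of failing mail
      enforcing     p=quarantine or p=reject on 100% of failing mail
    """
    if record is None:
        return "unprotected", "no _dmarc TXT record published"
    tags = parse_dmarc(record)
    if tags is None:
        return "unprotected", "TXT record is not a DMARC1 record"
    if "p" not in tags:
        return "unprotected", "record has no p= policy tag"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor-only", "p=none only requests reports"
    if policy not in ("quarantine", "reject"):
        return "unprotected", f"unknown policy {policy!r}"
    if pct < 100:
        return "partial", f"p={policy} but pct={pct}, so {100 - pct}% of spoofed mail is still delivered"
    return "enforcing", f"p={policy} on all failing mail"


def summarise(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per status: the headline figure a survey of this kind reports."""
    counts: Dict[str, int] = {}
    for record in records.values():
        status, _ = spoof_blocking_status(record)
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, reason = spoof_blocking_status(record)
        print(f"{domain:16} {status:13} {reason}")
    print(summarise(SAMPLE_RECORDS))
```

<p>The record is only half the story: DMARC passes mail on the strength of an aligned SPF or DKIM result, so a domain whose legitimate mail is not yet aligned will start losing real mail the moment it moves to <code>p=reject</code>. That is why so many organisations stall at <code>p=none</code>, and why a monitoring-only record should be read as “not blocking”.</p>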
<p>Cyber attacks can jeopardise the reputation of students and academics as well the institution itself. In addition to individual hackers, state-based actors are out to win the <a href="https://www.theguardian.com/world/2020/nov/22/hackers-try-to-steal-covid-vaccine-secrets-in-intellectual-property-war">intellectual property war</a>. </p>
<p>The latest <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2020/">Notifiable Data Breaches Report</a> from the Office of the Australian Information Commissioner (OAIC) shows data breaches resulting from human error accounted for 38% of notifications in the second half of 2020, an 18% increase on the previous reporting period. Education is one of the top five sectors for data breaches. </p>
<p>This highlights how important it is that universities provide cyber safety training for all academics working in areas other than cyber security, IT or the like. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/CpucuDJXWjI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Inside a massive cyber hack on Australian National University.</span></figcaption>
</figure>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/19-years-of-personal-data-was-stolen-from-anu-it-could-show-up-on-the-dark-web-118265">19 years of personal data was stolen from ANU. It could show up on the dark web</a>
</strong>
</em>
</p>
<hr>
<h2>3 ways staff and students can protect themselves</h2>
<p><strong>1. Use multi-factor authentication</strong></p>
<p>Universities are making greater use than ever before of learning management platforms such as BlackBoard, Canvas, Moodle and so on to deliver online content. During their design, cyber security was not high on the agenda. However, most learning management systems (LMS) have the option of <a href="https://www.cyber.gov.au/acsc/view-all-content/advice/multi-factor-authentication">multi-factor authentication</a> (MFA). </p>
<p>MFA requires something in addition to the password: typically a one-time code from an authenticator app, a code sent by SMS, a hardware security key, or a biometric such as a fingerprint or face scan. A PIN or secret questions are still “something you know”, so on their own they do not add a genuine second factor. For example, Canvas offers two options to support MFA: SMS (text) or an authenticator app. </p>
<p>This adds an extra layer of security. But, in reality, few students or academics use this option consistently.</p>
<p>Without that second factor, a single guessed or stolen password is enough. This improves cyber criminals’ chances of penetrating accounts with simple <a href="https://www.kaspersky.com/resource-center/definitions/brute-force-attack">brute-force approaches</a>, such as trying common or previously leaked passwords, or with social engineering, such as <a href="https://www.csoonline.com/article/3313323/cyber-scams-tips-to-avoid-being-a-victim.html">phishing, spear phishing and baiting</a>, to induce someone to “open the door” to an attacker. Readily available scanning tools (<a href="https://www.guru99.com/learn-everything-about-ethical-hacking-tools-and-skills.html">e.g. nmap, Netsparker</a>; the first a network port scanner, the second a web-application vulnerability scanner) make the reconnaissance that precedes such attacks even easier. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/tFv101qURKE?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p><strong>2. Use a VPN</strong></p>
<p>Working from home is the new normal now. Using home wi-fi to access university accounts creates opportunity for the cyber criminals. </p>
<p>Few people change their home router’s factory-default passwords, either for its administration page or for the Wi-Fi network itself. This makes it easier to break into home <a href="https://au.pcmag.com/how-to/28959/how-to-hack-wi-fi-passwords">wi-fi networks</a> and to watch or tamper with the traffic on them. </p>
<p>To limit the damage from such incidents, it is always better to use a virtual private network (VPN). A VPN creates an encrypted tunnel across the internet between your device and the organisation’s private network (or a third-party VPN service), so anyone on the home network, or anywhere in between, sees only encrypted traffic. It does not, however, protect a device that has already been compromised, and a third-party VPN simply moves your trust from your internet provider to the VPN provider.</p>
<p>Most universities, if not all, have the option of using a VPN. It’s a highly recommended safeguard against cyber attacks.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/lh-72JCv0rg?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p><strong>3. Get training in cyber hygiene</strong></p>
<p>Academics handle data and resources so sensitive, and so valuable to criminals, that they should complete short courses (micro-credentials) on cyber-safe teaching or cyber hygiene. Completing them should be a condition of teaching in the digital era. </p>
<p>Yet, currently, there are no such mandatory short courses on cyber hygiene for academic staff. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/universities-are-a-juicy-prize-for-cyber-criminals-here-are-5-ways-to-improve-their-defences-144859">Universities are a juicy prize for cyber criminals. Here are 5 ways to improve their defences</a>
</strong>
</em>
</p>
<hr>
<h2>Costs of security breaches can be huge</h2>
<p>The sensitive personal details of students and staff that hackers can obtain include names, residential addresses, dates of birth, phone numbers, email addresses, emergency contact details, tax file numbers, banking details and other payroll information. Hackers can use any combination of these details to launch convincing social engineering attacks that manipulate the victims, or to pass identity checks in the victims’ name. And it’s not only the initial victims; cyber criminals also target victims’ friends and families. </p>
<p>If learning management systems are compromised, that can lead to multiple worst-case scenarios. One example is tampering with grades recorded on the LMS. Cyber criminals are offering such services on the dark web and there are plenty of websites <a href="https://myassignmenthelp.com/buy-assignment-online.html">selling assignments</a>. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-australian-universities-can-get-better-at-cyber-security-99587">How Australian universities can get better at cyber security</a>
</strong>
</em>
</p>
<hr>
<p>Neglecting the cyber security of online platforms used by hundreds of thousands of students and academics across Australia presents an open invitation to cyber criminals. Cyber criminals find the lack of concern for cyber security in the education sector highly alluring. </p>
<p>And hackers can make a lot of money from successful ransomware attacks on students’ and academics’ computers.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/fFNiQJXFiG0?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Some universities have paid ransoms to regain access to their data after cyber attacks.</span></figcaption>
</figure>
<p>Academic staff might feel they have no option but to pay the ransom to avoid all the legal and privacy-related issues. Students will do anything to regain access to their computer where they probably have stored countless hours of work. </p>
<p>To avoid being put in this position, it is essential for academics and students to complete courses in cyber hygiene. Such courses and regular compliance checks should be mandatory. It is better to be safe than sorry!</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Universities are a prime target for cyber attacks and the weakest links in their defences are all the non-expert users of their systems. Teaching everyone basic cyber hygiene is vital.
Abu Barkat ullah, Associate Professor of Cyber Security, University of Canberra
Mohiuddin Ahmed, Lecturer of Computing & Security, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/152319
2021-02-26T03:16:50Z
2021-02-26T03:16:50Z
How to encourage cyber-safe behaviour at work without becoming the office grouch
<figure><img src="https://images.theconversation.com/files/385702/original/file-20210223-19-1hrhdoz.jpg?ixlib=rb-1.1.0&rect=0%2C9%2C6006%2C3998&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Business etiquette has one golden rule: treat others with respect and care. The same is true for encouraging cyber safety at work, on everything from password security to keeping valuable information like tax file numbers safe.</p>
<p>But how can you encourage cyber-safe behaviour at work without becoming the office grouch?</p>
<p>The trick, as it often is in life, is to encourage the right behaviours tactfully and by offering helpful solutions. Vilifying or mocking those who “do the wrong thing” is unlikely to help.</p>
<p>In short, offer alternatives and not reproach. </p>
<h2>Hey, what’s your password?</h2>
<p>Many organisations have policies to prevent password sharing (and most, by now, would hopefully actively discourage people from keeping passwords on a Post-it note stuck to a computer). However, asking others for a password is not yet necessarily considered taboo.</p>
<p>Perhaps your colleague wants to use your computer and asks for your login. Or they may need access to a shared repository such as Dropbox but have forgotten the password.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Two women chat while looking at a computer." src="https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/385710/original/file-20210223-15-r93ltv.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">If you’re reluctant to share your personal password, your instincts are correct.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>If you’re reluctant to share your personal password, or broadcast a team password in Slack or on a group chat, your instincts are correct. Passwords are deeply valuable pieces of information, and many catastrophic security breaches can be traced back to poor password management at work.</p>
<p>But if your colleague asks for a password, rather than responding with a short, sharp “no”, soften the blow by asking why they want it. If there is a legitimate reason, work with them to resolve the issue — without giving anything away. </p>
<p>For example, instead of posting a Dropbox password on Slack, can you direct them to your organisation’s password manager and help them learn how to retrieve passwords from it? If it’s access to a computer they need, can you help them restart a computer and log in as a guest instead of as you? </p>
<p>Never send usernames and passwords by email.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?</a>
</strong>
</em>
</p>
<hr>
<p>If systems are not in place at work to help people who need access to a shared password or a computer terminal, talk to your IT team about finding long-term solutions. That might include investing in a password manager such as 1Password, Dashlane or LastPass.</p>
<p>Files can be shared within teams through OneDrive, Dropbox or other organisational repository to reduce the need for a colleague to access your computer to “just get a file off it”.</p>
<h2>‘Please fill in this confidential form and email it to me’</h2>
<p>It’s not uncommon for <a href="https://www.zdnet.com/article/three-out-of-five-tech-workers-share-sensitive-information-by-email/">IT</a>, HR, finance or well-meaning admin support staff to ask you to fill in a form with sensitive information and just “email it back”. </p>
<p><a href="https://www.ecu.edu.au/news/latest-news/2018/05/client-data-potentially-at-risk-due-to-lawyers-lack-of-cybersecurity">Even doctors and lawyers</a> have been known to mishandle documents with signatures, tax file numbers or other identifying information such as birthdays.</p>
<p>Don’t feel under pressure to do it. The fact is, such information is invaluable to hackers and identity thieves. Should your workplace email suffer a data breach, bad actors may be able to retrieve these scanned forms from inboxes they’ve invaded.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/everyone-falls-for-fake-emails-lessons-from-cybersecurity-summer-school-81389">Everyone falls for fake emails: lessons from cybersecurity summer school</a>
</strong>
</em>
</p>
<hr>
<p>Most organisations have secure ways of transferring files, varying from a secure cloud storage solution to secure file sharing sites. Use them, and never your personal email or cloud solutions.</p>
<p>If your organisation doesn’t have <a href="https://www.wired.com/story/securely-share-files-online/">a secure way to save the files</a> you can use one and send your colleague the link in a work email.</p>
<p>Alternatively, you can send an encrypted <a href="https://www.virtru.com/blog/encrypt-pdf-file/">PDF in an email</a>, which gives much tighter control of who can open the file, provided the password travels by a different channel (a phone call, or a message on another platform) and never in the same email as the attachment.</p>
<p>Sometimes the safest solutions are the simplest. Go old-school: walk the documents over to the person instead of scanning and emailing them. </p>
<p>If you’re asked to send personal information in an insecure way, hide your <a href="https://knowyourmeme.com/memes/surprised-pikachu">Pikachu face</a>. Instead, say: “We’re supposed to be transferring files this way. If you want, I can show you how for next time?”</p>
<p>Offering a solution, rather than shaming, is much more likely to lead to change.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A person scans forms at work." src="https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/385703/original/file-20210223-23-mcjyh9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Sometimes the safest solutions are the simplest; if you can, just walk the documents over to the person instead of scanning and emailing them.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Can you pass on my resume?</h2>
<p>Job-hunters may try to get their foot in the door by leveraging a friend or ex-colleague. Many of us would be keen to help a friend by passing on their CV to the boss.</p>
<p>Unfortunately, malicious actors of all kinds also know this. As outlined in <a href="https://securitybrief.eu/story/new-phishing-campaign-disguises-malware-as-cv-attachments">this article</a>, fake CVs can be sent by email with a Microsoft Excel attachment. When opened, the attached file can launch malware that:</p>
<blockquote>
<p>…then attempts to hijack private information, credentials from users of targeted financial institutions, and passwords and cookies stored in web browsers. Attackers can then exploit these acquisitions to make financial transactions.</p>
</blockquote>
<p>Malware is not just embedded in links and attachments - <a href="https://www.linkedin.com/pulse/hackers-hit-your-inbox-malware-through-linkedin-alex-hartman">even LinkedIn messages</a> can contain malware. The consequences of opening such links or attachments can be extreme, and may even include <a href="https://www.cyber.gov.au/ransomware">ransomware</a> (where hackers refuse access to files or online systems until the victim pays up).</p>
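<p>As an added example (not from the article or the report it cites), here is the kind of triage a mail gateway, or a careful recipient’s script, can apply to a “CV” attachment before anyone double-clicks it: it checks the real file type against the claimed extension, looks inside Office Open XML containers for a VBA macro project, and flags executable and double extensions. The sample attachments are constructed in memory; the filenames, the macro blob and the verdict labels are illustrative, not taken from any real campaign.</p>

```python
import io
import zipfile
from typing import List, Tuple

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .xls/.doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.xlsx/.xlsm/.docx/.docm) is a zip
PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"                                   # Windows executable

MACRO_ENABLED_EXT = {".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
                  ".wsf", ".hta", ".lnk", ".ps1", ".msi"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}  # typical double-extension decoys


def ooxml_has_vba(data: bytes) -> bool:
    """An OOXML document stores macros in a zip part named vbaProject.bin
    (under xl/ for Excel, word/ for Word). Its presence is decisive whatever the extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'allow', reasons) for one attachment."""
    block: List[str] = []
    review: List[str] = []
    name = filename.lower()
    pieces = name.rsplit(".", 2)
    ext = "." + pieces[-1] if len(pieces) > 1 else ""

    # 1. Name-based signals.
    if ext in EXECUTABLE_EXT:
        block.append(f"executable extension {ext}")
    if len(pieces) == 3 and "." + pieces[1] in DECOY_EXT:
        block.append(f"double extension .{pieces[1]}{ext} hides the real type")
    if ext in MACRO_ENABLED_EXT:
        review.append(f"macro-enabled Office extension {ext}")

    # 2. Content-based signals: trust the bytes, not the name.
    if data.startswith(PE_MAGIC):
        block.append("content is a Windows executable (MZ header)")
    if data.startswith(ZIP_MAGIC) and ooxml_has_vba(data):
        block.append("Office document contains a VBA macro project (vbaProject.bin)")
    if data.startswith(OLE_MAGIC):
        review.append("legacy binary Office format; macros cannot be ruled out without parsing the OLE streams")
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        block.append("extension says PDF but the content is not a PDF")

    if block:
        return "block", block + review
    if review:
        return "review", review
    return "allow", []


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Excel-shaped OOXML container in memory (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed macro blob, not real VBA")
    return buf.getvalue()


# Constructed sample "CV" attachments as they might arrive by email.
SAMPLE_ATTACHMENTS = {
    "cv_jane.xlsx": build_ooxml(with_macro=False),
    "cv_jane.xlsm": build_ooxml(with_macro=True),
    "cv_jane_final.xlsx": build_ooxml(with_macro=True),      # macros behind a harmless-looking name
    "cv_jane.pdf": b"%PDF-1.4\n%constructed\n",
    "cv_jane.pdf.exe": PE_MAGIC + b"\x90\x00constructed",
    "cv_jane.xls": OLE_MAGIC + b"\x00" * 16,
}

if __name__ == "__main__":
    for fname, blob in SAMPLE_ATTACHMENTS.items():
        verdict, reasons = triage_attachment(fname, blob)
        print(f"{fname:20} {verdict:7} {'; '.join(reasons)}")
```

<p>The content checks are the ones that matter: a renamed file keeps its magic bytes and its zip parts, so the macro-carrying “cv_jane_final.xlsx” is blocked even though nothing in its name looks wrong. Legacy binary Office files are only sent for review because telling a clean .xls from a macro-laden one needs an OLE parser, which is left out here.</p>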
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A computer displays the homepage of LinkedIn." src="https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=397&fit=crop&dpr=1 600w, https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=397&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=397&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=499&fit=crop&dpr=1 754w, https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=499&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/385709/original/file-20210223-15-1dyf86r.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=499&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Even LinkedIn messages can contain malware.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>Don’t pass on CVs, especially if the person is a friend of a friend. Instead, pass on the person’s name to the boss, so she or he can look them up on LinkedIn. Don’t follow links sent to you, even by trusted contacts. Links can often be difficult to check without clicking on them and you may be redirected to a malicious site.</p>
<p>And if <em>you</em> are the jobseeker, demonstrate your own cyber-security awareness by not circulating CVs or other documents with personal information that may be valuable to identity thieves. No birthdays, addresses, just email, mobile number and LinkedIn.</p>
<p>The same rule applies to QR codes - don’t blindly open the webpage pointed to on a business card QR code. You may get more than you bargained for.</p>
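<p>The two paragraphs above say links (and the URLs behind QR codes) are hard to check without clicking. As an added example, not part of the article, this script performs the checks a person would do by hovering: it pulls every link out of an HTML email body and flags the usual tricks, namely visible text that names one site while the link goes to another, hosts that merely contain a trusted name, punycode hosts, user-info before an “@”, and non-web schemes. The email body and the trusted-domain list are constructed for the example; a URL decoded from a QR code can be passed to <code>check_link</code> in the same way.</p>

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allow-list of domains the reader actually deals with (hypothetical).
TRUSTED_DOMAINS = {"uni.example", "theconversation.com"}

# Visible anchor text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": " ".join("".join(self._text).split())})
            self._href = None


def _same_site(a: str, b: str) -> bool:
    """True if one host is the other or a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons this link deserves suspicion (empty list means none found)."""
    findings: List[str] = []
    parts = urlparse(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme or '(none)'!r}")
        return findings
    if "@" in parts.netloc:
        findings.append(f"user-info before '@' disguises the real host {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode host {host!r} may render as look-alike characters")
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and not _same_site(host, trusted):
            findings.append(f"host {host!r} merely contains trusted name {trusted!r}")
    match = URL_LIKE.match(text)
    if match:
        shown = match.group(1).lower()
        if not _same_site(shown, host):
            findings.append(f"text shows {shown!r} but link goes to {host!r}")
    return findings


def analyse_email(html: str) -> List[Dict[str, object]]:
    """Run check_link over every anchor in an HTML message body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [{"href": link["href"], "text": link["text"],
             "findings": check_link(link["href"], link["text"])}
            for link in collector.links]


# Constructed HTML email body (not a real message).
SAMPLE_EMAIL = """
<p>Hi, your <a href="https://uni.example.login-reset.example/auth">uni.example</a> password expires today.</p>
<p>See the <a href="https://www.theconversation.com/">policy article</a> for background.</p>
<p>Or use <a href="https://xn--un-mia.example/portal">https://uni.example</a> directly.</p>
<p><a href="javascript:void(0)">Open the attachment</a></p>
<p><a href="https://uni.example@evil.example/">Staff portal</a></p>
"""

if __name__ == "__main__":
    for result in analyse_email(SAMPLE_EMAIL):
        marker = "ok " if not result["findings"] else "!! "
        print(marker, result["href"], "->", "; ".join(result["findings"]) or "no findings")
```

<p>The host comparison is deliberately crude (it has no public-suffix list), so it errs on the side of flagging. What it cannot do is follow redirects: a link on an innocent-looking shortener domain passes every check here and still lands on a malicious site, which is the case for not clicking at all.</p>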
<h2>Resist the urge to do something unsafe when on deadline</h2>
<p>Unfortunately, many workplaces still see cyber-unsafe behaviour as broadly acceptable and the pressure to do something unsafe, especially when on deadline, can be profound. </p>
<p>But by treading respectfully, and helpfully, you can improve your office reputation as a cybersafe staff member and help reduce the risk to your organisation.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
If you’re reluctant to share your password, or broadcast a team password in Slack or a group chat, your instincts are correct. But mocking those who ‘do the wrong thing’ is unlikely to help.
Nathalie Collins, Academic Director (National Programs), Edith Cowan University
Jeff Volkheimer, Director, Collaborative Services, Duke Health, Duke University
Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/152242
2021-01-04T19:08:57Z
2021-01-04T19:08:57Z
The Christmas gifts that keep giving (your data away) — and how to prevent this
<figure><img src="https://images.theconversation.com/files/376941/original/file-20210104-17-4umolp.jpg?ixlib=rb-1.1.0&rect=53%2C0%2C6000%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>With the festive season having come to a close, consumers the world over will be playing with a variety of new tech toys. </p>
<p>In <a href="https://www.techguide.com.au/amp/news/gaming-news/amazon-reveals-top-selling-products-record-christmas-boxing-day-sales/">recent</a> <a href="https://www.cnet.com/pictures/the-most-popular-gadgets-on-amazon-right-now/">years</a>, the most popular gadgets sold on Amazon have included a variety of smartphones, wearable tech, tablets, laptops and digital assistants such as Amazon’s Echo Dot. </p>
<p>And it’s likely our gifting habits over Christmas reflected this. But <a href="https://theconversation.com/robots-ai-and-drones-when-did-toys-turn-into-rocket-science-127503">any device connected</a> to the internet (including almost all of the above) exposes our personal data to <a href="https://www.weforum.org/agenda/2019/01/who-should-take-charge-of-our-cybersecurity/">a host of threats</a>. </p>
<p>Few of us stop to consider how our new devices may impact our digital footprint, or whether they could build new channels between ourselves and cyber criminals. </p>
<p>With this in mind, here are some simple tips to help you lock down your digital footprint this year.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="This cartoon graph explains how older devices are less likely to have security protections afforded by vendors." src="https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=403&fit=crop&dpr=1 600w, https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=403&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=403&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=507&fit=crop&dpr=1 754w, https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=507&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/376882/original/file-20210101-49872-1lvxtia.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=507&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">When it comes to smart home products in particular, almost all devices lose support from the vendor after a certain period (usually a couple of years). This means discontinued support and updates on security capabilities which may have once protected the device from hackers.</span>
<span class="attribution"><span class="source">xkcd.com/1966</span>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<h2>Use more sophisticated credentials</h2>
<p>First, when it comes to setting up a new device and/or account, you should always use a unique password — every single time. </p>
<p>While this task may sound painful, it’s made much easier by <a href="https://www.techradar.com/au/best/password-manager">password managers</a>. Should your password for a particular account be stolen, at least the others will remain secure.</p>
<p>It’s also worth checking the <a href="https://haveibeenpwned.com/">Have I Been Pwned?</a> website, which can reveal whether your online credentials have already been leaked.</p>
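<p>The Have I Been Pwned check above can be done without ever sending the password anywhere, using its Pwned Passwords “range” API: only the first five hex characters of the password’s SHA-1 hash are sent, and the matching is done locally on the returned list. As an added example (not the site’s own code), the script below shows that exchange. The API response is a constructed stand-in with made-up counts; the endpoint URL in <code>fetch_range</code> is the real one, but nothing here calls it unless you do.</p>

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_parts(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the API
    and the 35-char suffix that stays on this machine (k-anonymity range query)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(response_text: str, suffix: str) -> int:
    """Parse the API's 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (network access). Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, response_text: Optional[str] = None) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    Pass response_text to work offline; otherwise the prefix is looked up live."""
    prefix, suffix = hibp_parts(password)
    if response_text is None:
        response_text = fetch_range(prefix)
    return count_in_range(response_text, suffix)


# Constructed stand-in for the API response to prefix 5BAA6. The real response has
# hundreds of lines and the counts here are made up. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix appears in the list.
CONSTRUCTED_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    # Both checks run against the constructed list; a live query for the second
    # password would use its own, different prefix.
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", times_pwned(pw, CONSTRUCTED_RESPONSE), "appearances (constructed data)")
```

<p>The privacy property comes from the prefix: every 5-character range covers many hundreds of hashes, so the server learns only that your password hashes into that bucket. A password manager that offers breach checking typically does exactly this lookup for you.</p>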
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?</a>
</strong>
</em>
</p>
<hr>
<p>And even if you’re using more sophisticated <a href="https://www.csoonline.com/article/3339565/what-is-biometrics-and-why-collecting-biometric-data-is-risky.html">biometric-based approaches</a> on a device (such as face or fingerprint login), you can still <a href="https://theconversation.com/fingerprint-login-should-be-a-secure-defence-for-our-data-but-most-of-us-dont-use-it-properly-127442">leave yourself exposed</a> by having a weak password that can allow hackers to bypass the biometric.</p>
<p>Also, if you ever have to enter a credit card number or other financial details to set up an account, you may want to remove them through the service provider’s site or app.</p>
<p>Some services require ongoing payments, but deleting stored payment details where they are no longer needed will help protect your finances. Most services will provide an option to do this, although others may require you to get in touch directly.</p>
<h2>You don’t always have to be transparent online</h2>
<p>We constantly <a href="https://theconversation.com/your-personal-data-is-the-currency-of-the-digital-age-146386">provide our personal information</a> online in exchange for access to accounts and services. </p>
<p>Often this includes date of birth (to validate your age), postcode (to offer regionally locked services) or details such as your mother’s maiden name (to help restrict unauthorised access to your account). </p>
<p>Consider having a <a href="https://www.itpro.co.uk/privacy/30584/how-to-stay-anonymous-online">fake identity</a>. That way, if your details are stolen, your real data will be safe.</p>
<p>You may want to set up a sacrificial email account, or even a <a href="https://helpdeskgeek.com/free-tools-review/5-best-free-disposable-email-accounts/">temporary address</a> (also called a “burner email”) to sign onto services that are likely to spam you in the future. </p>
<p>Apple device users may want to explore the “<a href="https://support.apple.com/en-gb/HT210318">Sign in with Apple</a>” feature. This restricts the amount of personal data shared with the service being used. </p>
<p>It can also hide the user’s actual email address when registering — instead creating a site-specific alias that can later be blocked if necessary.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/your-personal-data-is-the-currency-of-the-digital-age-146386">Your personal data is the currency of the digital age</a>
</strong>
</em>
</p>
<hr>
<h2>What happens to our old devices?</h2>
<p>When new gadgets enter our lives, the old ones are often passed on to friends and family, sold to strangers, traded in, or simply recycled.</p>
<p>But before we discard our old devices into this growing <a href="https://www.abc.net.au/news/2019-07-31/getting-rid-of-ewaste-mobile-phones-study/11339412">technology mountain</a>, we should make sure they’re clear of our data. Otherwise, selling an old phone may also mean <a href="https://www.forbes.com/sites/kateashford/2015/07/31/old-phone/">inadvertently selling your private information</a>.</p>
<p>Many modern devices, particularly smartphones and tablets, have a factory reset option that removes all user data. On current phones the storage is encrypted and the reset discards the key, which is what makes the data unrecoverable; on older devices without encryption, a reset may leave data that can be recovered with forensic tools, so turn on device encryption before resetting if the option exists.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=757&fit=crop&dpr=1 600w, https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=757&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=757&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=952&fit=crop&dpr=1 754w, https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=952&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/376884/original/file-20210101-95764-1lexr8s.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=952&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">You can erase content and settings (personal information) from an Apple device by going into ‘settings’, ‘general’ and then ‘reset’.</span>
<span class="attribution"><span class="source">Author provided</span></span>
</figcaption>
</figure>
<p>For devices without a distinct wipe or reset option, you can consult with the user manual or manufacturer’s website (which will often have a copy of the user manual). If in doubt, there’s <a href="https://www.consumerreports.org/cro/2013/11/remove-personal-data-from-any-device/index.htm">plenty of online advice</a> on how to reset devices.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/SyJ1g7xhqL0?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">This video shows how to backup data from a PlayStation 4 console onto a USB drive, before completely wiping the console.</span></figcaption>
</figure>
<p>You may need to remove or unlink the old device from your online identities, such as <a href="https://support.apple.com/en-au/HT205064">your Apple ID</a>. </p>
<p>It may also be necessary to delete cloud-based accounts — such as <a href="https://blog.dropbox.com/topics/work-culture/how-to-unlink-a-device-from-your-dropbox">Dropbox</a> or <a href="https://www.techrepublic.com/article/how-to-remove-connected-apps-from-google-drive/">Google Drive</a> — set up specifically for that device. And don’t forget about data stored on devices being <a href="https://www.tripwire.com/state-of-security/off-topic/consumer-carelessness-leaves-sensitive-data-returned-devices/">returned to the seller</a> (perhaps after Boxing Day sales). </p>
<p>A 2019 UK study examining second-hand phones on eBay found only <a href="https://www.comparitech.com/blog/information-security/personal-data-left-on-mobile-phones/">52% had been properly wiped or reset</a>. </p>
<p>Moreover, 19% contained some form of personal information, ranging from active social media logins to bank account details.</p>
<h2>Parental responsibility</h2>
<p>Children (especially those in primary school) who use devices should be educated on <a href="https://www.theguardian.com/technology/2014/aug/11/how-to-keep-kids-safe-online-children-advice">safe internet practices</a> and <a href="https://www.esafety.gov.au/">cyber safety</a>. </p>
<p>While younger people are becoming increasingly tech-savvy with time, they don’t necessarily know the risks associated with using internet-connected technologies. </p>
<p>It’s important for parents to first learn about appropriate safeguards, and then <a href="https://theconversation.com/what-teenagers-need-to-know-about-cybersecurity-81059">remind their children of them</a> regularly. </p>
<h2>Don’t panic</h2>
<p>The good news is you don’t need special cyber security training for each new tech purchase. The lessons above are transferable, so the key is simply to remember to use them.</p>
<p>There are plenty of sources for further learning, including UK <a href="https://www.ncsc.gov.uk/cyberaware/home">Cyber Aware</a>, the <a href="https://www.getsafeonline.org/">Get Safe Online</a> initiative, and the Australian <a href="https://www.esafety.gov.au/">eSafety Commissioner’s</a> website.</p>
<p>To quote from the film The Hitchhiker’s Guide to the Galaxy: “don’t panic”. Just think carefully about how you use (or get rid of) your devices from now on.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Many of us will have received new gadgets this festive season. But how can we ensure these are set up safely? And what’s the best way to dispose of old devices being replaced?
Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Steven Furnell, Professor of Cyber Security, University of Nottingham
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/144418
2020-09-15T05:01:14Z
2020-09-15T05:01:14Z
A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?
<figure><img src="https://images.theconversation.com/files/358044/original/file-20200915-18-15h9xys.png?ixlib=rb-1.1.0&rect=125%2C89%2C3868%2C2155&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Paul Haskell-Dowland</span>, <span class="license">Author provided</span></span></figcaption></figure><p>Passwords have been used for thousands of years as a means of identifying ourselves to others and in more recent times, to computers. It’s a simple concept – a shared piece of information, kept secret between individuals and used to “prove” identity. </p>
<p>Passwords in an IT context <a href="https://www.wired.com/2012/01/computer-password/">emerged in the 1960s</a> with <a href="https://www.techopedia.com/definition/24356/mainframe">mainframe</a> computers – large centrally operated computers with remote “terminals” for user access. They’re now used for everything from the PIN we enter at an ATM, to logging in to our computers and various websites.</p>
<p>But why do we need to “prove” our identity to the systems we access? And why are passwords so hard to get right?</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-long-history-and-short-future-of-the-password-76690">The long history, and short future, of the password</a>
</strong>
</em>
</p>
<hr>
<h2>What makes a good password?</h2>
<p>Until relatively recently, a good password might have been a word or phrase of as little as six to eight characters. But we now have minimum length guidelines. This is because of “entropy”.</p>
<p>When talking about passwords, entropy is a <a href="https://www.itdojo.com/a-somewhat-brief-explanation-of-password-entropy/">measure of how unpredictable a password is</a>. The maths behind this isn’t complex, but let’s examine it with an even simpler measure: the number of possible passwords, sometimes referred to as the “password space”. </p>
<p>If a one-character password only contains one lowercase letter, there are only 26 possible passwords (“a” to “z”). By including uppercase letters, we increase our password space to 52 potential passwords. </p>
<p>The password space continues to expand as the length is increased and other character types are added.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=133&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=133&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=133&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=167&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=167&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358023/original/file-20200915-22-106wwtv.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=167&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Making a password longer or more complex greatly increases the potential ‘password space’. More password space means a more secure password.</span>
</figcaption>
</figure>
<p>Looking at the above figures, it’s easy to understand why we’re encouraged to use long passwords with upper and lowercase letters, numbers and symbols. The more complex the password, the more attempts needed to guess it.</p>
<p>However, the problem with depending on password complexity is that computers are highly efficient at repeating tasks – including guessing passwords. </p>
<p>Last year, a <a href="https://www.cbronline.com/news/stolen-user-credentials">record was set</a> for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.</p>
<p>By leveraging this computing power, cyber criminals can hack into systems by bombarding them with as many password combinations as possible, in a process called <a href="https://www.kaspersky.com/resource-center/definitions/brute-force-attack">brute force attacks</a>.</p>
<p>And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as US$25.</p>
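<p>To make the password-space arithmetic above concrete, here is a small Python script that is an added example, not code from the article or its authors. It computes the password space and its entropy in bits for the character sets and lengths the article discusses, and converts the space into a worst-case time to exhaust it at the 100,000,000,000 guesses-per-second rate the article cites. The alphabet sizes (26, 52, 62 and 95 printable ASCII characters) and the lengths in the table are the example’s own assumptions; the entropy figure assumes a password chosen uniformly at random, which a human-chosen password never is.</p>

```python
import math

# Character-class sizes used in the article's "password space" discussion
# (assumed here; 95 = letters, digits, space and 32 punctuation characters).
LOWERCASE = 26
MIXED_CASE = 52                 # 26 lowercase + 26 uppercase
MIXED_CASE_DIGITS = 62          # plus the digits 0-9
ALL_PRINTABLE_ASCII = 95

# Guess rate quoted in the article: more than 100,000,000,000 per second.
GUESSES_PER_SECOND = 100_000_000_000


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from that space
    (log2 of the password space). A human-chosen password has less than this."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space at `rate` guesses/second."""
    return password_space(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit, to one decimal place."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=(6, 8, 12, 16)):
    """Rows of (character set, length, entropy bits, worst-case time) per combination."""
    sets = (("lowercase", LOWERCASE), ("mixed case", MIXED_CASE),
            ("mixed case + digits", MIXED_CASE_DIGITS),
            ("all printable ASCII", ALL_PRINTABLE_ASCII))
    return [(name, n, round(entropy_bits(size, n), 1),
             human_duration(seconds_to_exhaust(size, n)))
            for name, size in sets for n in lengths]


if __name__ == "__main__":
    for name, n, bits, duration in crack_time_table():
        print(f"{name:20} {n:2} chars  {bits:6.1f} bits  {duration}")
```

<p>Run it and the pattern the article describes appears directly: eight lowercase characters fall in about two seconds at that rate, eight characters from the full printable set take under a day, and only length pushes the figure into years. Time to exhaust the space is an upper bound; a guesser working from common passwords first will usually finish far sooner.</p>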
<p>Also, because passwords are almost always used to give access to sensitive data or important systems, this motivates cyber criminals to actively seek them out. It also drives a lucrative online market selling passwords, some of which come with email addresses and/or usernames.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=343&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=343&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=343&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=431&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=431&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358018/original/file-20200915-18-gv34ol.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=431&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">You can purchase almost 600 million passwords online for just AU$14!</span>
</figcaption>
</figure>
<h2>How are passwords stored on websites?</h2>
<p>Website passwords are usually stored in a protected manner using a mathematical algorithm called <a href="https://www.wired.com/2016/06/hacker-lexicon-password-hashing/">hashing</a>. A hashed password is unrecognisable and can’t be turned back into the password (an irreversible process). </p>
<p>When you try to log in, the password you enter is hashed using the same process and compared to the version stored on the site. This process is repeated each time you log in.</p>
<p>For example, the password “Pa$$w0rd” is given the value “02726d40f378e716981c4321d60ba3a325ed6a4c” when calculated using the SHA1 hashing algorithm. Try it <a href="https://passwordsgenerator.net/sha1-hash-generator/">yourself</a>. </p>
<p>When faced with a file full of hashed passwords, a brute force attack can be used, trying every combination of characters for a range of password lengths. This has become such common practice that there are websites that list common passwords alongside their (calculated) hashed value. You can simply search for the hash to reveal the corresponding password.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=226&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=226&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=226&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=285&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=285&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358017/original/file-20200915-20-1xj66q1.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=285&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">This screenshot of a Google search result for the SHA hashed password value ‘02726d40f378e716981c4321d60ba3a325ed6a4c’ reveals the original password: ‘Pa$$w0rd’.</span>
</figcaption>
</figure>
<p>The theft and sale of password lists is now so common that a <a href="https://haveibeenpwned.com/">dedicated website</a> — haveibeenpwned.com — is available to help users check if their accounts are “in the wild”. This has grown to include more than 10 billion account details.</p>
<p>If your email address is listed on this site you should definitely change the detected password, as well as on any other sites for which you use the same credentials.</p>
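<p>The two preceding sections, hash lookup and breach checking, can be shown together in one added Python example that is not code from the article or its authors. It reproduces the article’s SHA-1 example and “reverses” the digest by lookup against a constructed hash-to-password table (standing in for the search-engine result the screenshot shows), then contrasts this with a salted, deliberately slow PBKDF2 hash, where the per-user salt makes precomputed tables useless. It also implements the k-anonymity range check that Have I Been Pwned’s Pwned Passwords service uses for passwords (as opposed to the e-mail lookup described above): only the first five hex characters of the SHA-1 leave the client. The range response here is constructed inline so the script runs offline; the 1234 breach count and the two unrelated suffixes are made up.</p>

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# SHA-1 of "Pa$$w0rd" as quoted in the article.
PAGE_SHA1 = "02726d40f378e716981c4321d60ba3a325ed6a4c"

# Constructed stand-in for the public "hash -> password" lookup sites the article
# describes: a few common passwords hashed with plain, unsalted SHA-1.
KNOWN_HASHES = {hashlib.sha1(p.encode()).hexdigest(): p
                for p in ("123456", "password", "qwerty", "Pa$$w0rd")}


def sha1_hex(password: str) -> str:
    """Plain SHA-1 hex digest, the scheme in the article's example."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def matches_page_value() -> bool:
    """Does our SHA-1 of 'Pa$$w0rd' equal the value the article quotes?"""
    return sha1_hex("Pa$$w0rd") == PAGE_SHA1


def reverse_by_lookup(digest: str) -> Optional[str]:
    """An unsalted fast hash is 'reversed' by looking it up, not by inverting it."""
    return KNOWN_HASHES.get(digest.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. A random per-user salt means two
    users with the same password get different hashes, so a table of precomputed
    hashes is useless; the iteration count makes every guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check in the style of the Pwned Passwords range API: send only the
    first five hex characters of the SHA-1, receive every known suffix for that prefix
    with its breach count, and match locally. `fetch_range` is injected so this runs
    offline (a real client would issue an HTTPS GET for the prefix)."""
    digest = sha1_hex(password).upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def constructed_range_response(prefix: str) -> str:
    """Constructed stand-in for the range API (suffix:count lines). It 'knows'
    Pa$$w0rd with a made-up count of 1234 plus two unrelated, made-up suffixes."""
    full = sha1_hex("Pa$$w0rd").upper()
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:3",
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2"]
    if full.startswith(prefix):
        lines.append(f"{full[5:]}:1234")
    return "\n".join(lines)


if __name__ == "__main__":
    print("SHA-1 matches article:", matches_page_value())
    print("lookup reverses SHA-1:", reverse_by_lookup(sha1_hex("Pa$$w0rd")))
    stored = hash_password("Pa$$w0rd")
    print("salted verify:", verify_password("Pa$$w0rd", stored))
    print("breach count:", pwned_count("Pa$$w0rd", constructed_range_response))
```

<p>The point for site operators is in the contrast between <code>reverse_by_lookup</code> and <code>hash_password</code>: the “irreversible” property the article describes only holds in practice when the hash is salted and slow, because a fast unsalted hash of a common password is effectively a search key. For users, the range check shows that a password can be tested against a breach corpus without the password itself ever being transmitted.</p>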
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/will-the-hack-of-500-million-yahoo-accounts-get-everyone-to-protect-their-passwords-65987">Will the hack of 500 million Yahoo accounts get everyone to protect their passwords?</a>
</strong>
</em>
</p>
<hr>
<h2>Is more complexity the solution?</h2>
<p>You would think with so many password breaches occurring daily, we would have improved our password selection practices. Unfortunately, last year’s annual <a href="https://www.securitymagazine.com/articles/91461-the-worst-passwords-of-2019">SplashData password survey</a> has shown little change over five years.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=247&fit=crop&dpr=1 600w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=247&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=247&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=310&fit=crop&dpr=1 754w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=310&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/358021/original/file-20200915-18-enzvfe.PNG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=310&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The 2019 annual SplashData password survey revealed the most common passwords from 2015 to 2019.</span>
</figcaption>
</figure>
<p>As computing capabilities increase, the solution would appear to be increased complexity. But as humans, we are not skilled at (nor motivated to) remember highly complex passwords. </p>
<p>We’ve also passed the point where we use only two or three systems needing a password. It’s now common to access numerous sites, with each requiring a password (often of varying length and complexity). A recent survey suggests there are, on average, <a href="https://www.newswire.com/news/new-research-most-people-have-70-80-passwords-21103705">70-80 passwords per person</a>.</p>
<p>The good news is there are tools to address these issues. Most computers now support password storage in either the operating system or the web browser, usually with the option to share stored information across multiple devices. </p>
<p>Examples include Apple’s <a href="https://www.computerworld.com/article/3254183/how-to-use-icloud-keychain-the-guide.html">iCloud Keychain</a> and the ability to save passwords in Internet Explorer, Chrome and Firefox (although <a href="https://www.howtogeek.com/447345/why-you-shouldnt-use-your-web-browsers-password-manager/">less reliable</a>).</p>
<p><a href="https://tech.co/password-managers/what-is-a-password-manager">Password managers</a> such as KeePassXC can help users generate long, complex passwords and store them in a secure location for when they’re needed. </p>
<p>While this location still needs to be protected (usually with a long “master password”), using a password manager lets you have a unique, complex password for every website you visit.</p>
<p>This won’t prevent a password from being stolen from a vulnerable website. But if it is stolen, you won’t have to worry about changing the same password on all your other sites. </p>
<p>There are of course vulnerabilities in these solutions too, but perhaps that’s a story for another day.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/facebook-hack-reveals-the-perils-of-using-a-single-account-to-log-in-to-other-services-104227">Facebook hack reveals the perils of using a single account to log in to other services</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
One website dedicated to tracking stolen passwords suggests there are details of currently more than 10 billion compromised accounts available online.
Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Brianna O'Shea, Lecturer, Ethical Hacking and Defense, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/144682
2020-09-03T20:01:33Z
2020-09-03T20:01:33Z
Can I still be hacked with 2FA enabled?
<figure><img src="https://images.theconversation.com/files/356028/original/file-20200902-20-1ogicca.jpg?ixlib=rb-1.1.0&rect=119%2C29%2C4872%2C3712&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Cybersecurity is like a game of whack-a-mole. As soon as the good guys put a stop to one type of attack, another pops up. </p>
<p>Usernames and passwords were once good enough to keep an account secure. But before long, cybercriminals figured out how to get around this. </p>
<p>Often they’ll use “<a href="https://www.kaspersky.com/resource-center/definitions/brute-force-attacks">brute force attacks</a>”, bombarding a user’s account with various password and login combinations in a bid to guess the correct one.</p>
<p>To deal with such attacks, a second layer of security was added in an approach known as two-factor authentication, or 2FA. It’s widespread now, but does 2FA also leave room for loopholes cybercriminals can exploit?</p>
<h2>2FA via text message</h2>
<p>There are various types of 2FA. The most common method is to be sent a single-use code as an SMS message to your phone, which you then enter following a prompt from the website or service you’re trying to access. </p>
<p>Most of us are familiar with this method as it’s favoured by major social media platforms. However, while it may seem safe enough, it isn’t necessarily. </p>
<p>Hackers have been known to <a href="https://www.youtube.com/watch?v=kHI90LbBwaQ">trick</a> mobile phone carriers (such as Telstra or Optus) into transferring a victim’s phone number to their own phone.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/2-5-billion-lost-over-a-decade-nigerian-princes-lose-their-sheen-but-scams-are-on-the-rise-141289">$2.5 billion lost over a decade: 'Nigerian princes' lose their sheen, but scams are on the rise</a>
</strong>
</em>
</p>
<hr>
<p>Pretending to be the intended victim, the hacker contacts the carrier with a story about losing their phone, requesting a new SIM with the victim’s number to be sent to them. Any authentication code sent to that number then goes directly to the hacker, granting them access to the victim’s accounts.</p>
<p>This method is called <a href="https://securelist.com/large-scale-sim-swap-fraud/90353/">SIM swapping</a>. It’s probably the easiest of <a href="https://www.forbes.com/sites/forbestechcouncil/2020/08/21/how-threat-actors-are-bypassing-two-factor-authentication-for-privileged-access/#50278f2b649e">several types</a> of scams that can circumvent 2FA.</p>
<p>And while carriers’ verification processes for SIM requests are improving, a competent trickster can talk their way around them. </p>
<h2>Authenticator apps</h2>
<p>The authenticator method is more secure than 2FA via text message. It works on a principle known as TOTP, or “time-based one-time password”. </p>
<p>TOTP is more secure than SMS because a code is generated on your device rather than being sent across the network, where it might be intercepted. </p>
<p>The authenticator method uses apps such as Google Authenticator, LastPass, 1Password, Microsoft Authenticator, Authy and Yubico.</p>
<p>However, while it’s safer than 2FA via SMS, there have been <a href="https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/">reports</a> of hackers stealing authentication codes from Android smartphones. They do this by tricking the user into installing <a href="https://au.pcmag.com/security/65791/android-malware-can-steal-2fa-codes-from-google-authenticator-app#:%7E:text=To%20steal%20the%20Google%20Authenticator,be%20advertised%20by%20Cerberus's%20creators.">malware</a> (software designed to cause harm) that copies and sends the codes to the hacker. </p>
<p>The Android operating system is easier to hack than the iPhone iOS. Apple’s iOS is proprietary, while Android is open-source, making it easier to install malware on.</p>
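<p>The TOTP principle described at the start of this section is short enough to implement in full. The Python below is an added example, not code from the article, its authors or any of the authenticator apps named above; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and checks itself against the published RFC 6238 test vectors, whose seed (the ASCII string <code>12345678901234567890</code>) is test data rather than any real account’s seed. It also includes the server-side check a service should perform: a small tolerance window for clock skew, a constant-time comparison, and refusal to accept a counter that has already been used, so a code captured by the kind of malware described above cannot be replayed even within its 30-second lifetime.</p>

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Seed from the RFC 6238 test vectors (published test data, not a real account's seed).
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). Both sides compute
    this locally from the shared seed, so no code ever crosses the network."""
    return hotp(secret, timestamp // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, timestamp: int, window: int = 1,
                last_used: Optional[int] = None, step: int = 30,
                digits: int = 6) -> Optional[int]:
    """Server-side check. Accepts codes from `window` steps either side of now (clock
    skew) but never a counter at or below `last_used`, so a code that was intercepted
    cannot be replayed. Returns the matched counter (to be stored as the new
    `last_used`) or None."""
    current = timestamp // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def seed_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed Base32-encoded (the otpauth:// URI behind
    the QR code); this decodes it, tolerating spaces and missing padding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code for the test seed:", totp(RFC6238_SEED, now))
    print("RFC 6238 vector at t=59 (expect 94287082):", totp(RFC6238_SEED, 59, digits=8))
```

<p>The seed is the whole secret: anyone holding it can run <code>totp</code> exactly as the app does, which is why the malware described above copies codes or seeds from the device rather than attacking the algorithm. On the server, store the seed as carefully as a password-equivalent and persist the counter returned by <code>verify_totp</code> so the replay check survives restarts.</p>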
<h2>2FA using details unique to you</h2>
<p>Biometric methods are another form of 2FA. These include fingerprint login, face recognition, retinal or iris scans, and voice recognition. Biometric identification is becoming popular for its ease of use. </p>
<p>Most smartphones today can be unlocked by placing a finger on the scanner or letting the camera scan your face – much quicker than entering a password or passcode. </p>
<p>However, biometric data can be hacked, too, either from the servers where it is stored or from the software that processes it. </p>
<p>One case in point is last year’s <a href="https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data">Biostar 2 data breach</a> in which nearly 28 million biometric records were hacked. BioStar 2 is a security system that uses facial recognition and fingerprinting technology to help organisations secure access to buildings.</p>
<p>There can also be false negatives and false positives in biometric recognition. Dirt on the fingerprint reader or on the person’s finger can lead to false negatives. Also, faces can sometimes be similar enough to <a href="https://www.wired.co.uk/article/avoid-facial-recognition-software">fool facial recognition systems</a>.</p>
<p>Another type of 2FA comes in the form of personal security questions such as “what city did your parents meet in?” or “what was your first pet’s name?”</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-be-phish-food-tips-to-avoid-sharing-your-personal-information-online-138613">Don't be phish food! Tips to avoid sharing your personal information online</a>
</strong>
</em>
</p>
<hr>
<p>Only the most determined and resourceful hacker will be able to find answers to these questions. It’s unlikely, but still possible, especially as more of us adopt public online profiles.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Person looks at a social media post from a woman, on their mobile." src="https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/356182/original/file-20200903-14-1hxkata.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Often when we share our lives on the internet, we fail to consider what kinds of people may be watching.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>2FA remains best practice</h2>
<p>Despite all of the above, the biggest vulnerability to being hacked is still the human factor. Successful hackers have a bewildering array of psychological tricks in their arsenal.</p>
<p>A cyber attack could come as a polite request, a scary warning, a message ostensibly from a friend or colleague, or an intriguing “clickbait” link in an email.</p>
<p>The best way to protect yourself from hackers is to develop a healthy amount of scepticism. If you carefully check websites and links before clicking through and also use 2FA, the chances of being hacked become vanishingly small. </p>
<p>The bottom line is that 2FA is effective at keeping your accounts safe. However, try to avoid the less secure SMS method when given the option. </p>
<p>Just as burglars in the real world focus on houses with poor security, hackers on the internet look for weaknesses. </p>
<p>And while any security measure can be overcome with enough effort, a hacker won’t make that investment unless they stand to gain something of greater value.</p>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Two-factor authentication is certainly an added layer of security as we traverse the online world. But it comes in various forms, and they’re not all equally protective.
David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/135799
2020-04-10T12:17:15Z
2020-04-10T12:17:15Z
Videoconferencing keeps people connected while the coronavirus keeps them inside – but privacy and security are far from perfect
<figure><img src="https://images.theconversation.com/files/326675/original/file-20200408-150164-wo6t5f.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3000%2C1998&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Face to face, virtually.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/asian-woman-working-with-laptop-on-the-bed-royalty-free-image/1204226034?adppopup=true">SammyVision/Moment via Getty Images</a></span></figcaption></figure><p>If, before COVID-19, you were concerned about all the <a href="https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy">data that technology companies had about you</a>, just wait. As stay-at-home orders push more professional and social activities online, it’s becoming harder to remain in control.</p>
<p>Look no further than Zoom, which suffered <a href="https://www.vox.com/recode/2020/3/31/21201019/zoom-coronavirus-privacy-hacks">dual security and privacy crises</a> in the past few weeks. Lawsuits alleging data-sharing violations, as well as hackers, have descended on the software, which has led <a href="https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/">Google and school districts to ban Zoom</a> for professional use.</p>
<p>I’m a researcher who investigates <a href="https://doi.org/10.1177%2F1461444818801317">how these concerns affect the use of online platforms</a>. The first thing to understand is that privacy and security are two different things, and they have different consequences for using videoconferencing platforms.</p>
<h2>Privacy versus security</h2>
<p>Privacy refers to individuals’ <a href="https://www.un.org/en/universal-declaration-human-rights/">universal rights</a> to control their data. Security is how that data is protected. One or both can be compromised when using popular videoconferencing tools, leaving personal information vulnerable.</p>
<p>For example, say someone signs up for a new videoconferencing platform using full name, email address and phone number. Ideally, the platform company would maintain both privacy and security, meaning the company wouldn’t share that person’s information outside the company, and would keep their system protected from hackers and viruses. The most private platforms, like <a href="https://signal.org/">Signal</a> and <a href="https://apps.apple.com/us/app/facetime/id1110145091">FaceTime</a>, use end-to-end encryption to ensure that even the companies themselves do not have access to the contents of anyone’s communication. When such systems are kept secure, they are the best communication tools to use.</p>
<p>Alternatively, a company could compromise privacy but maintain security, meaning it would collect information about video calls and sell that data to a third party for marketing purposes. Many companies will include such conditions in their terms of service, <a href="https://doi.org/10.1080/1369118X.2018.1486870">which users rarely read</a>. However, companies have incentive to maintain security; they don’t want to be overrun with criminals or pranksters, which could damage their reputations. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=429&fit=crop&dpr=1 600w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=429&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=429&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=539&fit=crop&dpr=1 754w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=539&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/327021/original/file-20200409-122223-6hh2v4.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=539&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Videoconferencing software mapped in terms of security and privacy protections.</span>
<span class="attribution"><span class="source">Elizabeth Stoycheff</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>The worst case is when a company surrenders both privacy and security, meaning it shares personal information with third parties and <a href="https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/">fails to prevent data breaches</a>. Offerings from these companies are the riskiest of all digital tools, and unfortunately, they’re all too common.</p>
<p>Here’s how some of the most popular video conferencing services stack up.</p>
<h2>Videoconferencing options</h2>
<p>Zoom’s most recent <a href="https://zoom.us/privacy">privacy policy</a> states that the company “do[es] not allow third parties to use any personal data obtained from users for their own purposes, unless you consent.” However, Zoom is currently facing a lawsuit alleging that it violated this agreement and <a href="https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/">shared user data with Facebook</a>. The company claims that this was a security, not a privacy, breach and that it was not compensated for data sharing. </p>
<p>Zoom has also come under fire for security flaws that have allowed “<a href="https://www.cbsnews.com/news/zoom-video-conferencing-feature-freeze-security-flaws/">Zoom-bombers</a>” to intrude on personal calls, often using profane or obnoxious content. The company admitted that it has <a href="https://www.cbsnews.com/news/zoom-video-conferencing-feature-freeze-security-flaws/">fallen short on protecting users’ privacy and security</a> and is working to fix the problems.</p>
<p>Microsoft Teams’ <a href="https://privacy.microsoft.com/en-us/privacystatement">privacy policy</a> leaves no questions. It explicitly states that it “collects data from you, through our interactions with you and through our products.” It is upfront about using this information to market to users, personalize their experiences and even participate in legal investigations. In other words, make no presumptions of privacy here – all personal data on the platform is fair game.</p>
<p>To differentiate its security from Zoom’s, Microsoft Teams has implemented <a href="https://docs.microsoft.com/en-us/microsoftteams/sign-in-teams">dual-factor authentication</a>, meaning passwords are not enough. Users need to also enter email or text codes to log in. The Microsoft family of software – though not Teams specifically – confronted a number of security problems this year, including a <a href="https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/#6b52e7eb4d1b">breach of its customer service center</a> that exposed 14 years of information. The jury is still out on whether it’s a more secure alternative to Zoom. </p>
<p>Unlike Zoom and Teams, Webex offers hosts the option of <a href="https://help.webex.com/en-us/WBX44739/What-Does-End-to-End-Encryption-Do">end-to-end encryption</a>, meaning only the sender of a message and its recipient have access to the data within. This is a strong privacy feature, but it’s elective and tends to limit the usefulness of the tool. </p>
<p>Webex is not immune to security breaches, but the difference between this company and its competitors is its transparency and quick patches. The platform actively maintains a <a href="https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&keyword=webex&sort=-day_sir#%7EVulnerabilities">public list of vulnerabilities</a>, which documents how the company has resolved them. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/327034/original/file-20200409-165427-jnt7sf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Zoom’s virtual waiting room, which prevents participants from joining a meeting without the host’s permission, is now on by default.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/pswansen/3063800085/in/photolist-5EJM2p-JPi3FZ-7t2yqf-8ZXGeW-2g3JYxh-eiVy7g-e4aj2K-myiYTZ-CmrmN-LavrPD-4SeE5A-9Fa1B7-CGE2MP-2hik4n2-28xqcvB-27ay7yw-zZVya-59uCCp-KUGD7U-5SS6g4-2biAdP8-ssKBF-25gDuEE-gqR2w-yJvxX-jP4Bw-8GtNWR-8ET3eb-8ESVQE-53xshM-7yuQFL-n79k9-8ET6e1-MaG4Q-GUP3p-GPp44-tLRgh-24GP516-EsqKvb-ps2H3X-Nfx8dX-nLDitH-b4PyCK-bgHNJT-dFrFn5-noXW3G-MBipMs-FfZEbr-4Y5poN-2gP6pLo">Paul Swansen/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>Skype has a privacy problem. It <a href="https://www.comparitech.com/blog/information-security/is-skype-safe-and-secure-what-are-the-alternatives/">shares user data</a> with third parties, across the entire Microsoft family, and even with law enforcement when asked. In a benign effort to improve customer service, it <a href="https://www.theguardian.com/technology/2020/jan/10/skype-audio-graded-by-workers-in-china-with-no-security-measures">allowed employees to access recordings of Skype conversations</a> from their personal computers over a period of several years. Such tasks have since been transferred to a secure facility, but it doesn’t change the fact that if you’ve used Skype lately, your privacy has been compromised. </p>
<p>Like Teams, Skype uses dual-factor authentication, but it was also likely compromised in the <a href="https://docs.microsoft.com/en-us/microsoftteams/sign-in-teams">massive Microsoft customer service breach</a> earlier this year. </p>
<p>Long before Facebook acquired WhatsApp, the video chat service provided <a href="https://faq.whatsapp.com/en/android/28030015/">end-to-end encryption</a> on calls and messages. The privacy of chats here is, and always has been, protected. </p>
<p>However, WhatsApp suffered a very public security breach when Jeff Bezos’ personal messages were compromised by spyware and leaked. That was one of <a href="https://www.businessinsider.com/jeff-bezos-hack-whatsapp-disclosed-security-flaws-last-year-ft-2020-1">12 vulnerabilities</a> the platform faced last year. </p>
<p>Apple’s FaceTime also boasts <a href="https://www.apple.com/privacy/features/">end-to-end protections</a>, and the company has upheld its commitment to privacy by <a href="https://www.npr.org/sections/thetwo-way/2016/02/25/468158520/why-apple-says-it-wont-help-unlock-that-iphone-in-5-key-quotes">refusing requests from the FBI</a> to access user devices. It’s positioning itself as a steward of user privacy.</p>
<p>Like other services, FaceTime has been susceptible to occasional security hacks. In early 2019, users reported a <a href="https://www.npr.org/2019/01/29/689581417/apple-disables-group-facetime-after-security-flaw-let-callers-secretly-eavesdrop">security glitch in its group calls</a> where recipients could hear and see callers before answering. The feature was disabled and patched, and the service has been without a major incident since. </p>
<h2>Settings and choices</h2>
<p>Across all these platforms, people should use complex passwords, turn on enhanced security features, like the use of <a href="https://support.zoom.us/hc/en-us/articles/115000332726-Waiting-Room">waiting rooms</a> and <a href="https://docs.microsoft.com/en-us/microsoftteams/manage-channel-moderation-in-teams">channel moderation</a>, and make sure conferences are restricted to intended guests. It’s also important to consider what can be seen on camera, like a loan statement pinned to a bulletin board or an envelope with a home address visible. Try videoconferencing in front of a neutral wall or using <a href="https://support.skype.com/en/faq/FA34896/what-is-background-blur-in-skype">blurred</a> or <a href="https://office365itpros.com/2020/04/06/teams-meeting-background-image/">customized</a> backdrops to keep the home environment off camera. </p>
<p>There’s still room in the market for more reliably secure, private videoconferencing systems. But in the meantime, not all communication requires the same levels of privacy and security. People might not care much if marketers or even pranksters crash their G-rated happy hours. But confidential client meetings and remote health care consultations are another matter. The companies’ offerings and track records, outlined here, should help people choose the videoconferencing tool that best balances usefulness with privacy and security.</p>
<p class="fine-print"><em><span>Elizabeth Stoycheff has received grant funding from WhatsApp, but it has not influenced the information in this article.</span></em></p>
Zoom’s privacy and security shortcomings are just the latest videoconferencing vulnerabilities. Knowing each platform’s risks can help people avoid many of the downsides of virtual gatherings.
Elizabeth Stoycheff, Associate Professor of Communication, Wayne State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/131355
2020-02-18T12:55:59Z
2020-02-18T12:55:59Z
Quantum internet: the next global network is already being laid
<figure><img src="https://images.theconversation.com/files/315929/original/file-20200218-11044-1kipupu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">shutterstock</span> </figcaption></figure><p>Google reported a remarkable breakthrough towards the end of 2019. The <a href="https://www.nature.com/articles/s41586%20019%201666%205">company claimed</a> to have achieved something called <a href="https://theconversation.com/why-are-scientists-so-excited-about-a-recently-claimed-quantum-computing-milestone-124082">quantum supremacy</a>, using a new type of “quantum” computer to perform a benchmark test in 200 seconds. This was in stark contrast to the 10,000 years that would supposedly have been needed by a state-of-the-art conventional supercomputer to complete the same test.</p>
<p>Despite <a href="https://theconversation.com/google-and-ibm-are-at-odds-over-quantum-supremacy-an-expert-explains-what-it-really-means-125827">IBM’s claim</a> that its supercomputer, with a little optimisation, could solve the task in a matter of days, Google’s announcement made it clear that we are entering a new era of incredible computational power.</p>
<p>Yet with much less fanfare, there has also been rapid progress in the development of quantum communication networks, and a master network to unite them all called the quantum internet. Just as the internet as we know it followed the development of computers, we can expect the quantum computer to be accompanied by the safer, better synchronised quantum internet.</p>
<p>Like quantum computing, quantum communication records information in what are known as qubits, similar to the way digital systems use bits and bytes. Whereas a bit can only take the value of zero or one, a qubit can also use the principles of quantum physics to take the value of zero and one at the same time. This is what allows quantum computers to perform certain computations very quickly. Instead of solving several variants of a problem one by one, the quantum computer can handle them all at the same time.</p>
<p>These qubits are central to the quantum internet because of a property called entanglement. If two entangled qubits are geographically separated (for instance, one qubit in Dublin and the other in New York), measurements of both would yield the same result. This would enable the ultimate in secret communications, a shared knowledge between two parties that cannot be discovered by a third. The resulting ability to code and decode messages would be one of the most powerful features of the quantum internet. </p>
<h2>Commercial applications</h2>
<p>There will be no shortage of commercial applications for these advanced cryptographic mechanisms. The world of finance, in particular, looks set to benefit as the quantum internet will lead to enhanced privacy for online transactions and stronger proof of the funds used in the transaction.</p>
<p>Recently, at the <a href="https://connectcentre.ie/">CONNECT Centre in Trinity College Dublin</a>, we successfully implemented an algorithm that could achieve this level of security. That this took place <a href="https://labs.ripe.net/Members/becha/results-of-the-pan-european-quantum-internet-hackathon">during a hackathon</a> – a sort of competition for computer programmers – shows that even enthusiasts without detailed knowledge of quantum physics can create some of the building blocks that will be needed for the quantum internet. This technology won’t be confined to specialist university departments, just as the original internet soon <a href="https://theconversation.com/how-the-internet-was-born-from-the-arpanet-to-the-internet-68072">outgrew its origins</a> as a way to connect academics around the world. </p>
<p>But how could this quantum internet be built anytime soon when we currently can only build very limited quantum computers? Well, the devices in the quantum internet don’t have to be completely quantum in nature, and the network won’t require massive quantum machines to handle the communication protocols.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/315926/original/file-20200218-11011-145z3x8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Future devices wouldn’t need to be full quantum computers to connect to the quantum internet.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/innovative-technologies-science-medicine-410054164">Sergey Nivens/Shutterstocks</a></span>
</figcaption>
</figure>
<p>One qubit here and there is all a quantum communication network needs to function. Instead of replacing the current infrastructure of optical fibres, data centres and base stations, the <a href="https://science.sciencemag.org/content/362/6412/eaam9288.abstract">quantum internet</a> will build on top of and make maximum use of the existing, classical internet.</p>
<p>With such rapid progress being made, quantum internet technology is set to shape the business plans of telecom companies in the near future. Financial institutions are <a href="https://www.digfingroup.com/huishang/">already using</a> quantum communication networks to make inter-bank transactions safer. And <a href="https://theconversation.com/chinas-quantum-satellite-could-make-data-breaches-a-thing-of-the-past-66863">quantum communication satellites</a> are up and running as the first step to extending these networks to a global scale.</p>
<p>The pipes of the quantum internet are effectively being laid as you read this. When a big quantum computer is finally built, it can be plugged into this network and accessed on the cloud, with all the privacy guarantees of quantum cryptography.</p>
<p>What will the ordinary user notice when the enhanced cryptography of the quantum internet becomes available? Very little, in all likelihood. Cryptography is like waste management: if everything works well, the customer doesn’t even notice.</p>
<p>In the constant race of the codemakers and codebreakers, the quantum internet won’t just prevent the codebreakers taking the lead. It will move the race track into another world altogether, with a significant head start for the codemakers. With data becoming the currency of our times, the quantum internet will provide stronger security for a new valuable commodity.</p>
<p class="fine-print"><em><span>Harun Šiljak works for CONNECT, Science Foundation Ireland Research Centre for Future Networks and Communications.</span></em></p>
Quantum communication is needed to make the internet much more secure.
Harun Šiljak, Postdoctoral Research Fellow in Complex Systems Science for Telecommunications, Trinity College Dublin
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/130200
2020-01-27T18:52:30Z
2020-01-27T18:52:30Z
Australia’s National Digital ID is here, but the government’s not talking about it
<figure><img src="https://images.theconversation.com/files/311774/original/file-20200124-81362-r2ebg0.jpg?ixlib=rb-1.1.0&rect=5%2C0%2C3589%2C2398&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A national digital ID system would hold huge amounts of personal information.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>The Australian government’s Digital Transformation Agency (DTA) has <a href="https://www.itnews.com.au/news/australias-digital-identity-bill-tops-200m-535700">spent more than A$200 million</a> over the past five years developing a National Digital ID platform. If successful, the project could streamline commerce, resolve bureaucratic quagmires, and improve national security.</p>
<p>The emerging results of the project may give the Australian public cause for concern. </p>
<p>Two mobile apps built on the DTA’s Trusted Digital Identification Framework (TDIF) have <a href="https://www.itnews.com.au/news/ato-set-to-launch-mygovid-on-android-devices-531544">recently</a> been <a href="https://www.itnews.com.au/news/ausposts-digital-id-accredited-by-government-528637">released</a> to consumers. The apps, <a href="https://www.mygovid.gov.au">myGovID</a> and <a href="https://www.digitalid.com">Digital ID</a>, were developed by the Australian Taxation Office (ATO) and Australia Post, respectively. </p>
<p>Both apps were released without fanfare or glossy marketing campaigns to entice users. This is in keeping with more than five years of stealthy administrative decision-making and policy development in the National Digital ID project.</p>
<p>Now, it seems, we are set to hear more about it. An existing digital identity scheme for businesses called <a href="https://www.abr.gov.au/auskey">AUSkey</a> will be retired and replaced with the new National Digital ID in March, and the DTA has <a href="https://www.innovationaus.com/digital-id-gets-a-pr-makeover/">recently</a> put out a contract for a “Digital Identity Communication and Engagement Strategy”.</p>
<p>The DTA’s renewed investment in public communications is a welcome change of pace, but instead of top-down decision-making, why not try consultation and conversation? </p>
<h2>We fear what we don’t understand</h2>
<p>Ever since the Hawke government’s ill-fated Australia Card proposal in the 1980s, Australians have consistently viewed national identification schemes with contempt. <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3224115">Some</a> have suggested that the DTA’s silence comes from fear of a backlash.</p>
<p>History provides insight into some, but not all, of the numerous potential reasons for the DTA’s strategic opacity. </p>
<p>For example, people do not respond positively to what they do not understand. Surveys suggest that <a href="https://www.innovationaus.com/2019/11/Digital-ID-gets-a-poor-focus-reception">fewer than one in four Australians</a> have a strong understanding of digital identification. </p>
<p>The National Digital ID project was launched more than five years ago. Why hasn’t the public become familiar with these technologies? </p>
<h2>What is the TDIF?</h2>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=365&fit=crop&dpr=1 600w, https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=365&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=365&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=459&fit=crop&dpr=1 754w, https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=459&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/311035/original/file-20200121-145026-iufjxx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=459&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Part of an overview of the TDIF available on the DTA website.</span>
<span class="attribution"><a class="source" href="https://www.dta.gov.au/our-projects/digital-identity/trusted-digital-identity-framework/public-consultation-4th-release-tdif">Trusted Digital Identity Framework (TDIF)™: 02 - Overview © Commonwealth of Australia (Digital Transformation Agency) 2019.</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>The TDIF is what’s known as a federated digital identification system. This means it relies on multiple organisations called Identity Providers, who act as central repositories for identification. </p>
<p>In essence, you identify yourself to the Identity Provider, which then vouches for you to third parties in much the same way you might use a Google or Facebook account to log in to a news website. </p>
<p>The difference in this case is that Identity Providers will control, store and manage all user information – which is likely to include birth certificates, marriage certificates, tax returns, medical histories, and perhaps eventually biometrics and behavioural information too.</p>
<p>There are currently two government organisations acting as Identity Providers: the Australian Taxation Office (ATO) and Australia Post. By their nature, Identity Providers consolidate information in one place and risk becoming a single point of failure. This exposes users to harms associated with the possibility of stolen or compromised personal information. </p>
<p>Another weakness of the TDIF is that it doesn’t allow for releasing only partial information about a person. For example, people might be willing to share practically all their personal information with a large bank. </p>
<p>However, few will voluntarily disclose such a large amount of personal information indiscriminately – and the TDIF doesn’t give the option to control what is disclosed. </p>
<h2>Securing sovereignty over identity</h2>
<p>It might have been reasonable to keep the National Digital ID project quiet when it launched, but a lot has changed in the past five years. </p>
<p>For example, some localities in <a href="https://digitalcanada.io/bc-orgbook-tell-us-once/">Canada</a> and <a href="https://procivis.ch/about-us/">Switzerland</a>, faced with similar challenges, chose an alternative to the federated model for their Digital ID systems. Instead, they used the principles of what is called Self Sovereign Identity (SSI).</p>
<p>Self-sovereign systems offer the same functions and capabilities as the DTA’s federated system. And they do so without funnelling users through government-controlled Identity Providers.</p>
<p>Instead, self-sovereign systems let users create, manage and use multiple discrete digital identities. Each identity can be tailored to its function, with different attributes attached according to necessity. </p>
<p>Authentication systems like this offer control over the disclosure of personal information. This is a feature that may considerably enhance the privacy, security and usability of digital identification. </p>
<h2>Moving forward</h2>
<p>Based on the idea of giving control to users, self-sovereign digital identification puts its users ahead of any institution, organisation or state. Incorporating elements from the self-sovereign approach might make the Australian system more appealing by addressing public concerns. </p>
<p>And self-sovereign identity is just one example of many technologies already available to the DTA. The possibilities are vast.</p>
<p>However, those possibilities can only be explored if the DTA starts engaging directly with the general public, industry and academia. Keeping Australia’s Digital National ID scheme cloaked will only increase negative sentiment towards digital identity schemes. </p>
<p>Even if self-sovereign identity proved appealing to the public, there would still be plenty of need for dialogue. For example, people would need to enrol into the identification program by physically visiting a white-listed facility (such as a post office). That alone poses several technological, economic, social and political challenges. </p>
<p>Regardless of the direction Australia takes for the Digital National ID, there will be problems that need to be solved – and these will require dialogue and transparency.</p>
<p>Government and other organisations may not support a self-sovereign identity initiative, as it would give them less information about and administrative control over their constituents or clients.</p>
<p>Nonetheless, the implementation of a national identity scheme by stealth will only give the Australian public good reason for outrage, and it might culminate in intensified and unwanted scrutiny. </p>
<p>To prevent this from occurring, the DTA’s project needs to be brought out of hiding. It is only with transparency and a dialogue open to all Australians that the public’s concerns can be addressed in full.</p>
<p class="fine-print"><em><span>Dr Scolyer-Gray is a member of the Australian Information Security Association (AISA). He has received no funding for this project, and has no affiliations of relevance to this work other than the institution of which he is an employee. Any opinions expressed within are the author's, and they do not necessarily represent those of Deakin University or any other affiliated organisations.</span></em></p><p class="fine-print"><em><span>Jongkil Jay Jeong and Yevhen Zoltavkin do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
A new digital ID system will gather piles of personal information in one place – and you won’t have full control over who has access
Patrick Scolyer-Gray, Research Fellow, Cyber Security, Deakin University
Jongkil Jay Jeong, Research Fellow, Cyber Security, Deakin University
Yevhen Zoltavkin, Research Fellow, Cyber Security, Deakin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/128782
2019-12-16T05:24:02Z
2019-12-16T05:24:02Z
Facebook’s push for end-to-end encryption is good news for user privacy, as well as terrorists and paedophiles
<figure><img src="https://images.theconversation.com/files/307065/original/file-20191216-124004-1zmrcu.jpg?ixlib=rb-1.1.0&rect=0%2C80%2C4270%2C2910&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Facebook's initiative places the company in a complicated situation, as increased user privacy, while positive, could come with potential impunity for offenders. </span> <span class="attribution"><span class="source">SHUTTERSTOCK</span></span></figcaption></figure><p>Facebook is <a href="https://thenextweb.com/facebook/2019/10/31/facebook-is-testing-end-to-end-encryption-for-secret-messenger-calls/">planning end-to-end encryption on all its messaging services</a> to increase privacy levels. </p>
<p>The tech giant started <a href="https://www.theverge.com/2019/1/25/18197222/facebook-messenger-instagram-end-to-end-encryption-feature-zuckerberg">experimenting</a> with this <a href="https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/">earlier this year</a>. Soon, end-to-end encryption will be standard for every Facebook message. </p>
<p>But Australian, British and United States governments and <a href="https://www.news18.com/news/tech/facebook-wants-to-expand-encryption-across-all-its-platforms-but-lawmakers-are-wary-2376161.html">lawmakers</a> aren’t <a href="https://www.smh.com.au/politics/federal/encryption-can-t-put-tech-giants-beyond-the-reach-of-the-law-minister-says-20191211-p53ize.html">happy about it</a>. They fear it will make it impossible to recover criminal conversations from Facebook’s platforms, thus offering impunity to offenders. </p>
<p>For instance, this was a major concern following <a href="https://www.independent.co.uk/news/uk/home-news/khalid-masood-whatsapp-westminster-london-attack-parliament-message-isis-terror-network-contacts-a7649206.html">the 2017 London terror attacks</a>. Attackers used WhatsApp (Facebook’s end-to-end encrypted platform), and this frustrated police investigations.</p>
<p>But does Facebook’s initiative place the company between a political rock and an ethical hard place?</p>
<h2>What is end-to-end encryption?</h2>
<p><a href="https://en.wikipedia.org/wiki/End-to-end_encryption">End-to-end encryption</a> is a method of communicating more securely, compared to non-encrypted communications. </p>
<p>It involves using encryption (via cryptographic keys) that excludes third parties from accessing content shared between communicating users. </p>
<p>When the sender wants to communicate with the receiver, they share a unique <a href="https://searchsecurity.techtarget.com/definition/encryption">cryptographic key that decrypts</a> the message. No one else can access it, not even the service provider.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/social-media-and-crime-the-good-the-bad-and-the-ugly-66397">Social media and crime: the good, the bad and the ugly</a>
</strong>
</em>
</p>
<hr>
<h2>The real incentive</h2>
<p>Facebook’s plan to <a href="https://www.forbes.com/sites/zakdoffman/2019/10/06/is-facebooks-new-encryption-fight-hiding-a-ruthless-secret-agenda/#6ec67b3b5699">enact this change is paradoxical</a>, considering the company has a history of <a href="https://heinonline.org/HOL/Page?handle=hein.journals/jmjcila31&div=20&g_sent=1&casa_token=9vXpTPHtJw8AAAAA:B6FRTbg2DmAm5BkVzfidBoBgvSwEM6DcOepLuWUbEM-4ICx8U5kUPS7496BddNrArud0rRPh">harvesting user data</a> and <a href="https://www.businessinsider.com.au/why-you-should-delete-facebook-messenger-2018-4?r=US&IR=T">selling it to third parties</a>. </p>
<p>Now, it supposedly wants to protect the privacy of the same users.</p>
<p>One possible reason Facebook is pushing for this development is because it will solve many of <a href="https://www.forbes.com/sites/zakdoffman/2019/10/06/is-facebooks-new-encryption-fight-hiding-a-ruthless-secret-agenda/#6ec67b3b5699">its legal woes</a>. </p>
<p>With end-to-end encryption, the company will no longer have <a href="https://en.wikipedia.org/wiki/Backdoor_(computing)">backdoor</a> access to users’ messages. </p>
<p>Thus, it won’t be forced to comply with requests from law enforcement agencies to access data. And even if police were able to get hold of the data, they would still need the key required to read the messages. </p>
<p>Only users would have the ability to share the key (or messages) with law enforcement.</p>
<h2>Points in favour</h2>
<p>Implementing end-to-end encryption will positively impact Facebook users’ privacy, as their messages will be protected from eavesdropping. </p>
<p>This means Facebook, law enforcement agencies and hackers will find it harder to intercept any communication conducted through the platform. </p>
<p>And although end-to-end encryption is arguably not necessary for most everyday conversations, it does have <a href="https://www.usenix.org/system/files/conference/soups2016/way_2016_paper_vaziripour.pdf">advantages</a>, including: </p>
<ol>
<li>protecting users’ personal and financial information, such as transactions on Facebook Marketplace</li>
<li>increasing trust and cooperation between users</li>
<li>preventing criminals eavesdropping on individuals to harvest their information, which can render them victim to <a href="https://www.thebalance.com/beware-of-these-11-facebook-scams-1947431">stalking, scamming and romance frauds</a></li>
<li>allowing those with sensitive medical, political or sexual information to be able to share it with others online</li>
<li>enabling journalists and intelligence agencies to communicate privately with sources.</li>
</ol>
<h2>Not foolproof</h2>
<p>However, even though end-to-end encryption will increase users’ privacy in certain situations, it may still not be enough to make conversations completely safe.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/end-to-end-encryption-isnt-enough-security-for-real-people-82054">End-to-end encryption isn't enough security for 'real people'</a>
</strong>
</em>
</p>
<hr>
<p>This is because the biggest eavesdropping risk lies in the very act of using a device. </p>
<p>End-to-end encryption doesn’t <a href="https://medium.com/@BlackwaveLtd/end-to-end-encryption-is-not-secure-without-proper-authentication-67bfa3c8108">guarantee</a> the people we are talking to online are who they say they are. </p>
<p>Also, while cryptographic algorithms are hard to crack, third parties can still <a href="https://www.us-cert.gov/bsi/articles/knowledge/principles/securing-the-weakest-link">obtain the key, or the decrypted message itself, from the device</a>. For example, an app on the device can <a href="https://recon.meddle.mobi/papers/panoptispy18pets.pdf">take screenshots</a> of a conversation and send them to third parties.</p>
<h2>A benefit for criminals</h2>
<p>When Facebook messages become end-to-end encrypted, it will be <a href="https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0150300#pone.0150300.ref009">harder to detect criminals</a>, including people who use the platform to commit <a href="http://milwaukeenns.org/2014/05/21/special-report-diploma-mill-scams-continue-to-plague-milwaukees-adult-students">scams</a> and launch <a href="https://www.helpnetsecurity.com/2014/05/27/instant-messaging-trojan-spreads-through-the-uk/">malware</a>.</p>
<p>Others use Facebook <a href="https://gulfnews.com/world/gulf/kuwait/kuwait-cracks-down-on-illegal-racket-on-selling-housemaids-using-app-1.1572855473783">for human</a> or sex trafficking, as well as <a href="https://www.justice.gov/usao-ednc/pr/jacksonville-man-sentenced-child-pornography-case">child grooming</a> and <a href="https://www.smh.com.au/politics/federal/facebook-must-pick-a-side-in-fight-against-online-child-sex-abuse-dutton-20191004-p52xnw.html">exploitation</a>.</p>
<p>Facebook Messenger can also help <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3005872">criminals organise themselves</a>, as well as plan and carry out crimes, including terror attacks and cyber-enabled fraud, extortion and hacks.</p>
<p>The unfortunate <a href="https://philpapers.org/rec/ORRRSA-2">trade-off</a> in <a href="https://books.google.com.au/books?hl=en&lr=&id=xpsA2Cq997wC&oi=fnd&pg=PP2&dq=increasing+privacy+surveillance+internet&ots=nSKCdoaLWu&sig=IIRuxqn5731sXp8A989Vyl9Ef00&redir_esc=y#v=onepage&q=increasing%20privacy%20surveillance%20internet&f=false">increasing user privacy</a> is reducing the capacity for surveillance and national security efforts. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/can-photos-on-social-media-lead-to-mistaken-identity-in-court-cases-63887">Can photos on social media lead to mistaken identity in court cases?</a>
</strong>
</em>
</p>
<hr>
<p>End-to-end encryption on Facebook would also increase criminals’ feeling of <a href="https://www.sciencedirect.com/science/article/pii/S0747563217305812">security</a>. </p>
<p>However, although tech companies can’t deny the risk of their technologies being exploited for illegal purposes, they also don’t have a <a href="https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security">complete duty to keep a particular country’s cyberspace safe</a>. </p>
<h2>What to do?</h2>
<p>A potential solution to the dilemma can be found in various <a href="https://www.computerworld.com/article/3427019/the-snoopers-charter-everything-you-need-to-know-about-the-investigatory-powers-act.html">critiques</a> of the <a href="https://publications.parliament.uk/pa/bills/lbill/2016-2017/0066/17066.pdf">UK’s 2016 Investigatory Powers Act</a>. </p>
<p>It proposes that, on certain occasions, a communications service provider may be asked to remove encryption (where possible). </p>
<p>However, this power must come from an authority that <a href="https://cadmus.eui.eu/handle/1814/25714">can be held accountable</a> in court for its actions, and this should be used as a last resort. </p>
<p>In doing so, encryption will increase user privacy without allowing total privacy, which carries <a href="https://guardtime.com/blog/6-reasons-why-encryption-isnt-working">harmful consequences</a>. </p>
<p>So far, several governments have pushed back against Facebook’s encryption plans, fearing it will place <a href="https://www.smh.com.au/politics/federal/encryption-can-t-put-tech-giants-beyond-the-reach-of-the-law-minister-says-20191211-p53ize.html">the company and its users beyond their reach</a>, and make it more difficult to <a href="https://www.occrp.org/en/61-ccblog/8822-encryption-a-godsend-to-all-who-seek-privacy-even-criminals">catch criminals</a>. </p>
<p>End-to-end encryption is perceived as a bulwark against surveillance by third parties and governments, despite <a href="https://cs.stanford.edu/people/eroberts/cs181/projects/ethics-of-surveillance/tech_wiretapping.html">other ways of intercepting communications</a>.</p>
<p>Many also agree surveillance is not only <a href="https://www.alrc.gov.au/wp-content/uploads/2019/08/119_org_pirate_party_australia.pdf">invasive, but also prone to abuse</a> by governments and third parties. </p>
<p>Freedom from invasive surveillance also <a href="https://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx">facilitates freedom of expression</a>, opinion and privacy, as observed by the United Nations High Commissioner for Human Rights. </p>
<p>In a world where debate is polarised by social media, Facebook and similar platforms are caught amid the politics of security. </p>
<p>It’s hard to say how a perfect balance can be achieved in such a multifactorial dilemma. </p>
<p>Either way, the decision is a political one, and governments – as opposed to tech companies – should ultimately be responsible for such decisions.</p>
<p class="fine-print"><em><span>Roberto Musotto is affiliated with the Cyber Security Research Cooperative Centre (CSCRC).</span></em></p><p class="fine-print"><em><span>David S. Wall receives funding from the EPSRC (CRiTiCal & EMPHASIS Projects)</span></em></p>
Facebook is planning to put end-to-end encryption on all its messaging services soon. But governments aren’t happy about it, as it could make it harder to catch criminals.
Roberto Musotto, Cyber Security Cooperative Research Centre Postdoctoral Fellow, Edith Cowan University
David S. Wall, Professor of Criminology, University of Leeds
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/123865
2019-10-22T04:56:03Z
2019-10-22T04:56:03Z
Data lakes: where big businesses dump their excess data, and hackers have a field day
<figure><img src="https://images.theconversation.com/files/298026/original/file-20191022-56238-1x4hl74.jpg?ixlib=rb-1.1.0&rect=16%2C58%2C2779%2C2737&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Unlike purpose-built data storage systems, a data lake can be used to dump data in its original form. This data usually remains unsupervised.</span> <span class="attribution"><span class="source">Shutterstock.com</span></span></figcaption></figure><p>Machines and the internet are woven into the fabric of our society. A growing number of users, devices and applications work together to produce what we now call “<a href="https://www.forbes.com/sites/gilpress/2014/09/03/12-big-data-definitions-whats-yours/#511b182d13ae">big data</a>”. And this data helps drive many of the everyday services we access, such as banking. </p>
<p>A <a href="https://www.visualcapitalist.com/what-happens-in-an-internet-minute-in-2019/">comparison</a> of internet snapshots from 2018 and 2019 sheds light on the increasing rate at which digital information is exchanged daily. The challenge of safely capturing and storing data is becoming more complicated with time. </p>
<p>This is where data warehouses and data lakes are relevant. Both are online spaces used by businesses for internal data processing and storage. </p>
<p>Unfortunately, since the concept of data lakes <a href="https://www.dataversity.net/brief-history-data-lakes/">originated</a> in 2010, not enough has been done to address issues of cyber security. </p>
<p>These valuable repositories remain exposed to an increasing number of cyber attacks and data breaches.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australia-is-vulnerable-to-a-catastrophic-cyber-attack-but-the-coalition-has-a-poor-cyber-security-track-record-113470">Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record</a>
</strong>
</em>
</p>
<hr>
<h2>A proposed panacea for big data problems</h2>
<p>The traditional approach used by service providers is to store data in a “<a href="https://www.forbes.com/sites/bernardmarr/2018/08/27/what-is-a-data-lake-a-super-simple-explanation-for-anyone/#76e16f1476e0">data warehouse</a>” – a single repository that can be used to analyse data, create reports, and consolidate information.</p>
<p>However, data going into a warehouse needs to be pre-processed. With <a href="https://www.forbes.com/sites/andrewcave/2017/04/13/what-will-we-do-when-the-worlds-data-hits-163-zettabytes-in-2025/#6965df7d349a">zettabytes of data</a> in cyber space, this isn’t an easy task. Pre-processing requires a hefty amount of computation done by high-end supercomputers, and costs time and money.</p>
<p><a href="https://aws.amazon.com/big-data/datalakes-and-analytics/what-is-a-data-lake/">Data lakes</a> were proposed to solve this. Unlike warehouses, they can store raw data of any type. Data lakes are often considered a panacea for big data problems, and have been embraced by many organisations trying to drive innovation and new services for users.</p>
<p>James Dixon, the US data technician who reputedly coined the term, describes data lakes thus:</p>
<blockquote>
<p>If you think of a datamart as a store of bottled water – cleansed and packaged and structured for easy consumption – the data lake is a large body of water in a more natural state. The contents of the data lake stream in from a source to fill the lake, and various users of the lake can come to examine, dive in, or take samples.</p>
</blockquote>
<h2>Be careful swimming in a data lake</h2>
<p>Although data lakes create opportunities for data crunchers, their digital doors remain unguarded, and solving cyber safety issues remains an afterthought.</p>
<p>Our ability to analyse and extract intelligence from data lakes is under threat in cyber space. This is evident from the <a href="https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-august-2019-114-6-million-records-leaked">high number</a> of recent data breaches and cyber attacks worldwide. </p>
<p>With technological advances, we become even more prone to cyber attacks. Confronting malicious cyber activity should be a priority in the current digital climate. </p>
<p>While research into this has flourished in <a href="https://ieeexplore.ieee.org/document/8394461">recent years</a>, a strong connection between effective cyber security and data lakes is yet to be made. </p>
<h2>Not uncommon to be compromised</h2>
<p>Due to advances in malicious software, specifically in <a href="https://www.zdnet.com/article/a-question-of-security-what-is-obfuscation-and-how-does-it-work/">malware obfuscation</a>, it’s easy for hackers to hide a dangerous virus within a harmless-looking file.</p>
<p><a href="https://link.springer.com/chapter/10.1007/978-981-13-0292-3_12">False data injection</a> attacks have <a href="https://www.mdpi.com/2076-3417/9/20/4328">increased</a> over the past decade.</p>
<p>The attack happens when a cyber criminal exploits <a href="https://cyberx.tech/free-cybersecurity-tools/#targetText=Metasploit&targetText=Metasploit%20is%20probably%20one%20of,all%20systems%20to%20gain%20access.">freely available tools</a> to compromise a system connected to the internet and inject false data into it.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/aerial-threat-why-drone-hacking-could-be-bad-news-for-the-military-124588">Aerial threat: why drone hacking could be bad news for the military</a>
</strong>
</em>
</p>
<hr>
<p>Through the injected data, the attacker gains unauthorised access to the data lake and manipulates the stored data to mislead users. There are many <a href="https://www.vircom.com/blog/cybercriminals-who-they-are-and-why-they-do-it/">potential motivators</a> behind such an attack. </p>
<h2>Components of data lakes</h2>
<p>Data lake architecture can be divided into three components: data ingestion, data storage and data analytics. </p>
<p>Data ingestion refers to data coming into the lake from a diverse range of sources. This usually happens with no legitimate security policies in place. When incoming data is not checked for security threats, a golden opportunity is presented for cyber criminals to inject false data. </p>
<p>The second component is data storage, which is where all the raw data gets dumped. Again, this happens without any sizeable cyber safety considerations. </p>
<p>The most important component of data lakes is data analytics, which combines the expertise of analysts, scientists and data officers. The objective of data analytics is to design and develop modelling algorithms which can use raw data to produce meaningful insights. </p>
<p>For instance, data analytics is how <a href="https://neilpatel.com/blog/how-netflix-uses-analytics/">Netflix learns</a> about its subscribers’ viewing habits.</p>
<h2>Challenges ahead for data experts</h2>
<p>The slightest change or manipulation in data lakes can hugely mislead data crunchers and have widespread impact.</p>
<p>For instance, compromised data lakes have huge implications for healthcare, because any deviation in data can lead to a wrong diagnosis, or even casualties. </p>
<p>Also, government agencies using compromised data lakes may face mayhem in international affairs and trade situations. The defence, finance, governance and educational sectors are also vulnerable to data lake attacks. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/whos-afraid-of-the-bad-big-data-you-might-want-to-read-this-13080">Who's afraid of the bad, big data? You might want to read this</a>
</strong>
</em>
</p>
<hr>
<p>Considering the volume of data stored in data lakes, the consequences of cyber attacks are far from trivial. </p>
<p>And since generating huge amounts of data in today’s world is inevitable, it’s crucial that data lake architects try harder to ensure these at-risk data depots are correctly looked after.</p>
<p class="fine-print"><em><span>Mohiuddin Ahmed does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
A major cyber attack on a data lake could have immense consequences for any of us. And the damage could be felt anywhere from banking to the healthcare sector.
Mohiuddin Ahmed, Lecturer of Computing & Security, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/122860
2019-09-04T19:52:46Z
2019-09-04T19:52:46Z
Apple iPhones could have been hacked for years – here’s what to do about it
<p>For many years, the Apple iPhone has been considered one of the most secure smartphones available. But despite this reputation, security issues that might affect millions of users came to light last week, when <a href="https://www.gizmodo.com.au/2019/08/google-hackers-reveal-websites-hacked-thousands-of-iphone-users-silently-for-years/">researchers at Google</a> revealed they had discovered websites that can infect iPhones, iPads, and iPods with dangerous software. </p>
<p>Simply visiting one of these websites is enough to infect your device with malicious software, allowing a high level of access to the device. Worryingly, it seems these vulnerabilities have been “in the wild” (that is, actively used by cyber-criminals) for around two years. </p>
<p>As there is no visible sign of infection on the device, it is likely users are completely unaware of the risks they’re facing.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-click-that-link-how-criminals-access-your-digital-devices-and-what-happens-when-they-do-109802">Don't click that link! How criminals access your digital devices and what happens when they do</a>
</strong>
</em>
</p>
<hr>
<p>The vulnerabilities being exploited are present on devices running recent (but not the most recent) versions of Apple’s iOS operating system — specifically, iOS 10 through to early versions of iOS 12. Every device running the vulnerable versions of iOS is a potential target for these websites.</p>
<p>Devices are infected via several methods, using <a href="https://www.gizmodo.com.au/2019/08/google-hackers-reveal-websites-hacked-thousands-of-iphone-users-silently-for-years/">14 different security flaws</a> — an unusual number of ways to compromise a device. Worse is that seven of the flaws involve Safari, the default web browser for many of these devices (and web browsing is a common activity for many users). </p>
<p>It’s not all bad news though. After Google reported the issues to Apple earlier this year, the vulnerabilities were promptly patched with the latest release of iOS (12.4.1). </p>
<p>Any user updating their device to the latest version of iOS should be protected against this attack. The easiest way to do it is to go to Settings > General > Software Update on your phone and then follow the prompts.</p>
<h2>What happens when you visit an infected site?</h2>
<p>As soon as you open the web page, <a href="https://www.bbc.com/news/technology-49520355">malicious software is installed on the device</a>. This software has the potential to access location data and information stored by various apps (such as iMessage, WhatsApp, and Google Hangouts). </p>
<p>This information can be transmitted to a remote location and potentially misused by an attacker. The information extracted can include messages that are otherwise protected when sent and received by the user, removing the protection offered through encryption. Hackers can also potentially access private files stored on the device, including photos, emails, contact lists, and sensitive information such as WiFi passwords. </p>
<p>All of this data has value and can be <a href="https://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-market-for-stolen-data/">sold on the Internet to other cyber-criminals</a>.</p>
<p><a href="https://blog.malwarebytes.com/mac/2019/08/unprecedented-new-iphone-malware-discovered/">According to antivirus firm Malwarebytes</a>, the malicious software is removed when the infected device is restarted. While this limits the amount of time that the device is compromised, the user risks being reinfected the next time they visit the same website (if still using a vulnerable version of iOS). </p>
<p>The list of websites involved has not yet been made publicly available, so users have no means to protect themselves other than by updating their device’s operating system. But we do know the number of visitors to these sites is estimated in the <a href="https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html">thousands per week</a>.</p>
<h2>Are Apple devices no longer secure?</h2>
<p>High-profile attacks on these devices might dispel the myth that Apple devices are not susceptible to serious security breaches. However, Apple does have a bug-bounty program that offers a <a href="https://www.businessinsider.com.au/apple-offers-1-million-bug-bounty-reward-for-hacking-iphone-2019-8">US$1 million reward</a> to users who report problems that help to identify security flaws. </p>
<p>But considering the impact of this incident, it’s obvious someone out there is making considerable efforts to target Apple devices. While the tech giant regularly updates its software, there have been recent incidents in which <a href="https://techcrunch.com/2019/08/26/apple-security-fix-jailbreak/">previously fixed security flaws were reintroduced</a>. This highlights the complexity of these devices and the challenge of maintaining a secure platform.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/everyone-falls-for-fake-emails-lessons-from-cybersecurity-summer-school-81389">Everyone falls for fake emails: lessons from cybersecurity summer school</a>
</strong>
</em>
</p>
<hr>
<p>The most important lesson for Apple’s millions of users is to ensure you keep up to date with the latest patches and fixes. Simply installing the latest iOS update is sufficient to remove the threats caused by this vulnerability. </p>
<p>If you’re concerned your details may have been stolen, changing passwords and checking your credit card and bank account statements are also important steps to take.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The news that malware can invade iPhones and other Apple devices via the Safari web browser has damaged Apple’s reputation for security. But you can fix the problem by updating your phone’s software.
Leslie Sikos, Lecturer, Edith Cowan University
Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/93118
2018-03-21T10:43:14Z
2018-03-21T10:43:14Z
Think Facebook can manipulate you? Look out for virtual reality
<figure><img src="https://images.theconversation.com/files/211198/original/file-20180320-31624-13znwph.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">What these people are seeing isn't real – but they might think it is.</span> <span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/APTOPIX-Spain-Wireless-Show-Flagship-Phones/55557e265ea948089fc69dadde97782a/5/0">AP Photo/Francisco Seco</a></span></figcaption></figure><p>As Facebook users around the world are coming to understand, some of their favorite technologies can be used against them. It’s not just the scandal over psychological profiling firm <a href="https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election">Cambridge Analytica getting access</a> to data from tens of millions of Facebook profiles. People’s filter bubbles are filled with carefully tailored information – and misinformation – altering their <a href="https://www.onlineprivacyfoundation.org/opf-research/psychographic-targeting/">behavior and thinking, and even their votes</a>.</p>
<p>People, both individually and as a society at large, are wrestling to understand <a href="https://techcrunch.com/2018/03/18/move-fast-and-fake-things/">how their newsfeeds turned against them</a>. They are coming to realize exactly how carefully controlled Facebook feeds are, with highly tailored ads. That set of problems, though, pales in comparison to those posed by the next technological revolution, which is already underway: virtual reality. </p>
<p>On one hand, virtual worlds hold almost limitless potential. VR games can <a href="https://www.tennessean.com/picture-gallery/news/2018/02/23/virtual-reality-games-used-in-drug-rehab-therapy/110761470/">treat drug addiction</a> and maybe help solve the <a href="https://theconversation.com/the-opioid-epidemic-in-6-charts-81601">opioid epidemic</a>. Prison inmates can use VR simulations to <a href="https://news.vice.com/en_us/article/bjym3w/this-prison-is-using-vr-to-teach-inmates-how-to-live-on-the-outside">prepare for life after their release</a>. People are racing to enter these immersive experiences, which have the potential to be more psychologically powerful than any other technology to date: The first modern equipment offering the opportunity <a href="https://www.telegraph.co.uk/technology/ces/12085175/Oculus-Rift-to-go-on-sale-in-March-for-599.html">sold out in 14 minutes</a>.</p>
<p>In these new worlds, every leaf, every stone on the virtual ground and every conversation is carefully constructed. In our research into the emerging definition of ethics in virtual reality, my colleagues and I interviewed the developers and early users of virtual reality to understand <a href="http://hdl.handle.net/1903/20513">what risks are coming and how we can reduce them</a>.</p>
<h2>Intensity is going to level up</h2>
<p>“VR is a very personal, intimate situation. When you wear a VR headset … you really believe it, it’s really immersive,” says one of the developers with whom we spoke. If someone harms you in VR, <a href="https://theconversation.com/sexual-assault-enters-virtual-reality-67971">you’re going to feel it</a>, and if someone manipulates you into believing something, it’s going to stick. </p>
<p>This immersion is what users want: “VR is really about being immersed … As opposed to a TV where I can constantly be distracted,” one user told us. That immersiveness is what gives VR unprecedented power: “really, what VR is trying to do here is duplicate reality where it tricks your mind.”</p>
<p>These tricks can be enjoyable – allowing people to <a href="https://vrsource.com/best-vr-flight-simulators-5901/">fly helicopters</a> or journey back to <a href="https://www.virtualiteach.com/single-post/2017/07/24/Uncover-the-Tomb-of-Tutankhamen-in-VR">ancient Egypt</a>. They can be helpful, offering <a href="https://www.tandfonline.com/doi/abs/10.1586/14737175.8.11.1667">pain management</a> or treatment for <a href="http://www.icdvrat.org/2008/papers/ICDVRAT2008_S01_N05_Rizzo_et_al.pdf">psychological conditions</a>.</p>
<p>But they can also be malicious. Even a common prank that friends play on each other online – logging in and posting as each other – can take on a whole new dimension. One VR user explains, “Someone can put on a VR head unit and go into a virtual world assuming your identity. I think that identity theft, if VR becomes mainstream, will become rampant.”</p>
<h2>Data will be even more personal</h2>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=454&fit=crop&dpr=1 600w, https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=454&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=454&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=571&fit=crop&dpr=1 754w, https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=571&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/210915/original/file-20180318-104673-196iysp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=571&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An image of what the Oculus DK2 sees via its infrared sensors.</span>
<span class="attribution"><a class="source" href="https://forums.oculusvr.com/community/discussion/11385/what-can-the-dk2-ir-camera-see">MaglevNL/reddit</a></span>
</figcaption>
</figure>
<p>VR will be able to collect data on a whole new level. Seemingly innocuous infrared sensors designed to help with motion sickness and alignment can capture near-perfect representations of users’ real-world surroundings. </p>
<p>Further, the data and interactions that give VR the power to treat and diagnose <a href="https://futurism.com/ai-and-vr-could-completely-transform-how-doctors-diagnose-and-treat-mental-disorders/">physical and mental health conditions</a> can be used to hyper-personalize experiences and information to the precise vulnerabilities of individual users.</p>
<p>Combined, the intensity of virtual reality experiences and the even more personal data they collect present the specter of fake news that’s much more powerful than text articles and memes. Rather, immersive, personalized experiences may thoroughly convince people of entirely alternate realities, to which they are perfectly susceptible. Such immersive VR advertisements are on the horizon <a href="https://www.wired.com/story/vr-ads-are-almost-here/">as early as this year</a>.</p>
<h2>Building a virtual future</h2>
<p>A person who uses virtual reality is, often willingly, being controlled to far greater extents than were ever possible before. Everything a person sees and hears – and perhaps even feels or smells – is totally created by another person. That surrender brings both promise and peril. Perhaps in carefully constructed virtual worlds, people can solve problems that have eluded us in reality. But these virtual worlds will be built inside a real world that can’t be ignored. </p>
<p>While technologists and users are cleaning up the malicious, manipulative past, they’ll need to go far beyond <a href="https://www.wired.com/story/what-would-healthy-twitter-look-like/">making social media healthier</a>. As carefully as developers are building virtual worlds themselves, society as a whole must intentionally and painstakingly construct the culture in which these technologies exist. </p>
<p>In many cases, developers are the first allies in this fight. Our research found that VR developers were more concerned about their users’ well-being than the users themselves. Yet, one developer admits that “the fact of the matter is … I can count on my fingers the number of experienced developers I’ve actually met.” Even <a href="http://doi.org/10.1145/2580723.2580730">experts have only begun to explore</a> ethics, security and privacy in virtual reality scenarios. </p>
<p>The developers we spoke with expressed a desire for guidelines on where to draw the boundaries, and how to prevent dangerous misuses of their platforms. As an initial step, we <a href="http://hdl.handle.net/1903/20513">invited VR developers and users</a> from nine online communities to work with us to create a set of guidelines for VR ethics. They made suggestions about inclusivity, protecting users from manipulative attackers and limits on data collection. </p>
<p>As the debacle with Facebook and Cambridge Analytica shows, though, people don’t always follow guidelines, or even <a href="https://www.washingtonpost.com/business/economy/facebooks-rules-for-accessing-user-data-lured-more-than-just-cambridge-analytica/2018/03/19/31f6979c-658e-43d6-a71f-afdd8bf1308b_story.html">platforms’ rules and policies</a> – and the effects could be all the worse in this new VR world. But, our initial success reaching agreement on VR guidelines serves as a reminder that people can go beyond reckoning with the technologies others create: We can work together to create beneficial technologies we want.</p>
<p class="fine-print"><em><span>Elissa Redmiles receives research funding from a variety of sources including the National Science Foundation, National Center for Women in Technology, and Facebook.</span></em></p>
As the internet-connected world reels from revelations about personalized manipulation based on Facebook data, a scholar of virtual reality warns there’s an even bigger crisis of trust on the horizon.
Elissa M. Redmiles, Ph.D. Student in Computer Science, University of Maryland
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/91177
2018-02-21T11:46:20Z
2018-02-21T11:46:20Z
What cybersecurity investigators can learn from airplane crashes
<figure><img src="https://images.theconversation.com/files/206287/original/file-20180213-44642-1b4c4ni.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Detailed digital forensics could help make everyone safer online.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/technology-business-concept-407150779">Rawpixel.com/Shutterstock.com</a></span></figcaption></figure><p>While some countries <a href="http://www.bbc.com/news/world-europe-43024235">struggle with safety</a>, U.S. airplane travel has lately had a <a href="https://www.usatoday.com/story/travel/columnist/mcgee/2015/06/03/amtrak-rail-bus-flying-safety/28358899/">remarkable safety record</a>. In fact, from 2014 through 2017, there were <a href="http://www.latimes.com/business/la-fi-aviation-safety-20180102-story.html">no fatal commercial airline crashes</a> in the U.S. </p>
<p>But those years were fraught with other kinds of trouble: Security breaches and electronic espionage affected <a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do">nearly every adult in the U.S.</a>, along with the <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">power grid in Ukraine</a> and the <a href="https://www.nytimes.com/news-event/russian-election-hacking">2016 U.S. presidential campaign</a>, to name a few. As a <a href="https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=1195469">scholar</a> of cybersecurity policy, I think it’s time that <a href="https://www.csoonline.com/article/2886326/security-awareness/it-s-time-for-a-national-cybersecurity-safety-board-ncsb.html">my own industry took some lessons</a> from one of the safest high-tech transportation methods of the 21st century.</p>
<p>Like today in cybersecurity, the early days of U.S. air travel weren’t regulated particularly closely. And there were a <a href="http://www.check-six.com/lib/Crash_Sites.htm">huge number of accidents</a>. Only after public tragedies struck did changes occur. In 1931, a plane crash in Kansas killed <a href="http://125.nd.edu/moments/the-last-flight-of-knute-rockne/">legendary Notre Dame football coach Knute Rockne</a>. And in 1935, U.S. Sen. <a href="https://www.politico.com/story/2015/05/sen-bronson-cutting-died-may-6-1935-117639">Bronson Cutting of New Mexico died</a> in the Missouri crash of TWA flight 6. These events helped contribute to the <a href="https://babel.hathitrust.org/cgi/pt?id=mdp.39015013920528;view=1up;seq=7">1938 creation</a> of the first U.S. Air Safety Board. But it took until 1967 for the new Department of Transportation to be created with an independent <a href="https://www.ntsb.gov/">National Transportation Safety Board</a>.</p>
<p>Since then, the NTSB has rigorously <a href="https://www.ntsb.gov/investigations/AccidentReports/Pages/aviation.aspx">investigated all airplane crashes</a> and other transportation incidents in the U.S. Its <a href="https://www.ntsb.gov/investigations/Pages/default.aspx">public reports about its findings</a> have informed changes in government regulations, corporate policies and manufacturing standards, <a href="http://www.pbs.org/wgbh/nova/space/making-air-travel-safer.html">making air travel safer</a> in the U.S. and around the world.</p>
<p>As cybersecurity incidents proliferate around the country and the globe, businesses, government agencies and the public shouldn’t wait for an inevitable disaster before investigating, understanding and preventing these failures. Nearly a century after the original <a href="https://www.politico.com/story/2013/05/this-day-in-politics-091600">Air Commerce Act in 1926</a>, <a href="https://www.nsf.gov/cise/news/CybersecurityIdeasLab_July2014.pdf">calls</a>, <a href="https://ssrn.com/abstract=3100962">including my own</a>, <a href="https://www.whitehouse.senate.gov/imo/media/doc/2016-01-03%20-%20CSIS%20Lewis%20Cyber%20Recommendations%20Next%20Administration.pdf">are mounting</a> for the information industry to take a page from aviation and create a <a href="https://www.csoonline.com/article/2886326/security-awareness/it-s-time-for-a-national-cybersecurity-safety-board-ncsb.html">cybersecurity safety board</a>.</p>
<h2>The flight plan to safer skies</h2>
<p>The National Transportation Safety Board was the first independent agency charged with investigating the safety of various transportation systems, from highways and pipelines to railroads and airplanes. Since 1967, the NTSB has <a href="https://www.ntsb.gov/about/history/Pages/default.aspx">investigated</a> more than 130,000 accidents.</p>
<p>These investigations are vital since they <a href="https://www.nsf.gov/cise/news/CybersecurityIdeasLab_July2014.pdf">help establish</a> “the who, what, where, when, how and [perhaps] why behind an incident.” After the facts are determined, policymakers can back up, and often have backed up, NTSB recommendations with new regulations. Failing that, it is common for air carriers, for example, to <a href="https://www.cfr.org/report/creating-federally-sponsored-cyber-insurance-program">voluntarily implement</a> changes it suggests. A similar approach could help improve the internet, a new technology that, like airplanes, is tying the world closer together even as it threatens our shared security.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/206276/original/file-20180213-44627-pebv4b.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Independent federal investigators study the causes of airline crashes and other transportation disasters.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Inquirer-Owner-Plane-Crash/73976eff1a85409f8855f463521bc836/57/0">AP Photo/Boston Herald, Mark Garfinkel, Pool</a></span>
</figcaption>
</figure>
<h2>The case for a cybersecurity safety board</h2>
<p>Two elements of the NTSB may be particularly useful for enhancing cybersecurity. First, it separates <a href="https://www.rand.org/blog/2012/06/the-case-for-a-cyber-security-safety-board-a-global.html">fact-finding proceedings</a> from any questions of legal liability. Second, these investigations are broad, involving various stakeholders like manufacturers and airline companies. Cyberspace is similarly made up of a <a href="http://heinonline.org/HOL/LandingPage?handle=hein.journals/geojaf16&div=70&id=&page=">wide range of companies and technologies</a>. </p>
<p>A cybersecurity safety board need not in fact be national. It could begin from the bottom up, with <a href="https://www.dhs.gov/topic/cybersecurity-information-sharing">companies partnering together</a> to protect their customers by sharing best practices.</p>
<p>Critics of establishing a cybersecurity safety board would likely contend that the <a href="https://infragardmagazine.com/how-to-reduce-cyber-risk-in-a-dynamic-threat-environment/">speed at which technologies change</a> makes it difficult for any recommendations, even if they were quickly implemented, to sufficiently protect organizations from cyber attacks. NTSB investigations <a href="https://www.ntsb.gov/investigations/process/Pages/default.aspx">can take a year or more</a>; to ensure findings were still relevant, cybersecurity inquiries would need to be faster, such as by streamlining cyberforensics and relying on <a href="http://www.tilj.org/content/journal/50/14%20SHACKELFORD%20PUB%20PROOF.pdf">widely used tools</a> such as the National Institute for Standards and Technology <a href="https://www.nist.gov/cyberframework">Cybersecurity Framework</a>.</p>
<p>Other challenges include standardizing terminology across the industry and identifying the right experts to look into data breaches, which might be easier said than done given the <a href="https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it">talent shortage</a> among cybersecurity professionals. Broad-based cybersecurity <a href="https://kelley.iu.edu/programs/executive-education/open-enrollment/badges/badge-programs/cybersecurity.cshtml">educational programs</a>, like a new partnership between the law, business and computer science schools here at <a href="https://cybersecurityprograms.indiana.edu/">Indiana University</a>, should be encouraged to help address this shortfall.</p>
<h2>A path forward</h2>
<p>Additional measures would likely be required to make a cybersecurity safety board successful, such as launching investigations only for serious breaches like those involving <a href="https://digitalcommons.unl.edu/nlr/vol96/iss2/5/">critical infrastructure</a>. </p>
<p>More nations and regions – including the <a href="https://ec.europa.eu/info/law/law-topic/data-protection_en">European Union</a> – are imposing stringent requirements on companies that suffer data breaches, including mandatory reporting of cyberattacks within 72 hours and more rigorous preventive measures. Businesses, governments and scholars around the world are working on how to improve data security. If they <a href="http://www.presidency.ucsb.edu/ws/?pid=88410">came together</a> to support a global network of <a href="https://ssrn.com/abstract=3100962">cybersecurity safety boards</a>, their efforts could promote <a href="http://www.slate.com/blogs/future_tense/2017/10/26/the_world_needs_a_cyber_peace_corps.html">cyberpeace</a> for people and institutions alike.</p>
<p>All that is needed is the will to act, the desire to experiment with new models of cybersecurity governance and the recognition that we should learn from history. As President Franklin D. Roosevelt famously said, “It is common sense to take a method and try it: If it fails, admit it frankly and try another. But above all, try something.”</p>
<p class="fine-print"><em><span>Scott Shackelford does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
An ultra-safe industry has important experience that could help a vulnerable new industry improve its safety.
Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/87998
2017-11-24T05:13:42Z
2017-11-24T05:13:42Z
Uber was hacked, so change your password right now. Here’s what else you need to know
<p>Uber has admitted that a 2016 <a href="https://www.uber.com/newsroom/2016-data-incident/">data breach</a> put at risk the personal information of 57 million Uber users worldwide and at least 600,000 drivers in the United States.</p>
<p>The ride-share firm’s CEO <a href="https://www.uber.com/newsroom/2016-data-incident/">said</a> that: </p>
<blockquote>
<p>two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.</p>
</blockquote>
<p>Now it has <a href="http://www.afr.com/technology/uber-confirms-australians-caught-in-hack-20171122-gzr61i">been reported</a> that Australian riders and drivers are part of the data breach.</p>
<p>It would be prudent for Australian Uber users and drivers to change their passwords as soon as possible. Here’s what else you need to know:</p>
<h2>If you use Uber, your name, email address and mobile phone number may have been leaked</h2>
<p>Uber <a href="https://help.uber.com/h/12c1e9d1-4042-4231-a3ec-3605779b8815">says</a>:</p>
<blockquote>
<p>Rider information [put at risk in this data breach] included the names, email addresses and mobile phone numbers related to accounts globally. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.</p>
</blockquote>
<p>Breaches of this kind can mean an increase in people receiving spam email. Some experts have <a href="http://www.huffingtonpost.co.uk/entry/uber-hack-what-does-the-data-breach-mean-if-ive-been-hacked-and-should-i-be-worried_uk_5a154b7ce4b025f8e9327fa4">said</a> that any personal information could be worth something to criminals.</p>
<h2>What evidence is there that the hack included data from Australian users of Uber?</h2>
<p>The public disclosures Uber has made so far make it very difficult to identify Australians caught up in the data breach. That’s because the firm was not very transparent about it.</p>
<p>Media reports that Uber worked hard to <a href="https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data">conceal the data breach</a> suggest Uber’s corporate governance needs improvement.</p>
<p>In its recent <a href="https://www.uber.com/newsroom/2016-data-incident/">statement</a> on the data breach, Uber CEO Dara Khosrowshahi acknowledged the firm’s “failure to notify affected individuals or regulators last year” and promised to do better.</p>
<h2>I’m an Uber driver. What do I need to know?</h2>
<p>Uber has <a href="https://help.uber.com/h/0ded7de4-ed4d-4c75-a3ee-00cddeafc372">said</a>:</p>
<blockquote>
<p>Driver information included the names, email addresses and mobile phone numbers related to accounts globally. In addition, the driver’s license numbers of around 600,000 drivers in the United States were downloaded.</p>
</blockquote>
<p>As with the message to riders, Uber says it has seen no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded.</p>
<p>The firm says that it is directly notifying affected drivers by mail or email, and is offering them free credit monitoring and identity theft protection – but, in any case, it’s a good idea for any Uber driver to change their password.</p>
<p>The longer-term issue is that news of the hack might conceivably dissuade some people from using Uber at all, which would be bad news for drivers.</p>
<p>So a fundamental part of Uber’s crisis management strategy should be educating drivers on how to respond to consumer questions about data privacy. This will not only assure the drivers but also help rebuild the trust of customers.</p>
<p>That said, it is pre-Christmas party time in cities throughout the world, and that means boom time for the Uber, taxi and personal transport industries. </p>
<p>So it’s easy to imagine there would be only a small impact on Uber drivers over this period.</p>
<h2>What’s the cost of online convenience?</h2>
<p>Uber is not the first and won’t be the last to be involved in a data breach. As transactions are increasingly made over the internet, it is highly likely Australians will fall victim to more and more data hacks.</p>
<p>Consumers who may be left out of pocket, receiving increased spam email and risking other privacy breaches such as identity theft may be less than loyal to firms that don’t look after their data.</p>
<p>Moreover, as there is <a href="https://insidesmallbusiness.com.au/planning-management/what-do-hackers-do-with-your-stolen-data">money and influence to be gained</a> through online data crime, it is highly likely that criminals will become better organised to reap the incentives in a very strategic manner.</p>
<p>It’s worth remembering that, in many cases, the <a href="https://theconversation.com/sorry-everyone-on-the-internet-youre-always-the-product-77235">cost of convenience</a> for using a service over the internet is your private information. </p>
<p>Many <a href="https://www.forbes.com/sites/firewall/2010/04/08/who-reads-the-fine-print-online-less-than-one-person-in-1000/">people</a> do <a href="https://www.theguardian.com/commentisfree/2014/apr/24/terms-and-conditions-online-small-print-information">not</a> <a href="https://www.npr.org/2016/08/23/491024846/do-you-read-terms-of-service-contracts-not-many-do-research-shows">read the terms and conditions</a> they agreed to for internet transactions, and they may be shocked by the level of exposure they face. </p>
<p>Consumers <a href="https://theconversation.com/you-may-be-sick-of-worrying-about-online-privacy-but-surveillance-apathy-is-also-a-problem-86474">accept financial and privacy risk</a> by trading over the internet, all for the sake of cheap tickets, discount car rides and other conveniences.</p>
<p>As these breaches happen more often, it may be impossible to totally avoid one’s exposure to internet-based transactions and online data storage. So there will likely be increasing pressure on politicians and regulators to add some real teeth to prosecutions (although many seem to be based in difficult-to-prosecute jurisdictions).</p>
<p>The Australian government’s <a href="https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/">notifiable data breach scheme</a> will start on February 22, 2018. It only applies to eligible data breaches that occur on, or after, that date.</p>
<h2>How can Uber prevent this from happening again?</h2>
<p>In the short term, Uber says it has “implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts”.</p>
<p>The longer-term problem is changing the attitudes that led to the data breach being concealed for so long.</p>
<p>When Dara Khosrowshahi took over as Uber’s CEO last August, hopes were high that he would soften some aspects of the extreme-performance culture that led to earlier ethical lapses in Uber.</p>
<p>There may be a perception among consumers that the firm’s desire to keep secret its intellectual property relating to algorithms has spread to its broader operations. </p>
<p>A good start for Uber would be to increase its public reporting on its operations. A widely publicised code of ethics, whistleblowing protections and ethics training for all staff would certainly not go amiss.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Uber has admitted that the 2016 data breach puts at risk the personal information of 57 million users.
Rohan Miller, Senior Lecturer, Marketing and Digital Business, University of Sydney
David Oliver, Senior Lecturer in Management, University of Sydney
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/86295
2017-10-25T22:48:27Z
2017-10-25T22:48:27Z
Ransomware like Bad Rabbit is big business
<p>October is <a href="https://www.getcybersafe.gc.ca/index-en.aspx">Cybersecurity Awareness month</a>, which is being observed in the <a href="https://www.fbi.gov/news/stories/national-cyber-security-awareness-month-2017">United States</a>, <a href="https://cybersecuritymonth.eu/about-ecsm/whats-ecsm">Europe</a>, and elsewhere around the world. Ironically, it began with updates about a large-scale hack, and is ending with a large-scale ransomware outbreak.</p>
<p>Internet firm Yahoo kicked things off on Oct. 3 when it admitted that hackers in 2013 had accessed information about <a href="http://www.cbc.ca/news/technology/yahoo-breach-three-billion-1.4322100">all three billion of its user accounts</a>, not “just” the one billion first reported.</p>
<p>Ransomware “<a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">Bad Rabbit</a>” is providing the finale with attacks that began Oct. 24. So far, the outbreak is mostly affecting business computers in Russia.</p>
<p>Both stories are fitting, in a way. The FBI considers computer break-ins and data ransoming the <a href="https://www.fbi.gov/investigate/cyber">top two cyber threats</a> we face. But while the former is old-fashioned e-crime, ransomware is much trendier. Much like <a href="https://theconversation.com/tailoring-the-customer-experience-boosts-online-sales-84941">online retailing</a>, <a href="https://theconversation.com/online-shopping-retailers-seek-visibility-in-face-of-google-control-80129">online advertising</a>, and <a href="https://theconversation.com/by-concealing-identities-cryptocurrencies-fuel-cybercrime-82282">online currencies</a>, ransomware is soaring.</p>
<h2>Your money or your data</h2>
<p>Traditional criminal hackers obtain their ill-gotten gains by stealing valuable data such as credit card numbers or passwords. They then look for customers, such as other criminals, to buy that data.</p>
<p>In contrast, ransomware hackers instead sell data back to the owners. If ransomware infects your computer, it encrypts your files to render them inaccessible until you pay a ransom. This simplifies cybercrime by replacing theft with extortion.</p>
<p>For example, in summer 2016, ransomware locked down the University of Calgary email system. <a href="http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979">The university paid $20,000</a> to unlock it.</p>
<p>Today, that looks cheap. In July, a <a href="https://www.itworldcanada.com/article/canadian-firm-pays-425000-to-recover-from-ransomware-attack/394844">Canadian company reportedly paid $425,000</a> to regain its data. The month before, South Korean firm <a href="http://www.foxnews.com/tech/2017/06/21/ransomware-attack-costs-south-korean-company-1m-largest-payment-ever.html">Nayana paid $1 million</a>, the highest ransom publicly admitted so far.</p>
<h2>Growing scale and sophistication</h2>
<p>Much like legitimate firms, some ransomware charges lower “prices” but targets larger volumes. Bad Rabbit demands only a few hundred dollars to decrypt each computer. But it is affecting machines across Russia.</p>
<p>Similarly, the <a href="https://theconversation.com/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740">WannaCry ransomware attack</a> in May affected computers in about 100 countries. It forced many <a href="http://www.cbc.ca/news/canada/ottawa/cgi-cybersecurity-wannacry-ransomware-small-business-at-risk-1.4116429">British hospitals</a> to cancel surgeries.</p>
<p>An <a href="https://www-03.ibm.com/press/us/en/pressrelease/51230.wss">IBM survey</a> found that almost half of businesses suffered ransomware attacks in 2016. Some 70 per cent of those paid a ransom to regain their data.</p>
<p>The survey also indicates small businesses are particularly vulnerable. They often lack the computer expertise to defend themselves. Only 30 per cent provided cybersecurity training to employees, compared to 58 per cent within larger companies.</p>
<p>Ransomware’s sophistication is growing too. Ransomware “worms” like <a href="http://www.securityweek.com/zcryptor-ransomware-spreads-removable-drives">ZCryptor</a> spread themselves across networks, rather than riding on infected emails.</p>
<p>Some ransomware specialists are selling their services to organized crime. This crime-as-a-service business model allows criminals to outsource their technology needs. User-friendly <a href="https://www.pcworld.com/article/3190852/security/at-175-this-ransomware-service-is-a-boon-to-cybercriminals.html">ransomware “kits” can be purchased for $175</a>.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=368&fit=crop&dpr=1 600w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=368&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=368&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=462&fit=crop&dpr=1 754w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=462&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=462&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A specialist works at the U.S. National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va. in Sept. 2014.</span>
<span class="attribution"><a class="source" href="http://www.cpimages.com/fotoweb/cpimages_details.pop.fwx?position=22&archiveType=ImageFolder&sorting=ModifiedTimeAsc&search=cybersecurity&fileId=7ED4E565C8CEED276553137C3F07278F0211563F5E7047DF3AAB663AE59BB0CF1642B0B80D34257E6710EC2568FB7698B59B4D70A14C35A5085499F7776FCE74F2B7765E8750034730859FC82D50AED936F94C876BDCF9BEC438833511658A5442F841C1FF39A6F82A1B1FF576DC98DFDEBAE60A57D8B1868787E68E4DB65177C56CA13FE83A463BAFB139FF949304109FA1D488C8D1A475">(AP Photo/Manuel Balce Ceneta)</a></span>
</figcaption>
</figure>
<h2>Future possibilities</h2>
<p>What might come next? Imagine state-sponsored hackers using ransomware. Host countries might give — or even sell — permission for local hackers to attack rival countries’ computers.</p>
<p>These cyber-<a href="https://www.britannica.com/topic/privateer">privateers</a> could plunder commerce abroad, without the host country’s direct involvement or accountability. Think of regional rivals like North and South Korea, or major powers like the U.S., Russia and China.</p>
<p>Sound far-fetched? Russian security services have already been accused of <a href="https://www.ft.com/content/21be48ec-0a48-11e7-97d1-5e720a26771b">working with organized crime</a> on cyberattacks. The Russian government denies any involvement. But its president, Vladimir Putin, did suggest independent “<a href="http://www.cnn.com/2017/06/01/politics/russia-putin-hackers-election/index.html">patriotic hackers</a>” may have tampered with the U.S. election process.</p>
<p>How about virtual protection rackets? Instead of one-time payments for decryption, users might be “convinced” to pay ongoing fees for the “service” of avoiding encryption.</p>
<p>Or instead of hiding virtual data, ransomware could shut down physical objects. The <a href="https://www.wired.com/2013/05/internet-of-things-2/">Internet of Things</a> is exposing new targets. Control systems for factories, utilities and our homes are increasingly online.</p>
<p>What if ransomware turned them off? Businesses begrudgingly pay thousands to recover emails. Imagine what they’d pay to restart assembly lines.</p>
<h2>Precautions to take</h2>
<p>To defend themselves, computer users need to do the basics. Run antivirus programs to detect threats. Think before clicking on unexpected email attachments. Keep application software and operating systems updated. (Surely you’re not <a href="https://www.wired.com/2017/05/still-use-windows-xp-prepare-worst/">still running Windows XP</a>?)</p>
<p>Users should also back up files regularly. If ransomware strikes, backups allow ransom-free recovery. But keep them on removable drives that are disconnected when not in use: ransomware encrypts whatever the infected machine can reach, and a backup drive that is still plugged in is just another target.</p>
<p>Infected users can also try decrypting files with tools from sites like <a href="https://www.nomoreransom.org/en/index.html">NoMoreRansom.org</a>. But these might work only on simple cases.</p>
<h2>Corporate and government action</h2>
<p>Software makers should do more to facilitate safe computing practices. For example, it’s great that Windows now has self-updating antivirus protection. Unfortunately, it’s still awkward to back up data onto removable drives.</p>
<p>Business insurers could also play a role. They might require corporate computers to be updated and backed-up to qualify for coverage.</p>
<p>Co-operation among independent agencies is needed to fight ransomware’s breadth. Canada’s <a href="http://www.cbc.ca/news/canada/cse-what-do-we-know-about-canada-s-eavesdropping-agency-1.1400396">Communications Security Establishment</a> set a good example two weeks ago when it made its <a href="http://www.cbc.ca/news/technology/cse-canada-cyber-spy-malware-assemblyline-open-source-1.4361728">Assemblyline malware analysis software</a> publicly available to tech professionals.</p>
<p>In contrast, the U.S. National Security Agency sets a bad example: It <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">had known about a weakness in Windows</a> for years, but didn’t tell Microsoft until early 2017.</p>
<p>Law enforcement likewise needs to cooperate across jurisdictions. September’s <a href="https://www.interpol.int/News-and-media/Events/2017/5th-Europol-INTERPOL-Cybercrime-Conference/5th-Europol-INTERPOL-Cybercrime-Conference">Interpol-Europol Cybercrime Conference</a> was a good step in this direction.</p>
<p>As foreign hackers increasingly “tax” domestic businesses, ransomware becomes a national security issue. Governments may need to negotiate agreements like those covering <a href="http://www.un.org/depts/los/piracy/piracy.htm">seaborne piracy</a>.</p>
<p>Finally, firms might consider keeping key systems disconnected from the internet, as some military computers have always been. Just because anything can be online, it doesn’t mean everything should be.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Like legitimate e-commerce, ransomware e-crime is increasing in scale, value and sophistication.
Michael J. Armstrong, Associate professor of operations research, Brock University
Teju Herath, Associate Professor of Information Systems, Brock University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/83987
2017-09-26T16:43:59Z
2017-09-26T16:43:59Z
Here’s why South Africa’s online shoppers keep coming back for more
<figure><img src="https://images.theconversation.com/files/185822/original/file-20170913-23154-1d3reon.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Online retailing is a relatively new phenomenon and a small element of retailing in Africa.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Online shopping is becoming ubiquitous in many parts of the world. The internet today enables retailers to open online and serve customers at any time of the day without the need for them to visit a physical store.</p>
<p>This is especially true in countries like China, the US and the UK, which <a href="https://www.business.com/articles/10-of-the-largest-ecommerce-markets-in-the-world-b/">lead the pack</a> when it comes to e-commerce. Globally, e-commerce is a trillion-dollar industry and <a href="http://www.emarketer.com/Article/Global-B2C-Ecommerce-Sales-Hit-15-Trillion-This-Year-Driven-by-Growth-EmergingMarkets/1010575">online retailing</a> is a major part of it.</p>
<p>Online retailing is a relatively new phenomenon and still a small element of total retailing in Africa. In South Africa, for instance, <a href="http://mybroadband.co.za/news/business/105151-big-money-behind-online-shopping-in-south-africa.html">total online sales</a> in 2016 were estimated at <a href="https://www.moneyweb.co.za/in-depth/ecommerce/growth-of-ecommerce-in-sa-still-exceptionally-high/">R9 billion</a> which was only 1% of <a href="http://www.worldwideworx.com/retail2016/">total retail sales</a>.</p>
<p>The <a href="http://www.itnewsafrica.com/2017/03/nigeria-leads-africas-7-highest-internet-using-countries/">rapid penetration</a> of internet technologies around the continent provides hope for e-commerce’s continued growth. Firms that want to enter the online retailing market must learn and develop strategies that will help them benefit from this growth.</p>
<p>I undertook a <a href="http://www.tandfonline.com/doi/full/10.1080/20421338.2016.1222752">study</a> that looked at various factors that influence customer attitudes towards online stores. It focused on existing online shoppers from South Africa’s Gauteng province, which is the country’s economic powerhouse. There were 201 respondents in the study. All were older than 18 and from the middle- to upper-income groups according to the <a href="http://www.saarf.co.za/lsm/lsms.asp">South African Living Standard Measure</a>. 98 were men and 103 were women. </p>
<p>The respondents completed a structured questionnaire. They gave answers on a scale from 1 (strongly disagree) with a statement to 5 (strongly agree). The customers were asked to have a specific online store in mind when answering the questions.</p>
<h2>The findings</h2>
<p>The findings showed that customers, in general, were positive about the online retail stores they were using. Four main factors influenced their attitudes and intentions to shop at a particular online store again. These were: </p>
<ol>
<li><p>Store offerings: Denoted by the choice of products and the price at which the products are offered, this emerged as the main source of customer value associated with a store. Customers rate an online store’s offering as high when they are happy with the type and quality of products on offer as well as the price at which these are offered.</p></li>
<li><p>Navigation aids: This refers to website elements that help shoppers to easily find what they are looking for. Navigation aids can make online store visits easy and encourage shoppers to take desirable action like visiting more pages associated with an online store and purchasing products. Examples of online store navigation aids include a good site map, a FAQ (frequently asked questions) section and a built in search facility.</p></li>
<li><p>Security concerns: Online shopping entails sharing of personal information, including credit card details and many respondents were anxious about the security of such information. They worry about data breaches and the possibility of their personal information ending up in the hands of hackers or other unauthorised people. </p></li>
<li><p>Fulfilment reliability: This refers to dependability in the way in which online shopping orders are processed. It is about having the right products delivered to customers within stipulated time frames.</p></li>
</ol>
<h2>Implications for retailers</h2>
<p>Online retailers need to realise that not everyone who has access to the internet is a potential customer. Segmentation and target marketing are key to ensuring that customers are satisfied with an online store’s offering. When this is properly done, it will help an online store to stock products and implement pricing strategies that will have high appeal to the target market. </p>
<p>It’s also important to give serious attention to online store design. Good navigation aids make a store easy to reach and easy to search, and ease of navigation is critical to enhancing any online customer’s shopping experience. </p>
<p>Thirdly, online retailers need to appreciate that their customers are likely to have some security concerns. Online retailers have a duty to help ensure their customers’ security by keeping up to date with technological developments in this area and using the best security systems available. </p>
<p>The study’s findings about order fulfilment show how important it is to invest in a good order processing system. Customers need a clear indication of when they can expect their orders. If there are any delays customers must be informed in good time to quell their anxiety. Online retailers should invest in order tracking services so customers can easily follow the progress of their orders. </p>
<p>It is worth noting that focusing on these four factors – store offerings, navigation aids, security concerns and reliability in order fulfilment – can encourage customers to repurchase from the same store. Any online retailer must work not just to acquire new customers, but to retain existing ones.</p>
<h2>Limitations and future studies</h2>
<p>All these findings must be understood bearing in mind that the study had some limitations.</p>
<p>It was based on a sample of respondents drawn from Gauteng, which is South Africa’s most urbanised province. This means the findings may not be generalised to all parts of the country. </p>
<p>Secondly, it looked at online stores in general rather than those in a particular industry. This means that any industry differences in factors that influence attitude towards online stores could not be established. </p>
<p>Future studies may include samples drawn from different parts of the country or the continent as well as aim at establishing industry differences or similarities by focusing on retailing within a single or a few industries.</p>
<p class="fine-print"><em><span>Mercy Mpinganjira receives funding from University of Johannesburg. </span></em></p>
The rapid penetration of internet technologies in Africa provides hope for e-commerce’s continued growth. Potential online stores need to understand what draws or pushes customers away.
Mercy Mpinganjira, Professor, Director: School of Consumer Intelligence and Information Systems, University of Johannesburg
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/82088
2017-08-08T05:00:18Z
2017-08-08T05:00:18Z
Banks can’t fight online credit card fraud alone, and neither can you
<figure><img src="https://images.theconversation.com/files/181305/original/file-20170808-25514-2w1qw5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Online credit card fraud is on the rise in Australia. What can we do?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/closer-credit-card-background-232260670?src=V_2QsPKHq_H1WXAql_D4Gw-1-44">Ti_ser/Shutterstock</a></span></figcaption></figure><p>Online credit card fraud is on the rise in Australia, but pointing the finger at any one group won’t help. It’s an ecosystem problem: from the popularity of online shopping, to the insecure sites that process our transactions, and the banks themselves.</p>
<p><a href="http://www.apca.com.au/docs/default-source/fraud-statistics/australian_payments_fraud_details_and_data_2017.pdf">A recent report</a> from the Australian Payments Network found that:</p>
<ul>
<li>the overall amount of fraud on Australian cards increased from A$461 million in 2015 to A$534 million in 2016</li>
<li>“card not present” fraud increased to A$417.6 million in 2016, up from A$363 million in 2015</li>
<li> 78% of all fraud on Australian cards in 2016 was “card not present” fraud.</li>
</ul>
<p>“Card not present” fraud happens when valid credit card details are stolen and used to make purchases or other payments without the physical card, mainly online or by phone. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/inside-the-fight-against-malware-attacks-81433">Inside the fight against malware attacks</a>
</strong>
</em>
</p>
<hr>
<p>While these numbers may seem alarming, it’s important to put them in context. Australians are increasingly carrying out transactions online; the report notes that we made 8.1 billion card transactions totalling A$715.5 billion in 2016.</p>
<p>The shift towards online credit card fraud also comes at the cost of other types of fraud. Cheque fraud, for example, was down to A$6.4 million in 2016, from A$8.4 million in 2015. </p>
<p>Still, it’s fair to ask: are the banks doing enough to keep our details secure?</p>
<h2>The banks and security</h2>
<p>The banks currently have a range of measures in place to protect customers from card fraud:</p>
<ul>
<li><p><em>Chip and pin:</em> Australia mandates the use of “chip and pin” technology. This replaced the need to swipe the magnetic strip on credit cards and is recognised as being <a href="http://www.zdnet.com/article/emv-why-the-world-adopted-it/">more secure</a>.</p></li>
<li><p><em>Two-factor authentication:</em> Many Australian banks use text messages or tokens that generate a unique, time-limited code to help verify the legitimacy of transactions.</p></li>
<li><p><em>Monitoring of customer habits:</em> Australian banks typically have a complex set of algorithms that monitor the spending habits and transactions of their customers. They frequently have the ability to identify a suspicious (often fraudulent) transaction and block it.</p></li>
</ul>
<p>Overall, Australian financial institutions are investing time and technology into the prevention of fraud. However, <a href="http://www.abc.net.au/news/2017-08-03/cba-risks-massive-fines-over-law-breaches/8770992">recent allegations</a> that the Commonwealth Bank of Australia breached anti-money laundering laws suggest that the big banks are not immune from the problem.</p>
<h2>Data breaches and malware</h2>
<p>Credit card fraud is going where the action is.</p>
<p><a href="http://www.nielsen.com/au/en/insights/news/2016/information-is-crucial-for-online-australian-shoppers.html">According to the research company Neilsen</a>, “nearly all online Australians have used the internet to do some form of purchasing activity”. This means that Australians are increasingly sharing their credit card details with companies around the world. </p>
<p>Large-scale <a href="http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/">data breaches</a> are a common occurrence. Many organisations have been compromised in some way, including Australian companies like <a href="https://www.cso.com.au/article/585904/after-kmart-david-jones-confirms-hack-too-un-patched-ibm-websphere-blame/">Kmart and David Jones</a>. A variety of personal information can be exposed, and this often includes customers’ credit card details.</p>
<p>Batches of stolen credit card details can be sold on the <a href="https://www.businessinsider.com.au/heres-how-much-your-personal-data-costs-on-the-dark-web-2015-5?r=US&IR=T">dark web</a> to other motivated offenders. In one <a href="https://www.theguardian.com/technology/2015/oct/30/stolen-credit-card-details-available-1-pound-each-online">UK example</a>, such details were being sold for as little as £1 per card. </p>
<p>Offenders also use malware to harvest personal information from victims’ machines, and phishing emails that trick victims into entering bank account and credit card details on look-alike sites. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/everyone-falls-for-fake-emails-lessons-from-cybersecurity-summer-school-81389">Everyone falls for fake emails: lessons from cybersecurity summer school</a>
</strong>
</em>
</p>
<hr>
<h2>The liability fight</h2>
<p>Banks will generally refund customers for any fraudulent losses incurred on their credit cards. However, customers must take “<a href="http://www.apca.com.au/docs/default-source/fraud-statistics/australian_payments_fraud_details_and_data_2017.pdf">due care with their confidential data</a>”.</p>
<p>There is also <a href="https://www.commbank.com.au/content/dam/commbank/personal/apply-online/download-printed-forms/CC2-01062010.pdf">an onus</a> on the customer to check their credit card statements and notify their bank of any suspicious activity. </p>
<p>But this may not always be the case. In 2016, the former Metropolitan Police Commissioner in the UK <a href="http://www.bbc.com/news/business-35890028">made headlines</a> for suggesting that customers should not be refunded by banks if they failed to protect themselves from fraud. </p>
<p>Instead, he argued that customers were being “<a href="https://www.theguardian.com/uk-news/2016/mar/24/dont-refund-online-victims-met-chief-tells-banks">rewarded for bad behaviour</a>” rather than being encouraged to adopt cyber-safety practices, such as antivirus software and strong passwords. </p>
<p>These statements were met with anger by many advocacy groups who equated them with victim blaming. It was further exacerbated by a <a href="http://www.telegraph.co.uk/personal-banking/current-accounts/banks-shouldnt-refund-online-fraud-victims-says-police-chief/">leaked proposal</a> by the City of London Police to shift the responsibility of fraud losses from banks to the individual. </p>
<p>While this recommendation was never adopted, the tension may continue to grow when it comes to fraud liability.</p>
<h2>Looking for answers</h2>
<p>Pointing the finger of blame at any one party is not a constructive solution. Banks alone cannot combat online credit card fraud. Neither can their customers. </p>
<p>There are simple steps to reduce the likelihood of online fraud: having up-to-date antivirus software and strong, unique passwords is an important start. Sites such as <a href="https://haveibeenpwned.com/Passwords">haveibeenpwned</a> let you check whether a password has already turned up in a known breach, and show how exposed our passwords can be. </p>
<p>Still, it’s difficult to protect against social engineering techniques used by offenders to manipulate victims into handing over their personal details. Not to mention, the risks posed by third-party data breaches, which are beyond the control of individuals. </p>
<p>The introduction of <a href="https://www.legislation.gov.au/Details/C2017A00012">mandatory data breach reporting legislation</a> in Australia in 2017 may have a positive impact. By requiring organisations to let their customers know when their personal information has been compromised, individuals can be proactive about cancelling cards, changing passwords and taking out credit reports to check for fraudulent activity. </p>
<p>Businesses also need to recognise the importance of protecting their customer information. It is critical to overcome the mentality that cybersecurity is simply a <a href="https://www2.deloitte.com/au/en/pages/risk/articles/cybercrime-tech-problem.html">technology problem</a> or an <a href="https://www.ft.com/content/f6b50038-92a1-11e5-bd82-c1fb87bef7af">IT issue</a>. It should be firmly on the corporate management agenda.</p>
<p>Fraud is inevitable, regardless of the technology being used. Collaborative efforts between banks, businesses, government and individual consumers must improve.</p>
<p>No one group alone can effectively end online credit card fraud. Nor should they be expected to.</p>
<p class="fine-print"><em><span>Cassandra Cross has received funding from the Criminology Research Grants Scheme (Australian Institute of Criminology). </span></em></p>
The banks are dealing with rising rates of online credit card fraud, but they can’t fix it on their own.
Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology
Licensed as Creative Commons – attribution, no derivatives.