Zappos, which reported a hack attack last week, is just the latest company to notify its customers that their names, email addresses and billing information had been compromised. The online shoe and clothing company isn’t alone. Hack attacks have recently hit government agencies, news sites and retailers ranging from the U.S. Justice Department and Gawker to Sony and Lockheed Martin, as hackers become more sophisticated in their ability to steal customers’ identities and personal information.
“It’s a human problem,” says Barry Wilson, head of Wharton’s technology security team, referring to consumers’ continual failure to follow oft-repeated password safety advice. Indeed, the most common passwords continue to be “password,” “123456” and “12345678” – all of them easy marks for hackers.
One of the reasons behind consumers’ continued laxness “is that IT people have made it difficult” to be vigilant, says Wilson. “If you go to a bank, it will have one set of password specifications. If you go to Amazon, it has another set. And some of [the requirements] are pretty bad. A number of financial companies require a short password,” but in order to comply, consumers are shoehorned into “choosing a password that is hard to remember.”
Security experts have long recommended that consumers divide their accounts into critical ones versus non-critical ones. Under this scenario, a bank password would be long and complex while passwords for a newspaper subscription, retailer or blogger site would be simpler. Wilson, however, recommends that consumers “have a unique password that is as complex as it can be for every website. Setting individual passwords is far and away the best thing you can do. Losing a password in one place is never as bad as losing it everywhere.”
As the Zappos incident shows, password and identity theft is rampant. Just a few recent examples: Valve, an online service that sells games and other software, found that its database was hacked in November, compromising credit card information and passwords. Sony’s PlayStation network was compromised twice in a six-month period. RSA, a high-level security vendor, was hacked in March and had to replace all 40 million SecurID tokens, including those used by defense contractor Lockheed Martin. A token is a device normally used in addition to a password; it displays a number that changes every 30 seconds, says Wilson.
According to Symantec, the largest manufacturer of security software for computers (including Norton antivirus), web attacks increased 93% in 2010 compared to 2009, and the average number of identities exposed in each of the hacking incidents was 260,000. In addition, the range of prices “seen advertised in the underground economy for each ‘stolen’ credit card number” was between $0.07 and $100.
With all these and other hack attacks, is it likely that consumer confidence in online security will be shaken? Wilson doesn’t think so. “There is a tendency for people to believe it won’t happen to them,” he says. Nor does he think that such incidents will discourage online shopping. “That ship has sailed. I can’t go back to Borders. I buy books from Amazon.”
At the same time, consumers should be aware that “companies often don’t do a good job with your password,” Wilson adds. For example, many organizations “are not storing them correctly. Passwords have to be encrypted [scrambled in such a way that they are very difficult or impossible to recover] when they are stored. If you, as a user, go to an ‘I’ve forgotten my password link’ and the site mails it to you, they aren’t storing it safely. When that password gets hacked, all the passwords will be immediately known.”
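Wilson’s storage point can be made concrete. The following is an added example, not code from the article or from Wharton’s security team: it stores each password as a salted, one-way PBKDF2 hash (the standard practice behind the “encrypted” storage he describes), so a leaked record can be used to verify a password but never to recover it, and two users with the same password do not share a stored value. The `ITERATIONS` value and the `COMMON_PASSWORDS` list are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for illustration; raise it until a verification takes a
# noticeable fraction of a second on your hardware, which slows offline guessing.
ITERATIONS = 600_000

# Constructed blocklist built from the weak choices the article names.
COMMON_PASSWORDS = {"password", "123456", "12345678"}


def is_acceptable(password: str) -> bool:
    """Reject the most common passwords and anything shorter than 12 characters."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords produce different
    records, so cracking one record tells an attacker nothing about the others.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The site never needs the original password: it can only check a candidate,
    which is why a site that can e-mail your password is not storing it this way.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```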
But Wilson does predict that companies’ consistent failure to deal with password safety means that many will “go out of business because [repeated hack attacks] do affect people’s confidence. One of the things that hurt Sony so much was that they covered their heads for a while and tried to pretend [the compromise] wasn’t bad. As shown time and time again, you have to get in front of the problem” and describe to consumers your plan for dealing with it. Zappos is an example of a company that responded quickly and effectively to the hack, Wilson says.
Since most people can’t remember their cell phone number, let alone a series of complex passwords for individual accounts, Wilson suggests using a password manager – software that integrates with the web browser and helps users organize their passwords and PIN codes. “The best ones cost money,” he notes, adding that he uses 1Password, which charges $69.99 for a “Mac + Windows bundle” single user license. He has also used Password Safe, which is free and exists on every platform, “but is not as well-integrated and not quite as graphically well done.”
Scott McNulty, senior IT project leader at Wharton and a member of the security team, advises consumers in a recent blog post not to use words based on personal information (such as your birthday or your pet’s name) or words found in the dictionary. The longer the password the better, he writes, but most of all, don’t use the same password for all your accounts. He cites hackers’ recent success gaining access to all the emails and passwords of registered Gawker network commentators, partly because the encryption system was outdated. McNulty also reviews various password managers, including 1Password, Password Safe and LastPass. Ironically, according to Wilson, LastPass recently suffered its own hack attack, although he doubts the company will suffer much damage because it appears to have caught the potential breach quickly “and responded promptly and openly.”
If consumers weren’t aware of the rise of hackers, two articles in the press today should help remind them. A front page story in The Wall Street Journal titled, “Hackers-for-Hire Are Easy to Find” points out “just how simple and affordable online espionage has become” and notes that one site “advertises online services including being able to ‘crack’ passwords for major email services in less than 48 hours.” A front page story in The New York Times business section titled “Cameras May Open Up the Board Room to Hackers” describes the ease with which hackers can access sensitive information in videoconference rooms. As the article notes: “Businesses spend billions each year beefing up security, but they rarely consider the vulnerability of their videoconferencing equipment.”