How many times has your email address been compromised? You can find out on the Have I Been Pwned? website.
Unless you change your password regularly enough, you risk being hacked. Seriously, don’t put your head in the sand over weak passwords. Many people think it won’t happen to them, but one day it will. Given the number of data breaches that have happened in the past few years, it won’t be surprising to learn that your credentials have already been exposed several times over.
In one high profile case, British Airways is facing a record fine of £183m for last year’s breach of its security systems, when details of around 500,000 customers were harvested by attackers. BA initially said the breach included names, email addresses, and information such as credit card numbers, expiration dates and the three-digit CVV code found on the back of credit cards, although BA has said it did not store CVV numbers.
The General Data Protection Regulation (GDPR) that came into force last year was the biggest shake-up to data privacy in 20 years. The penalty imposed on BA by the Information Commissioner’s Office (ICO) was the first to be made public since those rules were introduced; the rules make it mandatory to report data security breaches to the information commissioner, and they also raised the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.
In another example, if you had stayed at a Marriott Hotel (including the Sheraton chain) in the past 5 years, then it is likely that all your personal information on file with them was stolen. The hack obtained your name, address, password, card details, passport number, date of birth and gender. 339 million records were taken, including 33m guest records belonging to Europeans. The UK watchdog plans to fine the hotel group £99.2m for the data breach under the new GDPR regulations.
And just recently, the credit agency Equifax agreed to pay up to $700m (£561m) as part of a settlement with a US regulator following a highly publicised data breach in 2017. The Federal Trade Commission had alleged the Atlanta-based firm failed to take reasonable steps to secure its network. The records of at least 147 million people were exposed in the incident.
These data hacks are becoming all too common, and more companies will likely face fines as breaches continue. Therefore, in order to protect your account information, it is important to update your passwords regularly.
The worst passwords from last year were revealed recently. “123456” tops the list, as it has done for the last five years. For the fourth consecutive year, the next entry on the list is “password”.
Variations of each of these passwords comprise six of the other 23 entries in the top 25. “123456789”, “12345678” and “12345”, meanwhile, complete the top five. Are you guilty? Unfortunately, online users are still using very weak passwords that are easy for criminals to guess, and in many cases they use the same password for almost everything!
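As an added example (not part of the original article), the check below screens a candidate password against the entries named above and their obvious variations: case changes, trailing digits or symbols, letter-for-symbol substitutions, and runs of consecutive digits. The denylist is constructed from the five passwords the article lists; a real deployment would screen against a much larger corpus of breached passwords, which is what NIST’s current guidance (SP 800-63B) recommends in place of mandatory periodic changes. The function names and the 8-character minimum are this example’s own choices.

```python
import re
from typing import Optional

# Constructed denylist: the "worst passwords" the article names.
# A real deployment would load a far larger breached-password corpus.
WORST_PASSWORDS = {"123456", "password", "123456789", "12345678", "12345"}

# Substitutions people use to dress up a weak base word ("p@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_form(password: str) -> str:
    """Reduce a password to the base word a guesser would try first:
    lower-case it, drop a trailing run of digits/symbols ("Password1!"),
    and undo common letter-for-symbol substitutions. Digit-only inputs
    are returned unchanged so that "123456" still matches the list."""
    candidate = password.lower()
    if not re.search(r"[a-z]", candidate):
        return candidate
    return re.sub(r"[^a-z]+$", "", candidate).translate(LEET)


def is_digit_run(password: str) -> bool:
    """True for digit-only strings that step up or down by exactly one
    ("12345", "654321"). Wrap-around such as "890123" is not detected."""
    if not password.isdigit() or len(password) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a candidate should be rejected, or None if it passes."""
    base = base_form(password)
    if base in WORST_PASSWORDS:
        return f"variation of the commonly used password '{base}'"
    if is_digit_run(password):
        return "a run of consecutive digits"
    if len(password) < 8:  # minimum length for user-chosen secrets (assumed policy)
        return "shorter than 8 characters"
    return None


if __name__ == "__main__":
    # Constructed sample candidates, including dressed-up versions of list entries.
    for pw in ["123456", "Password1!", "p@ssw0rd", "654321", "abc", "Tr0ub4dor&3"]:
        print(f"{pw!r:14} -> {weak_password_reason(pw) or 'ok'}")
```

The point of `base_form` is that “Password1!” and “p@ssw0rd” are not new passwords from a guesser’s point of view; they are the listed entry with predictable decoration, so a denylist that only does exact matching misses most of the variations the article refers to.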
Nowadays we are expected to make passwords stronger. IT expert Bill Burr, the man who made passwords so hard to remember, regrets what he did, saying that making people remember long, complicated passwords “drives people bananas”. Nearly 15 years ago, Mr. Burr wrote guidelines on password security for the US National Institute of Standards and Technology (NIST). They included suggestions that passwords should be changed every three months and be made up of a range of different characters.
Sadly we are all guilty of using easy to remember passwords, and with a large number of data security breaches, we have to find alternative ways to protect our personal data, particularly with our bank accounts.
The past two years have been particularly devastating for data security, with a number of well-publicised hacks, attacks, ransoms, and even extortion attempts. Millions and millions of records have been stolen, as shown on the website Information is Beautiful.
Yes, even I am not immune! It happened to me recently when someone posed as a good friend of mine who was doing some building work. The fraudster had my friend’s email address and was asking for payment via email. In reality, my friend’s BT Yahoo account had been hacked and I came close to making a bank transfer. Fortunately, I made a call to verify his bank details. One thing you should always do is Google the bank sort code to see if the bank is genuine. I discovered this bank sort code was flagged on the internet by many other people who were caught by this scam! It is so easy to believe an email that appears to be coming from someone you know. No doubt, other people could be fooled into making these payments. I cannot blame my friend, but did suggest that he change his password more regularly! We all need to be more vigilant.
Many leading security experts are predicting the end of passwords and their replacement with other technology like biometrics, including the fingerprint sensor that has made its way into Apple’s iPhones and other handsets. Facial recognition is also predicted to be at the forefront of password replacement.
In a recent survey by GMX, a third of the UK respondents said they prefer to use passwords to authenticate rather than biometric credentials, and 22% said that they prefer fingerprint biometrics over face or voice.
Of course, fingerprints are still more popular because of the introduction of Apple’s iPhone 4 and TouchID five years ago in 2014. Face authentication is also gaining in popularity, and this too can be attributed to FaceID on the iPhone X (10). However, in order for biometrics to go truly mainstream, consumers need choice. Therefore a blend of face, voice, iris, and fingerprint modalities is needed, particularly because environmental conditions affect all of them in some way, and consumers want reliability as well as convenience.
The GMX survey also found that 30% of respondents had at least 10 different online accounts, with a further 43% feeling overwhelmed by the number of passwords they had to remember. Alarmingly, 8% felt that remembering their passwords was more stressful than changing jobs or getting a divorce.
The fact that only 30% of UK consumers in the survey said they prefer to rely on passwords rather than biometrics shows that consumer confidence in biometrics is growing. The survey is a positive sign that consumers are ready to accept biometric authentication once their data privacy concerns have been met. So it is up to providers to meet those privacy demands by demonstrating that they are complying with all the relevant laws.
Another recent survey, from MobileIron, found that most organisations plan to adopt new authentication solutions within two years. Enabling mobile device authentication with biometric-based access is the best approach to eliminating passwords. MobileIron surveyed 150 IT and security managers and looked at a wave of technologies—including device authentication, software and hardware tokens, authentication keys, biometrics, behavioral analysis, certificates, and other approaches—that have emerged to provide alternatives to traditional password-based login processes.
The report revealed that companies are poised to enter a world powered by zero password access to business services. Below are a few key findings:
- More than 90% of respondents indicated their organization experienced a significant password policy violation in the last year.
- Mobile device authentication solutions were determined to be the easiest of all identity management technologies to deploy, while one-time passwords were indicated to be the most challenging.
- Half of respondents believe passwordless approaches to authentication are more secure than passwords.
- Enabling mobile device authentication with biometric-based access creates a “best of both worlds” scenario that ensures easy deployment, high security, and improved user productivity.