Do you want people accessing and reading your email account whenever they choose? How about logging in to your bank and transferring all your money? The bad news is that your password for both could quite easily by discovered if you don’t understand how passwords and encryption works online, and I’m quite certain that 99% of people online have no real clue about what security online really means. What’s worse is that many people operating websites don’t have a clue either.
The two things you probably didn’t realise:
There are many many commercial sites that don’t use encryption for logins or registration, so if you’re using such sites over your coffee shop’s wifi connection your passwords can easily be picked up.
There are also many sites that store your password in plain text on their server. This means anyone at those companies can read your password, and since you’re like most people you probably use that password for everything online including your email account and your bank account. How much do you trust the hundreds of sites you’ve given your password to?
I’ve been online since 1994, and from 1996-2006 I ran an ecommerce retail business. During much of that time, when most people made their first online purchase the media would talk a lot about whether it’s safe to shop online using your credit card. This was always frustrating to me as a responsible etailer, because it has always been the case that if your credit card is used for a cardholder-not-present transaction without your knowledge you’re not liable and the retailer has to stand a chargeback. The debate was a distraction because the risk to the individual was always low, the person holding the real risk was the retailer.
Things have moved on and now the media and the public are worried about privacy, and get worked up about whether or not Facebook should show you ads based on your likes, or use your list of mobile numbers to suggest friends to connect with through their site. Yes, we all want our data to be private and we want to understand what companies are doing with it, but the far more important issue of security generally has still not been adequately addressed; people are complacent and clueless about the risks, and have no idea how to reduce that risk.
Encryption is good, right?
The vast majority of our internet browsing is done unencrypted, there is simply no need for it. But for things like internet banking, you should see the padlock symbol in your browser address bar indicating that your session is encrypted, and what this means is that – no matter what internet connection you are using – the data you are looking at on your screen is encrypted all the way back to the bank’s server at the other end. Your data could be travelling over the free and completely insecure wifi connection in your coffee shop, or a corporate network with super-duper firewalls, but it doesn’t matter, there is no risk to you because the encryption is end-to-end.
Encryption of logins and passwords only:
What about other less critical services where you probably don’t care if the entire session is not encrypted? It’s still highly desirable that the login process including transmission of your password is encrypted. Let me explain; many sites will use encryption for the login, so your username and password are transmitted securely. Once they have established who you are, then the encryption is turned off again, the padlock disappears and you proceed to use the rest of the site as normal. That’s fine because once your data is out on to the internet it’s split up into tiny fragments anyway and sent a hundred different ways to arrive at its destination, so while there is still a risk someone could intercept your data, the likelihood is very low. Such sites using this partial encryption, like Amazon and Linkedin turn it on again and get you to re-enter your password for any account changes, to verify it’s still you.
But as I said earlier, there are many many commercial sites that don’t use encryption for logins or registration, and many that store your password in plain text on their server.
How do you know a site is storing your password in plain text?
One likely indication is if the site emails you a record of your password after registration, or if you forget it and ask for it to be sent to you. It’s not a definite indicator, but as many as 30% of sites are thought to store passwords in the clear, and those that email you your password (which is bad practice), are more likely to store it badly too.
To test this now take your usual password and do a search in your email for that word…
ok, did you do it?
Unless you are using different randomly generated passwords for each site (clever you!) then you should see a list of many sites that are probably storing your password in plain text when you do that search. Is that the one you also use for your banking? Let’s be clear what this means, anyone who has access to those databases in those companies can read your password.
ok, here’s your chance to go and do that search if you didn’t already!
Now, most companies are honest and wouldn’t do anything with your password, but how about a disgruntled or dishonest employee, or a hacker steals their entire database? Or someone at that company takes a backup of their database home on a weekly basis, but on one occasion he goes out for a drink on his way home, and overnight his car is broken into and that CD ROM finds it’s way into the hands of some criminals?
Perhaps you think that’s far fetched or unlikely to happen? Possibly but I bet you’ve used a public wifi network without realising the risks.
The danger of public wifi networks
For example, your local coffee shop or favourite hotel lounge where you like to go for a couple of hours in the day for some meetings and some peace out of the office. These public wifi connections are nearly always unencrypted, and unlike when you are using the internet normally from your own connection – when your data goes straight from your computer out on to the internet, where it’s then jumbled up with everyone else’s data – in a coffee shop, if someone there at the same time is “sniffing” the connection they can see everything you are doing (if it’s not encrypted) before it goes out on to the internet. This applies whether it’s your local cafe sharing a domestic internet connection, or one of the massive international wifi networks operated by a telecoms company.
So here’s what any hacker might be able to see in a typical session:
- logging in to your email
- downloading your email
- replying to email
- logging in to Facebook
- commenting on Facebook
- uploading a photo
- visiting your bank’s home page
- selecting the page to login for internet banking,
viewing your bank balance
paying that overdue bill
- browsing the bank’s general pages for info on overdraft fees
- visiting Amazon
- browsing for a book
- adding that to your cart
checking out and entering credit card details
- visiting Google, doing a search
- clicking on the link
- visiting that new site, which is a private forum for bike lovers
- registering and typing in your password for the site
- logging on with that username and password
- browsing the site
Don’t worry, the parts crossed out are encrypted and safe, but – when it really mattered – did you remember to check for the padlock, to confirm they were actually encrypted?
A good example of where being padlock-aware matters is when I was recently sent a link by a company to pay one of their invoices online, but the linking page on their website which points to the payment screen didn’t use https at the start. So while the following page said “welcome to our secure encrypted payment page” it was quite happy to load in the clear with no encryption! I pointed it out to the company and guess what, a month later and they’ve still not fixed this pretty simple error.
How sites compare:
Often sites that are not using best practices are doing so because the site owners are not clued up themselves on security issues, and sometimes it’s just simply an unintended screwup. But sometimes a deliberate decision has been made by a company that encryption is not required. e.g. Ning, the massive provider of private social networks. This company is well funded by top VCs and is generating revenue and profits as well but neither registration, login or browsing is encrypted. WordPress uses an encrypted registration page but then gets you to login over a regular connection, which kinda defeats the purpose of the secure connection for the first part.
What you can do to stay safe online:
- Use a VPN when using a public wifi connection, so your traffic cannot be intercepted by someone sniffing the network. A VPN service is inexpensive, costing as little as $7 a month. Browse a range of VPN providers here. Failing that, just don’t use public wifi, a 3G dongle is safer.
- Always check for the padlock when registering, logging in, paying for stuff and for anything else that matters to you and which you want to remain private. Don’t assume a site is secure when it might not be, so get in the habit of looking for the padlock.
- Be smart with your passwords. Use services like my1login or Lastpass to generate and then store unique long passwords for each site you visit. You have no idea which sites securely store your password and which don’t, so the only way round this is to use a different password on every site. Only use password software to store passwords and not word documents, email accounts or anything else, as these offer no protection or encryption.
- Turn on encryption where possible. Some sites, such as Facebook now give you the option to enable secure browsing for your entire session. (Click on Account Settings and then Security to enable this). This at least reduces the likelihood of casual hijacking of your account if you’re too lazy to use a VPN over wifi networks.
- Use two-factor authentication when offered: Big companies have used this for years to allow employees secure access to corporate networks, but it’s now more widely available with some banks and even Google offers it to users of its Apps for Business service. It works by you having to enter a randomly generated code along with your usual login credentials. The code is generated by a dongle, or through an app on your mobile phone. Without access to that device neither you, or anyone else can logon, even if they know your login and password.
- Make sure encryption is enabled on your home/office wifi connection. It’s highly unlikely that you’ve switched this off, as all routers now come preconfigured with this on, but you might want to double check just in case. WPA2 is what should be turned on.
I hope you feel somewhat enlightened after reading this, and are more careful about your own personal data security more, and if you do operate a site, better understand how you store and protect users’ data and work out if you need to improve it.
For the dedicated reader, here’s a bonus rant:
What Governments could do:
Governments as a whole don’t understand technology or how to regulate it, and a great example of this is that the European Union has directed all member states to implement a ridiculous new law on Cookies this year. This will severely effect users enjoyment of, and owners smooth operation of websites, while protecting no one from any real danger online. [It seems designed to restrict personalised advertising online. Advertising is what makes a lot of websites pay for themselves, and so if we're going to get advertised at, at least make those ads relevant?]
Instead of wasting their time, our money, the resources of web site operators and pissing off users, they could perhaps have looked at creating some legislation to force website operators to come up to a minimum standard of security for protecting peoples data and passwords. Like PCI DSS but not just for payment data, but for user data and passwords. That would deliver a much greater benefit to the general public by keeping the data that really matters to them, safe. It would also reduce the number of embarrassing data breaches (hello, Sony!) and raise the level of awareness both in the industry as well as with consumers.
[If the giant Sony Corporation so royally screwed things up with the hack in to their PS3 database, how crap do you think a lot of much smaller companies are at managing data securely?]
I don’t know why Governments haven’t looked at this? Possibly because it’s a lot easier to find sites that are non-compliant on the very stupid cookie directive than it is to work out if sites are storing passwords sensibly or correctly encrypting pages that should be secure, but just because something is hard to police doesn’t mean they shouldn’t take any action.
Would love your comments, reactions or advice below, thanks!