printer friendly version

You’re on your own

I had a strange experience recently. I have been a ‘member’ of an online site for some time, a few years actually, in order to receive a weekly email from them. This was not an important site in that it held critical or sensitive information about me; all it had was an email address and a password.

The password I used was one I have been using for years and that I use on multiple unimportant sites simply because it’s easier to remember. My thinking is that all someone hacking that site would get was my email address and a password which would grant them access to many other unimportant accounts. The worst that could happen was I get a bunch of unwanted newsletters and spam, which I do anyway.

I recently decided to create a full profile on the site, which now includes more sensitive information about me, not bank details or anything like that, but personal details I would choose not to have floating around all over the world. And while the site has been well designed and thought through in terms of usability, when I decided I needed to change my password to something less easily guessable and also unique to the site, I couldn’t.

There was no way to change your password. And this is a commercial site that takes credit card numbers etc., but doesn’t offer you the option to change your password. I sent an email to the site’s support and received a response almost immediately – very impressive. The support person suggested I send my new password through to her and she would change it.

After all the breaches and exploits we hear of on an almost daily basis, why do companies that rely on online commerce in one form or another have no clue about security?

This got me thinking about my policy of using the same password for unimportant sites. Many people choose this option. Those who actually think about security use complex and unique passwords for banking or other important sites. But is that a good idea?

In today’s connected world there are few, if any sites of lesser importance. The reason criminal syndicates collect so much data, much of it irrelevant, is because every little bit of data they collect from one site can be linked to a little snippet of data from another site. A simple email address from an innocuous newsletter can, for example, be linked to a social media profile with work details or more personal information that can be used to build a profile of you.

Eventually all the little bits of data create a full profile of you and with this in hand, the syndicates have access to more than you would believe possible. And it’s not only your lack of security that puts you at risk. Just last week a site asked for my identity number, an unsecured, unencrypted site. Not only won’t they be getting my ID number, they won’t be making any revenue off me. It is inexcusable to put your clients’ data at risk.

Perhaps it’s because South Africa is not as litigious as America that companies don’t pay any attention to their customers’ information. After all, who is going to come after them when they put thousands of people at risk? There are some very smart people in various police departments, but there are too few of them to have a major impact. And with the country lacking a proper cyber security strategy, you and I are on our own.

So basically, look after your own information because nobody else will. Even if you’re an editor with a bank balance in single figures, money launderers still want your life because the Internet allows them to do their crime in bulk, damage many people, and get away with it.

Andrew Seldon

Editor

Share this article:

Further reading: