by Michael Miller on February 2, 2014
The story told about the Twitter handle @N is pretty terrifying for anyone who walks around thinking that their internet life is safe. Strong passwords, different passwords for every site, two-factor authentication, clever security questions and more were supposedly providing them with some measure of online security. That, of course, is the same assumption the garrison of Krak des Chevaliers made, right up until a forged letter ordering them to surrender made them hand over the whole fortress.
History proves again and again that time marches on, but nothing ever changes, and those who fail to study history won’t be able to whip out boring historical facts at the drop of a hat. Or learn from it, I guess.
The story referenced above is exactly what people bandy about as ‘social engineering’, which is another way of saying ‘your fancy passwords don’t mean anything if GoDaddy tech support lets someone call in and reset your password to whatever they request.’ As you no doubt already know, that is exactly what happened to the owner of the @N Twitter account: the attacker talked his way past support with nothing more than a few digits of a credit card number. With the GoDaddy account – and therefore the domains, websites, and hosted information – in the invader’s possession, the attacker bargained with the owner of @N to turn over the Twitter account willingly in exchange for getting the rest back.
There’s been a frenzy of online discussion (rightfully so) over this story. In terms of security advice, where do we go from here? Everything that’s been typically given as advice would have been thoroughly useless in this case. What advice do we give out now?
It’s fascinating to me that the refrain that’s gone up in many circles is ‘don’t store your credit card online!’. Really? It’s 2014 and we have to start having arguments again about the basic safety of online transactions, period, the way we were back in 1994? That’s a pretty dismal state of affairs.
A dismal state of affairs that is perfectly rational as long as your perspective is ‘prevent my online account from being compromised at all costs’. Unfortunately, that’s an immediately problematic perspective, since that’s not really possible. The minute you hand over your financial or personal data to another entity, you surrender a degree of security that you simply can’t reclaim. The kicker is that it doesn’t matter whether this entity is online or not; all that matters is that it’s not you.
The most you can do is take reasonable steps to secure yourself that will tip the balance of probability (thank you, Mycroft) in favor of your information remaining safe. The trick lies in defining ‘reasonable’. I would suggest ‘that which does not render useless the service you are attempting to use’. In other words, the same rule of thumb applies as with all things technological: when you start tipping the scales from something being a benefit to it being a nuisance in your life, it probably needs to go.
So is manually entering credit card information each time such a huge nuisance? In some settings, no. In settings where you are making multiple orders per day as part of a business? Where you don’t want to risk service interruption and have an auto-payment configured? In a life where we now have multiple online accounts for which we pay for things – for some even most things – on a daily basis on our phones? Um, yes. Can you imagine entering your credit card number on your AppleTV each time? Click, click, click goes the remote. Crash, it goes, out the window.
So what are we to do? Throw away the AppleTV? Give up on our credit card being safe and not use it? Well, you could do either, I suppose. But let me ask you this: do you assume that everything in your life is completely secure from fraud?
Credit card companies already answered this a long time ago, and the answer is…. no. Fraud happens every ding dong day, and one of the excellent reasons to use credit cards, actually, is the protection they provide the user in insulating them from the cost of fraud. In fact, the kind of social engineering that the fraudster used to get access to the GoDaddy accounts in the above mentioned story is no different than the kind of fraud that plays out on the streets, supermarkets, and houses of the world every hour on the hour. We don’t stop commerce as a result, and we are hopefully not so naive to assume that there is no risk on a daily basis. We find ways to mitigate and soldier on.
If it helps, consider this: the number of cases where someone gains access to your account illegally by being a smooth-talking swindler is far lower than the number of people who outright have their credit card stolen. We don’t stop using credit cards as a result, and I don’t think we should stop using them in online accounts either.
In other words, the entire semi-hysterical response to this event has come from people who have spent their lives figuring out ways to prevent themselves from being victims online, and suddenly realized that when you give another company all your stuff, they get to make decisions about that stuff without consulting you, promises notwithstanding. Welcome to the cloud, everybody, it’s awesome, you have no control, enjoy.
Which, I believe, illustrates what the real lesson needs to be here: these companies need to get on the same bandwagon that Visa, MasterCard, et al. got on a long time ago and flat out accept that fraud happens, that preventing it entirely is impossible, and that you have to have measures in place to repair the damage after it is done.
The real head-scratcher here is that Twitter apparently has no way of looking at their own records to see whether they match the story being told by Naoki Hiroshima, doing some investigative work with both him and the current account holder, and then giving the account back if everything checks out. If they don’t have a way to do that, they should, as should every other major internet service provider. And we should be demanding that they let us know that these measures are in place.
The other thing one should really do, by the way, is keep a local backup of all your website data. If a provider hands your account to a stranger, a copy on a disk you control is the one thing they can’t bargain with.
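As an added example (not code from the original post, and not tied to any particular host), here is a small POSIX shell routine for the kind of local backup meant above: it tars a site directory into a timestamped archive, records a SHA-256 checksum beside it, and can later verify that the copy is still intact before you trust it for a restore. The directory layout and file names are assumptions for illustration; `make_sample_site` builds constructed sample content so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: local backup of a hosted site's files with an integrity check.
# Assumed paths and sample files are for illustration only.

set -u

# Use whichever SHA-256 tool this machine has (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_site SRC_DIR DEST_DIR
# Creates DEST_DIR/site-<utc timestamp>.tar.gz plus a .sha256 sidecar,
# prints the archive path, and returns non-zero if anything fails.
backup_site() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/site-$stamp.tar.gz"
    # -C makes the archive hold paths relative to the site root,
    # so it restores cleanly to any location, not just the original one.
    tar -czf "$archive" -C "$src" . || return 1
    sha256_of "$archive" > "$archive.sha256" || return 1
    echo "$archive"
}

# verify_backup ARCHIVE
# Returns 0 only if the recorded checksum matches and tar can read the archive.
verify_backup() {
    archive="$1"
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    expected=$(cat "$archive.sha256")
    actual=$(sha256_of "$archive")
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $archive" >&2; return 1; }
    tar -tzf "$archive" >/dev/null 2>&1
}

# make_sample_site DIR
# Constructed sample content standing in for a real site's files.
make_sample_site() {
    mkdir -p "$1/posts" "$1/assets" || return 1
    printf '<h1>home</h1>\n' > "$1/index.html"
    printf 'post one\n' > "$1/posts/one.md"
    printf 'body{}\n' > "$1/assets/site.css"
}

# Run with "demo" as the first argument to see it work on the sample content.
if [ "${1:-}" = "demo" ]; then
    site=$(mktemp -d); dest=$(mktemp -d)
    make_sample_site "$site"
    archive=$(backup_site "$site" "$dest") || exit 1
    verify_backup "$archive" && echo "backup ok: $archive"
fi
```

In practice the source directory would be a local checkout of the site (pulled with `rsync` or `scp` from the host, or the content repository itself), and the destination a disk or drive that the hosting provider has no access to. The checksum step matters: a backup you have never verified is a hope, not a backup.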