Giving Away Your Online Credentials
The irony couldn’t be greater.
Here we are, in the middle of a worldwide security storm. Thieves are deploying every technology imaginable to capture our data and steal our money. State and federal governments are passing new legislation. Agencies are publishing new guidelines. Credit unions and other companies spend billions of dollars each month to protect our information from the thieves.
Then we log onto Facebook or Ancestry.com where we enter most of the personal information those same thieves need to access our identities and our assets.
Does it matter that pundits and security authorities have warned? That headlines, security articles, presentations and even regulatory letters have alarmed? That thieves have been caught trolling social networks for user information? That spectacular break-ins have resulted from the careless entry of personal information on sites like these? Not enough.
Recent surveys show that nearly half of all public profiles on social networking sites expose the day, month and year of their births. More than half share the name of their high school. Dig a little deeper and you’ll find mother’s maiden name, street where you grew up, the name of your first dog or cat, you name it. It’s all out there, waiting to be gleaned.
How much more does a criminal need to open a new checking account, crack passwords or answer challenge questions on existing accounts?
Companies have also suffered the consequences of unthinking employees posting too many details online. Smart criminals use social networking for reconnaissance. They use details from Facebook and other social media sites to understand the organizational structure and roles of staff. Armed with this information, they customize attacks to specific roles (for example, sending a malicious document titled “Benefits Summary” to HR staff rather than IT staff).
The fact is that social engineering works very well. We want to share everything from our favorite recipe we just cooked to the Persian cat we just coiffed. Armed with these personal and revealing details, hackers don’t have to work overly hard to commit fraud.
Increased use of mobile technology has also fueled fraud. According to some security experts, smartphone owners are 33% more likely to be victims of ID fraud than non-owners. Driving the increase may be simple laziness. Nearly one third of smartphone owners do not regularly update their phones' operating systems. Nearly two thirds of smartphone users do not use passwords on their home screens, and nearly one third save login information on the device.
One effective method of thwarting cybercrime continues to be consumer education. Credit union staff and others faced with safety and soundness responsibilities must continue to impress upon consumers the importance of basic security measures. Most of these measures have not changed appreciably from years ago and are well within the control of the consumer:
- Limit the amount of personal information you post in social forums
- Use strong passwords and change them frequently
- Apply software updates as soon as they are released
- Beware of suspicious emails containing links and attachments – even those coming from known addresses
- When you work on your PC, use the administrative role only when making software changes. The rest of the time, sign in as a user with limited rights
More than the laws passed and the rules handed down, these basic measures can go a long way toward turning the tide on cyber attacks. If consumers would stop releasing personal information and secure their technology, we would be in a much better place.
Perhaps the credit union movement can continue to be the voice of reason for the public. Given the level of trust consumers place in their personal financial institutions, who better to drive home the importance of security?