In light of eBay security breach, why do passwords persist?
Passwords have proved futile protection against the scourge of cyberattacks that have left eBay, Target, and others scrambling to patch major holes in customer data security. Where did the password come from, and why do we still use it?
The past 12 months have not been kind to the Internet's default security mechanism: the password.
First it was the Adobe hack last October that affected more than 150 million customers. Then the Target breach compromised the information of more than 70 million consumers. The news of data breaches just kept coming: Sears, Neiman Marcus, Michaels, and the ominous Heartbleed flaw that left passwords vulnerable to hackers for more than two years. The most recent hit was eBay, which says more than 145 million customers must change passwords to prevent further vulnerability.
Why is this form of protection, which has proved itself susceptible to increasingly savvy hackers out for this exact information, still the way that we keep our online lives safe? The long and short of it: users don’t practice safe Internet techniques, and privacy breaches don’t necessarily affect profits.
The password came about with the inception of computers. Researchers at the Massachusetts Institute of Technology (MIT) first invented it in the early 1960s, and even back then, passwords proved to be an easily circumvented security method. In one instance, a bug revealed the list of everyone’s password to whoever logged onto the machine. In another instance, a researcher who wanted more time on a computer printed a list of all the passwords and continually logged in as different users. Another researcher got a hold of the passwords and left “taunting messages” behind for a lab director.
Most researchers from the time admit that a knowledge-based authentication system would have been much smarter – something along the lines of asking a father’s middle name or the birthday of a sibling. But Fred Schneider, a computer science professor at Cornell University, told Wired that “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”
The rest is computer infrastructure history.
"It's the only piece of technology from 50 years ago we're still using today," says Brett McDowell, a senior Internet security adviser at eBay's PayPal unit to the Wall Street Journal.
It appears Internet users’ attitudes toward passwords are also largely out of date. After media outlets, computer security researchers, and even the federal government urged Internet users to change their passwords following Heartbleed, which may have left more than two-thirds of the Internet susceptible to undetectable password breaches, only 39 percent of Internet users said they had cancelled accounts or changed their passwords. Despite all the hacking news of the last few years, SplashData’s annual survey of passwords found that the two most common passwords on the Internet remain “123456” and “password,” despite many cyber security experts pointing out that these passwords are weak, easily guessable, and very common.
All right, fine. Internet users can’t be trusted to protect their own data, but at least we can rely on the private sector to heed the ever-growing threat of cyberattacks, right? After all, having millions of customers’ data compromised must be really bad for business.
Well, not necessarily.
Take the eBay hack. How do you think that is affecting business? Terribly, right?
“While security experts, the news media, and actual eBay users may have all been alarmed, the stock investors weren’t,” writes Bloomberg Businessweek’s Eric Chemi in a recent column. “EBay’s stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. That’s been the trend among companies that have suffered cyber attacks—the stock market practically ignores them. Consider Target and its own well-publicized data breach that happened back in December. Target’s stock didn’t really move at all.”
Mr. Chemi found this phenomenon isn’t confined to popular companies that were hacked such as eBay and Target. The same thing happened to T.J. Maxx, Adobe, and JP Morgan after announcing that customer data had been compromised.
“These numbers suggest that investors just don’t care much about data breaches, while hackers are incentivized to keep trying to steal data,” Chemi adds. “Maybe that’s why these events will keep happening. History repeats itself.”
That being said, a data breach can be costly and attacks are clearly growing. PricewaterhouseCoopers’s 2014 Global Economic Crime Survey found that over the last three years, 7 percent of US organizations lost more than $1 million each to cybercrimes, and 19 percent lost between $50,000 and $1 million.
With that in mind, a slew of companies have come together to form the FIDO Alliance, which is working to develop the next generation of successful authentication procedures and products. Members include Bank of America, BlackBerry, Google, Microsoft, Samsung, Netflix, and others.
Companies have tested authentication measures such as the fingerprint sensor on iPhones and new Galaxy devices. PayPal recently started accepting fingerprint swiping payment authentication as an option. There is also experimentation with local device authentication (where users insert a USB dongle as authentication) and iris scanners.
In terms of the eBay hack, aside from changing your password, the only thing to do to protect your data is keep an eye on bank accounts and beware of phone and e-mail scams. For protection against future password issues, Password Genie, LastPass, and Dashlane are all secure password storage websites where you can keep tricky-to-remember passwords for various sites.
And if you're still using "password" as your password? Seriously -- change it.