Forty two percent of IT professionals believe that the average kid could crack most end-user’s passwords using social networking tools. That’s the findings of a survey released today which was conducted by SecurEnvoy amongst 300 IT professionals who found that the average kids can now use social networking tools so proficiently that adults simply don’t stand a chance. Perhaps an even greater concern is that, with social networking sites a virtual Aladdin’s cave of personal information is now available. The security industry concur that just relying on a security question – such as mother’s maiden name, first school or pet is woefully inadequate to fend against hackers – both those already practicing their craft and the far superior younger generation about to enter the workplace!
Andy Kemshall, co-founder and CTO for SecurEnvoy said, “You just have to look at the various status updates, and veritable goldmine of information, on social networking sites – such as LinkedIn and Facebook, to see how freely personal information is given away – and in fact is actively encouraged. For example, on Facebook, by labelling relatives, it wouldn’t take a genius to work out that Mrs Jane Brooks’ daughter Susan, whose uncle is Peter Jones, probably has a maiden name of Jones. Susan’s LinkedIn account will then tell us where she works, and probably includes her email address. While many won’t be able to do any more with this information, someone wanting to attack Susan’s employer could log in, answer the ‘secret’ question and reset her password to potentially get control of her credentials.”
The study found that only 16% of security professionals believe using just a ‘secret question’ for securing passwords was enough protection. Given this figure, then, what is concerning is that 21% confessed this was the practice within their organisation to reset passwords. That translates to five percent who know it’s a risk but do it anyway, and the other 16% are just naively playing with fire.
Andy continues, “The IT professionals spoken to obviously have very real security concerns. But if we’ve got a problem today then what’s going to happen tomorrow when our technology proficient kids also join in the games and enter the workforce? We need to start getting serious about security today. To do that there are two things that need to happen – firstly, we need to educate everyone to make sure they realise exactly how much their online social habits are exposing. Secondly, organisations need to wake up to very real threat of inadequate security protection – such as password resets. Just like ‘chip & pin’ has helped prevent in person credit card fraud, apps and soft tokens as part of a two factor authentication process is a very effective security measure. If we don’t wake up to the risks and start taking security seriously, rather than being shocked that some organisation or other has been breached it will become the norm and accepted as part of every day life. I don’t think I’m happy for that to happen and certainly don’t think the rest of the population should be either.”
What is two factor authentication?
Two factor authentication (2FA) is a way of verifying a person is who they say they are. It requires the combination of two out of three possible factors – something you know – so a username, password or PIN; something you have – a credit card or token, and something you are – fingerprint. The combination of a username and password does not constitute 2FA as it is two types of the same factor.
Authentication tokens, first used over 30 years ago, generate a one time passcode (OTP) which can be entered as part of a 2FA process. They are different to PIN numbers, which are static, as they change every time and will expire within a set time. However, unlike the original physical tokens of the 80s, today OTPs can be generated by apps on a smartphone or sent via SMS making their use not only easy, but also practical. An everyday example of and OTP in use is GetCash, a service launched by the Royal Bank of Scotland and NatWest last month. The system works by sending a six-digit code to the user’s phone, which can then be entered into an ATM to retrieve the money. It can only be used once and expires after three hours.