Wednesday, September 3, 2014

Think Your Phone is Hacker-Proof? Think Again


    by John C. Abell
    The iCloud debacle that exposed celebrities' private images to the world via some clever hackers should be no surprise to anyone. After all, tech-savvy consultants have been warning people about the potential for years.

    Once and for all, nothing has ever been private. Predatory glam photographers pre-date the internet (just ask Vanessa Williams). Vindictive/opportunistic boyfriends (just ask Vanessa Hudgens) are as old as time. Trust no one (even if your name is not Vanessa). That includes your mother, who will bring out baby pictures at your Sweet 16. That said, let's not judge people who take intimate photos of themselves, or allow them. This is perilously close to blaming the victim. But do everything assuming there’s a chance it will be seen by unintended eyes.

    So: it's a given that at least some things you think should be private won't be. Sometimes this is your fault (just ask Anthony Weiner), but — see above — usually it's not. This particular security breach only affects Apple's iCloud service, but (no consolation to Apple) it might just as well have been anyone's. In the same way Microsoft Windows is especially prone to virus makers, iPhones are especially prone to dastardly hackers looking for celebrity dirt. It’s like the old bank robber motto: Why rob banks? Because that’s where the money is. Every celeb seems to have one. Even those who pitch non-iPhones (just ask Ellen DeGeneres).

    Anyone in tech knows that there is a pretty simple solution to this sort of thing: Eliminate passwords. More accurately, impose a protocol under which passwords expire quickly. As in seconds. Two-step authentication is a form of this approach. Both Apple and Google make it available for their services. Apple sends you a text with a short shelf life. Google gives you an app that syncs with a server, so you don't even have to be in a data coverage area to obtain the unlock key. The idea is that adding a time-sensitive element to a password you pick (and only you should know) dramatically increases the security of the credential.

    Enterprise e-mail users have been doing this for decades. That RSA SecurID token carried by cubicle dwellers everywhere, which generated a new key code every couple of minutes, was quite literally a badge of honor in the old days.

    Killing passwords might be simple, but it's not easy — and that's the reason fobs and multi-step solutions will remain exotic. Too many steps for too many people. Heck — we can't even get people to get behind e-wallets, which are extremely secure and mean you can leave all your unsecure credit cards in your freezer back home. Apple is (rumor has it) about to adopt the Near Field Communication (NFC) mobile payments standard, which may break the dam. But as Wired's Marcus Wohlsen wrote when Square Wallet died: "[S]o far, for both customers and merchants, the old way is just good enough that too few are willing to take the risk of jumping into something new."
    Replace "risk" with "chore" (grammarians, lighten up) and you get the idea why analog passwords aren't dying anytime soon.

    But, OK, so what? You're not a celebrity whose private photos are gold for creeps. Your password — "password" — is working just fine, right? Here's the problem. Your comfort level for the Pinterest account is one thing, but for your bank or Amazon — whole 'nother level. If merchants and the global money distribution system can't convince the normals that online buying and banking is safe, they'll opt out. If doing sensitive business online is a pain, they'll opt out. Part of the answer will be bringing the normals along slowly. This, however, feels like a huge leap that can't be broken up into baby steps.

    Are you already doing the online two-step? Good for you. How about your father-in-law? How are you going to bring him up to speed?

    And that brings us to the last point: The good news is that breaches like this make the password dilemma front-page news. It gets the normals asking questions. Still, I wonder what it will take for individuals to stop being so indifferent and resistant to change. Even investors are yawning: Apple, on this unhelpful news, is trading at historical highs. Other password breaches have left only a few dents.

    It’s pretty clear that the normals will simply still rely on the good fortune (spoiler alert!) which kept Jennifer Lawrence alive in The Hunger Games: "May the odds be ever in your favor."