The online auction site eBay recently announced that it had discovered the compromise and theft of information from “a large number of accounts,” according to CNN Money. The announcement provides an important reminder to server and network administrators that security is everyone’s responsibility.
In response to today’s information security threats, it’s clear that all users are responsible for the security of their online accounts. As we continue to shift more of our day-to-day tasks to online services and with a growing number of threat vectors that bad guys can utilize, we can’t solely depend on a strong password to keep data and accounts safe.
Three key lessons to managing online data security can be learned from the eBay event. These lessons should give greater importance to corporate security requirements and support the efforts of administrators in implementing better security practices within their corporate networks.
Lesson 1: Control Employee Access
According to eBay’s press release, “Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network.” We don’t know what access controls eBay has/had in place, so we won’t lecture them on what they should have done differently. This is about what we can learn for ourselves, remember?
Server administrators should ensure that multiple levels of authentication are in place for employee access, especially for employees who have access to sensitive customer data. A username and password is just the beginning, and it only protects you as long as no one’s password gets stolen.
Multi-factor authentication is better and offers additional layers of access restriction and enhanced data security. Multi-factor authentication is sometimes summarized as “something you know and something you have.” Without both parts of the puzzle, login is denied. Consequently, a stolen username/password is not sufficient to gain access to the system — it only meets the “something you know” requirement. There are several options for the “something you have” requirement, and organizations can implement as many of them as they want. A couple of these options to consider:
- Client certificates. If every employee in your organization is issued a client certificate for her computer, your server can check her login credentials against her client cert and make sure they match. If they match, the server knows that not only does the employee know her username and password, but the login is also coming from a computer that she has installed the certificate on — a trusted machine. Obviously, certificates are a major part of DigiCert’s area of expertise, and we are happy to answer any questions you have about implementing this solution — you can find multiple ways to contact us on our Contact page.
- One-time passwords. Every time an employee logs in, he has to enter not only his username and password, but also a time-sensitive “one-time password” (OTP) that is unique to that person and that moment in time. These one-time passwords can be generated using custom USB tokens, key fobs, smartphone apps, SMS, or email, but because they are unique to the user, the server knows that the person entering the username and password also has control of the OTP mechanism.
In addition to the “something you know and something you have,” it probably makes sense to implement IP address restrictions on logins to make sure that your systems can only be accessed by someone on your network.
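The following is an added example, not code from the original post or from DigiCert, showing how the three checks described in this lesson (password, time-based one-time password, and a corporate-network IP restriction) combine into one login decision in which a stolen password alone is never enough. The employee record, salt, network range, and the `login` function are constructed for illustration; the OTP logic follows RFC 4226/6238 (HMAC-SHA1 HOTP with a clock-derived counter), and the seed is the RFC 6238 test-vector seed.

```python
import hashlib, hmac, ipaddress, struct

# Constructed sample "directory": one employee with a PBKDF2 password hash,
# a TOTP seed, and the corporate network range allowed to reach the login.
SALT = b"constructed-salt"
EMPLOYEE = {
    "username": "jdoe",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
}
CORP_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # constructed range

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current 30-second step plus/minus `window` steps of drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))

def login(username: str, password: str, otp_code: str,
          client_ip: str, unix_time: int):
    """Return (allowed, reason). Every factor must pass; the order of checks
    means a stolen password by itself stops at the one-time-password step."""
    if username != EMPLOYEE["username"]:
        return False, "unknown user"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(pw_hash, EMPLOYEE["pw_hash"]):
        return False, "bad password"
    if not verify_totp(EMPLOYEE["totp_secret"], otp_code, unix_time):
        return False, "bad or expired one-time password"
    if ipaddress.ip_address(client_ip) not in CORP_NETWORK:
        return False, "login from outside the corporate network"
    return True, "ok"
```

In a real deployment the employee record and hash parameters would come from your identity store, and the client certificate check from the TLS layer would sit in front of this function.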
Lesson 2: Segregate Your Key Systems
One thing that eBay definitely got right, which really helped them in this instance, is the segregation of their key systems. Although eBay and PayPal are under the same umbrella company (PayPal being a subsidiary of eBay), PayPal’s systems were not affected by the breach at eBay because they are on separate systems.
There’s no way for an outsider to know if this was a conscious decision or just a natural result of the fact that PayPal was a fully formed company and system before eBay purchased it in 2002. But whether they did it on purpose or not, the lesson we can learn is that PayPal was protected because employees with access to eBay’s sensitive data did not also have access to PayPal’s. On a corporate level, it makes sense to follow that pattern of separation of duties and access to ensure that no single hack can grant access to your entire system.
Lesson 3: Manage Your Personal Passwords
Any time your password on one site is compromised, your risk extends to any other sites where you use the same login credentials. If hackers get your password on one site, one of the first things they do is try that username/password combo on important sites — usually sites that involve money.
If you use the same username and password for online banking that you do on eBay, you need to change your password in both places. Ideally, you should never use the same login credentials in multiple places — use a unique password for every site and service. Password managers offer an easy way to manage many credentials, keep personal and corporate accounts separate, and raise the overall level of security.
Although this can seem daunting, technology makes it easy and possible. It reminds me of phone numbers. I grew up in a small town in Southern California, back when people had a house phone and that was all. Every phone number in town had the same prefix, and everyone had only one phone number, so you only had to remember four digits to be able to call someone. It was relatively easy to remember the phone numbers for all the important people in your life. These days, everyone has a cell phone, and many people still have landlines. So that’s at least two phone numbers for each person. In addition, you can’t count on everyone having the same prefix anymore, or even the same area code. So now, for every person, instead of remembering one four-digit number, you need to remember two ten-digit numbers. That is five times as many digits for each person, which really eats into your brain’s memory capacity.
Thanks to technology, though, we don’t give a second thought to lamenting the complexity of phone numbers. We just store them in our phones and move on. I know my mom’s home phone number and her cell phone number, but the number I actually call her on the most is her work number, and I have no idea what that number is. It’s in my phone, in the third spot on my Favorites list. I couldn’t tell you a single one of my neighbors’ phone numbers, but I can call them whenever I want to. My phone does all the “hard” work of remembering numbers.
Every User Needs to Think Security
Security is everyone’s responsibility.
We need a fundamental shift in our mindset about password usage and how we manage account access. There are tools out there that will manage all of your passwords for you, which makes it easy to use unique passwords for every site. Tools like 1Password, LastPass, or dozens of others will generate random passwords for you and enter them for you with a simple keystroke. Just as I can call my mom at work by pushing the “Mom Work” button on my phone, you can log in to your eBay account by essentially pressing the “eBay Login” button in your password manager.
You would never try to use “I forgot your phone number” as an excuse for not calling your mom — let’s stop using “I can’t remember unique passwords for every site” as an excuse for putting our identities at risk.
By leveraging available technology and improving account access controls along with strong password policies, we can improve the state of online data security and reduce the negative effect of compromised accounts online.