Now that the ‘OPIE’ leak has your attention
As the crisis surrounding the “OPIE leak” grows, everyone whose information was exposed through the Office of Personnel Management (OPM) breach and others like it should think through what to do, immediately and over the long term, to strengthen their online security practices. This is especially true for people who depend on online interactions for their personal and professional business dealings.
Some of these steps can be taken by individuals; others must be taken by industry and by government. Beyond both, we need to recognize that a general mobilization at the national level is required to combat the growing dangers of cyber crime and cyber espionage.
Given the history of hacked defense contractors, banks, and government departments at the federal, state and local levels, and with the most sensitive of our personal information now in the hands of who knows whom, it is time to accept that we will have to take a step backwards in convenience in order to move forward in security.
Central to this effort is a personal commitment to stop choosing convenience over everything else and to put in the effort required to protect oneself.
Reinvigorating your self-protection
In the old west, when the cavalry or sheriff was not around, people had to depend upon themselves and their family and friends to defend lives and property. The cyber world is not much different. If you abdicate your responsibility to take measures to protect yourself, and hope the sheriff or the cavalry will come in time to save you, you are in for a rude awakening.
While the suggestions in this article can help protect you, be aware that a thief who already holds your personal information may still be able to defeat your online account security. There is no surefire way to escape the reach of hackers, but you can take measures that provide greater protection and, perhaps, allow the cavalry to arrive in the nick of time.
The simplest step is to use user IDs and passwords that contain no data about your current or past addresses, the names of family members and pets, or anything else logically connected to your identity, and to change them regularly and immediately after any breach notification. Even that does not cover all of the data an account uses to verify that you are you.
One of the most widely used security questions is “mother’s maiden name,” and for most accounts the answers to security questions are user defined. It is time to stop answering with everyday facts and to start answering with randomly generated strings. A randomly generated answer is not derived from anything in the records held by the government, your bank or your social media accounts, so a breach of those records does not expose it. This method is more work, but it is more secure. The question is, “How secure do you want your online accounts to be?”
Online user IDs and passwords for the serious
Strengthening your user ID and password is the first step in protecting one’s accounts and finances, yet it still gets too little thought. I recall a poster that says, “Oh no, someone stole my password… now I will have to change my dog’s name.” It makes you smile, but the practice is real. Everyone wants a user ID and password that is easy to remember. But a password built from bits of your life history, such as the names of children or parents, plus a couple of numbers and special characters, is a loose form of security that is easily overcome.
In addition, using the same user ID and password for multiple online accounts is an open invitation to criminal hackers and foreign agents: a credential stolen from one site is simply tried against every other. It is critically important to disassociate one account’s credentials from another’s so that even if one account is compromised, the others stay protected.
The classic way to do this is to ensure that your security questions and answers differ on every account, and that the answers are randomly generated strings rather than the cherished memories that are easily identified from your social media activity.
So take Bob’s email account. He uses “bobman” as his user ID and “Coco 12!@” as his password. Of course Coco is his pet, shown in multiple cute pictures on his social media account and named in notes from the vet about treatment needed. If Bob changes his user ID to “X3iT4%n” and the password to “AdF32)(hyw9*”, it becomes much harder to hack his email or any other online account. And if every account has its own randomly generated user ID and password, his online accounts become a much harder target.
Serious hardening of account security questions
Another area to master is security questions. On most accounts the challenge questions are common, pre-selected ones such as “What was the model of your first car?” and “What was the first elementary school you attended?” Most people answer from their life history, and all of that information is now exposed, if only because public records have been digitized. Using these questions is one approach to security, but the responses need to be clearly disassociated from your life and, if possible, be randomly generated strings of letters, numbers, and special characters.
For instance, the model of my first car was Mustang (I wish). My first elementary school was “Washington Elementary.” What if, rather than “Mustang,” I answer “v7#lZ1R9”? It is not a car model on this planet, but it will work, and no amount of research into my past will turn it up. And let’s say that rather than “Washington Elementary” I use “W1jKk6$gH.” Not a school name, but if the system accepts the answer, I am much safer. A random answer only defeats guessing and lookup; it offers no protection if the site itself is breached or you are phished into typing it, so treat such answers exactly like passwords. Look for ways to harden your responses to questions and use information that has no relation to you or anyone you know.
We need to address one security item that virtually all online accounts use: the “mother’s maiden name” question. I tried this on an account recently and it worked. Theoretically my mother’s maiden name might be Smith. If I replace “Smith” with a randomly generated sequence like “Bf3tN8z!”, I have made the task of knowing or guessing my mother’s maiden name far harder for others. Some accounts will only allow alphabetic characters; there, use a longer random string of letters to make up for the smaller character set, and industry needs to lift that restriction for the sake of consumers. This schema provides a layer of protection that most people do not consider when responding to security questions, and it is one effective alternative for those who are concerned right now.
Social Security numbers, which are tied to many online accounts such as bank accounts, represent a bigger challenge. Industry will have to find a way for people to use a personal identity number (or alphanumeric identifier) in place of the SSN in online accounts. If not, the government will have to allow those exposed in the OPM breach to change their Social Security numbers. Which do you think can happen faster? So this one is hard.
Taking a step back to move forward with online security
This is where the step back happens. Have pen and paper ready when you make these changes, never use the same random string for any two accounts, and write the information down on paper and store it in a secure place.
The old-fashioned spiral notebook approach works very well; decide on a format for recording the account provider, user ID, password and question answers so that every entry is recorded consistently. You can create blank template pages on your computer, print them, fill them out by hand and put an “As of” date in the upper right corner. What you should not do is type the filled-in information into your computer or mobile device or store it there, lest a hacker gather it from your device.
Also take the time to change the password and security question answers every six months, and sooner if a provider reports a breach. This is called “hardening the target”: attacking you electronically becomes harder than attacking someone else. If you use very strong user ID and password methods, store the information securely and rotate your passwords and security answers every six months, it is the best you can do to protect yourself from identity theft.
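The generation step of the procedure above (random answers sized to each site’s character rules, no string shared between any two accounts, a dated paper sheet, and a six-month rotation date) can be scripted so that the only thing done by hand is copying the output onto paper. The following is an added example, not the author’s code: the account names, the question list and the 64-bit guessing-resistance target are assumptions for illustration, and it draws its randomness from Python’s secrets module, never from the random module.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Character sets. FULL is for sites that accept symbols; ALPHA is the fallback
# for sites that only accept letters in security answers, so those answers
# are made longer to reach the same guessing resistance.
FULL = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
ALNUM = string.ascii_letters + string.digits
ALPHA = string.ascii_letters
TARGET_BITS = 64  # assumed target: ~64 bits of guessing resistance per secret


def random_string(length, alphabet=FULL):
    """CSPRNG-backed random string; never use the `random` module for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of guessing resistance for a uniformly random string."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Shortest length reaching target_bits; letters-only answers come out longer."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def build_record(accounts, questions, alpha_only_sites=(), as_of=None):
    """Fresh user ID, password and per-question answers for each account."""
    as_of = as_of or date.today()
    record = {
        "as_of": as_of.isoformat(),
        "rotate_by": (as_of + timedelta(days=182)).isoformat(),  # about six months
        "accounts": {},
    }
    for acct in accounts:
        alphabet = ALPHA if acct in alpha_only_sites else FULL
        answer_len = length_for_bits(TARGET_BITS, len(alphabet))
        record["accounts"][acct] = {
            "user_id": random_string(length_for_bits(TARGET_BITS, len(ALNUM)), ALNUM),
            "password": random_string(length_for_bits(TARGET_BITS, len(FULL)), FULL),
            "answers": {q: random_string(answer_len, alphabet) for q in questions},
        }
    return record


def find_reuse(record):
    """Pairs of (account, field) that share a value across the record; should be empty."""
    seen, dupes = {}, []
    for acct, entry in record["accounts"].items():
        fields = [("user_id", entry["user_id"]), ("password", entry["password"])]
        fields += list(entry["answers"].items())
        for field, value in fields:
            if value in seen:
                dupes.append((seen[value], (acct, field)))
            else:
                seen[value] = (acct, field)
    return dupes


def format_sheet(record):
    """Plain-text page to print or copy by hand and file; not to be kept on the device."""
    pad = " " * 50  # push the dates to the upper right, as the text suggests
    lines = [f"{pad}As of: {record['as_of']}",
             f"{pad}Rotate by: {record['rotate_by']}", ""]
    for acct, entry in record["accounts"].items():
        lines += [f"Account : {acct}",
                  f"User ID : {entry['user_id']}",
                  f"Password: {entry['password']}"]
        lines += [f"{q}: {a}" for q, a in entry["answers"].items()]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample accounts and questions, not taken from the article.
    accounts = ["bank", "email", "retirement"]
    questions = ["Mother's maiden name", "First car model", "First elementary school"]
    rec = build_record(accounts, questions, alpha_only_sites={"bank"})
    assert find_reuse(rec) == []  # nothing shared between accounts
    print(format_sheet(rec))
```

The script writes nothing to disk; it prints the sheet, you copy it to paper (or print it), and then you close the terminal. The letters-only fallback comes out at 12 characters against 11 for the mixed set, which is the extra length needed when a site rejects digits and symbols.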
The need to advance emerging technologies more rapidly
There are emerging technologies that can lock down all of a person’s accounts with one step on a mobile device and unlock them the same way. These require actual communication with the service provider and rely on protocols that prevent an impostor from responding and obtaining the unlock. These techniques need to mature more rapidly; they are less convenient, but they are far more secure. In the reality show of our online lives, this is a measure that must be implemented.
There is also a newly patented and available chip for computers that is claimed to make data exfiltration virtually impossible. For companies large and small, this technology is well worth the price. In addition, an emerging cyber company offers the ability to encrypt the operating system and perform other safeguards that automatically reset the computer to a known-good state (known as self-healing technology). These are only a sample of the best-of-breed technologies available today, awaiting the public’s realization that we are in a cyber war. These new technologies show great potential.
One of the major stumbling blocks for these technologies is a lack of reasonable capital investment to make the companies viable. The time may have come for the government to create a National Alliance for Technology Evolution that would run incubators with the states and accept tax-deductible donations to fund the advancement of new technologies, with a reasonable rate of return plowed back into the fund to sustain innovation over the long term. Such a program could be self-funding within three to five years.
So guard yourself well. Whether you choose the simpler methods or the very strong and complex ones, take action today to change your online data so that it is disconnected from your life and harder for cybercriminals to guess.
Richard A. Russell is a former senior national intelligence service executive who served in progressively responsible national security positions for more than 36 years before retiring in January 2015.