Listening to specialists it’s in the ideas and research is looking at the issue.
Is it necessary to say that you – sorry ‘we’ – are partially faulty?
What’s the problem and what could happen?
We all let install security locks on our flat door, but we do not consider it on our computer and our connected objects.
The problem comes from our difficulty to evaluate the value of information and to manage it adequately. Because information is immaterial.
It’s our fault
Our passwords are far too weak.
We frequently use the same for all accesses.
We do not change our passwords often enough.
I’ve heard from a specialist during an awareness session to teenagers: “you should change then as you change underwear.”
We do not remember our passwords and we write them down on a Post It, stick it under the keyboard or on the screen.
I even know someone who gathers all his passwords in a notebook that always lies around and that he always takes with him.
Passwords became a weak and illusory protection.
The attacks
Some play around and search files on our computers where passwords are gathered and frequently encrypted, and try to crack them.
These who know us – we are too talkative on social networks and emails – easily guess our passwords.
The others try some tricks (I can tell you they are very creative). They also use dictionaries of our language.
If they can’t get through it directly, they install a spy application in our computer (with an email or while we visit an Internet site) that monitors our actions and our connections. This tool allow them to listen and memorize the passwords when we use them and whatfor.
It allows them to control our computer and act ‘in our name’ because they, now, know both our identifier and our authenticator.
A bit of theory…
Our name, our email address, our mobile phone number, our user name (frequently highly structured at work) allows to identify us. We call that an identifier.
In the virtual world where face-to-face is no more possible (or necessary) we need a means to be sure we talk to the right person. We use an authenticator, something that authenticates your.
There are three types of authenticators:
- something we know: a password, a pin code, etc.
- something we have: a physical key, a badge, a picture, a mobile phone with a SIM card, etc.
- something we are: biometric markers (finger prints or DNA), our signature (and, for the most sophisticated, its dynamic), our voice and its modulations.
We use the combination identifier + authenticator to be sure it’s us and nobody else.
The solutions
If the password is weak, or when the asset manager thinks it’s not strong enough for the value of the asset, he’ll use one of the other types or, even better, a combination of two of them (the most paranoid use a combination of the tree types).
For example:
- to withdraw cash from an ATM our bank requires a bank card and a pin code
- to open our safe in the bank, we need an access card, our key and a code
- …in spy films, we already saw many of them.
In Belgium – and I suppose in other countries also – we use an electronic Identity card (eID) that contains, on a chip, a unique cryptographic key registered on a server. We can connect to our personal retirement file or fill in our tax return, and to sign these actions with this key.
We can find in dedicated shops
- USB-keys with a finger print reader
- Applications that recognize our face (using the webcam)
- Computer with voice control.
We will very fast come to a moment when all Internet actors will require at least two authenticators. In the mean time, some already ask a second connection using another chanel to be sure.
I come back on this very soon…
Did I scare you? Do you have questions or proposals? Some bright ideas nobody else has had? They can help a lot.
So soon, safer with your information
Jean-Luc Allard
Google+