Oct 07, 2014

    'Best practice' doesn't cut it for online security

    JPMORGAN Chase disclosed last week that the accounts of 83 million households and businesses were compromised this summer in a cyber attack.

    It was one of the biggest data breaches in history.

    Nine other financial institutions were also infiltrated by the same group of hackers.

    This follows news last month that account information for 56 million cardholders was stolen from American retailer Home Depot by hackers.

    Unfortunately, there are many risks inherent in online banking and debit cards.

    Computer systems are inadequately secure, and people are always susceptible to being careless about what they click on. The extent of banking vulnerabilities has once again been demonstrated by the attacks on JPMorgan and others.

    Credit cards are somewhat less risky to the customer than debit cards, although they can also be compromised.

    In a credit-card breach, the financial losses are primarily covered by the merchant, but that's not always the case with debit cards.

    Identity theft, which can result from stolen information from credit and debit cards, can be very burdensome for the customer.

    Eventually, the United States is going to see EMV cards (chip-and-PIN has been popular in Europe, and chip cards verified by a signature have been popular elsewhere), which will reduce some of the risks, but they can still be compromised.

    The truth is there is no perfect security, especially when people are unaware of the risks, as much of the American public is.

    Every computer system can be compromised via external attacks and, of course, through frequently ignored problems of insider misuse.

    There are vulnerabilities in many systems, as we saw this past month in the revelation that a bug called Shellshock had left a very serious flaw in the system of a widely used piece of software called Bash for 27 years, before it was discovered only five years ago.

    This is just the latest example of a potentially devastating vulnerability. One of the most serious is an increased reliance on storing data in the cloud.

    What is most important is the realisation that the problem is not just limited to financial systems, but extends to all the critical national infrastructure (through computerised control systems) that directly or indirectly affect almost every aspect of our lives.

    The bottom line is that anything on the Internet - or any system that has connected to the Internet at some point or can be accessed telephonically - is potentially vulnerable.

    While there are no secure computers in the commercial marketplace, security must become a top priority for all companies connected to the Internet, despite the cost of building beyond what we now consider "best practice".


    The writer is senior principal scientist at SRI International Computer Science Laboratory.