Lessons learnt from the LinkedIn security breach

Summary: By now, everyone would know that the biggest tech story last week, next to the continuing stock price woes of Facebook, is professional social network LinkedIn's security breach. For those uninformed, though, here's a recap.

By now, everyone would know that the biggest tech story last week, next to the continuing stock price woes of Facebook, is professional social network LinkedIn's security breach.

For those uninformed, though, here's a recap. Last week LinkedIn confirmed it suffered a data breach resulting in user passwords being stolen. The company, however, did not reveal how many passwords were stolen, but the number was believed to be in the region of over 6 million accounts.

As of the time of this blog post, it has been reported in the media that LinkedIn has not fully gotten to the bottom of the causes of the breach and how it plans to move forward. It did, however, send out e-mail messages to affected users, warning them of the breach and that those affected would have their passwords disabled to prevent any further access by unauthorized parties.

Besides the obvious worry over what unauthorized people could do with these exposed passwords, other larger issues have surfaced that the industry and consumers alike need to ponder over and address sooner rather than later.

The first that comes to my mind is the fact that consumers like us need to be much more vigilant over the number of passwords we use, as so much of our lives is invested in the Internet.

From serious transactions such as online banking to other forms of online databases, social network accounts, multiple e-mail accounts, as well as the many app-centric accounts like iTunes, Dropbox and Evernote, to name a few, all of us are now held at the mercy of our passwords should they be compromised, as in the LinkedIn case.

Without being specific, I think all consumers need to thoroughly review how they manage their passwords and whether they're duplicating passwords for different accounts or services that they use.

Duplication in this case isn't a good idea anymore, as having just one or two passwords to access all your online services means that should a compromise happen, you'll be up a creek without a paddle.

Second, some security experts have commented that the LinkedIn case suggests that the company isn't up to par when it comes to IT security. Reuters reported that some cyber security experts said LinkedIn did not have adequate protections in place and warned that the company could uncover further data losses over the coming days as it tries to figure out what happened.

Others noted that LinkedIn's data security practices were not as sophisticated as one would typically expect from a major Internet company.

Quoting Jeffrey Carr, chief executive of security firm Taia Global, the newswire noted: "There is going to be more to come. As long as they don't know what happened here, there is a good chance that it is more widespread than originally thought."

Whatever the case may be, companies providing service over the Net, or in enterprise parlance, software-as-a-service or cloud computing companies, would need to collectively figure out how to stay ahead in their security implementation.

Which leads me to my final point. This breach clearly shows that the industry will likely need to rethink how it approaches authentication from a macro perspective. Currently, all online services, save the most secure ones, are based on one-step authentication consisting of a username and password.

The LinkedIn breach raises a question: Is there a place for the implementation of two-step or two-factor authentication for Internet services worldwide?

I'm no expert in this, but what seems obvious to me is that more must be done to go beyond just having a username and password as the primary way of authenticating the myriad digital online services that we use.
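To make the two-step idea concrete, here is an added example (not code from the article or from LinkedIn) of a login check that demands both a salted password hash match and a time-based one-time code (TOTP, RFC 6238), so that a password lifted from a breached database is rejected on its own. The user record, salt and TOTP seed are constructed placeholder values, and the clock value is passed in explicitly so the check is reproducible.

```python
# Added example: two-step login check. Standard library only.
import hashlib
import hmac
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked table of these is far costlier to
    # crack than the unsalted digests seen in many breaches.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated
    # (RFC 4226 section 5.3), then reduced to six decimal digits.
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed user record (hypothetical values, not real credentials).
SALT = b"\x01" * 16
TOTP_SECRET = b"constructed-secret-seed"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse", SALT),
        "totp_secret": TOTP_SECRET,
    },
}

def verify_login(username: str, password: str, otp, now: float) -> bool:
    """True only when the password AND a currently valid TOTP code match."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    if otp is None:
        return False  # second step missing: a stolen password alone fails
    # Accept the current 30-second window and one step either side, which
    # absorbs modest clock skew between the server and the user's device.
    for drift in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + 30 * drift)
        if hmac.compare_digest(expected, otp):
            return True
    return False
```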

As technology surges ahead and as more of our lives become so intertwined with the Net, there needs to be a fundamental re-engineering of how we access services over the Net.

But like with most things in life, so much time is spent focusing on the big things that the small things get overlooked.

For a long time, companies like LinkedIn -- not forgetting Facebook, Google, Amazon, Microsoft, as well as smaller companies like Dropbox, Box, and the like -- have been selling us the dreams of their services and what they can bring to our lives.

Don't get me wrong; yes, while these services have simplified and empowered our lives, the stark reality is that we have also become so dependent on them that the ones providing such services must also focus on the basics: that of protecting our data and information while rethinking how we access our data through their services in the most secure way possible.

Simply accessing these complex services via simple usernames and passwords can't be the way forward.

Because only when we can do so safely will the power of these services make effectual sense to us all.

Edwin Yapp

About Edwin Yapp

An engineer by training, Edwin first cut his teeth as a cellular radio frequency optimization engineer in one of Malaysia's largest telcos.
After more than five years, he hung up his radio engineering boots to try his hand at technology reporting at The Star, Malaysia's leading English daily, where he won several awards for Best Online Technology reporting.
He left to start his own editorial consultancy and is now a freelance journalist for several publications, including ZDNet Asia.
A self-confessed gadget geek, Edwin hopes his blog contributions will stir up deeper discussions within the Malaysian technology scene.

Talkback

1 comment
  • I think your question "Is there a place for the implementation of a two-step or two-factor authentication for Internet services worldwide?" needs to be answered by these large sites. The obvious answer is YES!!! When you hear that passwords were stolen, a million articles about password strength and password managers are flying around. Stop talking about strong passwords; start talking about other steps like the need to implement some form of 2FA (two-factor authentication) where you can telesign into your account to protect you if your password were to be stolen. The strength of your password or having it locked up in Fort Knox does not mean anything when it is stolen from the source. 2FA will protect you because if these thieves were to try to use your
    Branden_B