Password breaches: End-user carnage is unspoken heartache

Password breaches torture end-users more so than the hacked company, merchant or service.
Written by John Fontana, Contributor

Hear the chorus: Digital life must evolve beyond passwords.

See the reality: eBay, Spotify, Avast, Adobe, Yahoo, Target, Twitter, Zappos, Gawker, Sony, Apple (twice), Fox, CBS, Warner Bros., rootkit.com, LinkedIn, eHarmony, Last.fm, Neiman Marcus Group Ltd., and Michaels Stores Inc.

All hacked.

I know I've missed many, but there likely will be more to add in a few weeks or even days.

From a corporate perspective, the reputation backlash and financial hit from a password or data breach has become so stifling that Spotify reacted this week to the theft of a single user’s data by asking nearly 40 million other customers to change their passwords.

Target’s breach bill could eventually top $1 billion — 2.8 percent of its market cap. The CIO and the CEO have resigned. The company’s year-over-year 2013 fourth-quarter profits were down 46 percent.


The end-user carnage? Unknown, because losing your personal data can easily turn into 20 miles of uncharted broken glass. Password breaches torture end-users more than they torture the company, merchant or service. Stolen passwords are sold on the black market, and new hacks come at users from unexpected and unusual angles, with the original hacked company too far back along the trail of tears to be tagged with liability.

Wait until your biometric data is hijacked. Try changing your fingerprint, or iris scan – or undergoing a nose job, chin lift, or eye-lid reconstruction — to update your biometric passcodes.

Passwords are off the rails. Access control is in tatters. And many companies are proving they're not secure or savvy enough to protect personal data, or don't care to do so.

Last year, Deloitte Canada's research organization said 90 percent of user-generated passwords would hold up for mere seconds under pressure from hackers.

What’s a big next step toward repair?

Consumers must finally see the value of their personal data and demand protections when it's shared with providers. The argument is the same for IT and enterprise user populations let loose in a world where cloud apps and services are as much a part of the network as a Cisco router.

A recent Ponemon Institute report says 110 million American adults had their personal data exposed by hackers in the past 12 months alone, which totals some 432 million accounts. And that number multiplies if the passwords to those millions of accounts were re-used on other accounts.

Corporations are first buddying up to protect themselves.

This week, the Retail Industry Leaders Association and major retailers debuted the Retail Cyber Intelligence Sharing Center (RCISC) to identify and prevent cyber attacks.

It's a noble cause, but the profile of these hacks, including Target and eBay, shows the damage was done well before the hacks were even discovered. So sharing would happen post-breach. With that track record, the best RCISC will get is a sacrificial lamb whose experience may help other members. With attack vectors constantly changing, that's a losing game to play.

RCISC's board of directors includes senior executives from Target, American Eagle Outfitters, Gap, JC Penney, Lowe's, Nike, and Walgreens Co.

Government agencies include the U.S. Department of Homeland Security, U.S. Secret Service and Federal Bureau of Investigation.

If these corporate alliances include protecting customer data in their mission, then where is an agency like the FTC's Bureau of Consumer Protection in the equation? The FTC is not ignoring digital life; it is advocating for more protection so consumers can control their personal information.

It is disingenuous when a hacked company announces that financial information was not breached. It implies financial data is more valuable than personal data.

But it is common knowledge that consumers are not liable for unauthorized credit card transactions. Visa, MasterCard, Discover, and American Express all offer $0 liability guarantees.

Would you rather call a 1-800 number to end the carnage or change a password on each of the 25-30 sites where it was re-used and then wait for the next stealth attack or breach?

Retailers and service providers need to get out of the password game; it is not their core competency, and they eventually hurt their customers, their reputations and their bottom line.

In a new and emerging architecture, identity providers (IdPs) will take on responsibility — and more important, liability — for authentication, personal data and other identifying attributes. It will be contractual. That's called skin in the game.

The OAuth 2.0 protocol, gaining favor among IdPs such as Google and Yahoo and among IT software vendors, gives the IdP the proactive ability to revoke users' access tokens if a relying party is breached. Because the merchant or service holds only a token, never the user's password, the response to a breach is not a password change: the IdP revokes the tokens it issued to that service, and users re-authenticate to the IdP to get a new one.
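As an added illustration (not code from the article, and not the implementation of Google, Yahoo or any other IdP), the toy Python model below shows the mechanism this describes: the IdP alone holds the salted, stretched password hash; a merchant stores only opaque tokens; and a breach at the merchant is answered by revoking that client's tokens, after which the user signs in again with the same password while their sessions at other services keep working. The introspection and revocation calls mimic the shape of RFC 7662 and RFC 7009 respectively. The client names, the user, the sample password, the one-hour lifetime and the per-client bulk-revocation policy are all assumptions made for the example.

```python
"""Toy model of OAuth 2.0-style token revocation at an identity provider (IdP).

Added illustration for this article, not code from any real IdP or merchant.
Client names, the user, the password and the token lifetime are made up.
"""
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """Holds the only copy of user credentials (salted PBKDF2 digests) and
    issues opaque bearer tokens to registered relying parties (OAuth clients)."""

    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest)
        self._clients = set()
        self._tokens = {}   # token -> {"sub", "client", "exp"}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(salt, password))

    def register_client(self, client_id):
        self._clients.add(client_id)

    def authenticate(self, username, password, client_id):
        """The user proves the password to the IdP, never to the client; the
        client receives only an opaque, expiring token bound to that client."""
        if client_id not in self._clients or username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(stored, self._digest(salt, password)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": username, "client": client_id,
                               "exp": time.time() + 3600}
        return token

    def introspect(self, token):
        """RFC 7662-style introspection: is the token live, and for whom?"""
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] < time.time():
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "client_id": rec["client"]}

    def revoke_client_tokens(self, client_id):
        """Breach response (RFC 7009-style revocation applied in bulk): kill
        every token issued to the compromised relying party. Passwords are
        untouched, so affected users simply sign in again."""
        doomed = [t for t, r in self._tokens.items() if r["client"] == client_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


class RelyingParty:
    """A merchant or service that stores tokens, not passwords."""

    def __init__(self, client_id, idp):
        self.client_id, self.idp = client_id, idp
        self.sessions = {}  # username -> token; this is all a breach exposes

    def login(self, username, password):
        token = self.idp.authenticate(username, password, self.client_id)
        if token is not None:
            self.sessions[username] = token
        return token is not None

    def call_api(self, username):
        """Every request is checked with the IdP, so revocation bites at once."""
        token = self.sessions.get(username)
        return token is not None and self.idp.introspect(token)["active"]


def breach_scenario(password="correct horse battery staple"):
    """One user, one password, two services; the shop's database is stolen."""
    idp = IdentityProvider()
    idp.register_user("alice", password)
    for cid in ("shop.example", "music.example"):
        idp.register_client(cid)
    shop = RelyingParty("shop.example", idp)
    music = RelyingParty("music.example", idp)
    shop.login("alice", password)
    music.login("alice", password)

    loot = dict(shop.sessions)  # what the attacker walks off with: tokens only
    result = {"loot_usable_before_revocation": idp.introspect(loot["alice"])["active"]}
    result["revoked_count"] = idp.revoke_client_tokens("shop.example")
    result["loot_usable_after_revocation"] = idp.introspect(loot["alice"])["active"]
    result["shop_session_dead"] = not shop.call_api("alice")
    result["music_unaffected"] = music.call_api("alice")
    result["relogin_same_password"] = shop.login("alice", password)
    result["shop_works_after_relogin"] = shop.call_api("alice")
    return result
```

Calling `breach_scenario()` returns a dict showing the stolen token usable before revocation and dead after it, Alice's session at the other service untouched, and a successful re-login at the breached shop with her unchanged password. Revoking by client ID is one policy choice; a real IdP would also rotate the breached client's own credentials, which this toy omits.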

And there are other on-going efforts including multi-factor authentication, federated SSO, and on-board mobile access controls.

Perhaps something like a sky-high hike in insurance liability policies for those companies issuing and storing user passwords might convince corporate executives that passwords are no longer a gamble worth taking.

When you build your business in a flood plain, you pay extra to insure against disaster. And passwords are in the saturated throes of a 100-year event.

Even the inventor of the password, 87-year-old Fernando Corbató, said last week, “unfortunately, it’s become kind of a nightmare.”

Yes, it is a nightmare. For end-users, especially. They trust their stored personal data will be protected via current standards; they suffer when their data is stolen, and they can’t write the consequences off on their balance sheets.

What additional steps do you think are needed to address or limit the password problem?
