Tuesday, January 17, 2012

Check Your Inbox, You May Not Be As Safe As You Think You Are.....

Even if you aren't a Playstation junkie, you probably read something about Sony's network getting hacked last year. This exploitation of an international company with a massive user base made for headline-grabbing news for several weeks. In fact, it took Sony months to harden its Playstation architecture and fully restore all network functionality. As recently as October 2011, Sony admitted its network was compromised again and it closed over 90,000 user accounts.

Why am I writing about this "old news" today? Because another major company database was recently compromised, and if you didn't check your inbox carefully you may have missed it! Zappos, the very popular online shoe service which a little online retailer called Amazon acquired in 2009 for 1.2 billion dollars, sent this message out to its customers yesterday (January 16, 2012):

First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
The database that stores your critical credit card and other payment data was NOT affected or accessed.
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com

If companies the size of Sony and Amazon are vulnerable to these intrusions, imagine what companies with fewer engineering resources, or less ethics, may be experiencing. Resetting a single password isn't overly time consuming, and I am thankful that Zappos proactively took the step of forcing a reset.

How many of you still use the same, or very similar, passwords across your digital universe!? I bet there are more of you raising your hand in the privacy of your home than not! My father, who was a brilliant attorney and wise in so many ways, struggled with authentication issues at work and home. Part of his "solution" was to keep passwords "simple," and I mean this literally! I warned him of the folly of this approach, but it fell on deaf ears. He passed away amazed at how pervasive computers and the internet had become in his life. (Less than twenty years ago, he stated that he would finish his law career using the same two-fingered typing style which worked during his time at Harvard Law School. He thought he would practice law without having to personally interact with computers on a consistent basis! By the time he left us, he had multiple computers in his personal office, and rightly considered the law firm's complex telephone system, which was tied to billing, a "computer" in its own right.) Pop had a computer at home with data he considered so critical that he (again literally) ran into a burning house to rescue "the brains," as he called it, which contained his Quicken file with over a decade of transactions. (Yes, until the house burned he also ignored my admonitions for both on-site and OFF-SITE backups!)

Pop's "simple" password unlocked the door to all of these systems, and were he to receive the notice from Zappos, it would be critical that he change all of his passwords immediately!!! (If you relate to my father's approach to computer security, you may want to stop reading and start changing all of your passwords, starting with your bank account(s).) Of course the problem for my father, and myself, and most likely the vast majority of my readers, is that secure passwords are, by definition, all but impossible to keep track of and remember!

Periodically, you will see an article attempting to simplify the creation of complex passwords (or better, passphrases!!!), but I don't find any of these solutions to work for me. One idea is to shift your fingers on the keyboard one row and/or key while typing a common word. So, "simple" could become "WIJ0O3." or another nonsensical term. This is too hard for me, and it still doesn't prevent you from replicating this new password/passphrase across multiple sites, which is half the danger!

The only solution I have found is to use Roboform (or Roboform Everywhere; $9.95/year) or Last Pass (free). But don't just use these to help you remember passwords and fill in forms (which are wonderful time savers in and of themselves); use the programs' password generator feature! That is the real beauty of these programs: you aren't remembering the actual passwords, so who cares if your bank password is "bf6s71tD"? In fact, you should care, because it is unique, totally random, and not based on any term found in a dictionary (which is important if you want to foil some hacking attempts).
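To make the two points above concrete (a generated password is drawn at random from a large alphabet, and reusing one password or a near-copy of it across sites is "half the danger"), here is a small added example in Python. It is not code from Roboform, Last Pass or this post; the vault contents and the "similar password" rule are constructed for illustration.

```python
import math
import secrets
import string

# The 62-character set that an 8-character password like "bf6s71tD" is drawn from.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly at random using the OS CSPRNG behind `secrets`.

    This is the property a password manager's generator gives you: no dictionary
    word, no keyboard pattern, and a fresh value for every site.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random string: log2(alphabet_size ** length).

    8 characters from 62 symbols gives about 47.6 bits; a single word picked from a
    100,000-word dictionary gives only about 16.6 bits, however clever the word.
    """
    return length * math.log2(alphabet_size)


def normalize(password):
    """Constructed 'similar password' rule: ignore case and trailing digits/punctuation,
    so "simple1", "Simple!" and "SIMPLE2012" all collapse to "simple"."""
    return password.lower().rstrip(string.digits + string.punctuation)


def find_reuse(vault):
    """Given {site: password}, return {canonical_form: [sites]} for every password
    that is shared, exactly or in similar form, by more than one site.

    This is the check to run over your own accounts after a notice like the one
    from Zappos: every site listed together here needs a new, distinct password.
    """
    groups = {}
    for site, password in vault.items():
        groups.setdefault(normalize(password), []).append(site)
    return {form: sites for form, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a variant of "simple".
    vault = {"bank": "simple1", "shoes": "Simple!", "mail": generate_password()}
    print(f"8 chars from {len(ALPHABET)} symbols: {entropy_bits(8, len(ALPHABET)):.1f} bits")
    print("Sites sharing a password:", find_reuse(vault))
```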

Unless your computing environment supports biometric authentication, you will still have to remember one master password, and it probably shouldn't be "simple" (sorry Pop), but creating one master password to unlock and protect your online world is a very small price to pay! If you aren't using one of these programs and its password generating feature, why not?

One more thing: once you have all of your authentication securely updated using Roboform or Last Pass, be sure to save a digital version of your password file and master password (or even print it out if you must) and place it in your safe deposit box or pass it along to your attorney, executor, or trusted family member. If something happens to you, accessing your account information will be critically important to those left behind.

Buying shoes, and everything else, online is wonderful! It isn't easy to drag me out to a store for any reason these days (just ask my daughter, step-mother, or girlfriend). Just be sure that the hacker reading the Zappos database doesn't learn anything more about you than your shoe size!

I currently participate in the Amazon Associates Program, and certain item links included within this post may tie to this affiliate program.

I hold a long position in $AMZN

Companies: Amazon, Last Pass, Roboform, Zappos

This commentary is not meant as an endorsement of any company or to provide financial advice. If the author has any financial interest in any company mentioned at the time of this article's posting, it will be explicitly noted. I welcome feedback and comments.

All rights reserved @2012, Music Row Tech (MRT). Any reproduction without the author's consent is prohibited.
