Every now and then, news of cybersecurity breaches is published on TechCity and other major tech platforms. The increasing popularity of cybercrime has created a major challenge for tech communities, not just globally but also locally. While the targets vary, a common thread has been observed, one that could explain why individuals are often targeted across platforms – reusing passwords.
Speaking to TechCity last week in Lagos, Nigeria, the Chief Security Officer (CSO) of Facebook, Alex Stamos, noted that the practice of reusing passwords poses the biggest threat to internet users across the world.
“The biggest security risk to individuals is the reuse of passwords, if we look at the statistics of the people who have actually been harmed online. Even when you look at the advanced attacks that get a lot of thought in the security industry, these usually start with phishing or reused passwords,” he said.
According to him, most people use the same passwords everywhere – for various email addresses, social media accounts and on several other platforms.
“When someone uses the same password on multiple sites, that means that when a website gets broken into, the other passwords to their digital identity can also get stolen,” he said.
What can be done?
Identifying the problem isn’t the same as solving it – especially when it comes to empowering people without much tech expertise to be security-conscious. This is understandably why Stamos said the current focus in the cybersecurity space is on giving people options to keep their security and passwords safe.
“We have this thing called login approvals which is a feature that double checks when you log in to make sure that it is you by having you enter a code along with your password; this is an example of what the security industry needs to be doing overall to build really easy authentication solutions for individuals that keep them secure and discourage them from reusing passwords across the entire web,” he said.
He encouraged individuals to ensure that they use all the security features provided to them.
“All the major tech companies provide second factor authentication and methods to see how your information is being used. It’s also a good idea to use devices that are less liable to malware, such as mobile phones and tablets,” he said.
He added that corporations need to take responsibility for keeping their users safe.
Cybersecurity is critical to internet’s continual success
Be it Google, Facebook, Twitter, Uber or any other major tech company, Stamos said he strongly believes that the internet's continued success depends largely on the ability of all players to ensure that it remains secure. He said Facebook is striving towards this through various initiatives that actively bring other players on board, geared towards enhancing and extending safety across the board.
He said: “At Facebook, a couple of ways we are supporting the industry is we release a lot of software publicly that we have built to secure our systems and a good example of that is a tool called osquery which we use in our production and most of our corporate systems to monitor them for attack. It is now an open source product and hundreds of developers have contributed code back in. It is really something that does not belong to Facebook anymore, it now belongs to the entire community.”
He also spoke about the Facebook-pioneered ThreatExchange, a platform that has over 450 companies involved, both big and small, from around the world.
“It is a free platform where participating companies can share real-time data about the attacks they are seeing. Those attacks range from spamming and common malware at the low end to the most advanced attacks online,” he said.
National security versus data privacy dilemma
Data privacy has become a very popular and controversial subject, especially in the online landscape and particularly in the social media ecosystem. Security operatives globally are increasingly requesting specific information from the tech companies on particular users, even as the tech companies roll out new initiatives to convince their users of privacy – one of which is end-to-end encryption.
Although Facebook continues to be at the center of several privacy controversies – the latest being its attempt to share certain data from WhatsApp with Facebook – Stamos was affirmative on the subject of data privacy at Facebook.
“It is really important for people to understand that Facebook does not give unrestricted access to any government, Facebook does not build any backdoor to any government including the US government. All government requests around the world are reflected in our Government Requests Report, and the guidelines we give to law enforcement agencies are also publicly available online. All requests that come in need to be backed up by legal means – frequently through a warrant signed by a judge – and those numbers you can see publicly are accurate, and they represent a tiny fraction of the over one billion accounts on Facebook,” he said.
Ensuring user safety online
For individuals who are not tech savvy but still want to be safe online, Stamos said they need to look for some essential features on any platform they use or website they visit.
“I’ll look at whether they have a way I can recover my account in a secure fashion – the standard way to do account recovery is to get a link into your email – that’s if your email has not been taken over. If it has, then your entire online identity can be taken over by fraudsters. It is very difficult for an individual to judge the security of complex software on the other side of the internet, so what they can do is to look for the features and whether or not that company has built features that specifically address the kinds of problems people often see when they use passwords. The main things I’m looking for are: are they honest about security, do they have a security page that gives tips to people and is their security documentation just an advertisement or is it actually an accurate explanation of risks to individuals with tips on how they can address them.”