Our online security is increasingly at risk. Ben Creet, policy manager at InternetNZ, explains what’s happening and what we can do to protect our security.
Cybersecurity is so hot right now. Here in early 2019 there’s already been a major hacking and theft in the news (police are still investigating). This comes at the end of a turbulent 2018 for cybersecurity. So what happened in 2018, and what can we learn from looking back at a year’s worth of crime and hacking?
I think we learnt three main things (or had three lessons reinforced). One, keeping data safe is hard AND important. Two, tricking us into giving away our passwords works. And third, we need politicians worldwide to better understand and protect encryption or this is all going to get even harder.
1. Keeping data safe is important and hard
The Internet is complex, our organisations are complex, the IT systems we use are complex and unfortunately, complexity is the enemy of information security. Organisations will continue to lose data to either hacks or carelessness. In the first half of 2018 some 4.5 billion sets of credentials and/or personal information were lost by service providers worldwide. Here in New Zealand, there was a 67% increase in unauthorised access to people’s accounts in the last quarter CERTNZ reported on.
Given the complexity, we cannot rely solely on our online providers to keep our personal information safe or our passwords secret. You need to be aware that nothing is 100% when you sign up with them, so think about what else you can do to protect your personal information. We usually think about it as someone sneaking through your backdoor. But sometimes the backdoor is at your friend’s house where you’re stashing your kit – and they just forgot to lock the door (or close a window).
2. Tricking people works and isn’t going away
It’s not just cracking locked doors and coming in through windows you have to worry about, sometimes it’s a (metaphorical) knock on the front door.
Last year, some 53% of the incidents reported to CERTNZ were phishing (when someone tries to trick you into clicking on a link, opening or downloading a malicious file) or credential harvesting attacks (tricking you into entering your username and password into a fake page imitating your bank, webmail or other log-in page). Whether it be the “sextortion” scam which hit New Zealand in July or cyber criminals using your business email to trick employees to carry out fraud, ordinary people get duped every day.
Not only is tricking people like this still working, it’s getting better and more sophisticated. Real talk: so long as you continue to rely on the same one or two passwords you reuse everywhere then it’s probably just a matter of time until you’re tired, distracted or unlucky enough to fall victim to this stuff.
3. Encryption is part of the solution, not the problem
One of the most powerful tools we have for security online is encryption. Encryption lets us keep sensitive information private, it gives us confidence that only authorised people can access and change certain information and more. If you want to know more about encryption, you can read about it here.
Why understanding a little about encryption matters is because 2018 saw an increase in governments around the world worrying about encryption. In particular they are worried about secure communication tools like WhatsApp and Signal being used by organised criminal groups, including terrorists. Governments from the UK, USA, Australia, Canada and New Zealand (the Five Eyes) agreed to a series of principles for considering encryption policy.
These principles led to the Australian government ramming through the Telecommunications (Access and Assistance) Bill, which forces businesses to break encryption for law enforcement purposes. To catch terrorist, a lot of people will think this is okay. But, as with so many things, there is a catch or two.
Like a chain, every time a link is broken, the whole chain weakens. Every time encryption is broken, it allows people to have a peak in. You may not care so much about your WhatsApp messages or where you ate brunch last week, but you’ll likely care a lot about your bank details or your health records. Effectively, the Australian bill may unintentionally break the encryption that allows the Internet work. So that chain on your backdoor becomes easier for anyone to break.
The Australian Telecommunications (Access and Assistance) Bill is a symptom of a wider move from many government’s to try and exercise control through the Internet. However, the bill lacks an understanding of the wider implications. It’s left some people concerned that Australia may damage phone security across the world.
What can I do?
2019 can be the year we all get our individual and collective cybersecurity in order. Or at least make it a bit better.
Keep your eyes peeled for anti-encryption regulation in New Zealand
All the noises we’ve heard from the New Zealand government is that there are no moves afoot here to follow Australia’s lead. But with a new cybersecurity strategy to be announced in 2019 let’s all keep our eyes peeled for new legislative changes. If we do change the law here, let’s do it after widespread, meaningful, evidence-based discussion with our government, technologists, businesses and civil society. Not just rammed through law with a handwave and muttering of “national security requirements”.
Be sensible with your passwords (one size does not fit all)
You can’t really operate online without accounts, usernames and passwords. To make data breaches not matter, you need to use strong, unique passwords. Don’t reuse your password with your bank, or Facebook, or TVNZ on Demand, or Netflix and so on. Yes, you’ll end up with a LOT of passwords to remember. So, don’t remember them. Use a password manager like 1Password or LastPass or go old school and write them down making sure you keep them in a safe place.
I’ve used both password managers (don’t @ me with your reckons on others) and they’re good and help whittle down the passwords you have to hold in your head. The trick here is to just download a password manager and sign up with it, then slowly build up the passwords you save into it over a month. Think of it like couch to 5k, but for your passwords (hat tip/credit to @Sereeena for that analogy).
Start using two-factor
Level up your account security with two-factor authentication. Relying on your username (who you are) and your password (something you know) isn’t good enough anymore. We need to be using two-factor to make it harder for someone to impersonate you. Using Authy or Google Authenticator should be the goal, or if an account is really important and holds lots of important things (like your nudes, money or intellectual property) then using a security key like a Yubikey is the best bet.
Two-factor is what will save you when (not if) you have that small lapse in attention, judgement or wisdom and accidentally fall for a phishing attempt.
Demand two-factor from NZ organisations.
But it isn’t just on us as individuals and customers to use two-factor. We also need to bully and pester New Zealand organisations to implement good two-factor authentication. The only major org in New Zealand that I can think of that does two-factor well is Xero (which you should turn on if you use it).
No bank in New Zealand lets customers use modern two-factor options. Your Kiwisaver provider probably doesn’t. Nor does IRD or any other significant organisation. We need better support for two-factor and password managers and we need to demand them from the businesses who support us.
This content was created in paid partnership with InternetNZ. Learn more about our partnerships here.
The Bulletin is The Spinoff’s acclaimed daily digest of New Zealand’s most important stories, delivered directly to your inbox each morning.