Tuesday, February 26, 2019

What a morning at the BMV teaches about cybersecurity


I spent way too much of my Saturday morning at the local Bureau of Motor Vehicles (aka the Walmart of government agencies). "Why," you ask? Because my plates were on the verge of expiring, and I had forgotten to take advantage of the much preferable online registration process.

So there I found myself at 10 a.m. Saturday morning, waiting in line. To be fair, it was the "express" line, designated for license renewals only. My experience, however, was less than express, thanks to the patron two spots ahead of me in line.

When it was her turn at the desk, she was asked to present information that was stored in some account on her phone (insurance info, I'm guessing). She proceeded to take out her phone, only to realize that she did not remember the password to access the necessary account. What followed was an exercise in futility, as she further removed an inch-thick flipbook of post-it notes, each containing a login and password to a different account. I watched her rifle through the stack until she located the correct one. 10 minutes of my life that I will never regain, with my frustration mirrored on the faces of everyone else in line.

Motherboard recently released its 3rd annual Guide to Not Getting Hacked. It is a treasure-trove of digital safety information for anyone who spends any time online (which is pretty much everyone).

One of its top cybersecurity tips is to maintain proper password security. I covered this topic in detail two years ago, in Make Password Security a Priority for Your Employees in 2017. The information is as true in 2019 (and almost certainly 2020, and 2021…) as it was in 2017. Require complex passwords that mix different types of characters. Prohibit the most common passwords and their obvious variants (like "Pa$Sw0rD"). Mandate that any default passwords that come with devices be changed immediately. Set a schedule (e.g., annually, or even more frequently) on which employees must change their password (although Motherboard's Guide does not find this overly effective, as research shows that most people "use weak, near identical passwords when forced to switch often").
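The policy rules above (character-class complexity, a blocklist of common passwords that also catches "leetspeak" variants such as "Pa$Sw0rD", and a check for unchanged vendor defaults) can be enforced at account-creation time. The checker below is an added example written for this post, not code from Motherboard's Guide; the blocklist, the default-password table and the 12-character minimum are constructed values chosen for illustration.

```python
import re

# Constructed blocklist of common passwords. A real deployment would load a large
# breach-derived list; matching is done on the lowercased and de-leeted form.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Constructed (hypothetical) vendor default credentials keyed by device type.
DEFAULT_PASSWORDS = {"router": "admin", "camera": "12345", "nas": "password"}

# Common character substitutions people use to dodge naive blocklists.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})

CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def normalize(password: str) -> str:
    """Lowercase and undo leet substitutions so 'Pa$Sw0rD' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, device_type: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if sum(bool(re.search(c, password)) for c in CHARACTER_CLASSES) < 3:
        problems.append("fewer than three character classes")
    # Check both the raw lowercase form and the de-leeted form against the blocklist.
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("variant of a common password")
    if device_type and password == DEFAULT_PASSWORDS.get(device_type):
        problems.append("unchanged vendor default for " + device_type)
    return problems


if __name__ == "__main__":
    for candidate, dev in [("Pa$Sw0rD", ""), ("admin", "router"), ("Tr0ub4dor&3-Correct", "")]:
        print(candidate, "->", check_password(candidate, dev) or "OK")
```

Note that "Pa$Sw0rD" satisfies all four character classes, so a complexity-only policy would accept it; it is the normalisation step that rejects it.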

Four password-related issues warrant some additional discussion.

First, DO NOT reuse the same passwords across multiple accounts.

Why? Because if one account is hacked, you've exposed every other account for which you've used the same password. An attacker replaying stolen username/password pairs against other sites to find the ones where they still work is known as a "credential stuffing attack."

Indeed, last week Intuit disclosed that its TurboTax product had suffered just such an attack. The criminal accessed TurboTax user accounts by taking usernames and passwords it had stolen "from a non-Intuit source" to attempt TurboTax logins. For those with which it was successful (i.e., the TurboTax user used the same login and password info from the other, hacked site), the criminal was able to obtain information contained in a prior year's tax return or the current tax return in progress, including names, Social Security numbers, address(es), birthdates, driver's license numbers, financial data such as salaries and deductions, and information belonging to other individuals included in the victim's tax return.
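From the defender's side, a credential stuffing run has a recognisable shape in authentication logs: one source address tries many distinct usernames, most of them fail, and the few that succeed are the customers who reused a password leaked elsewhere. The detector below is an added example written for this post, not Intuit's or TurboTax's code; the log format and the sample lines are constructed, and the thresholds (five distinct users, 60% failure rate) are assumed starting points to tune for a real service.

```python
import re
from collections import defaultdict

# Constructed log format: timestamp, source address, username, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a normal user, a stuffing run from 203.0.113.7 that hits
# one reused credential (carol), and a single-account brute force from 192.0.2.33.
SAMPLE_LOG = """\
2019-02-20T10:00:01Z src=198.51.100.10 user=alice result=OK
2019-02-20T10:00:05Z src=198.51.100.10 user=alice result=OK
2019-02-20T10:01:00Z src=203.0.113.7 user=alice result=FAIL
2019-02-20T10:01:01Z src=203.0.113.7 user=bob result=FAIL
2019-02-20T10:01:02Z src=203.0.113.7 user=carol result=OK
2019-02-20T10:01:03Z src=203.0.113.7 user=dave result=FAIL
2019-02-20T10:01:04Z src=203.0.113.7 user=erin result=FAIL
2019-02-20T10:01:05Z src=203.0.113.7 user=frank result=FAIL
2019-02-20T10:02:00Z src=192.0.2.33 user=bob result=FAIL
2019-02-20T10:02:01Z src=192.0.2.33 user=bob result=FAIL
2019-02-20T10:02:02Z src=192.0.2.33 user=bob result=FAIL
2019-02-20T10:02:03Z src=192.0.2.33 user=bob result=OK
"""


def parse(lines: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_by_source(lines: str) -> dict:
    """Per source address: distinct usernames, attempt and failure counts, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "successes": []})
    for ev in parse(lines):
        s = stats[ev["src"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(ev["user"])
    return stats


def detect_credential_stuffing(lines: str, min_users: int = 5,
                               min_fail_ratio: float = 0.6) -> dict:
    """Return {source: sorted accounts that logged in successfully} for sources whose
    pattern (many distinct usernames, mostly failing) matches credential stuffing.
    The listed accounts are the ones whose reused password worked and need a reset."""
    alerts = {}
    for src, s in summarize_by_source(lines).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            alerts[src] = sorted(set(s["successes"]))
    return alerts


if __name__ == "__main__":
    for src, victims in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"stuffing from {src}; force password reset for: {victims}")
```

The brute-force source (one username, repeated attempts) is deliberately not flagged by this rule; it is a different pattern that a separate per-account lockout or rate limit handles.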

Do you want to know if one or more of your online accounts has been compromised? I recommend typing your email into the search bar at Have I Been Pwned. The results should be eye-opening.
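Besides the email search, Have I Been Pwned also publishes a Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>`) that lets a site or a password manager check whether a password has appeared in a breach without ever sending the password itself: the client sends only the first five characters of the password's SHA-1 hash and compares the returned suffixes locally. The code below is an added example for this post, not HIBP's own client code; it runs offline against a constructed stand-in for the API response (the counts and the other suffixes in it are invented), and the optional `live_fetch` shows how the real endpoint would be called.

```python
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix sent to the
    API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the range response for prefix 5BAA6 (SHA-1 of "password"
# starts 5BAA6). The line format matches the real API ("<suffix>:<count>"), but the
# counts and the two other suffixes are invented for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "0123456789ABCDEF0123456789ABCDEF012:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
             "FEDCBA9876543210FEDCBA9876543210FED:1\n",
}


def offline_fetch(prefix: str) -> str:
    """Offline fetcher used in this example; returns the constructed response or ''."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range API (not exercised offline)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=offline_fetch) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found).
    Only the hash prefix leaves the machine; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

To use it against the live service, call `pwned_count(pw, fetch=live_fetch)`; the privacy property is the same either way, since the server only ever learns the 5-character prefix, which is shared by hundreds of unrelated passwords.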

So, if you are not going to reuse the same password across multiple accounts, how will you generate and remember different and complex passwords for your hundreds of online accounts?

The answer to this question brings us to point number two. Use a password manager.

A password manager is an online service that stores all of your passwords (encrypted on their end) for you. All you need to do to unlock the password for any given account is to recall the lone master password you have chosen for your password manager of choice. Passwords are then synced across all devices from which one logs in to the password manager.

The top competitors (LastPass, 1Password, and Dashlane) all offer the same basic service. Compare and contrast pricing, and what each offers, and pick one. The money you spend on an annual subscription pales in comparison to what you will spend undoing the damage caused by an account compromised by a weak password.

The question I am most often asked about password managers? "Aren't you relying on their security, and if they are hacked aren't all of your passwords at risk?" Technically yes, but LastPass (my password manager of choice) has been hacked twice without the exposure of even a single user password. Why? Because all of its stored data is highly encrypted. Thus, hacked data is useless. If you are comparing the security of reusing passwords, or using different passwords but storing them in a notebook or sticky-note flipbook (like my BMV line-mate), versus a password manager, the security choice is glaringly clear.

Third, check your URLs, and only enter account information on sites that use HTTPS web encryption.

HTTPS provides an encrypted online session between you and whichever site you are visiting. With a non-HTTPS site, everything you send via that site is visible to anyone on the same network. Even safer, use a Virtual Private Network (VPN) to create an encrypted channel between your computer and the VPN provider's server, so that the local network sees nothing but VPN traffic.

Finally, use two-factor authentication for any account that offers it.

Two-factor authentication (or 2FA) requires a user to input a unique code sent to a device of choice (usually by text message) any time one logs in to an account from a new device. 2FA is not foolproof. For example, it does not take much skill for even a low-level cybercriminal to steal a phone number and intercept the text message-based security codes. More elaborately, criminals can use social engineering to impersonate the account holder and trick a customer service representative at a mobile carrier into sending a new SIM card to the attacker, thus diverting all 2FA text messages to the criminal's mobile device. Thus, while one should not rely on 2FA as the only method to secure one's account (see above), its added layer of security certainly can't hurt.
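The SIM-swap weakness described above is specific to codes delivered by text message. Authenticator apps avoid it by computing the code on the device from a shared secret and the current time (the TOTP scheme of RFC 6238, built on HOTP from RFC 4226), so there is no message for a stolen phone number to receive. The implementation below is an added example written for this post, not code from any authenticator vendor; it uses the published RFC 6238 test key, and the replay check (`last_used`) is an assumption about how a careful verifier should behave rather than something the post describes.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# A real enrolment generates a random secret per user and shows it as a QR code.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Accept the code for the current step and `window` steps either side (clock drift).
    Returns the matched counter so the caller can store it, and refuses any counter at or
    below `last_used`, which blocks replay of a code the user (or an eavesdropper) already
    submitted. Returns None on failure."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter > last_used and hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_KEY, now))
    print("RFC 6238 vector T=59 (8 digits):", totp(RFC_KEY, 59, digits=8))
```

Because the verifier accepts a code only once per counter value, an intercepted code is worthless the moment the legitimate user has logged in with it; with SMS delivery the interception itself is the problem, and no server-side logic fixes that.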

No one is immune from being hacked. However, taking a few simple (albeit mildly inconvenient) steps to secure your passwords and accounts will go a long way toward mitigating this very serious and costly risk.

* Photo by Paulius Dragunas on Unsplash
** Photo by Fabio Lanari [CC BY-SA 4.0], via Wikimedia Commons