Hmmm… CHANGE YOUR DAMNED PASSWORDS!
November 18, 2007 by Toby Getsch
Wow. I used all caps in the subject. Why?
From a geek’s perspective, the answer is DUH!
From the regular person’s perspective, maybe the commentary below will convince you. It is from “There is No Free Lunch: Change your password NOW!” by Robert X. Cringely. And here’s the podcast/audio version, for those of you who don’t like to read: Original audio source.
“My mobile phone rang this week as I sat in the car rental bus at Baltimore-Washington International Airport. The Caller ID information read only “202.” I get a lot of calls that say “unknown” or “restricted,” but “202” was a new one for me. Who could it be? Why the Department of Homeland Security, of course, wondering how I seemed to know so much more than they did about the exact number of illegal aliens in the U.S.? Now “Department of Homeland Security” doesn’t have the ring of, say, “FBI,” but it does make one watch one’s words. Surprisingly enough, I was actually able to help the guy.
My position on inquiries of this type, which I actually get a couple times per year, is that I don’t reveal sources unless the sources want to be revealed. In this case I went back to the sources of last week’s column, asked if they would mind speaking with the DHS, and to my surprise they were perfectly happy to do so. Usually I end up saying “no,” but this time was different.
I have written many times about how government is reactive when it comes to technology. We don’t make laws in anticipation of emerging technologies but to cope with problems supposedly raised by technologies that have recently appeared. Government is always behind this curve. On some level I find that reassuring. It tells me that despite the NSA listening in to everything I type or say, they’ll probably misuse it, or lose it, or chalk up my babblings to some other guy named Cringely or Bob. And this view can only be confirmed by my now knowing that the DHS — the folks who are supposed to know all about who is in or out of this country — have less data to work with than does the local credit bureau. The fact that the department has been in existence for six years and didn’t think until now to try this line of research, well that astounds me.
With this fact in mind, then, I’ll take another stab at improving the data security of all Americans. CHANGE YOUR DAMNED PASSWORDS!! Most people don’t do this — ever. They have one or two passwords they use for everything, often associated with one or two user names. If a system forces a password change they’ll move to password B in hopes that when the next move is forced they can move back to password A. If you have an eight-character password that mixes numbers, letters, and non-alphanumeric characters in various combinations of upper and lower case — in other words a REALLY GOOD password — I can pretty much guarantee you’ve been using that exact same password since 1998. People are lazy. People don’t want to learn arcane eight-character passwords on a regular basis.
But identity thieves aren’t so lazy, especially when they have technology to help them. They can start a sweepstakes website that requires only free registration to win that cruise of a lifetime to Bora Bora. And in doing so the thieves can know that a majority of registrants will use a username and password combination that they also use at a lot of other sites, like bank and brokerage accounts. Not only don’t they need to actually award the cruise, they don’t even have to break into your bank account in order to benefit from the username/password combo. They just sell that information to another crook.
That crook knows your name, address, and likely username and password. Forty percent of the people in your town use the same bank. Fifty percent of his stolen usernames and passwords are valid. Forty percent of bank customers use online banking. Add this all together and that crook has more than enough information to raid the bank accounts of enough folks to make his day and ruin theirs.
It doesn’t take just a fake website to accomplish this kind of phishing expedition. There are thousands — probably tens of thousands — of web operations that require user sign-ons but don’t do anything to protect the user database from being stolen by employees. “We’re not selling anything,” they tell themselves, “so it doesn’t matter.”
It matters.
Half my credit card accounts now require me to go through an elaborate e-mail validation scheme if I try logging in from a new IP address or from a computer lacking the proper cookie. Half don’t require this. The half that do were probably the targets of some huge and successful crime spree — a spree we never heard of because it was never made public. Billions of dollars are ripped off this way each year from banks and other financial institutions but we never hear about it because that might encourage more crime.
So CHANGE YOUR DAMNED PASSWORDS and put an end to this kind of scam. Perhaps remembering new character strings will help to stave off Alzheimer’s.”
[...]
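Two defenses the quoted column touches on, shown as an added Python example (this is not code from the post or from Cringely): a password-history check that rejects the “move to password B, then back to password A” habit, and a login check that demands e-mail verification when the request comes from a new IP address or a computer without a recognised device cookie. The Account class, the set_password, login_decision and register_device functions, the PBKDF2 work factor and the history depth of five are all this example's own assumptions, and the stores are in-memory stand-ins for a real user database.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Set, Tuple

# Assumed parameters for this example (not from the original post).
PBKDF2_ITERATIONS = 100_000   # work factor for stored password hashes
HISTORY_DEPTH = 5             # number of previous passwords a new one may not repeat


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history keeps hashes, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _hash_token(token: str) -> str:
    """Device cookies are random high-entropy tokens, so a plain SHA-256 is
    enough to avoid keeping the usable token itself on the server."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class Account:
    """Hypothetical in-memory account record standing in for a user database row."""

    def __init__(self, username: str) -> None:
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash), most recent last
        self.known_ips: Set[str] = set()
        self.device_cookie_hashes: Set[str] = set()


def set_password(account: Account, new_password: str) -> bool:
    """Accept a new password unless it repeats one of the last HISTORY_DEPTH.

    The candidate is re-hashed under each stored salt and compared in
    constant time, so flipping back to an earlier password is refused.
    """
    for salt, old_hash in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash_password(new_password, salt), old_hash):
            return False
    salt = secrets.token_bytes(16)
    account.history.append((salt, _hash_password(new_password, salt)))
    return True


def login_decision(account: Account, ip: str, device_cookie: Optional[str]) -> str:
    """Return 'allow' for a known IP and a recognised device cookie, else 'verify_email'.

    Either a new IP address or a missing/unknown cookie is enough to require
    the extra e-mail verification step.
    """
    cookie_ok = (
        device_cookie is not None
        and _hash_token(device_cookie) in account.device_cookie_hashes
    )
    if ip in account.known_ips and cookie_ok:
        return "allow"
    return "verify_email"


def register_device(account: Account, ip: str) -> str:
    """Call once e-mail verification has succeeded: remember the IP and issue a
    fresh device cookie. The server stores only the cookie's hash."""
    token = secrets.token_urlsafe(32)
    account.known_ips.add(ip)
    account.device_cookie_hashes.add(_hash_token(token))
    return token


if __name__ == "__main__":
    # Constructed walk-through with documentation-range IP addresses.
    acct = Account("alice")
    print(set_password(acct, "A-strong-pw-1998!"))                 # True
    print(set_password(acct, "B-other-pw!"))                       # True
    print(set_password(acct, "A-strong-pw-1998!"))                 # False: flip back refused
    print(login_decision(acct, "203.0.113.5", None))               # verify_email
    cookie = register_device(acct, "203.0.113.5")
    print(login_decision(acct, "203.0.113.5", cookie))             # allow
    print(login_decision(acct, "198.51.100.7", cookie))            # verify_email: new IP
```

The history check re-hashes the candidate under every stored salt, so its cost grows with HISTORY_DEPTH; that is the usual trade-off for not storing old passwords in a form that could be compared directly. The login check deliberately treats an unknown cookie the same as no cookie, since a cookie copied from a stolen user database would not match the per-device hash either.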