
AIBU?


To think we should stop pretending that Internet Security is a thing?

35 replies

HelenHen · 05/06/2024 10:16

Looking at all the hacks on major companies, banks and government departments recently, e.g. Santander, Ticketmaster, local councils. At what point do we just accept that the system is broken?

I don't understand why schools and GPs are so insistent on going down the online route, when all this super sensitive information will just inevitably be hacked?

My child's online school information is all contained in one place. This includes his DOB, health history, exam results, allergies, parental consents, emergency contacts, behaviour points and detention information, whether his homework was submitted on time, a photo of him, school trip information, etc. What are they thinking?

They are also expected to provide fingerprints to access their canteen account, which is of course held online. I queried this and was told 'oh he can just give a pin instead', which he is doing, and it works for him. So why ask for fingerprints if a pin is fine?

AIBU to expect more security for sensitive information?

BingoMarieHeeler · 05/06/2024 10:20

When you have to type in your email address to verify your banking for example, that is behavioural biometrics. To be secure systems need 3 factors - something you have (eg phone), something you know (password or pin) and something you are (eg Touch ID, retina, fingerprint). So yeah to be secure you need all that shit. Multi factor authentication. But internet security is certainly indeed a thing and very possible.

JacquesHarlow · 05/06/2024 10:23

This is going to be a tired set of arguments on here, because most replies will fail to acknowledge the one thing which drives all this behaviour -

Convenience.

If people refused to use these tools or adopt them because of the inherent risk that every so often, a server or a system will be hacked, then we would be happily in the 90s again.

However most people are willing to enjoy the convenience of online tools, and so happily concede their personal data and all the aggregated information in one place, on the basis of convenience.

Comtesse · 05/06/2024 10:23

You are dead wrong, of course security is possible on the internet. It’s not easy and there are always some risks. But sloppy practice by many organisations doesn’t mean it’s not possible to manage security.

HelenHen · 05/06/2024 10:25

JacquesHarlow · 05/06/2024 10:23

This is going to be a tired set of arguments on here, because most replies will fail to acknowledge the one thing which drives all this behaviour -

Convenience.

If people refused to use these tools or adopt them because of the inherent risk that every so often, a server or a system will be hacked, then we would be happily in the 90s again.

However most people are willing to enjoy the convenience of online tools, and so happily concede their personal data and all the aggregated information in one place, on the basis of convenience.

I don't find online tools at all convenient though, and would happily go back to speaking to actual human beings who can help and understand my query.

SummerFeverVenice · 05/06/2024 10:25

The internet isn’t broken.
Hacks are widely publicised because companies are required to notify everyone whose data may be compromised.
In any one day, hundreds of millions of systems are not hacked.
Tens of millions will successfully foil a hack.

HelenHen · 05/06/2024 10:26

SummerFeverVenice · 05/06/2024 10:25

The internet isn’t broken.
Hacks are widely publicised because companies are required to notify everyone whose data may be compromised.
In any one day, hundreds of millions of systems are not hacked.
Tens of millions will successfully foil a hack.

Yet up to 550 MILLION Ticketmaster accounts were hacked.

SerendipityJane · 05/06/2024 10:27

Just don't do it on the cheap. It's very simple.

Almost all public companies view IT security as a nuisance and cost. Something to be bought down to £0 wherever possible.

CasperGutman · 05/06/2024 10:28

I'd hate to have to go back to travelling into town to pay in a cheque, or taking insecure cash out of the bank to carry around with me risking losing it or having it stolen. I love that I can order things on my phone and have them arrive tomorrow, instead of writing them down on a list and having to travel somewhere when I get the opportunity, which probably won't be before the weekend at best.

SummerFeverVenice · 05/06/2024 10:30

HelenHen · 05/06/2024 10:26

Yet up to 550 MILLION Ticketmaster accounts were hacked.

No, Ticketmaster’s system was hacked, that is ONE hack.

As a result of the ONE hack on ONE system, the account info of up to 550 million users was leaked.

They didn’t “hack” each account.

SerendipityJane · 05/06/2024 10:40

Once any information has left your possession, then it's best to consider it compromised and act accordingly. So don't reuse passwords, and make passwords as random as possible (see image).

Set up 2FA everywhere you possibly can. Ideally with an authenticator app.

Never divulge any details to anyone who calls you.

Trust your browser's little padlock for secure connections.

Don't use public WiFi without a VPN.

That should put you into the top 20% of difficult to hack users. Unless you are phenomenally wealthy and worthy of a targeted attack. (And if you are then why aren't you paying for proper security you tightwad?)

Caffeineneedednow · 05/06/2024 10:56

I work in higher education and earlier this year we (the lecturers, so not IT) are fairly sure there was a targeted attack. Over the course of 2 weeks the servers across 4 campuses all intermittently went offline then came online over and over again. IT told us it was a system fault but the couple of people I know outside the uni that work in IT said the only reason the servers were acting like that was because they were trying to block a hack.

We didn't get hacked and no info was leaked, and if a Russell Group uni did get hacked it would absolutely have made the papers, so fairly sure it didn't happen.

Internet security is definitely needed and not what I think you're referring to. You are referring to storage of data.
So what's the alternative? Paper files? Surely if a thief wanted that information they could break into a room and get it. Also all my vaccination records were destroyed in a fire in the building where they were held, so I have no idea what childhood vaccines I had as my mum can't remember (I was born in the 80s). This is a problem with the old school approach.

Foxblue · 05/06/2024 11:26

So here's the problem with security:

It's a constant battle between what is secure and what human beings will actually do.
And what is 'safest' is also always changing, in response to attacks like this and general development/upgrading of security in systems, which also makes it hard to handle the human side, as they then need to learn something new. And people complain and dig their heels in, they want to use services AND have them never go down or be vulnerable to attack AND cheap and easy to use.

We are also still in a 'transition' phase in technology - making stuff actually secure as standard still isn't in every single organisation, and there's a lot of legacy systems knocking around that there isn't the right alternative for yet, or would be very expensive to replace. Councils are a great example of this - they will quite often be on legacy systems, run largely by people who know how to use the system but aren't IT experts, and they might not actually have a dedicated 'security' person or team. 'Security' and 'IT' intersect but aren't exactly the same, and quite often 'IT' are seen as 'can fix everything and know everything' when that's just not the case. It's an industry where things are constantly changing and you are constantly having to learn, and often organisations don't understand that. IT and Security aren't departments that 'make' money, they only save you hypothetical money (or not hypothetical as we are coming to learn) and people are loath to spend the money they need to on it.

mindutopia · 05/06/2024 11:55

Thinking back to when I was a child in the 80s/90s, my mum was an accountant. There was no internet back then really, or at least very limited home internet until the mid 90s. She used to literally cart out boxes of client files to her car, drive them home, and then they'd sit around our lounge so she could work on them in the evenings and weekends. That was proper analogue work, nothing was digitised. Now as far as I know, nothing ever went wrong with that system. But if our house had been burgled or the car stolen or she lost a box because she was shifting stuff around to fit the shopping into the boot, that would have been a lot of client data lost to god only knows where.

SerendipityJane · 05/06/2024 12:19

It's a constant battle between what is secure and what human beings will actually do

A really determined attacker will stop at nothing. When car security started being serious, all the criminals did was up their game and take people hostage and force them to hand over the keys at gunpoint. Once you are protecting yourself at that level, then all bets are off.

Generally security is like the campers against a lion paradigm. You don't need to outrun the lion. You only need to outrun your companion.

Goldenbear · 05/06/2024 12:24

SerendipityJane · 05/06/2024 10:27

Just don't do it on the cheap. It's very simple.

Almost all public companies view IT security as a nuisance and cost. Something to be bought down to £0 wherever possible.

This is true and data protection principles are not understood or promoted, again seen as irritating detail.

cheychancer · 05/06/2024 12:28

Just because some people (and companies) are bad at it doesn't mean it's "not a thing".

HowardTJMoon · 05/06/2024 12:28

It's a constant battle between what is secure and what human beings will actually do.

Exactly this. Good security gets in the way. Things that get in the way get complained about. You need a very strong and determined CTO who can nevertheless push through necessary changes to improve security in the face of a board who see it as an annoyance.

It's often only after a company gets hit that they start taking security seriously. But, inevitably, five years down the line people get complacent because, hey, they haven't been hit in years! Why bother?

cheychancer · 05/06/2024 12:28

HelenHen · 05/06/2024 10:25

I don't find online tools at all convenient though, and would happily go back to speaking to actual human beings who can help and understand my query.

Good for you. Not everybody does.

Bringbackthebeaver · 05/06/2024 12:30

What are you talking about - of course internet security is "a thing".

There is just a lack of awareness on how to do it well.

MinervaMcGonagallsCat · 05/06/2024 12:32

JacquesHarlow · 05/06/2024 10:23

This is going to be a tired set of arguments on here, because most replies will fail to acknowledge the one thing which drives all this behaviour -

Convenience.

If people refused to use these tools or adopt them because of the inherent risk that every so often, a server or a system will be hacked, then we would be happily in the 90s again.

However most people are willing to enjoy the convenience of online tools, and so happily concede their personal data and all the aggregated information in one place, on the basis of convenience.

Completely agree and I'm happy to take the risk in return for the fantastic convenience

frankentall · 05/06/2024 12:37

BingoMarieHeeler · 05/06/2024 10:20

When you have to type in your email address to verify your banking for example, that is behavioural biometrics. To be secure systems need 3 factors - something you have (eg phone), something you know (password or pin) and something you are (eg Touch ID, retina, fingerprint). So yeah to be secure you need all that shit. Multi factor authentication. But internet security is certainly indeed a thing and very possible.

No-one in regular commerce is using retina ID as a biometric. You probably mean iris recognition. Retinal scans are quite intrusive and would take much longer.

HowardTJMoon · 05/06/2024 12:38

@Caffeineneedednow I work in university IT. I can think of at least half a dozen reasons off the top of my head why you may have intermittent access to a number of servers over a few weeks. Problems with authentication, time synchronisation, flaky DNS, routing issues, buggy software updates, over-enthusiastic antivirus systems... I've seen all of those cause problems that have taken time to track down and finally fix.

I'm not saying it wasn't an attack - universities are definitely a target - but it's not the kind of response I'd expect. When we had a suspected intrusion we went scorched earth; we shut all access down, rebuilt from known-good backups and required everyone to reset passwords etc.

Howlsatthemuna · 05/06/2024 13:25

I work in cyber security. The system isn’t broken - humans are the biggest factor in security failures.
There’s also a phenomenal lack of understanding across all sectors (including digital services) on what their obligations are, what best practice is, what resources are out there to help them. There are people out there trying to improve awareness and compliance but it’s a long bloody road. It’s also worth noting that government wasn’t prioritising cybersec in any way until about two years ago!

BingoMarieHeeler · 05/06/2024 13:28

frankentall · 05/06/2024 12:37

No-one in regular commerce is using retina ID as a biometric. You probably mean iris recognition. Retinal scans are quite intrusive and would take much longer.

I said what I meant, thanks very much 🙂 (except where I wrote fingerprint and Touch ID - they are essentially one and the same of course, I meant Face ID but was too late to edit). I didn’t say anything about regular commerce. It was one example, iris recognition is obviously another example.

SerendipityJane · 05/06/2024 13:33

BingoMarieHeeler · 05/06/2024 13:28

I said what I meant, thanks very much 🙂 (except where I wrote fingerprint and Touch ID - they are essentially one and the same of course, I meant Face ID but was too late to edit). I didn’t say anything about regular commerce. It was one example, iris recognition is obviously another example.

All of these systems use hashes of the data. You can't recreate a fingerprint or face from what is saved at the other end.

I can't speak for passwords (hence the advice about never repeating them). They may be stored in plaintext form. Amazingly there are no standards for user authentication to websites (hence the baffling different password rules outfits invent).