Source: xkcd.com

Just a few of the issues include uncontrolled access to personal information, reactivation of a prosecuted group of hackers, their relative ease of gaining access to the information, the probability that members whose credentials were stolen probably use identical credentials for other online accounts, and pure creepiness factor that there are people who sit around and hack other peoples’ identity authentication credentials “for the fun of it.”

Alphanumeric passwords are frighteningly vulnerable to identity theft – in the online environment, at ATMs, POS systems, building security, and virtually everywhere they’re used. The fact is, it isn’t hard for someone with less than honorable intentions to steal valuable identity authentication and misuse it. Picture passwords, like those used in Tricerion’s patented system, go far beyond both the security and memorability (thus, usability) of alphanumerics. Add to that our data triangulation that segregates data transmissions, and suddenly our system runs circles around alphanumeric passwords.

The problem isn’t just that hackers were able to get the information – it’s that there are people who do this for entertainment, and for much more malicious purposes. As long as there are people and groups out there who make it their goal to outsmart the systems in place, our systems must continue to evolve ahead of the hackers. What once kept us safe online now seems like a dinosaur that hasn’t realized the ice age has already begun.

A data viz tool is available for download as a Firefox add-on that seeks out passwords stored in your cookies and maps them based on how many sites they’re connected to. In the image below the green dots represent passwords, and the blue dots are the sites those passwords are used for. In a perfect world each blue dot would have its very own green dot partner, looking like a bunch of little barbells. But as you can see, the dandelion effect shows just how predictable we tend to be.

Paul Sawaya, the developer we can thank for this tool, also has a password age visualizer and color-coded “hash” to help you type your password correctly. Until more companies make the transition to picture passwords, tools like this will be a great help to consumers looking for ways to protect their identity online.

Part of the problem is that every account requires passwords, and each system has different requirements. Let’s look at a few common consumer and business guidelines for passwords:
1. Must be at least 6 (or 8, or more) characters
2. Must contain at least one number and/or one special symbol
3. Must not contain your username, sometimes, may not contain more than 3 consecutive characters from your username
4. Must contain at least one capital letter
5. Should not contain your birthdate, pet’s name, or any similar distinguishing factors
6. Should be changed regularly
7. Must not be a word found in the dictionary
8. Must not contain your name
9. Must be fewer than 12 characters
10. Must be memorable without being written down
11. Should not be identical to passwords kept for other accounts

Ouch! It would be hard to come up with 2-3 passwords that fit the bill, much less dozens (for the dozens of accounts we each have), with the ability to change it regularly. And unfortunately, as the technology landscape continues to evolve and adapt to the needs and whims of culture, passwords need to be equally easy to enter on a mobile device with its tiny screen and truncated keyboard. Hm. Now that adds to the problem. Password1 doesn’t seem like such a bad idea, from a usability standpoint. And let’s face it. For the consumer, and even for the business user, convenience often trumps security.

Enter picture passwords. Perfect for touch screens. Easier to remember than alphanumeric text. More convenient to tap on a few pictures than enter a 6-12 character gobbledegook. Now, randomly arrange a set of pictures on the screen and our simple picture password becomes even more secure, without interfering with usability or convenience. Password problem solved.

From @jjmartucci: I bet 99% of the stolen Zappos passwords were “shoes”. // Fact: most passwords are frighteningly easy to guess. We bet that those passwords aren’t “shoes” at all, but rather “password”, “abc123″ and others from the list of too-often-used passwords. Alphanumeric passwords just aren’t as safe as we think they are.

From @dombenoit: receive @zappos email asking to change password after hack, can’t change password because i’m outside the US… good thinking guys.// Fact: American may be in the center of some poorly conceived maps, but it is not the center of the universe. Corporations, don’t forget that the majority of the world lives outside of the US, and they need customer service too.

From @kimfouroffive: In order to change my Zappos password I would have to remember my Zappos password and that’s not going to happen. // Fact: Tons of consumers rely on the “cookies” on their computer to remember their passwords. There’s no need to delve into all the reasons that’s poor practice. But let’s face it – many users either don’t remember their passwords, or they have them written on a post-it in their desk.

From @Kevbo1111: Wait, you’re telling me a company whose office looks like this, has lax security? #Zappos http://pic.twitter.com/pr9SrfCF // Fact: If we could see inside the workings of all the places that hold our ‘secure data’ we wouldn’t feel so secure.

From @Tuna999: Im confused, is that zappos security email real? // Fact: This is actually a very smart question, that many wouldn’t think to ask (or research before clicking through). A phishing attempt can look much the same, and confuse consumers into handing over their credentials to fraudulent sites.

From @justAK: Had someone try to acces my bank info a few times. Could this be cause of the #zappos #hacking ? I hope not. #worried // Fact: Too many users have the same password for all online accounts. It’s not hard to believe that hackers would use information from one site to try to access others.

From @andishehnouraee: Zappos hacked, “sensitive” customer info stolen. Before I’m outed, I’ll confess here: I’m a size 12. // Fact: sensitive information is a lot more sensitive than shoe size. That said, great sense of humor!

From @Tontiella: Zappos why are your accounts being hacked into?? Who is not doing their job to prevent this?  // Fact: Strong security measures are fabled to be more expensive than responding to data breaches. Time will tell how this affects Zappos in the long term, but let’s just say that resetting passwords doesn’t instill a sense of trust. (And, for the record, strong mutual authentication is well worth the investment)

Some facts that the typical ecommerce consumer should be aware of:

1. Too many users have a single set of login credentials (username and password) for all their online accounts. That means, when someone gets their info from Zappos, they can use it to access Facebook, Amazon, online magazine subscriptions, PayPal, email, gaming sites, online banking, and more.
2. “Fixing” an alphanumeric password breach with new alphanumeric passwords doesn’t actually “fix” anything. If I know the guy trying to break into my house is a locksmith, I don’t just cut a new key – I install security measures that a locksmith isn’t an expert in.
3. Zappos has chosen the path of least resistance – deploying consumers themselves to fix the breach. Zappos users have to follow instructions given in an email (which may have gone into spam folders), change their passwords, and email Zappos with any questions or concerns. Anyone with an email address they don’t regularly check, an overactive spam filter, or the ‘grandma’ syndrome (not computer savvy, and likely suspicious of ‘official’ email communication) may fall through the cracks.
4. Changing the Zappos password doesn’t change all the other similar or identical passwords the consumer uses on other accounts, leaving their customer base open to further attack elsewhere.

One of the key takeaways from this is that ecommerce systems should not be based on ‘security’ systems that rely on users’ unreliable alertness. Users expect the systems that hold their sensitive information to bear the burden of iron-clad security for their data. Strong, two-factor authentication systems aren’t just an option in today’s online environment – they are where the market is heading by default and by necessity. Zappos has shown us exactly how not to handle a data breach. Of course, if more systems used strong mutual authentication, we’d see decidedly fewer breaches like the one this weekend.

The new image- and gesture-based sign-on system to be incorporated into Windows 8 is nifty at best, but leaves much to be desired. The sensitivity of touch screens may prove too sensitive for users’ taste. Being off by a few pixels, or hesitating in the wrong place could end up in a failed authentication. To compensate for this type of confusion, there’s a traditional password system in place as a backup.

But what happens when we relegate an alphanumeric password to ‘backup’ status? It becomes superfluous in our minds – not worth the brain cells to remember. And easily forgotten passwords worse than no passwords. Next, allowing users who can’t authenticate with the image-gesture system to bypass the system with an alphanumeric password nullifies the actual security of the system against keyloggers and other malware sources.

Nifty? Yes. Secure? Unfortunately not. While we’d all like to live in a world where security concerns are secondary to user experience, as my grandpa used to say, that’s just not in the cards.  Need we mention that Tricerion’s strong mutual authentication system could run circles around Windows’ new “nifty” toy? Check it out for yourself, and you’ll see why.

Those in the business know that December is a notoriously risk-ridden time for identity theft, as hackers take advantage of escalating ecommerce around the holidays. How are merchants and business owners to safeguard identity when customers like Joe Consumer make identity theft child’s play? One of the keys in identity protection is anticipating the evolution of technology. Responding reactively to current and past attacks only leaves users highly vulnerable.

A recent two-pronged RSA security breach hows just how deep hackers will go, uniting efforts across nations to attack secure data. Tokens are out of reach for many, with their high cost of maintenance. SMS authentication is cumbersome at best, and the most user-friendly solutions require nothing other than the user himself. That said, biometrics are excessively expensive.

Strong mutual authentication systems, like that of Tricerion, offer secure protection against assault while maintaining accessible affordability in comparison with biometric or token-based systems.  Picture-passwords have been found more memorable and harder to crack than alpha numeric passwords in multiple studies . Details on our authentication systems can be found on our website.

In brief:

• Complaints received:  336,655
• Total loss:  $559.7 million
• Increase from 2008 by 22.3 percent
• Median dollar loss of $575
• Average dollar loss: $1,633

Top five categories of offenses:

1. Non-delivered merchandise and/or payment – 19.9%
2. Identity theft – 14.1%
3. Credit card fraud – 10.4%
4. Auction fraud – 10.3%
5. Computer fraud – 7.9%

Find lots more data and demographic information by reading the full report at IC3.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. We’ve shown that that’s not true,” said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science.

Read the full statement here.