…data theft

In the pub one evening a few months ago I overheard someone bragging in a rather loud voice about his new phone and how if he lost or destroyed it he could have a new phone within a few hours with all his social media contacts, photographs, e-mails, music collection etc etc on the new device and that this is what makes ‘the cloud’ so great.

Well, yes. It is very impressive. All our life’s little details stored on a hand-held computer and automatically backed up in a huge computer system somewhere out there.

Of course, that is only a minute fraction of what ‘the cloud’ can do but it is one aspect which many consumers are familiar with. We can take a unique picture and within a few moments it is safe in the cloud and cannot be lost if we have an accident with our device.

We do hear a few horror stories about celebrities taking pictures which they intended to keep private and which were obtained and published by some unscrupulous web site operator or another.

But that only happens to celebrities, right? I mean, who would bother to hack into my stuff? Loads of people, if you make it easy enough.

But surely all these hacks are against the service provider; it’s not me making it easy - it’s the provider? No, very rarely. Most of these ‘hacks’ are just password stealing or guessing or using your publicly available personal information to get the cloud storage operator to reset your password. Perhaps trying out lyrics from The Beatles’ various songs because you once mentioned ‘Hey Jude’ in something you wrote online. If the entire datastore behind a major service was hacked there would be a media storm against the provider. No, so far for the really big providers it’s just individual accounts being compromised through weak personal security. That said, a dating site was apparently recently hacked and the details of its 37 million subscribers were stolen.

So what’s easy? Your girlfriend’s date of birth? Dead easy: her name is on your social media contacts and her date of birth is on her CV on a job search site. The name of your first pet or boyfriend? Easy, especially if you’ve used it elsewhere. Substitute numbers or special characters for some letters? Easier than you think… There are immense dictionaries with nearly every imaginable word with number/special character substitutions. Patterns on the keyboard such as ‘Aq1Sw2’? Easy. The first characters of the words of the third verse of your favourite song when you first started dating? Better. As long as it’s not the bit in ‘Hey Jude’ which goes ‘Na na na nanana na’. Totally random 16-20 character letter/number/symbol passwords, different for each site? Good, but almost impossible to remember - but there are ways to manage this.

[Image: keyboard patterns]
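The weak choices listed above can be screened for at the moment a password is set. The following is an added example, not part of the original post; the small word list, the substitution table, the 0.7 threshold and the function names are assumptions made for illustration.

```python
import re

# Constructed sample list; a real check would load a large breached-password list.
COMMON_WORDS = {"password", "letmein", "dragon", "welcome"}

# Common number/symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")

# QWERTY rows; the column index approximates key position (row stagger ignored).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def normalise(text):
    """Lower-case, undo substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def keyboard_walk_ratio(password):
    """Fraction of consecutive character pairs that sit on neighbouring keys."""
    chars = password.lower()
    if len(chars) < 2:
        return 0.0
    hits = 0
    for a, b in zip(chars, chars[1:]):
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            hits += abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1
    return hits / (len(chars) - 1)


def weakness_reasons(password, personal_terms=()):
    """Return the guessable traits found; an empty list means none of these."""
    reasons = []
    raw, plain = password.lower(), normalise(password)
    if any(word in plain for word in COMMON_WORDS):
        reasons.append("dictionary word")
    for term in personal_terms:  # names, song titles, dates known from public posts
        t = normalise(term)
        if term.lower() in raw or (len(t) >= 3 and t in plain):
            reasons.append("personal detail")
            break
    if keyboard_walk_ratio(password) >= 0.7:
        reasons.append("keyboard pattern")
    return reasons
```

An empty result only means none of these three traits was found; it says nothing about whether the password is reused on another site.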

But we don’t hear about these attacks in the news. Unless you’re a celebrity the media will not be particularly interested. They’ll report it if it affects lots of people but otherwise the headline ‘Joe Bloggs’ password guessed by bad guys. Pictures of his girlfriend stolen.’ is not going to increase their circulation and advertising revenue. But the lack of a headline does not mean that your photos or other personal details have not been looked at or copied or maybe even published somewhere. Have you ever had to get your provider to reset your password to an online service without knowing quite how you could have forgotten it? You know, e-mail you a link so that you can click it and then set a new password. No? Good. Plenty of people have.

But why would they bother? I’m not anybody special. Maybe. Maybe the bad guys really will be disappointed if they crack into your information. Or maybe they’re actually more interested in your girlfriend’s brother’s richer friend and are just delighted to find out where and when they’re going on holiday this year. Or maybe they just like your pictures. £49.95 from your bank account would be welcome too - especially if they can also steal a similar amount month after month.

Surely it’s safer than you make out. Everyone’s using it. Good point. A good analogy might be one of those self-storage places you get on the edge of town. Full of stuff which people don’t have room for right now, but don’t want to throw away. If it’s burgled a few people lose some junk. A few lose some family heirlooms. Maybe someone loses something of real saleable value. But the country does not lose the Crown Jewels or its gold reserves because nobody’s dumb enough to store them in a self-storage site. The Jewel House of the Tower of London and Fort Knox are built and operated the way they are for a reason - they are not used to store spare furniture. If we’re more ‘important’ (you define it however you like) than Joe Bloggs now or we intend to be in the future, we should not store our stuff in the place provided for Joe Bloggs’ stuff - it’s really not secure enough for our stuff.

Then there are the celebrity victims who say: but I deleted those pictures a long time ago. Yes. Remember that bit about ‘cannot be lost’? If someone gets access to our cloud storage, they also get access to the past backups of our store.

We all know that some information is for sharing and some is most definitely not. We need to recognise and keep the different types apart in our minds and especially on our devices. If everything on a device is copied to the cloud then we probably should not put anything really private or that we might want deleted in future anywhere near it.

Specifically we should not do our online banking on devices with which we access social media; the banks restrict who can access what from their computers in their offices for good reasons. They don’t allow their staff to install SweetySmash or whatever game of the moment they fancy. They have whole teams of highly skilled people assessing what’s safe and required on their computers and what is not. So how do we make those decisions with our devices?

We need to use appropriate storage for our information depending on its value to us and to others. How important is it that we always have access to it and carry it around with us - or the keys to it online? Perhaps it’s only necessary that we should be able to get access to it at some time in the future? How important is it that nobody else should have access?

Think about it.


 

A little later Mr Cloud was instructing his date on how to take control of her finances and pay her bills using online banking; ‘Look, I can even pay my credit card bills from here. Watch…’.

Oh what a wonderful idea: the ability to do online banking after we’ve had a drink or few.


Update 16 Mar 2016: News today that in the USA a man has been charged with ‘hacking the Apple iCloud and Gmail accounts of celebrities and stealing nude photos and videos from them’. Mmmm… it depends what you mean by ‘hacking’. Elsewhere in the article it mentions that this guy used ‘phishing’ to get the account owners to reveal their passwords. So, if you tell someone your password and they log in using it have they ‘hacked’ your iCloud account? No, iCloud was not hacked - you were.