As the world becomes more connected, people are placing more and more information online. Gary Davis is the Chief Consumer Security Evangelist at Intel Security, and he spoke with the Cipher Brief about the biggest threats to your digital identity – and what you can do to protect yourself.
The Cipher Brief: Some of our readers may not be familiar with digital identities or authentication - can you briefly explain these two concepts?
Gary Davis: Digital identities are how we identify either ourselves or our organizations in an online, connected world. They can be as simple as a username and password for your social media account or as complex as name, social security number, medical history, credit card information, and insurance ID for your healthcare provider. Digital identities are tied to a specific individual much like your passport. Digital identities can also be expanded to your devices. For example, things like your phone, tablet, laptop, etc. have a specific identifier (called a MAC address) that lets your Wi-Fi access point know to let it connect to the network. That MAC address becomes part of the digital identity for that device, which is then connected to you when you use it.
Authentication is how we verify your identity when connecting to something. In relation to a digital identity, it is a way to say, "yes, I am who I say I am, and I have permission to do what I’m trying to do." The most common form of authentication we use is a combination of username and password. Authentication can also have a physical component. A PIN number is a way to authenticate when using an ATM card. Biometrics such as your fingerprint can be an authentication method for your phone or laptop.
TCB: What are the most pressing threats to individuals' digital identities? How have these threats changed over the last 10 years? How do you expect them to change moving forward?
GD: The most pressing threat to our digital identities is the potential for ongoing compromise. For example, last year over one billion identities were compromised, which opened them up to things like credit card fraud, identity theft, and several other cybercrimes. Over the past decade, we've moved more and more services online that require sensitive personal information. If you think back only 10 years, paying your utility bill, transferring money to a relative, or checking the test results from your doctor all online seemed farfetched. Yet now, we freely enter this sensitive information through a web browser and trust that the servers on the other side are secure and will keep our information safe. While it seems natural to say organized crime or nation-state bad actors are the biggest threats to our digital identities, lax security and information over-sharing really present a target-rich environment for cybercriminals.
TCB: Why do bad actors want to compromise digital identities, and what can they do once they have access to that information? Is this primarily an issue of cyber-crime or are there larger security implications as well?
GD: When the digital identity is compromised, it offers up long-term potential for a cybercriminal. If a credit card number is stolen, it has a short window during which it can be exploited for financial gain. However, if a digital identity is cracked, it can provide a tremendous amount of personally identifiable information (often referred to as PII) that can be used over and over again by a bad actor. The information gained can be used to open new bank accounts or credit cards. Unlike a stolen credit card number, identity theft can be extremely difficult to recover from. A compromised digital identity is also a window for cybercriminals to gain access to legitimate email accounts and use them for sending spam, with a potential for infecting even more systems and gaining access to more identity information. A person is much more likely to click on a link or open an attachment in an email from someone they know, which makes that compromised identity even more valuable to a cybercriminal.
A compromised digital identity can also be used for industrial espionage and cyber warfare. Most organizations have layers of security to prevent a bad actor from compromising their network, but those protections typically do not cover employees while at home. A sophisticated targeted attack against an organization will take the path of least resistance, and typically this is through an employee's private digital identity, not their professional one.
TCB: What can be done to improve digital identity protection?
GD: The problem with protecting digital identities is that there are multiple entities involved. You have the owner of the digital identity and you have the organization/service they interact with. From an individual perspective, awareness and compartmentalization are key. Individuals must be aware of how much personally identifiable information they are sharing, and how easy it would be to tie that information back to a live person. Once a digital identity is created, it is extremely important to make sure that information is protected with a complex and unique password. One of the top ways digital identities are compromised is due to a weak or reused password. By creating a unique password for each digital identity, you are compartmentalizing the potential damage. If one of your identities is compromised but uses a unique password, it can keep other identities from suffering the same fate.
The other side of the equation is the organization or service in which the digital identity is used. Organizations need to make sure they are doing the absolute most they can to protect their customers' digital identities. One way to improve protection is to implement two-factor authentication. Two-factor authentication combines a password with a one-time password (OTP) that changes after a short time. This OTP can be generated by an application on a user's laptop or phone, or it could be sent via text message when requested. This additional password dramatically increases the protection of a digital identity without a huge increase in complexity for the end user.
Digital identities must also be stored in an encrypted format to protect the information even in the event of a breach. Servers must be kept up to date with the latest operating system and application patches. There have been many breaches in the past that could have been prevented if the systems were kept up to date. Security also needs to become a boardroom discussion. In order to maintain a decent level of security, a budget needs to be allocated for security tools and intelligent people hired to utilize them.
Protecting the digital identity may seem like a daunting task, but it is within reach of those willing to put in the effort.