Evernote's massive password reset last week was the most recent demonstration of leaky security around consumer locks and keys. Dropbox, LinkedIn, Twitter and others preceded the Evernote action. These anxiety-producing consumer annoyances occur over a backdrop of increased cyber-attack news. Chinese hackers are spotlighted in many recent disruptions, substantiated by Akamai's report of originating-attack countries for Q3 2012, which shows China's percentage of worldwide cyber exploits doubling from the previous quarter.
Precautionary password resets, as in the Evernote case, are minor aggravations. But the larger danger of password insecurity and increased cyber-malice is the swift domino effect that can lead to identity theft of the Mat Honan variety. Absolute personal cyber-security is probably a mirage. But there is not enough public education from industry that might reduce millions of easy targets.
It is hard to pin down the scope of identity theft. A recently released roundup from the FTC's Consumer Sentinel division cites 369,000 reported instances in 2012 (PDF). More dramatically, Javelin Strategy & Research charts 12.6 million cases in 2012, representing nearly $21 billion in damages.
"Identity theft" is a scary phrase, and nobody wishes for it. But at the same time not many people in the general internet citizenry apply much effort to self-protection. One interesting online PSA asserts that the 18-24 demographic is particularly complacent and lax. The video's recommendations are important, if old-school: Check credit card statements and shred documents. Another grim PSA from the US Treasury Department advises caution when disclosing your Social Security number. Why yes.
One striking development within the cyber-theft universe is the dramatic rise of tax ID fraud, which, by the FTC's reckoning, accounted for 43 percent of ID theft in 2012. An enterprising PII (personally identifying information) hacker can harvest enough identifying coordinates to file an early tax return in the name of a victim, and swipe the refund. The cost of incorrectly paid refunds runs to the billions of dollars -- about $6.5 billion in 2011, though a Treasury inspector admitted to Congress that the IRS doesn't have confident fraud data.
Consumers often have a skewed idea of responsibility and institutional efficacy. In one survey, more than half of respondents asserted that the IRS was solely accountable for ensuring that fraudulent returns could not be successfully filed. Misplaced confidence might be a consequence of the financial services industry, which handles credit card hacking briskly and with little out-of-pocket cost to the consumer. In those cases, a centralized, powerful stakeholder (the credit card company) is motivated to get the compromised account off the street fast, and re-empower the account holder to get back on the street and shopping again.
A small but harrowing subset of PII burglary involves medical identity theft. While representing only 1 percent of the FTC's 2012 survey, the personal cost is multi-faceted and, like some diseases, the residual effect of a fraudulent invasion can last for many years. Victims report receiving insurance and provider bills for health services they never received. Perniciously, victimized medical records are altered, introducing risk that a patient could receive harmful medication, be denied insurance or wrongly fail an employee health test and lose a job.
The World Privacy Forum calls medical identity theft "the least studied and most poorly documented of the cluster of identity theft crimes. It is also the most difficult to fix after the fact." Correcting this particular fraud lies at the opposite end of the efficacy spectrum from credit card theft. Without a coordinating agency solving the problem for an unlimited number of providers (as credit card companies do with affected merchants), medical victims are stuck with convincing every doctor, clinic, hospital and insurance provider that a stranger is in the room.
Back to Evernote and other password-reset alarms. These increasingly frequent exercises are like faint wake-up calls pushing through the fog of sleep for a large population that registers for desktop and mobile apps. Authentication management is a hassle, with complexities that don't immediately come to the fore when somebody signs up for Evernote, or takes Outlook email for a spin, or impulsively signs up with OpenTable to make a dinner reservation. My password list has more than 150 logins, and that number is too small to brag about. Nobody walks around with 150 keys on their belt, but it is routine to carry that many online. Using Facebook and Twitter authentication wherever possible streamlines registration, while increasing the black-market value of those skeleton keys.
In Sunday night's TUAW Talkcast, Mike Rose rattled off a short list of rampant bad password and authentication habits: substitutions ($ub$titU1i0n$), using one password across multiple sites, using true answers to security questions, using dictionary words for passwords. If a majority of Engadget readers knows these are no-brainers, that majority is a minority in the bigger picture. There is widespread blindness to the connection between an Evernote login and an online bank account that uses the same password; or the answer to a security question ("What is your father's name?") that is revealed in Facebook family sharing.
In any remediation scenario, the opening strategy is to pick off the low-hanging fruit first. Reduce the problem in the short term; eliminate it in the long term. This is where consumer information needs to be amped. Identity theft is not a computer phenomenon, and it is not a technology issue. It is a public safety issue. The internet is a portable utility that an enormous populace carries around at every moment.
It might be possible (though it seems unlikely now) to devise smart legislation that governs how individuals safeguard themselves with password basics. Seat belts were an optional-use feature in cars starting in 1949, and were made compulsory in the US in 1984. I was around in 1984, and I remember the widespread resistance and rampant non-compliance. Our risk tolerance in dangerous situations lowers with our awareness of the danger and how effectively it can be lessened. Before seat-belt legislation, car safety features were not marketed; Detroit didn't want to scare people. Modern auto marketing is often entirely about safety benchmarks, and modern consumers are eager to moderate driving risk.
But assuming we never see safe-authentication laws for online registrations, there is still a lot of awareness to be raised. People with a high tolerance for risk make careless passwords in the same spirit that someone drives without a seat belt, assuming the odds are against an accident.
There is a powerful opportunity for a vigorous industry taskforce whose role would be to fund and produce information campaigns. The subject would be individual best practices for personal cyber-security. There has been an awareness gain around caution when divulging Social Security numbers. Probably more work is needed there, especially in trusting, older demographics, but we need a similar awareness gain around internet password and registration habits. With internet users of all ages accessing mobile and desktop services, a broad swath of login education is needed.
The cloud is insecure. Frequent break-ins have established that institutional protection is not as trustworthy as people instinctively think it is. Individuals need to remove themselves from low-hanging branches and reduce the "domino damage" of one stolen key opening many doors. Industrial stakeholders have an opportunity, and arguably a responsibility, to ally around education, raised awareness and lowered risk.
Brad Hill is a former Vice President at AOL, and the former Director and General Manager of Weblogs, Inc.