In one form or other, we all use cloud-based identity, relying on the cloud service provider to keep our identity and data secure. Some of the cloud service providers are obvious (like iCloud from Apple), while others (such as Amazon, Google, and Microsoft) are not as obvious. In both cases, these services may offer you email accounts, storage for pictures and documents, and sometimes even online backup of your systems for free or at minimal cost. The chances are that you have a number of accounts for these cloud-based services (such as Amazon, Apple, Gmail, etc.) that together represent your digital identity on the internet.
Most of your accounts are “daisy chained” together, and hackers getting into one could give them access to and control of all of your accounts. Once hackers gain access to your digital identity, it can be exploited for financial gain, used to ruin your reputation, or simply erased. None of these outcomes is desirable for you, but the threat of this happening is very real.
Certainly, using the same weak password for these cloud-based services makes it easy to steal your digital identity; however, even different and strong passwords do not secure it. The simple reason is the systems the cloud service providers use to authenticate you when resetting your password. These systems rely on your email and billing address, phone number, the last four digits of the credit card number on file, Social Security number, etc. The problem is that these are identifiers, not authenticators. Some of that information is publicly available on the web, such as email addresses, physical addresses and phone numbers. The last four digits of a credit card may be insignificant to one service provider, while another uses them as an authenticator. For example, Amazon treats the last four digits of your credit card number as insignificant, while Apple uses the same digits as proof of identity. It should also be noted that the last four digits of your credit card number commonly appear on the numerous receipts that most people collect in a day and simply discard.
Hackers do not need to guess your password or obtain it by other means; they simply exploit the differences between the service providers' authentication systems to gain control of your online identity. It recently happened to a tech writer and Wired employee, Mat Honan. Because the cloud accounts are daisy chained, the hackers followed that chain to gain access to Mat's digital identity by:
1. Collecting the name of the target, an associated email address, and the billing address used for Amazon;
2. Calling Amazon customer service with this information and adding a new credit card number to the account;
3. Calling Amazon customer service back and telling them that they no longer have access to the email address on file;
4. Having Amazon change the email address on file to the “new” email address they supply, using the name, billing address, and the new credit card number from step two;
5. Requesting an online password reset for the Amazon account, which is sent to the email address specified in step four;
6. Logging in to the Amazon account and viewing the last four digits of the credit card numbers on file;
7. Calling AppleCare and requesting a password reset for the “@me.com” email account;
8. Giving AppleCare the name, address, and the last four digits of the credit card number from step six, on which AppleCare resets the password over the phone;
9. Using the web-based Gmail password reset, which is sent to the “@me.com” email address;
10. Accessing any other cloud services, such as Twitter, that rely on the Google identity;
11. Once done with the stolen digital identity, erasing it: deleting the Amazon and Google accounts and using “Find My iPhone, iPad, MacBook” to remotely erase the devices.
While most people believe that their data is secure with cloud-based services, that is not the case, as this incident underlines. Erasing the digital identity of an individual has consequences; erasing the digital identity of a business would be catastrophic for the business. And that could happen to businesses that use “free” cloud services, such as WordPress hosting the business website while the business email address ends with “@gmail.com”, “@aol.com”, “@hotmail.com”, etc. When it does, your business disappears from the web and your customers cannot reach you by email. If you use an iPhone for your business, and possibly Android and Windows-based smartphones as well, your customers will not be able to reach you by phone either.
The cloud service providers will certainly change their authentication systems to disable this “daisy chain” style of digital identity theft. That will force hackers to change their methods, which in turn will trigger further changes in the authentication systems. Regardless of how the authentication systems change, it is the owner of the digital identity who needs to protect it, and this is especially true for businesses.
In addition to backing up business data “offline”, the business should ensure that it does not use:
- Free email services, such as Gmail, Hotmail, AOL, etc., to conduct business;
- Free web hosting services for web presence;
- Same credit card number for all cloud service providers;
- “Find my device and erase it” types of services.
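The reset chain in the numbered steps above and the “do not use the same credit card for every provider” advice can both be checked with a small recovery-dependency audit. The following is an added example, not code from the original article: each account declares which facts its password reset accepts and which facts a compromise of it exposes, and the audit computes how far a chain could propagate from facts that are effectively public. The account names, fact labels and reset routes are constructed to mirror the chain described above; they are illustrative, not a statement of any provider's current policy.

```python
# Added example: audit how far a password-reset "daisy chain" can propagate.
# Facts, routes and exposures below are constructed to mirror the article's
# chain; they do not describe any provider's actual reset policy.

def chain_reach(accounts, public_facts):
    """Return, in order, the accounts whose reset flow becomes satisfiable
    using facts that are public or exposed by earlier reachable accounts."""
    known = set(public_facts)
    reached = []
    progress = True
    while progress:
        progress = False
        for name, spec in accounts.items():
            if name in reached:
                continue
            # Any one accepted reset route being satisfiable is enough.
            if any(route <= known for route in spec["reset_routes"]):
                reached.append(name)
                known |= spec["exposes"]
                progress = True
    return reached

# Weak setup: one card on file everywhere, so the last four digits visible
# after an Amazon takeover are the same digits Apple accepts as proof.
WEAK = {
    "amazon":   {"reset_routes": [{"name", "email", "billing_address"}],
                 "exposes": {"card_last4"}},
    "apple_id": {"reset_routes": [{"name", "billing_address", "card_last4"}],
                 "exposes": {"me_mailbox"}},
    "gmail":    {"reset_routes": [{"me_mailbox"}],
                 "exposes": {"gmail_mailbox"}},
    "twitter":  {"reset_routes": [{"gmail_mailbox"}],
                 "exposes": set()},
}

# Hardened setup (the article's advice): a different card is on file with
# Apple, so nothing reachable from the Amazon account exposes its digits.
HARDENED = {k: dict(v) for k, v in WEAK.items()}
HARDENED["apple_id"] = {
    "reset_routes": [{"name", "billing_address", "second_card_last4"}],
    "exposes": {"me_mailbox"},
}

# Facts an outsider can typically obtain without any account access.
PUBLIC = {"name", "email", "billing_address"}

if __name__ == "__main__":
    print("weak:", chain_reach(WEAK, PUBLIC))          # whole chain reachable
    print("hardened:", chain_reach(HARDENED, PUBLIC))  # stops at amazon
```

Extending the model with your own accounts and the facts each reset flow actually accepts shows which single account is the weak link worth fixing first.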
Most businesses already have a domain name, such as “mybusiness.com”. If yours doesn't have one, create one. Have your domain hosted by a web hosting service that provides email, and use the “@mybusiness.com” email address to conduct business. The additional benefit is that a “@mybusiness.com” business email address looks more professional to potential customers than “@gmail.com”. Free services are certainly beneficial for the bottom line of the business; however, a stolen digital identity is one of the prices that the business may have to pay in the near future. Due to technological advances, domains hosted by web hosting services are no longer prohibitively expensive, even for small businesses.
You should not wait to secure your business until it is too late. You need to do it now, with the information that we currently have, and constantly update your technological security plan as the online environment evolves.