
Online data - never safe?

Brigitte Osterath, September 4, 2014

The 4chan leak of nude celebrity photos, allegedly stolen via Apple's iCloud, shows your data are never fully secure. But with an iPhone payment feature expected to launch, it's time to see what you can do.

https://p.dw.com/p/1D6T5
Actress Jennifer Lawrence was among celebrities whose photos were leaked. Image: ROBYN BECK/AFP/Getty Images

Techheads and gadget fiends the world over are eagerly awaiting next Tuesday - the day US technology firm Apple is expected to unveil a payment feature with its new iPhone 6.

The company says you will be able to use your mobile phone just like a credit card.

Rumor suggests - and when it comes to Apple, rumors are an acknowledged fine art - Apple has made agreements with leading credit card financial services.

Using near field communication for contactless data transactions, smart phones could soon replace the plastic in your wallet.

But the question is: how secure is that?

Will it become another piece of technology that we rely on, but which is easily hacked?

Cyber security researcher Dr. Sandro Gaycken of the Freie Universität Berlin tells DW it will be a problem if we all start paying by phone.

"It will make [hacking] even more interesting," says Gaycken, "and the more interesting it is the more criminals will be attracted to it."

Paying with your smart phone Photo: DW SHIFT
Data experts are concerned that smartphone paying services will make matters worse

Stealing nude photos

That's in addition to the security holes that are already common in existing, mainstream technology.

You may think you would never be so stupid as to click on a link sent to you in a "phishing" email - an email that looks like it's from your bank, for instance, asking you to update your details.

And yet plenty of people do - and they get hacked.

But criminal hackers don't always require such active support from their victims.

This past Monday a gang of hackers released nude photos of celebrities, which they had allegedly spent years harvesting from iCloud accounts, and trading elsewhere online.

It appears the hackers were able to gain access to individual accounts simply by figuring out the passwords and answers to security questions.

Apple says their systems have not been compromised - they say this was a targeted attack on certain celebrity accounts.

As IT expert and cyber security researcher Jonathan Zdziarski writes in his blog, the hackers used commercial forensics software to "scrape each victim's iCloud backup and other data from their accounts."

To be able to do this, the hackers took advantage of a weakness in Apple's system, Zdziarski says: hacking software was able to try out an unlimited number of passwords without the accounts freezing automatically after three incorrect attempts, as is the case on other platforms.
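The missing safeguard described above, sketched as an added example (not code from the article, Zdziarski or Apple): a per-account guard that freezes an account after three consecutive wrong passwords, replayed over constructed login events. The class and function names and the 15-minute freeze duration are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3          # threshold named in the article
LOCK_SECONDS = 15 * 60    # assumed freeze duration (not from the article)


@dataclass
class LoginGuard:
    max_failures: int = MAX_FAILURES
    lock_seconds: int = LOCK_SECONDS
    _failures: dict = field(default_factory=dict)      # account -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # account -> unlock timestamp

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        if now < self._locked_until.get(account, 0):
            return "locked"           # frozen: the password is not even evaluated
        if password_ok:
            self._failures.pop(account, None)   # a success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            # Keyed on the account, not the source address, so spreading
            # guesses over many clients does not bypass the freeze.
            self._locked_until[account] = now + self.lock_seconds
            self._failures[account] = 0
        return "denied"


def replay(events, guard=None):
    """Count, per account, how many guesses were actually checked against the password."""
    evaluated = {}
    for ts, account, password_ok in events:
        if guard is None:
            result = "ok" if password_ok else "denied"   # no lockout at all
        else:
            result = guard.attempt(account, password_ok, ts)
        if result != "locked":
            evaluated[account] = evaluated.get(account, 0) + 1
    return evaluated


# Constructed sample: 200 wrong guesses, one per second, against one account,
# plus a legitimate user who mistypes once and then logs in.
SAMPLE = sorted(
    [(t, "target@example.com", False) for t in range(200)]
    + [(10, "user@example.com", False), (20, "user@example.com", True)]
)

if __name__ == "__main__":
    print("no lockout  :", replay(SAMPLE))
    print("with lockout:", replay(SAMPLE, LoginGuard()))
```

Without the guard every one of the 200 guesses is checked; with it, only the first three are, while the legitimate user who mistypes once is unaffected.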

Managing your cloud

But "this isn't the only security problem in a cloud," says Gaycken.

The cloud is a way of storing your photos, documents and other data on remote servers.

Apple's iCloud Photo: Armin Weigel/dpa
How secure is it to store data in a cloud service, such as Apple's iCloud? Image: picture-alliance/dpa

It "is often more secure than other storage," says Rich Mogull, CEO of security research and advisory firm Securosis, in comments to the press agency AP, adding that companies invest a lot to ensure that your private information stays private.

But Sandro Gaycken disagrees.

Cloud-based storage means transferring your data to a remote location - it is not on your computer - and you effectively give control over your data to the company running the service.

"They call it a service, but in fact they only want to get their hands on the users' data," says Gaycken.

Gaycken warns you should never store sensitive data in a cloud. "Better keep your nude photos at home on your [own] hard drive."

Sharing data by default

But why would anyone store nude pictures in a cloud?

The answer is that many people - including some of the celebrities caught up in the leak - might not have known they were - or indeed are - doing just that.

If you take a picture with your iPhone, Apple backs it up to your iCloud account. That's unless you switch the function off.

Zdziarski says such "features are enabled by default, without any user notification that their data will be copied off the device to remote storage."

Which means at least some of the victims of the nude photos leak may have been unaware their content had been backed up in this way.

Money and a CD Photo: Pixelot #44318647
Gaycken: "Data are the new gold." Image: Pixelot/Fotolia

Our advice: check your phone's settings and choose what works best for you!

A new gold rush

Many mobile apps work this way, says Gaycken. When you install a new app, you're asked to agree to a license. And it's here that you will often agree to share your data.

"Every app that's free collects personal data," Gaycken says, "because data are the new gold."

If you don't want to share your data, read the license agreement thoroughly. And if you're in any doubt, don't install the app.

Two-factor authentication

Apple has publicly encouraged users to enable two-factor authentication (2FA) to protect their accounts.

Most major cloud services, including Apple's iCloud, Google Drive and Dropbox, offer this kind of protection.

Two-factor authentication adds a second level of authentication to an account log-in. It's a bit like using two padlocks on your bike, rather than just one. It's not impossible to crack, but it is an added level of security.

So, instead of just typing in a username and password, you may additionally need a fob, a fingerprint, or a smartphone to which the service operator can send an SMS.

If someone hacks your password, they would still have trouble logging in - unless, of course, they steal your phone or your fob as well.

"For normal users this offers totally sufficient security," Gaycken says.

However, says Gaycken, even two-factor authentication can be breached if the target is worth the effort - like Apple's iCloud.

Most important: take good care of your passwords

And there is something that everybody can do: put a little more effort into the passwords you choose.

Gaycken advises it is best not to use names or birth dates as passwords or as part of passwords - "and no dog names either."

It is best not to use words out of a dictionary but instead mix up numbers, letters and additional characters to creatively make up artificial, non-existing words.

iPhone 5s Touch ID
A fingerprint detector is one form of authentication, but it's less secure than you would think. Image: picture-alliance/dpa Themendienst

And yes, it is a lot of work. But try to come up with a new password for every new account you create.

Do not use the same password for Twitter, Facebook, your online banking, eBay and your email account.

"Do not write your passwords down. And change them every few weeks," Gaycken adds.

But he admits it's a lot to ask. Even he doesn't follow all the rules.