Has digital security progress halted?

The big digital security news recently was the attack on AshleyMadison.com, a website that advertises itself as a place where married men and women can have discreet affairs. The site, which claims to have 37 million anonymous users, was hacked by a group calling itself the Impact Team.

But amid the juicy news about a hacked cheating-focused website, other businesses were attacked as well. PNI Digital Media, a service that handles the photo center websites of Rite Aid, Costco, CVS, Walmart Canada, and Britain’s Tesco, announced that credit card information may have been illegally accessed through a third-party vendor. Google and Mozilla, meanwhile, announced that they would disable Adobe’s Flash plug-in because hackers were using a security bug to take over users’ computers.

With the rash of business security breaches, people are asking if their digital security is up to the task. Encryption isn’t the only solution though, says Lou Shipley, a lecturer at the Martin Trust Center for MIT Entrepreneurship and president and CEO of Black Duck Software, since it only solves part of the problem. He advocates teamwork between traditional rivals as well as open-source methods for developing new systems.

“It’s better to develop as a community, in the open, because given enough eyeballs, all bugs are shallow and fewer bugs means better security,” he wrote in a TechCrunch article. Shipley admits that some company privacy and secrecy will need to be sacrificed, but he believes that winning the “digital security arms race” requires openness and collaboration.

Hong Kong is attempting something different. Instead of focusing on passwords, the city is shifting toward biometrics, specifically face recognition technology. The Legislative Council announced that it would spend HK$2.9 million (£240,000) to add even more technology to its smart biometric ID cards, with high-resolution facial images to be added to new versions of the ID card. The new cards will have more storage capacity so that iris images and fingerprint data can be added later.

But using biometrics by itself presents another concern: If hackers can duplicate the biometric data, it effectively gives them the password to several accounts. In 2014, hacker Jan Krissler demonstrated just how easily it could be done when he recreated the fingerprints of German Defense Minister Ursula von der Leyen with nothing but high-resolution photos of her hands.

That means strong passwords will still be the key to security, says John Girard, vice-president at analyst firm Gartner. "An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits," he told the South China Morning Post, noting that even a six-character lower-case alphanumeric password can have billions of values and keep hackers guessing. He thinks that biometrics, combined with passwords, will be the best bet to keep data secure.

But Seb Reeve, director of product management at Nuance, a pioneer in voice biometrics, thinks that passwords are the weakest part of the security process. "Passwords are an increasingly weak authentication process, easily infiltrated by bugs and viruses and vulnerable to confidence tricks and simple, easy-to-guess phrases," he told the Morning Post. He advocates a three-pronged approach of voice verification, a phrase or question, and a location to verify identity (known as contextual authentication).

Whether people will be willing to give all this personal data to a company is questionable, even to protect their digital security. But Ron Kalifa, deputy chairman of payment processing company Worldpay, thinks it is possible if companies can build trust. “We know that people are still cynical towards biometrics, so it's important companies do everything they can to reassure them that the data is safe and secure.”

About the Author

Lee Ying has over 10 years of experience in the tech and security industry.

Follow me on Twitter @LeeYing101