May 19, 2024
by Charles Miller
Last week's column about the huge data breach of customers' confidential data at UnitedHealth Group prompted a response from one of my proofreaders who said "Why should I care? It has no effect on me." Au contraire, I replied. Even if your information was not a part of some specific data breach, your online experience will still be more difficult as a result of it.
UnitedHealth Group has not released any numbers and only says "a substantial proportion of people in America" had their Personally Identifiable Information (PII) stolen. If the population of the U.S. is about 335 million and UnitedHealth lost the PII of "a substantial proportion of people in America"… well, you do the math.
Whether you are logging onto Facebook or to your bank, you need to authenticate online. For the most part this authentication is done using something you know and/or something you have. The "something you know" is usually a username plus a password. Because that is something you know, the huge data breach at UnitedHealth plus hundreds of other such breaches is a serious problem: a huge volume of personal data about you is now in the hands of every cybercrook on the dark web. This is a problem for you because security-conscious web sites, such as your bank, are now forced to require that their customers change the "something you know" because all the crooks now know too much of that. I will let John Doe explain. (Full disclosure: John Doe is an amalgamation of several Johns but all the following are actual experiences.)
When John logged onto his investment broker's web site he was greeted by a notice explaining that he was required to change his password before he could enter. John was annoyed, but tried to comply. He entered his favorite password "JohnD6139" and was told by the web site that he could not use any password he had ever used before… used anywhere before.
I suggested he could flip the name and numbers, so he tried "6139JohnD" but he was told he could not use a password composed of the same elements found in any password he had ever used before. After being told the password had to be at least 12 characters, he tried padding it out to "06171939JohnDoe" but this time he was told that since his birthday was June 17, 1939, he could not use the number 06171939 or 19390617, and using his name, his wife's name, his mother's maiden name, or his pet's name as any part of the password was not allowed any longer.
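For readers who want to see how checks like these fit together, here is an added sketch (not the broker's code) that applies the rules John ran into. The function names, the extra day-month-year birthday form, the family names other than John's own, and the plaintext history list are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # minimum length quoted in the column


def elements(password):
    """Split a password into lowercase letter runs and digit runs."""
    return {e.lower() for e in re.findall(r"[A-Za-z]+|\d+", password)}


def birthday_forms(born_iso):
    """Digit strings built from a birth date given as YYYY-MM-DD."""
    born = date.fromisoformat(born_iso)
    y, m, d = f"{born.year:04d}", f"{born.month:02d}", f"{born.day:02d}"
    # The column names MMDDYYYY and YYYYMMDD; DDMMYYYY is an added assumption.
    return {m + d + y, y + m + d, d + m + y}


def check_password(candidate, history, born_iso, names):
    """Return the list of rules broken; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate in history:
        problems.append("previously used")
    # Catches rearrangements such as 6139JohnD after JohnD6139.
    old_elements = set().union(*(elements(p) for p in history))
    if elements(candidate) & old_elements:
        problems.append("reuses elements of an old password")
    if any(form in candidate for form in birthday_forms(born_iso)):
        problems.append("contains birth date")
    lowered = candidate.lower()
    if any(name.lower() in lowered for name in names):
        problems.append("contains a personal name")
    return problems


if __name__ == "__main__":
    # Constructed sample data. A real site would not keep old passwords in
    # plaintext; the list here only makes the rule visible.
    history = ["JohnD6139"]
    names = ["John", "Doe", "Jane", "Smith", "Rex"]  # last three are invented
    for attempt in ["JohnD6139", "6139JohnD", "06171939JohnDoe",
                    "Vermilion-Kettle-48"]:
        print(attempt, "->", check_password(attempt, history,
                                            "1939-06-17", names) or "accepted")
```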
After some gnashing of teeth John came up with an acceptable password, and then it was on to entering new answers to new secret questions. One of those was: "What is the name of a college you applied to but didn't attend?" I was very impressed with the ingenuity of that question because the answer is one John was likely to remember, but it was an answer that cybercrooks would probably never be able to find anywhere in the whole tranche of stolen personal data hacked from UnitedHealth.
Clearly, the tech support staff for the investment broker was doing an exhaustive job of tightening the security of their web site. They are correctly aware that all of the personal information lost by UnitedHealth and others is available on the dark web, so they had modified their password and other security requirements to effectively block their customers from using most of the answers that were easily available to cybercrooks.
The fact that cybercrooks can so easily find out literally all there is to know about their victims has made it more difficult to use online authentication that relies entirely on "something you know" because the crooks could know it too. This fact has moved more and more web sites to incorporate another authentication method known as "something you have" and that is a subject I plan to address here next week.
**************
Charles Miller is a freelance computer consultant with decades of IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted at 415-101-8528 or email FAQ8 (at) SMAguru.com.
**************