BreachExchange mailing list archives

Is Your Spouse Your Biggest Online Security Risk?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 23 Aug 2013 19:22:08 -0600

http://www.forbes.com/sites/ruchikatulshyan/2013/08/23/is-your-spouse-your-biggest-online-security-risk/


If your partner asked for your Facebook password, would you
give it to them? Chances are, you probably would. Better that than
risk all the “what are you trying to hide from me” drama that would
ensue, right?

Actually, an innocuous sharing of passwords – even with the person
closest to you – could lead to major security breaches. With recent
hacks on the New York Times and Washington Post Web Sites, you don’t
have to be in government or financial services to be at risk.

A third of organizations say employee negligence (a.k.a. the human
factor) was to blame for security breaches, according to this study.

“Breaches related to spouses are a growing risk that people don’t
realize,” says Hugh Thompson, senior vice president at global security
firm, Blue Coat. “The possibilities for attacks just increase with the
more data you share with your partner.”

Here are some common ways your spouse could pose a security risk:

1.)  You have different paranoia levels. People who work in security
or finance are trained to be paranoid about which devices (and even
which networks) they type passwords on. But that level of training is
not automatically passed on to spouses. It’s surprisingly common for
both partners to use the same passwords for work and personal use,
says Thompson. This could give hackers access to your work passwords,
if they can trick your spouse into revealing their password via a
phishing attempt. Also, on shared accounts like Dropbox and Google
Docs, your password security is entirely dependent on your
partner’s habits.

How do you counter this? “Just because you share some passwords with
your spouse, you don’t have to share all passwords with them,” says
Markus Jakobsson, Principal Scientist of Consumer Security at PayPal.
The onus is on you to decide which passwords to share with your
spouse, and ensure you have different (and difficult to guess)
passwords for sensitive information.

2.)  Password reset questions could give you away. Not only are some
passwords easy to crack (“password” is still a common one), but
password reset questions are increasingly easy to find out, according
to Thompson. One reset question could be your spouse’s maiden name.
“Someone could get a 30-day free trial on ancestry.com and find that
out,” he says.

The risks posed by “meta passwords” or password resets through
security questions are significant, according to PayPal’s Jakobsson.
Take time to think over which security questions are easy to find out
– the city you were born in, for example, vs. information most likely
to be known only by you. Meta passwords are also rarely changed if a
couple splits up. “People will generally change shared passwords if
they break up, but they forget to change the security question,” he
says. PayPal is trying to counter this by researching whether posing
security questions based on preferences would be more effective.
“We’re finding most spouses will know if you love or hate something,
but will probably not know your subtle preferences, like if you prefer
pepperoni on your pizza,” he says.

3.) The rise of BYOD – or Bring Your Own Device to work. As more
people use their mobile phones and personal laptops at work, private
information could easily be shared if those same devices are used at
home. This is especially the case on weekends or vacation, where one
device is used by the whole family. The risks are so great, yet so
simple. For example, the picture you take on your iPhone of whiteboard
notes from a meeting at the office could be synced to your partner’s
iPad at home, in a matter of seconds. “The malware one person
downloads by accident could affect their spouse’s company in a
significant way,” Thompson adds.

The best way to avoid this is by not letting your spouse download Apps
or programs on your work devices, says PayPal’s Jakobsson. If a
download is absolutely necessary, he suggests doing it on an iPad or
Android device. “It’s not foolproof, but safer than downloading it on
a laptop or desktop.”

4.) Your partner may not be your partner online. It’s becoming
increasingly common for hackers to imitate spouses online – especially
on instant messaging platforms. If your spouse has an online presence
through social media, blogs etc., their impersonator could easily
“sound like them” right down to phrases they frequently use. “Never
type out your social security numbers, credit card details,
prescription or medical details on an online chat, even if you think
it’s your partner on the other side. Spend 5 minutes on the phone to
relay this type of information,” Thompson says. “Also, be aware when
using technology – where does it back up? How long does it store
information for?” Many chat platforms back up the logs of your
conversation on two devices – yours, as well as your spouse’s, for
months. That’s twice the risk.

5.) Thanks to social media, your information is out there for all to
see.  Social media makes it a breeze for anyone to figure out who
you’re dating or married to. “Your spouse’s security hygiene is just
as important as your own,” says Thompson. Company information is
becoming easier to decipher through a partner’s social media. “Say
your friend updates their Facebook status that they’re in Bentonville,
Arkansas and tags their husband or wife, it’s easy to figure out their
partner was doing business with Walmart. Even if the company employee
wouldn’t update their own status, their partner’s update could
compromise confidential company developments.”

The disparity between how each person thinks about security is a
growing threat. One partner could have a login password or remote
wipe on their mobile phone, while another doesn’t. Your spouse could
be logging on to a shared computer – say, at a hotel –  to access your
joint bank accounts, while you wouldn’t even dream of using a shared
desktop. When it comes to your personal and corporate security, it’s a
team effort.

“People are the weakest link in this case,” adds Thompson.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
