I just saw in the news the other day that cloud based note and document storage service Evernote was recently hacked into and potentially as many as 50 million user’s account details compromised. While Evernote has since responded that no sensitive password or financial information was taken it did decide that the potential problem was large enough to force all users of the service to reset their passwords, (I reset mine yesterday). It also joins a growing high profile list of companies that have had their security compromised in the several weeks and months including, Microsoft, Apple, The New York Times, Facebook & Twitter. So what the heck is going on here?
Well in several of these high profile hacks over the last few months the companies involved have claimed that Chinese bases hackers with connections to the military have been targeting their networks for the purposes of attempting to suppress investigative reports into alleged financial dealings by family members of Chinese Prime Minister Wen Jiabao. (Original report here)
While stories of possible cyber espionage like those alleged to have taken place against the New York Times are extremely troubling because of the potential chilling effect on free speech when dealing with issues surrounding China, more immediate threat for web developer in the commercial space comes from organized crime. There are several pieces of information that hackers to a commercial website will attempt to lay their hands on, the first and most lucrative are customer’s credit card details. The next stop on the priorities list are personal account details such as user names, passwords email addresses & any other personally identifiable information. This information is often then packaged up and sold onto others that will use the personal information they obtain to apply for fake identification, apply for credit (posing as the victim).
So while all of this might seem a bit on the gloom and doom side of things (reaching for the tin foil hats) I want to end on a positive note, so what can we as developers do to lessen the chances of client data being compromised? Well remember that the type of security your clients will need will greatly depend on the information being stored. For myself I prioritize client data as follows: Highest, financial information, very high account accesses (usernames & passwords), pretty high, personal information such as names, emails date of birth etc. While it may not be possible to defend against every conceivable type of threat out there in the wilds of the internet a properly designed hierarchy to security can prevent an annoyance for users like needing a password to be reset from turning into a disaster; getting a phone call from your bank saying you have no money.