Forty years ago, when Bob Kahn and I created the TCP/IP networking protocol for the Internet, we did not know that we were laying the tracks for what would become the digital superhighway that powers everything in society from modern business to interpersonal relationships.
By the same token, we also didn’t envision that people would intentionally take advantage of the network to commit theft and fraud.
Consider just a few recent statistics from Symantec:
- Malicious software, or malware, is a major issue for mobile devices, with the number of variants increasing by 54% in 2017 alone. We are just beginning to see the effects of malware in the IoT devices that are proliferating.
- Third party app stores hosted 99.9% of discovered malware.
- Cybercriminals stole an estimated 12B records in 2018 including names, addresses, social security numbers and other information.
Safety, security and privacy are shared responsibilities on the Internet. Software and hardware makers need to assure best practices for protecting users from bad actors and also from their own mistakes or weaknesses. Users need to adopt their own best practices for protecting themselves from harm. Legislators need to establish legal frameworks for identifying and prosecuting those who cause harm, especially when these actions are transnational in scope. Operators of networks and network-based services must adopt practices that enhance safety, security and privacy while acting cooperatively with each other and with law enforcement to achieve the desired outcomes.
When we think about user behaviors to enhance their own safety, security and privacy, we might think of a number of wise choices. First, users should seek support for two-factor authentication where it is available to avoid dependence solely on usernames and passwords. Second, given the known vulnerabilities of mobile smartphones, users should look for hardware-based second factor devices even though this can be annoying. I am a strong proponent of hardware security tokens and enjoy their use because they add to my sense of security. Third, users should be suspicious of look-alike domain names that may take an unsuspecting user to the wrong website where their credentials will be stolen and used to access existing or to create new accounts. Fourth, operators or creators of web sites should learn about registration mechanisms to force all users to use HTTPS (secure hypertext transport protocol) when accessing those websites. Some domain registrars can offer Hypertext Transport Protocol Strict Transport Security (HSTS) which means that a domain name and all subsidiary domains will require users to use HTTPS to reach the website, no exceptions.
Website operators will benefit from registering for the use of DNSSEC (domain name system security extensions) that assures that the Internet Protocol address associated with a domain name cannot be altered without detection, assuming the users’ software checks for validly signed responses to DNS domain name lookups.
These and other practices will help to reinforce safety and security in the online world but only if all parties cooperatively implement and enforce them.
For more information, please see my recent article in Quartz.