Recently, the CNBC news website gave a quite controversial lesson on information security. The author of the article, indirectly related to the information security issue (it said about the confrontation between Apple and the FBI), decided to add a text box for the passwords strength check. Most likely, this form was included as a “salt” to attract more attention. The author of the publication didn’t aim to improve the computer literacy of the readers.
And it should be said the publication called more than enough attention, especially among the information security specialists. After all, this text box called the readers to violate the key information security rule. The password can be entered only in the text box of official authorization on the website for which it is intended.
The author, who added this text box to his article, made a small caption (probably to avoid possible lashing) saying that this tool was designed for educational purposes only and that the passwords entered in the text box are not saved.
— Adrienne Porter Felt (@__apf__) 29 марта 2016 г.
Struck with such illiteracy, several information security experts decided to take a closer look at the “educational” text box. And, as it turned out, the passwords were not only saved in unencrypted form in Google Docs but were also transmitted to the CNBC partner companies.
And then a scandal broke out. The representatives of the information security community required removing the text box from the website immediately.
However, the CNBC’s reaction was quite strange. They didn’t reply to the criticism and simply deleted the ill-fated article – together with the text box, of course.
The publication cleaned up all references to this article on Twitter and the personal page of the author of the article suddenly became private and closed. As you can see, neither the victims nor the online community will get any apologies from the CNBC administration.
We don’t know how many users fell victims to this provocation and entered their passwords in the text box. But if to consider the popularity of the CNBC website (more than 6 million visitors per month) there should be quite a lot of them. The information security specialists (real) recommend everyone who entered their passwords in this text box to change them quickly.
Despite this apparent failure, the CNBC’s “lesson” can teach us a lot. First of all, it gives a reason to remind once again: the data protection is the user’s matter. Even the most perfect data protection system cannot substitute simple caution and a certain amount of healthy skepticism.
In order not to find yourself in the situation of people who sent their passwords to the unknown direction, we should remember a few simple rules:
- Any account password should be entered only on the official website. Avoid the third-party resources and the links in the innocuous-looking letters. It doesn’t take much time to manually type the name of the website you need in the address bar or open a saved bookmark. But similar precautions can protect you from phishing. In general, you should not disclose your secret combination to outsiders – either orally or in a written form
- Even the most carefully crafted and anxiously stored passwords must be regularly changed (at least once in 1-2 months). If you have suspicions that the service was hacked, do it “out of turn”.
- Use 2-factor authentication on every resource supporting it (and all self-respecting websites should do it). Fortunately, modern two-factor authentication technologies simplify the process of generation and entering the one-time passwords. You can find more about the different types of OTP tokens and their pros and cons here.
Data protection is not so difficult. It is enough to avoid obvious mistakes and not to take everything written on the Internet as truth.