Your data, your responsibility. And everything online is hackable. While any online service provider can vouch for data security, you can never be sure of their disgruntled employees. With countless e-commerce startups popping up across India that are merely counting losses, do you really think they even consider customer data privacy and security?
All the talks happen only after a breach. Of course, the regular press releases like "We regret the inconvenience caused to you" and “others can learn from our cybersecurity mistake” follow. Thankfully, this Zomato data breach should ideally not cost users anything.
Considering the recent Zomato database reveal, the company used MD5 algorithm to "hash" passwords. In other words to simply hide it. "We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text," said Zomato in an official blog post.
Other details that were revealed by the database leak are Name, UserIDs, Usernames and Email IDs Of course, in plain text.
This might seem fine to most users. However, the post recommends you to reset the account password immediately. Why so? Because a simple Wiki search will reveal that “MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities.” And then Zomato takes pride in saying, "We take cyber security very seriously - if you’ve been a regular at Zomato for years, you’d agree."
Jokes apart, data breaches has happened always. LinkedIn, Yahoo, Gaana, Ola, McDonalds, the list continues. Considering that the next popular online service that you use could meet a similar fate, here are five important lessons to learn proactively.
1) Fake it: It is difficult but it is totally worth it if you can do it properly and provide false information while filling in unimportant online forms. Also, having a couple of random social media profiles and email IDs do not hurt either. Ola or Uber, Facebook or others will continue to serve you the same whether your name is Puja instead of Preeti or your age is 27 in place of 23 or your DOB is in January and not June.
You can create a sample 'fake' form for all your online services and make a profile with a less important mobile number, email ID or social media account. Of course, the contact information should not be the same that you have shared with your bank or other important services.
You have no choice with the location or home address. The idea over here is to provide just the minimum true data to get the service.
2) Use Mobile wallets: The debate still continues whether it is safe to use Netbanking or credit/debit cards for online payments, especially after one-time passwords (OTPs) were also proven to be vulnerable. For end users, the debate trickles down to availability and comfort. Mobile wallets can come handy for making online payments and can be seen a safer option offering more control to the user.
If the bank account database is compromised then the users stand to be highly vulnerable. But with mobile wallets, users can only lose the mobile wallet details and balance.
End users should also assess the risks and measure beforehand as to how much they stand to lose if any service gets breached in future.
3) Login with Facebook or Twitter:Using social media accounts like Facebook and Twitter or Google to login to services is way simpler and safe instead of creating individual accounts with email ID. At least, the startups don’t get access to these passwords. So, unless Facebook, Google or Twitter is compromised, your account and password details are safe.
4) Different passwords for different services: Remember a time Mark Zuckerberg faced a major embarrassment when his Facebook and Twitter accounts got hacked? It turned out that the infamous LinkedIn database leak had Zuckerberg’s details. While LinkedIn protected the account, Zuckerberg’s Facebook and Twitter IDs got compromised because he used the same login credentials. It is the worst practice to have a single email ID and password for all online services. It is high time you use different passwords.
5) Change passwords at a regular interval: The usual disclaimers apply. Change passwords of important accounts including email IDs, Facebook, Twitter and ATM pins at least once every three months. And create strong password as well.
If you are not serious with your passwords how can you expect firms to take responsibility for the same when everything online is hackable?