How we help the hackers

PUBLISHED : Friday, 02 March, 2012, 12:00am
UPDATED : Friday, 02 March, 2012, 12:00am


The streets may be safer than ever, but the password-protected corners of the information superhighway are the new focus of organised criminals. Cyber-fraud is now a bigger deal than the illegal drugs market, in terms of annual financial losses, and although that's largely due to a combination of cheap graphics cards and automated hacker tools, it's our weak six-character passwords that leave online transactions and bank accounts open to attack.

Nearly 70 per cent of people in Hong Kong use the same password across multiple accounts, according to a recent PayPal-commissioned survey by City University of more than 1,200 internet users. Six out of 10 never update online passwords for the seven (on average) websites that hold their personal information. Three quarters make online payments at least once a month, but 78 per cent are discouraged from doing so more regularly because of security worries.

'Despite rising fears of hacking and online attacks, most people do not act in response to change their risky online habits,' says Dr Daniel Tse Woon-kwan from CityU's information systems department. 'Risky behaviour runs unexpectedly high across respondents of all levels of education and income levels.'

Charles Mok, Internet Society Hong Kong's founding chairman, agrees more awareness is needed: 'There's an apparent disconnect between Hong Kong people's high interest in using online and mobile payment methods and their low awareness and readiness to protect themselves against the potential risks.'

In short, we're burying our heads in the sand, though we seem to be more cautious when using our smartphones to make payments. More than two-thirds of respondents enjoy the convenience and efficiency of making transactions from a smartphone, but just one-fifth of people think that using a mobile phone to make payments is secure. What's more, only one in eight is willing to spend more than HK$500 using mobile payment.

What can save us from the hassle of remembering - and remembering to change - so many passwords? Technology is creeping into online banking; some banks have sent out card readers to customers that use existing chip-and-PIN information, while most of us will have received text messages and automated phone calls to authorise an online banking transaction.

'Most individual validation is based on something you have, something you know, and something you are,' says Robert Mackenzie, a partner in Business Technology and Consulting at accountancy firm Scott-Moncrieff. 'The first two are tried and tested ... but new solutions need to be cheap, more robust and more reliable.'

Shouldn't we be using fingerprint scanners, breath analysers, visual passwords or even face recognition technology on our computers and smartphones by now? The technology exists, but a lack of trust and a lack of standards are the reasons we're not.

'Everyone has an inherent trust of fingerprints, from the past 50 years of crime movies,' says Mackenzie. 'But there is no easy way of guaranteeing the origin of the device or the software being used to check the fingerprints on the home device and linking this back to the bank's own security metrics.' In short, the software behind scanners can be hacked to reveal an individual's fingerprint, so the technology has never been commercially released.

Breath analysis is technically difficult and expensive, and the possibility of guessing visual passwords (you would touch various points on a picture of a loved one's face, for example) puts that idea out of the picture for financial institutions. Face recognition, however, could be on the cards. 'It seems to have the potential to be made more reliable, and there is good standardisation over cameras, picture and video imaging in the IT and telecoms industry,' says Mackenzie.

For now, however, we'll have to rely on passwords. Sorry, but they do need to be changed regularly - some say every 30 days, others six months - and should be different for each major website and account (prioritise your e-mail, banking and social media passwords, and make sure each is unique). Avoid obvious words or anything at all that could be guessed from your other data, such as your Facebook page or e-mail sign-off, and review the privacy settings on your social media pages so you know exactly who may access your personal contact information.

Surname and birth year? About 12 seconds to crack. The name of your pet? Even less. Try an eight-character password with lots of numbers, symbols, upper and lowercase letters, as anything else takes just seconds for a hacking tool to work out.
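As an added illustration of the two pieces of advice above (this is example code, not code from the article or from any of the people quoted in it), the Python below estimates how large a search space a password forces an exhaustive attacker to cover, given its length and the character classes it uses, and flags passwords that contain terms from the user's own data, such as a surname, birth year or pet's name. The guess rate of one billion attempts per second and the alphabet sizes are assumptions of this example, not figures from the article; the profile terms and passwords in the demo are constructed samples.

```python
import math
import string

# Assumed attacker guess rate (not a figure from the article): 1e9 guesses/second,
# a plausible order of magnitude for a single GPU against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e9

# Alphabet size contributed by each character class; 'symbol' is the 32
# printable ASCII punctuation marks.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(password):
    """Return the set of character classes actually used in the password."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def keyspace(password):
    """Number of candidates an exhaustive attacker must try for a password of this
    length drawn at random from the classes it uses. This is an upper bound: a
    password built from a pattern (surname + year) is far cheaper to guess."""
    if not password:
        return 0
    alphabet = sum(CLASS_SIZES[cls] for cls in character_classes(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate


def personal_terms_in(password, personal_terms):
    """Terms from the user's own data (surname, pet, birth year, e-mail handle...)
    that appear inside the password. Any hit means the password is guessable from
    profile data no matter how long it is or how many classes it mixes."""
    lowered = password.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in lowered]


def assess(password, personal_terms=()):
    """Summarise length, classes used, bits of search space, worst-case exhaust
    time and any personal-data hits for one password."""
    space = keyspace(password)
    return {
        "length": len(password),
        "classes": sorted(character_classes(password)),
        "bits": math.log2(space) if space > 1 else 0.0,
        "seconds": seconds_to_exhaust(password),
        "personal_hits": personal_terms_in(password, personal_terms),
    }


if __name__ == "__main__":
    # Constructed sample profile and passwords, not anyone's real data.
    profile = ["Wong", "1980", "Rex", "hkfan"]
    for pw in ["Wong1980", "rex123", "abcdefgh", "Ab3$efgh"]:
        r = assess(pw, profile)
        print(f"{pw:10} classes={','.join(r['classes']):24} bits={r['bits']:5.1f} "
              f"exhaust={r['seconds']:.3g}s hits={r['personal_hits']}")
```

The search-space figure only describes a password chosen at random from its classes; the `personal_hits` list is the more important output, because a surname-plus-year password mixes two classes yet sits in a tiny, predictable space that a dictionary or pattern attack covers in seconds, which is the point the article's "about 12 seconds" makes.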

How you pay online can also help. For all online purchases use a credit card that insures you against online fraud, a debit card tied to an account with limited funds in it, or PayPal. All protected by rock-like, ever-changing passwords, of course. Write them down and secure them if you have to.