Statement by the Executive Director of ENISA, Professor Udo Helmbrecht, regarding the major theft of 16 million e-identities and passwords announced yesterday by the German Federal Office for Information Security (BSI), which was widely reported in the media:
“The theft of the passwords demonstrates the importance of building better passwords. It also shows that the networks of hijacked computers, so-called botnets, are key for serious criminal activities and fraud.
The human factor is still the weak link in IT security; it is not about technology. Mankind is the security issue here; so, companies have to become even better at educating and “patching” their staff. This is in particular true for Small and Medium-sized Enterprises (SMEs), which in fact constitute around 98% of Europe’s economy. SMEs usually lack the skills, knowledge, people and funds to properly invest in IT security.
Security by design
Banks, e-government services, and all service providers online should enforce stronger and long enough passwords; it should simply not be possible to construct a weak password to access private or public services. This is called “security by design” and is a well-known concept in theory, but still many companies and public bodies do not always opt to construct their systems this way; they do not select the best solution, but a cheaper solution instead. This should not go on.
The public authorities need to become better at teaching how passwords are built: with variations of letters, numbers, symbols, built-in typos, and shifting between capital and minuscule letters. This can be done through games, to test and learn how to build your passwords step by step in a safer way, and we as citizens must all learn not to use the same password everywhere.
This shows how weak the access and identification systems presently are, and that industry, public bodies and companies as employers alike have to take greater responsibility to enforce that people use smarter passwords.
ENISA has also underlined some of these emerging risks, threats and trends of identity hijacking, etc. in its Annual Threat Landscape report for 2013, and yesterday launched a report regarding how banks and the financial sector should enforce more secure e-identities and e-payments.”
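The "security by design" point above, that a service should make it impossible to register a weak password and should not store the password itself, can be illustrated with a small server-side check. The following is an added example written for this page; it is not code from ENISA, BSI or any of the reports mentioned. The minimum length, the character-class rule, the PBKDF2 work factor and the short blocklist are constructed illustrative values, not a standard any of those bodies published.

```python
"""Server-side password policy check and hashed storage (added example).

Assumptions: the minimum length, the character-class rule and the small
blocklist below are constructed illustrative values, not an ENISA or BSI
specification. The blocklist stands in for a real list of leaked passwords.
"""
import hashlib
import hmac
import re
import secrets
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 12                  # assumed policy value
MIN_CHARACTER_CLASSES = 3        # out of: lower, upper, digit, symbol
PBKDF2_ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor (assumed)

# Constructed blocklist; a real deployment would load a large leaked-password set.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "welcome", "admin", "iloveyou", "passwort",
}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the clear-text password is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password_policy(
    password: str, previous: Iterable[Tuple[bytes, bytes]] = ()
) -> List[str]:
    """Return the list of policy violations; an empty list means 'accepted'.

    `previous` holds (salt, digest) pairs of the account's earlier passwords so
    that a user cannot simply set an old password again.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in _CLASS_PATTERNS)
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    # Strip digits and symbols before the blocklist lookup so that trivial
    # decorations such as "Password1!" are still caught by their core word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if any(verify_password(password, salt, digest) for salt, digest in previous):
        problems.append("reuses a previous password for this account")
    return problems


if __name__ == "__main__":
    # Constructed demonstration of a registration followed by a password change.
    for candidate in ("password", "Password1!", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password_policy(candidate) or "accepted")
    salt, digest = hash_password("Correct-Horse-Battery-9")
    print("login ok:", verify_password("Correct-Horse-Battery-9", salt, digest))
    print("change to same password ->",
          check_password_policy("Correct-Horse-Battery-9", previous=[(salt, digest)]))
```

The policy function returns every violation at once rather than stopping at the first, so the service can tell the user exactly why a password was rejected; the reuse check works on stored salted digests only, so enforcing it never requires keeping old passwords in clear text.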