Quick question: How many passwords do you have for your various online accounts?
If you’re like me, you’re probably overwhelmed by the sheer number of passwords that you have to remember. And you’re supposed to use a different one for your email, bank, cable company, retailers… heck, even the Wall Street Daily website if you’re a subscriber to our paid content.
It’s become so difficult to remember each password that some people simply use the same one for everything. Or worse… they write them down!
Talk about a security breach waiting to happen.
But if it’s any consolation, even big companies are struggling to keep track.
The main difference? If these firms forget their login data, they put countless people at risk.
And you won’t believe who just dropped the ball…
Yesterday morning, news broke that mobile photo-sharing app, Instagram, had “forgotten” its own password.
Instagram users trying to access the website from their web browsers found a nasty surprise – browsers refused to connect to the site because Instagram had allowed its “certificate” to expire.
What’s a certificate? It’s kind of a secure password for websites. On the internet, a certificate is a website’s way of telling browsers that it’s a real site, not an imposter.
Without getting too technical, a website registers itself with a certificate-issuing authority such as DigiCert. So when you go to a website, your browser reads the site’s certificate and checks it against the authority that issued it.
If there’s a match, you’re in! If not, it’s possible that someone could be trying to spoof the website – perhaps to get users’ private information, to harm the company behind the website, or simply as a prank.
Remarkably, Instagram – now owned by Facebook (FB), of course – had allowed its certificate to expire. So on Thursday morning, when people tried to go to the site, their browsers were led to believe that something was amiss.
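The check a site operator would want in place to avoid exactly this outcome is a routine certificate-expiry monitor. The script below is an added example, not code from the article or from Instagram; it uses only Python’s standard library and a constructed sample certificate in the shape that `ssl.SSLSocket.getpeercert()` returns (the hostname `example.invalid` and the dates are assumptions).

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# assumption: only the fields the check needs are present.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jun  1 00:00:00 2014 GMT",
    "notAfter": "Jun  1 00:00:00 2015 GMT",
}


def days_until_expiry(cert, now=None):
    """Days until the certificate's notAfter date (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    # cert_time_to_seconds parses the "Jun  1 00:00:00 2015 GMT" format as UTC.
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc
    )
    return (expires_at - now).total_seconds() / 86400


def classify(cert, now=None, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the live certificate with a verifying context.

    For an already-expired certificate the handshake itself fails with
    ssl.SSLCertVerificationError, which is the browser behaviour described
    above, so this check is only useful when run before the expiry date.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_peer_cert("your.host") to monitor a real site.
    print(classify(SAMPLE_CERT), round(days_until_expiry(SAMPLE_CERT)))
```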
Here’s what they saw…
Now, Instagram quickly fixed the problem. Indeed, the certificate was renewed between the time I noticed the problem and when I completed this article.
But the company’s little “whoops” here is symptomatic of a bigger problem that will certainly have bigger consequences…
Big Tech’s Collective Amnesia
The reality is, the World Wide Web is becoming so vast and so complex that it’s becoming impossible for even big, sophisticated companies like Facebook to track everything necessary to run a website. Facebook isn’t alone, either.
- Last year, Google (GOOGL) allowed one of its certificates to expire – a particularly embarrassing situation, as it controlled a lot of people’s email accounts.
- Microsoft (MSFT) also let one of its certificates lapse. In that case, it was related to the company’s web development tools, which affected everyone who was trying to build a website at that time.
As problematic as these cases were, there’s an even bigger blunder – allowing a domain name to expire.
You see, when you register a website’s name, you pay a company like GoDaddy.com (GDDY) to keep the registration active. The fee isn’t much, but if you let it expire, a 30-day grace period begins. After that, someone could “cybersquat” – i.e., buy the name and open his or her own website with the name you were using just a month prior!
In fact, this happened just last month to the Obamacare “exchange” for Washington, D.C.!
Fortunately, the oversight was spotted and fixed long before someone could have spoofed the site. But if the government and big technology firms are letting obvious errors happen with their domain names and security certificates, how are they dealing with other issues related to their websites?
I mean, if a health exchange can’t even remember to keep its domain registered, how can you be confident that it’s taking the necessary steps to protect your personal data?
If Google can’t keep its certificates up to date, how can the company be sure that all the tracking data it has of you (and it has plenty) is secure?
If a company can’t prevent big, embarrassing, public errors, chances are, it’s probably not great at preventing smaller errors, either. And that could mean unscrupulous characters gaining unauthorized access to your private information.
Call the Auditors
Eventually, the solution will have to be independent audits.
Public companies are legally required to present financial statements that are audited by an independent accounting firm. And in the wake of Sarbanes-Oxley and other financial reforms in the past decade, those same firms must have their own internal controls audited, too.
While such auditing doesn’t prevent errors or fraud, it does reduce the chances of them happening. And it gives investors comfort that someone besides the company is looking at the numbers, and at how those numbers are compiled, in order to verify their accuracy.
Internet firms that collect our data should be doing exactly the same.
When Google or Apple (AAPL) or even the government wants to collect data, you should be able to see that a recognized data security company has audited these firms to ensure that the thousands of things that need to be done to secure the data have been done.
But for now, we merely have to rely on a company’s word when it says it knows what it’s doing. Yesterday’s Instagram error is a timely reminder that companies often don’t.
To living and investing in the future,