A Billion here, a billion there …

It has been reported in the NY Times, among other places, that a Russian crime gang has amassed 1.2 BILLION userid/password combinations, along with 500 million email addresses.  Even to me, that is a large number.

The passwords represent data stolen from 420,000 web sites, including both large and small companies.

The bad news is that they are not disclosing the names of the sites that have been compromised, in part because many of them are still vulnerable.  What this means is that you as a user have no idea where to look.

Ultimately, this tells us that the security processes and mechanisms that we are using have failed and cannot be fixed, but rather must be changed.

The challenge is that people don’t like change and will, for the most part, resist it  — which is why we are still using userids and passwords.

Apparently, this particular gang is currently only using this data to spam people, but that does not mean that it will only be used for that or that the gang won’t morph into a different business model.  If they do change into a financial crime model, it could get pretty ugly.

For now, all you can do is be vigilant, and that is hard to do for more than a short period of time.  Do pay special attention to important sites like online banking and bill pay, credit cards and e-commerce sites.

Even though it is inconvenient, I avoid allowing web sites to store my credit card and bank account information.  This is especially true for the smaller sites.  Remember that if your userid and password have been compromised and the site has your credit card information, your credit information is also compromised.  So, while you may not care if the hackers know that you are buying jeans at Wal-mart, you probably care if those crooks can lift your credit card information from that site.

The better web sites do not allow you to see your credit card information after it has been entered (other than the last 4 digits) to make harvesting the card information harder.

Stay tuned … there will be more details I am sure.