Here’s a real world online nightmare told in detail by the victim as a cautionary tale:
Absolutely nothing in here surprises me, unfortunately. Worse still is that the risks are only going to increase as we put more and more of our lives online and become dependent upon services provided by organizations we assume have already figured out all the hard technical stuff needed to keep it safe. Many of these services are free, yet we fail to think about the realities of the underlying business model and how that could ultimately affect us.
One of my favorite quotes along these lines is “if you’re not paying for it, you’re the product not the customer” and while we often like to say that “the customer is always right,” it’s pretty hard to make the case that the product is. You’re the product in that information about you is what they use to generate profits, typically through advertising. Nothing wrong with that as long as everyone remembers that products don’t typically get to call up and complain or renegotiate their terms of service.
Also, they don’t call this stuff “the cloud” for nothing. These remote services, like real clouds up in the sky, they can come and go as they please and you can’t really tell what’s in them from the outside.
Nevertheless, there are some things that we can do. This is why I sound like a broken record when it comes to the importance of backups. When Murphy’s Law kicks in, a good backup is your best friend. Also, you can help keep Murphy at bay (to at least some extent) by not using the same password for all your accounts. Single sign-on tools can automate that process so you don’t have to keep up with all of them.
The long term move here is ultimately toward stronger means of authenticating users through biometrics, cell phones or special security devices to make sure it’s really you on the other end of that browser. Unfortunately, none of these options are perfect as they add cost and complexity while reducing convenience. Still, it may be the only option in the end. “Secret” knowledge that isn’t (e.g. last 4 digits of your credit card, social security number, mother’s maiden name, high school mascot, etc.) is definitely not the answer.