The hack that created millions of morally challenged voyeurs -- and, depending upon which celebrity they downloaded, child sex offenders -- also provided us with a teachable moment. It exposed the use of security questions in online authentication as a quaint artifact of an antiquated Internet culture.
We talk a lot about personally identifiable information (PII) in the data security business, but rarely do people realize exactly what that can include, and how much of that information is readily accessible online -- not to mention how much PII they may be unwittingly putting out there in the overheated look-at-me world of social networking. For celebrities who are profiled and interviewed all the time, PII is everywhere.
As the smoke clears from this latest attack on privacy and our collective sense of decency, it's becoming more and more likely that a deft use of personally identifiable information was used to unlock the nude celebrity photo troves that flooded the Internet with requests for all those ill-gotten images and videos.
Specifically, it appears the hacker (or hackers) targeted their victims in a mechanical way. The specifics are still unknown, but a good guess would be that whoever was behind the attack started with an email address and drilled down into specific iCloud photo folders using PII gleaned from material readily available online to answer security questions.
Even if it turns out that this was not the way it happened here, it's time for a little moral jiu-jitsu to neutralize the threat of PII-based attacks. But before I say another word, it's imperative you bear in mind that there is no fix here. Identity theft and data-related crimes are the third certainty in life. They vie for primacy with death itself. You are going to get got, and you may even get got taking my advice -- but you owe it to yourself to make yourself as safe as you can. The wolves of cybercrime pick off the weakest among us first. Regularly monitoring your credit scores, credit reports and financial accounts can help you catch an identity thief quickly (you can check your credit scores for free every month on Credit.com), and smart account security can make you a less-attractive target for hackers.
So what should you do? Lie. You heard me -- lie through your teeth. Fabricate, prevaricate, dissemble and say things that resemble nothing that might be construed as being even the slightest bit truthful regarding the particulars of your life. Lie like you were in a nose-growing contest with Pinocchio.
Mark Twain once famously said, "If you tell the truth, you don't have to remember anything." Wise advice, but he didn't know anything about hackers, PII or online security questions. If the flood of hacked celebrity nude photos of late taught us anything, it's that security questions must always be answered with lies. When creating answers to your security questions, it's all about consistency -- not veracity.
The fact of the matter is that any site containing anything of value that belongs to you -- whether photos or finances -- should safeguard that data on encrypted servers protected by multi-factor authentication. It's definitely time to get rid of the challenge-answer formulas, and knowing the "right" secret image won't protect you forever because a patient thief can guess as many single-try logins as are needed until they find the right answer. Lies can at least get you past "what you know" to something more like "what you created," and for now that may be your best bet.
Of course it would be ideal if all the places we go online used better authentication protocols (and that's where things are headed), but in the meantime -- whether you sext or not -- consider the lie. Have some fun with where you were born, or who your favorite guitarist is, all the while keeping the wolves at bay -- or at least out of your personal files.