
How to spot a Phishing email or Suspicious emails in 2021

Outdated, poorly thought out and sometimes harmful: The Federal Commissioner for Data Protection gives worryingly bad advice on safe surfing.

That went really wrong: the Federal Data Protection Commissioner Ulrich Kelber pointed on Twitter to a flyer on "safe surfing" that his authority published and apparently updated in December. The tweet was quickly met with criticism; for example, the computer science professor Sebastian Schinzel from the Münster University of Applied Sciences considers the information vague and in places simply wrong.


Don't enter passwords in "free" WLANs?

According to the brochure, insecure WLANs are a major threat. It warns about the insecure WEP standard, which is now so old that it is rarely encountered in the real world. The WPA2 standard, which the document presents as safe, also has its problems, but that is a minor point.

According to the brochure, entering passwords in "free WLANs" should be avoided. This presumably means unencrypted WLANs, but inexperienced readers are unlikely to think of an unencrypted but paid hotel WLAN as "free".


What the brochure completely ignores: on today's Internet, the risks of unencrypted WLANs are hardly relevant any more, since almost all websites use HTTPS and browsers now warn very clearly when a password is about to be sent unencrypted. What is really dangerous is entering a password on the wrong website, and WLAN encryption does not protect against that at all.

Never heard of password stuffing?

Speaking of passwords: this is where the brochure becomes downright dangerous. It contains the obligatory advice to change passwords regularly, which most IT security experts consider counterproductive, and it refers to the advice of the BSI, which is also highly questionable. On top of that, it explicitly advises against storing passwords and other access data on devices. In plain language: the Federal Data Protection Commissioner advises against using password managers.

One of the biggest risks with passwords these days is password stuffing: criminals take access data from data leaks and try to log into other services with it.

A very effective protection against password stuffing is to use a unique password for every service. But nobody can remember passwords for hundreds of services, so it is perfectly sensible and desirable for passwords to be stored on devices, either in the browser or in a dedicated password manager. Ideally, they are then protected by a strong master password.

However, the brochure makes no reference to password stuffing at all, nor does it give users the absolutely basic advice to always use a unique password per service.
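As an added example (not from the article or the brochure), here is a defender-side check for the pattern the article describes, which is usually called credential stuffing: one source tries many different accounts, each only once or twice, with passwords taken from a leak. Accounts that succeed in such a burst are the ones whose owners reused a leaked password. The log format and IP addresses are constructed for the example.

```python
"""Flag password/credential stuffing in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# timestamp, source IP, account name, result
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.7 alice FAIL
2021-03-01T10:00:02Z 203.0.113.7 bob FAIL
2021-03-01T10:00:02Z 203.0.113.7 carol OK
2021-03-01T10:00:03Z 203.0.113.7 dave FAIL
2021-03-01T10:00:03Z 203.0.113.7 erin FAIL
2021-03-01T10:00:04Z 203.0.113.7 frank FAIL
2021-03-01T10:05:00Z 198.51.100.9 alice FAIL
2021-03-01T10:05:30Z 198.51.100.9 alice FAIL
2021-03-01T10:06:00Z 198.51.100.9 alice OK
"""


def parse_log(text):
    """Turn the constructed log lines into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window_s=60, min_users=5, max_per_user=2):
    """Return {ip: {"users": set, "compromised": set}} for source IPs that
    hit at least min_users distinct accounts, each at most max_per_user
    times, inside any window_s-second interval. A single account failing
    repeatedly (a mistyped password, or brute force) is deliberately
    not matched; that is a different pattern with a different response."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):          # sliding window over evs[start:end+1]
            while e["ts"] - evs[start]["ts"] > timedelta(seconds=window_s):
                start += 1
            attempts = defaultdict(int)
            for w in evs[start:end + 1]:
                attempts[w["user"]] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                hit = flagged.setdefault(ip, {"users": set(), "compromised": set()})
                hit["users"] |= set(attempts)
                # successful logins inside the burst = reused, leaked passwords
                hit["compromised"] |= {w["user"] for w in evs[start:end + 1] if w["ok"]}
    return flagged
```

In the sample, only 203.0.113.7 is flagged, and carol's account is the one to reset and notify, because her password worked for an attacker who knew it from elsewhere.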

Document seems out of date

Even if the document has supposedly been updated, it seems out of date overall. The brochure lists phishing and spyware as threats, not without justification, but there is no mention of phenomena that are very common today, such as password stuffing or ransomware.

The brochure is not just annoying because it gives bad advice. It also contradicts current recommendations that are largely undisputed in the IT security community. It is worrying that nobody in the data protection commissioner's office called a halt while the brochure was being worked on.

Data protection is more than IT security, but IT security is an integral part of data protection. If the office of the Federal Data Protection Commissioner lacks the competence for this, something is wrong.
