All apps carry risk, says cyber-security expert

How was it someone was able to buy food in Montreal using a Halifax resident's McDonald's app?

It could have happened any number of ways, according to Ron McLeod, a cyber-security instructor at the Nova Scotia Community College in Halifax. He has worked in the cyber-security field for 30 years.

"The first thing you have to understand is that there is no geography in the internet," McLeod said.

"The fabric of the internet wraps around the globe and passes through geographical boundaries as if they weren't there. So there is no correlation, no one-to-one correlation, between your location and where the data is moving or where it's being used."

In other words, everyone sits in the same room in the digital world.

Over the weekend, CBC News reported on a story about  two people in the Halifax area whose McDonald's apps were used to purchase food in Quebec.

McLeod said he couldn't comment specifically on McDonald's app technology or what happened to those app users, but when he read the story he said there was nothing overly unusual about it.

"So just generally speaking, people have to take a certain degree of care when they're working in the online world," he said.

"We see them as apps that can get us food, but in actual fact they are connections into our life and they are connections that can be open to anybody if they're not used properly."

McLeod said any app carries a risk. He said it doesn't just have to be banking information, it can be just information about the customer.

He said there are ways people can do to better protect themselves.

Multi-factor authentication is a must

McLeod said those wanting to protect their banking information shouldn't have it linked to an app if the app doesn't offer a multi-factor authentication process.

That authentication requires an extra step to log into an account after someone types in their username and password.

The extra step could be a code sent as a text message to a phone that comes with a time limit to enter it in.

"Don't use a consumer app that is going to put your financial information at risk," he said. "Your personal data is at risk if it doesn't offer a multi-factor authentication."

Companies like Google and Apple are already using the technology. McLeod says he anticipates most companies will be using it within a year.

Create really long passwords

When it comes to creating a password, McLeod recommends taking advice from the U.S.'s National Institute of Standards and Technology and pick a long one.

"So I would typically use like a 22-character password because the further you go up in length of the passwords the harder it gets to guess," McLeod said.

He said not to use a word or phrase that could be looked up in a dictionary.

He suggests choosing a favourite phrase and taking the first letter from each word in the phrase and using that to create part of the password.

"You're never going to forget the phrase," he said. "And as long as you repeat it to yourself and you just type in the first letter of each word, you can have a very, very long password and it's very easy to remember and almost impossible to guess."

Other tips from the National Institute of Standards and Technology include making sure passwords don't have repetitive or sequential characters.

Keep passwords private, especially in public Wi-Fi zones

McLeod said people need to exercise personal responsibility when it comes to protecting passwords.

He said to keep them confidential — but it goes beyond simply keeping a password a secret from friends or not writing out passwords in an email.

If someone is using a public Wi-Fi hot spot, McLeod said there's a chance someone else could see what they're doing — all it would take is someone sitting nearby with the "right piece of hardware."