Fraudsters and hackers may try to obtain your confidential or personal information through phone calls, text messages or emails that look genuine. Here are a few tips for staying protected when browsing online.
Strong passwords are vital to securing your accounts online, and it is important never to reuse them. A password reused across different logins is a serious risk because a data breach at one site exposes every other service that uses the same password. Attackers typically hold precomputed lookup tables that map a given hash (or encrypted value) back to the password that produced it. They then take the email address (which most people use for many sites) together with the recovered password and try the pair against other services in the hope that the password has been reused; this is known as credential stuffing.
For example, a data breach may reveal that a user's password hash is "5f4dcc3b5aa765d61d8327deb882cf99" (an unsalted MD5 hash, which no site should still be using, but it serves as an example). Attackers look this value up in a table of common passwords and their hashed versions and recover the real password, in this case "password", instantly. No brute force is needed, and a site that stores fast, unsalted hashes makes every common password in its database recoverable this way.
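The lookup described above, as an added example that is not part of the original article: the attacker's side precomputes a table from a (here constructed, six-entry) wordlist and recovers the leaked MD5 hash with one dictionary lookup; the defender's side shows why a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) make that table useless. The wordlist and iteration count are illustrative assumptions, not figures from the page.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a breach dump (assumption: a real attacker's
# table holds hundreds of millions of entries; "p@ssw0rd" is there because cracking
# tools generate such substitutions automatically).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "p@ssw0rd", "Password1"]


def build_lookup_table(passwords, algo="md5"):
    """Attacker, once, offline: map hash -> plaintext for every word in the list."""
    return {hashlib.new(algo, p.encode()).hexdigest(): p for p in passwords}


def recover_from_table(table, leaked_hash):
    """Instant recovery from a leaked unsalted hash: a dictionary lookup, no brute force."""
    return table.get(leaked_hash.lower())


def salted_hash(password, salt=None, iterations=600_000):
    """Defender: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.

    The same password hashes to a different value for every user, so a
    precomputed table cannot be reused, and each guess costs `iterations`
    HMAC evaluations instead of one fast MD5.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = "5f4dcc3b5aa765d61d8327deb882cf99"  # the hash quoted in the article
    print("unsalted MD5 ->", recover_from_table(table, leaked))
    salt_a, digest_a = salted_hash("password")
    salt_b, digest_b = salted_hash("password")
    print("same password, two users, same digest?", digest_a == digest_b)
```

The point of the second half is that the leaked value alone no longer identifies the password: an attacker must run the slow function per user, per guess.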
In addition to using a strong password, it is recommended to use two-factor authentication (also called 2FA, two-step verification or multi-factor authentication) wherever possible. In some instances the website or service will send you an SMS or email with a confirmation code; more commonly an authenticator app on your phone generates a time-based code. SMS codes are better than nothing, but they can be intercepted by an attacker who takes over your phone number (a "SIM swap"), so prefer an authenticator app or a hardware security key where the service offers one.
What counts as a strong password varies from person to person. Generally, though, a strong password is at least 12 characters long (8 is the bare minimum many sites enforce) and includes a mixture of uppercase, lowercase, numbers and symbols. Strong passwords should not contain names or dictionary words, as these are easy to guess, nor should you rely on number substitution (e.g. p@ssw0rd instead of password). Cracking tools apply these substitutions automatically, and such patterns are present in all the major password dumps. Instead try a passphrase: take the first letter of each word and substitute a few numbers and symbols in. For the sentence "The quick brown fox jumped over the lazy dog", the password might be "Tqbfj0t!d". The sentence is easy to remember but the resulting password is difficult to guess and is unlikely to be in a password dump. Just create your own sentence that you can remember (that particular sentence is famous, so do not use it), and where a site allows long passwords, the whole passphrase itself, several unrelated words long, is stronger still.
Even better security can be had by using a password manager, such as 1Password, to store all your passwords and account details. 1Password is a password manager, digital vault, random password generator, form filler and secure digital wallet. It stores all your website logins securely in the cloud and makes them available on any device you use. The advantage is that you only have to remember one password, the master password, and you need not know what your logins for websites and other online accounts are, as they can all be different and totally random. The password generator creates passwords such as "K6VNiefrH2&rt#ERw2!%C#Z_": very difficult to remember, but also very difficult for hackers to crack. Make the master password the strongest passphrase you own and protect it with 2FA, since it unlocks everything else.
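Why a generated password like the one above is out of reach of a cracker, as an added example that is not 1Password's code or code from the article: a generator in the style of a password manager (operating-system CSPRNG via `secrets`, rejection sampling so every character class is present without biasing the draw) and the arithmetic behind the "hard to crack" claim. The 94-character alphabet and the 10^10 guesses-per-second cracking rate are assumptions for illustration.

```python
import math
import secrets
import string

# Assumption: the 94 printable ASCII characters, the alphabet the article's sample
# password "K6VNiefrH2&rt#ERw2!%C#Z_" is drawn from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length=24, alphabet=ALPHABET, require_classes=CLASSES):
    """Draw each character independently and uniformly with the OS CSPRNG.

    Sites that insist on "at least one digit, one symbol..." are satisfied by
    rejection sampling: redraw the whole password until every class appears,
    which keeps the accepted passwords uniformly distributed, unlike patching
    in a digit at a fixed position.
    """
    if length < len(require_classes):
        raise ValueError("length too short to contain every required class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in require_classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at a given rate (assumption: 1e10 guesses/s is
    a plausible GPU rate against a fast unsalted hash; slow hashes cut it by orders
    of magnitude)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    for n in (8, 12, 24):
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n} random chars: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years")
```

The comparison shows the real reason length beats complexity rules: each extra random character multiplies the search space by the alphabet size, so 8 characters fall in days while 24 never fall.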
My mother's maiden name is "JmDQAF"
Most websites, especially online banking sites, have a password recovery system that lets you regain access if you've forgotten your password. Usually these systems make you answer some "security questions" before you can reset it. The answers to these questions need to be just as secret as your password, otherwise an attacker can guess the answers and gain access to your account.
The problem is that the security questions sites use are usually things other people know about you, like your birthplace, your birthday or your relatives' names, or that can be gleaned from sources such as social media. The good news is that the website doesn't care whether the answer is true: you can lie. But lie productively: give answers that are long and random, like your passwords, and store them in your password manager so you can find them again.
A note on biometrics. Smartphones have had fingerprint sensors for a while now, but only recently are they being used to secure more than the lock screen. Many banks are pushing Touch ID and face recognition as a secure way of protecting your account, but I very strongly disagree with this. Fingerprint and face recognition are in my view very insecure, as they are easily fooled and do not require consciousness. Somebody could be rendered unconscious by a number of means and the phone unlocked, the banking app unlocked and funds transferred out of the account. Just food for thought.
Safe Browsing Habits
Keep your browser software up-to-date. This is crucial, as new patches are often released to fix existing vulnerabilities in browser software. This recommendation doesn't apply solely to browser software - it is critical to keep operating system software and any other software you have up-to-date for the same reason.
Use HTTPS: the "s" in "https" stands for secure, meaning that the connection to the website is encrypted with TLS (the successor to SSL). Check for "https:" or a padlock icon in your browser's URL bar before entering any personal information. The padlock means only that the connection is encrypted and the certificate matches the domain shown in the address bar, so read that domain name carefully.
Never enter login information, passwords or payment information on insecure pages.
Avoid clicking links in an email, instant message or social network post unless you are sure the message is from someone you know, and even then be wary: cybercriminals have been known to hack into friends' email and social network accounts to send messages claiming they are in trouble and asking you to transfer money. Don't believe it if it sounds suspicious or offers something unrealistic.
Sites running HTTPS and TLS only protect the information being transmitted between your browser and the server. HTTPS and TLS do not verify who owns the site (beyond its domain name), nor what the website will do with your data once it has it. You still need to be careful about what data you submit and only log in to sites you can verify.
Internet of Things
In the new age of the Internet of Things, there are all kinds of intricate ways in which hackers and malicious programs can deceive us and get at our personal data. We must be acutely aware of these things to prevent a total collapse of privacy. Smart TVs, smart thermostats, smart locks, smart bulbs, smart fridges (notice a trend here?) can all leave your home or office open to hackers. Most attacks fall into one of two scenarios.
- You haven't changed the default usernames and passwords. This is the first thing hackers will check, because a large proportion of owners never do, and the factory defaults for most devices are published online.
- Attackers will try to garner information from you in order to defeat security, a process known as social engineering.
Once an attacker has control of your smart devices they can cause considerable physical damage and expense. Imagine you were on holiday and someone turned your Nest thermostat to maximum 24/7 or turned your fridge/freezer off. Or worse yet, opened your front door remotely.
Keep your IoT devices' firmware up to date with the latest security patches, and put them on a separate network (most home routers offer a guest network) so a compromised bulb or TV cannot reach your laptop.
Always keep backups of all your data in the cloud, on USB sticks, DVD, CD-ROM or another backup device. This isn't just for protection against viruses, but also hardware failure, theft and ransomware. Imagine losing all your emails, documents, pictures and so on. I'd be lost without mine, so I back them up regularly and store them away from the computer. Have a regular backup schedule and stick to it; even if you only copy important files once per month, it's better than not at all. Test occasionally that you can actually restore a file from the backup, and keep at least one copy disconnected from the computer, because ransomware will encrypt any backup drive it can reach.
Be wary of any USB thumb drives, or any USB device, which seems to have been lost or left behind. USB devices can install viruses and malware as soon as they are plugged into a computer so if in doubt, don't plug anything in. Hacked firmware can also give USB devices new, covert capabilities such as logging keystrokes or entering commands into the computer.
Never download software or let anyone remotely log onto your computer or devices during or after a cold call. Scams like this work by informing you that your computer has a virus or other problem which needs to be fixed for a fee. They will ask you to download software which gives them access to your computer and files, after which they will install all kinds of viruses, malware and trojans. Then they will charge you to fix a problem which they created, and often won't actually fix it. If you get a cold call from a computer support or repair company, just hang up.
There are many, many open (unsecured) public Wi-Fi hotspots around, and they are risky. When you connect to one, anything you send that is not itself encrypted (plain http pages, DNS lookups, many apps' background traffic) can be read or altered by anyone else on the network, and even HTTPS traffic reveals which sites you visit. Anyone can also set up a hotspot with any name: just because the network name is "Starbucks wifi" doesn't mean it is an official access point. If you see an open, unsecured network, do not join it.
Only connect to password-protected networks and obtain the password from a member of staff; sometimes it is written near the bar or counter. This way you know it is the official network and not some hacker baiting you. Bear in mind that a shared password only keeps strangers off the network; everyone else who knows it is on the same network as you, so still treat it as untrusted.
Before connecting to any public Wi-Fi, turn off AirDrop and file sharing tools, and do not access anything confidential such as bank accounts, mobile banking or even Facebook.
Unless you absolutely trust the network provider it is often best to avoid public Wi-Fi altogether; use 4G and tether your laptop to your phone instead.
Always install the latest security updates from Microsoft, Apple or Google on your devices. Once a vendor fixes a vulnerability and announces it, attackers quickly work out what was fixed and target those who are slow to apply the update. The longer you take, the more at risk you are. Updates contain important changes to improve the performance, stability and security of the software on your computer, and installing them promptly keeps it running safely and efficiently.
Anti-Virus, Spyware & Malware Scanners
Anti-virus software is vital for any computer connected to the Internet. Viruses are rife on the Internet. In the past a virus could only infect your computer if you ran an infected program, but today your computer can be infected simply by visiting a website (a "drive-by download" that exploits a vulnerability in the browser or a plug-in). I have never experienced this form of infection myself, but it can be avoided by keeping the browser patched and using up-to-date anti-virus software.
Spyware programs monitor your Internet usage or copy your private data and passwords, and they are notorious for slowing down computers. Anti-spyware software removes these programs and in some cases stops them being installed. Most commonly spyware arrives bundled with software downloaded from the net: some untrustworthy programs install spyware alongside the program you wanted, without your knowledge.
Social Media Privacy Settings
These days, there are a lot of opportunities to share our personal information online. Just be cautious about what you share, particularly when it comes to your identity information. This can potentially be used to impersonate you or guess your passwords and logins. Take some time to adjust what gets shared and to whom. Social media is a goldmine for identity thieves. Remember and abide by these simple rules.
- Have a strong password
- Be careful with your status updates. You can use an audience-selector dropdown menu on Facebook to choose certain groups to see your status updates.
- Don't reveal your location
- Avoid posting specific travel plans. Never post when, where, or how long you'll be gone.
- Wait until you are home to post pictures
- Use highest privacy control. Only let certain groups, like a family group, view your photos.
- Avoid posting information such as travel plans, your address, birth date, children's names, their school or your daily schedule
Remember, what goes on the Internet, stays on the Internet.
Cybercriminals have become quite savvy in their attempts to lure you into clicking a link or opening an attachment. These malicious emails can look just like they come from your bank, an online shopping site, even a government agency. Typically they will notify you that your account has been compromised and that you must act quickly or services will be terminated. Another common scam is an overdue invoice threatening legal action if you don't act quickly. In either case there will be a link or an attachment which, once opened, installs malware on your computer or leads to a fake login page that captures your password. This is phishing.
If you are unsure whether an email request is legitimate, try to verify it with these steps:
- Contact the company directly - using information provided on an account statement, on the company's official website or on the back of a credit card.
- Search for the company online - but not with information provided in the email.
Another form of phishing attack is spear phishing. Instead of casting a wide net and seeing who they catch, spear phishing is highly targeted at an individual or company: it mentions you by name and appears to come from your actual bank. Attackers can do this because somebody has found out information about you and your online habits, through a breached email account or your social networks. Ever vented about poor customer service at your bank on Twitter?
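The checks a cautious reader (or a simple mail filter) can run before following the verification steps above, as an added example that is not code from the article: parse a message with Python's standard `email` library and flag three of the telltale signs described in the text, a Reply-To that goes somewhere other than the sender's domain, a link whose visible text shows one domain while its `href` points to another, and the urgency language the article warns about. The sample message, the look-alike domains in it and the urgency phrase list are all constructed for this example.

```python
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of message the text describes (not a real email).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.example>
Reply-To: support@mail-relay.example
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been suspended. Verify your account within 24 hours
or legal action will follow.</p>
<p><a href="http://login.examp1e-bank.example/verify">https://www.examplebank.example/login</a></p>
</body></html>
"""

# Assumption: a short list of pressure phrases; a real filter would use a larger one.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended",
                   "legal action", "verify your account")
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(raw_message):
    """Return human-readable warnings; an empty list means none of the cheap checks fired."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    sender = msg["from"].addresses[0] if msg["from"] else None
    reply_to = msg["reply-to"].addresses[0] if msg["reply-to"] else None
    if sender and reply_to and sender.domain.lower() != reply_to.domain.lower():
        findings.append(f"Reply-To goes to {reply_to.domain}, not the sender's {sender.domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, label in collector.links:
            # Only compare when the visible text itself looks like a URL or domain.
            if href and _LOOKS_LIKE_URL.fullmatch(label) and _host(label) != _host(href):
                findings.append(f"Link text shows {_host(label)} but points to {_host(href)}")
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks contacts the supposed sender, which is the point: they are what you can do before the phone call or the typed-in official URL that the steps above recommend. A clean result does not prove a message is genuine; spear phishing in particular is written to pass exactly these checks.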
Ransomware is a type of malware that takes over a victim's files, encrypts them and then demands that the victim pay a ransom to get them back. It usually arrives through attachments or links that appear legitimate but contain malicious code. Once run, the most common action is to encrypt some or all of the user's files, rendering the computer useless or preventing access to important data. An offline backup that the malware could not reach is the only reliable way to recover without paying.
Ransomware can be highly sophisticated and you can find your computer held to ransom in a matter of seconds. Even large companies and organisations fall victim to ransomware attacks.
Key Things to Remember
- Requests for information - genuine companies never email you asking for usernames, passwords, date of birth or credit card details.
- Social Media - Do not click on links in social media posts, tweets or direct messages if anything seems out of the ordinary, or too good to be true.
- Use Strong Passwords - create unique passwords that can't easily be guessed. Avoid common words or people's names, and change a password promptly whenever you have reason to think it has been exposed (routine changes on a schedule add little if the password is strong and unique). Do not use the same password across multiple websites.
- Top Tip! Make sure your passwords are at least 12 characters long (8 is the bare minimum), a mixture of upper and lower case letters, and include some numbers and symbols too.
- Data Compromises - If you have ever had data compromised with another organisation and you use the same password elsewhere, change both passwords and do not use the same password across multiple websites.
- Keep security software current - Having the latest security software, web browser and operating system is the best defence against viruses, malware and other online threats.
- Plug & scan - USB drives and other external devices can be infected by viruses and malware. Use your security software to scan them.
- Enable filters on your email programs - Most internet service providers and email providers offer spam filters; however, depending on the level you set, you may end up blocking emails you want. It's a good idea to occasionally check your junk folder to ensure the filters are working properly.
- Think before you act - Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
- Lock down your login - Fortify your online accounts by enabling the strongest authentication tools available, such as two-factor authentication with an authenticator app, security keys or unique one-time codes.
- Keep software updated - Install software updates as soon as they are available. Whether you're updating the operating system or an application, they typically contain fixes for critical security vulnerabilities.
If you think you have been a victim of fraud report it to Action Fraud, the UK's national fraud reporting centre by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk