Preventative articles about hacking often lead with the corny old line about not clicking links in suspicious emails. Of course nobody knowingly would. People click attackers’ links because the links don’t look suspicious. But what if we could stop those dodgy emails from reaching us in the first place?…
DON’T BE DISTRACTED FROM THE WIDER ISSUES
One of the red herrings which I think has taken many people’s eyes off the real ball of security in recent times has been two-factor authentication. In its most common consumer form, that’s the process where you receive a code by text to your phone each time you want to log in. Not only is this unnecessary, it’s also inconvenient, and if you lose the phone or the number it can cost you access to the account altogether.
You don’t in truth know who’s doing what with your phone number, but you do know, from the disproportionate fuss cyber giants make about collecting it, that someone is doing something. Worse still, if there’s ever a sitewide breach, the attackers get your phone number along with your login, and a number is exactly what they need to attempt a SIM swap and receive your texted codes themselves.
But most significantly of all, code-based two-factor auth is phishable. Renowned hacker Kevin Mitnick showed that by luring a user to a rogue login page that relays everything to the real site in real time, triggering the genuine 2FA process and then getting the account holder to type their code into the rogue page, the attacker ends up holding the real session cookie and walks into the account WITHOUT EVER TYPING A PASSWORD OR A CODE THEMSELVES. The second factor is still demanded; the victim simply supplies it to the wrong party. Such schemes move the critical security hinge from the strength of the password to possession of a texted (or app-generated) code, and a code can be tricked out of a user within its 30-second validity window, just like the password itself. The one kind of second factor this trick does not beat is one bound to the site’s real address, such as a FIDO/U2F hardware key, which will not answer a look-alike domain.
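To make the mechanics concrete, here is an added simulation of the relay described above. It is written for this page; it is not Mitnick’s tooling or any site’s real code. It assumes a fictitious real origin and a look-alike rogue origin, an RFC 6238 TOTP code as the second factor, and an HMAC over a per-device secret as a stand-in for the signature a FIDO/U2F key would produce; the site and victim objects are constructed test data. The relay wins against the code because the code is valid for whoever submits it inside its 30-second window; it loses against the origin-bound response because the victim’s browser bakes the rogue origin into the response and the real site only accepts its own.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical origins for the demonstration (not from the article).
REAL_ORIGIN = "https://login.example"
ROGUE_ORIGIN = "https://login-example.test"   # the look-alike the victim is lured to


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the kind of code authenticator apps (and SMS gateways) hand out."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def origin_bound_response(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a FIDO/U2F assertion: the response covers the origin the browser is on.
    A real key signs with a private key; an HMAC over a per-device secret keeps this self-contained."""
    return hmac.new(device_key, origin.encode() + b"\0" + challenge, hashlib.sha256).digest()


class RealSite:
    """The genuine service. It accepts password+code, or an origin-bound response to its own challenge."""

    def __init__(self, password, totp_secret, device_key):
        self.password, self.totp_secret, self.device_key = password, totp_secret, device_key
        self.sessions, self.open_challenges = set(), set()

    def _new_session(self):
        token = secrets.token_hex(16)      # the session cookie an attacker actually wants
        self.sessions.add(token)
        return token

    def login_with_code(self, password, code, now):
        ok = hmac.compare_digest(password, self.password) and hmac.compare_digest(code, totp(self.totp_secret, now))
        return self._new_session() if ok else None

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self.open_challenges.add(challenge)
        return challenge

    def login_with_key(self, challenge, response):
        if challenge not in self.open_challenges:
            return None
        self.open_challenges.discard(challenge)   # single use
        # The server checks against ITS origin, not whatever origin the page claimed.
        expected = origin_bound_response(self.device_key, challenge, REAL_ORIGIN)
        return self._new_session() if hmac.compare_digest(response, expected) else None


class Victim:
    """The account holder: types whatever the page in front of them asks for."""

    def __init__(self, password, totp_secret, device_key):
        self.password, self.totp_secret, self.device_key = password, totp_secret, device_key

    def fill_login_form(self, page_origin, now):
        # A convincing look-alike gets the password and a fresh code just like the real page would.
        return self.password, totp(self.totp_secret, now)

    def answer_challenge(self, page_origin, challenge):
        # The browser, not the user, supplies the origin it is really on; the user cannot override it.
        return origin_bound_response(self.device_key, challenge, page_origin)


def relay_code_login(site, victim, now, relay_delay=5):
    """Real-time phishing relay: harvest password+code on the rogue page, replay within the 30 s step."""
    password, code = victim.fill_login_form(ROGUE_ORIGIN, now)
    return site.login_with_code(password, code, now + relay_delay)   # session token: attacker is in


def relay_key_login(site, victim):
    """The same relay against an origin-bound factor."""
    challenge = site.new_challenge()                              # rogue page fetches a genuine challenge
    response = victim.answer_challenge(ROGUE_ORIGIN, challenge)   # bound to the rogue origin
    return site.login_with_key(challenge, response)               # None: rejected


def genuine_key_login(site, victim):
    challenge = site.new_challenge()
    return site.login_with_key(challenge, victim.answer_challenge(REAL_ORIGIN, challenge))


def build_pair():
    """One enrolled account and its owner, sharing a TOTP seed and a device key (constructed test data)."""
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    password = "correct horse battery staple"
    return RealSite(password, totp_secret, device_key), Victim(password, totp_secret, device_key)


if __name__ == "__main__":
    site, victim = build_pair()
    print("relay vs texted/app code :", "attacker logged in" if relay_code_login(site, victim, 1_000_000_000) else "rejected")
    print("relay vs origin-bound key:", "attacker logged in" if relay_key_login(site, victim) else "rejected")
    print("genuine key login        :", "ok" if genuine_key_login(site, victim) else "rejected")
```

The `totp` function reproduces the RFC 6238 test vectors, so the simulated site is issuing the same codes a real authenticator would; the only thing the relay needs is to forward the code before the 30-second step rolls over.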
When I’ve worked with business IT systems, set up by highly professional data management specialists, the central server logins have not used mobile-dependent two-factor auth. Protection has come courtesy of a very, very strong password, and most importantly of all, rigorous vetting and security education of the people authorised to access the system.
So, the fundamental core of staying secure online…
Set strong, long passwords, and a different one for every site. If your passwords are strong enough, and you can avoid being baited by hackers into simply giving them away (perhaps via a rogue site login), it will be extremely difficult for anyone to hack your accounts on security-conscious sites.
HOW HACKERS TRY TO GAIN ACCESS
If a hacker can’t guess your password, they’ll normally need to do one of three things: use a machine to try combinations of characters and likely passwords at speed (either against the login form, or offline against a copy of the site’s password database stolen in a breach), trick you into handing the password over, or in some way blackmail you into giving it up.
They may alternatively, or additionally, use social engineering, which targets human weakness rather than weakness in the computerised mechanism. Social engineering may focus on tricking the web service provider rather than the account holder. A classic example is the hacker who phones a website’s offices posing as an employee and blags the agent into handing over confidential data, which can then be used to gain account access.
The process depends on the business having poorly trained staff, and often on a sense that the data being requested would not be enough to threaten security. Per se, the requested data may NOT threaten security, but when a multiplicity of these pretexting calls are assembled together, the hacker has enough info to convincingly pose as the account holder and ultimately gain account access.
Of course, a web service provider would be liable for any such personal data breach, and, especially under the GDPR regulations in force since 2018, could face a vast fine for handing out confidential info without proper diligence. That gives providers a strong incentive to train staff and verify callers, so social engineering should get harder over time. It remains one of the most reliable ways in for an attacker, though, because a fine after the fact does not stop the phone call, so don’t count on the provider to hold the line for you.
BRUTE FORCE HACKS
‘Brute force’ hacks use software to batter away at a login with rapid-fire trial and error: every combination of characters, or more usually a dictionary of common and previously leaked passwords, tried at very high speed until one of them works.
But no website that takes account security seriously will allow hundreds of incorrect login attempts, let alone thousands. So what ‘brute force’ hackers do is target your least sensitive account with the trial-and-error method: an account on a trivial site which doesn’t collect sensitive information or payment details and offers no obvious gain in itself. Such sites often see no need for a lockout that kicks in after a given number of attempts, so rapid, mass trial and error against the login goes unchecked. More often still, a breach of one of these sites hands the attacker its whole password database, and if the passwords were stored as plain, unsalted hashes they can be cracked offline at millions of guesses per second with no lockout to get in the way. Once in, the attacker simply hopes you’ve used the same password across the board, or at least for your primary email account. If you have, you’re in deep, DEEP trouble. But that scheme can be shut down with the following protection…
USE A DIFFERENT PASSWORD FOR EVERY SITE YOU LOG INTO. A lot of people don’t realise the importance of this, but for the reason cited above, along with the danger of Yahoo-style sitewide breaches, it can be the difference between staying safe and losing everything. Attackers routinely take the login lists from one breach and try them wholesale against other services (so-called credential stuffing); a password that is unique to one site is worthless to them anywhere else.
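The two attack routes above (hammering a login form, and cracking a stolen password list where no lockout applies) and the reason a unique password defeats the second one, as an added Python example that is not taken from the article. The lockout thresholds, the wordlist, the ‘leak’ of unsalted SHA-1 hashes and the user alice are all constructed for the demonstration.

```python
import hashlib
import os
import secrets
from collections import defaultdict


class LockingLogin:
    """A login that a security-conscious site runs: salted, stretched hashes and a failure lockout."""
    MAX_FAILURES = 5        # assumption: lock the account after 5 bad guesses...
    LOCKOUT_SECONDS = 900   # ...for 15 minutes

    def __init__(self):
        self.users = {}                       # username -> (salt, pbkdf2 hash)
        self.failures = defaultdict(list)     # username -> timestamps of recent failures

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def attempt(self, user, password, now):
        """Returns 'ok', 'fail' or 'locked'. `now` is a unix timestamp supplied by the caller."""
        recent = [t for t in self.failures[user] if now - t < self.LOCKOUT_SECONDS]
        self.failures[user] = recent
        if len(recent) >= self.MAX_FAILURES:
            return "locked"
        salt, stored = self.users[user]
        if secrets.compare_digest(self._hash(password, salt), stored):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        return "fail"


def online_brute_force(login, user, candidates, now=0):
    """Hammer the login form with a candidate list. Returns (password_found, attempts_made, got_locked)."""
    for i, guess in enumerate(candidates, 1):
        result = login.attempt(user, guess, now)
        if result == "ok":
            return guess, i, False
        if result == "locked":
            return None, i, True
    return None, len(candidates), False


# A tiny constructed wordlist; real ones hold hundreds of millions of leaked passwords.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty"]


def mutations(word):
    """The cheap variations people add to make a dictionary word 'strong'."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "12", "123", "!", "2018"):
            yield base + suffix


def crack_unsalted_sha1(leaked, wordlist=WORDLIST):
    """Offline dictionary attack on a leak of unsalted SHA-1 hashes: no lockout, no rate limit,
    and one hash computation per guess covers every user in the leak at once."""
    wanted = {digest: user for user, digest in leaked.items()}
    found = {}
    for word in wordlist:
        for guess in mutations(word):
            digest = hashlib.sha1(guess.encode()).hexdigest()
            if digest in wanted:
                found[wanted[digest]] = guess
    return found


def demo():
    # Constructed leak from a trivial site that stored bare SHA-1 (the kind that never bothered with lockouts).
    leak = {"alice": hashlib.sha1(b"Sunshine123").hexdigest()}
    cracked = crack_unsalted_sha1(leak)                               # {'alice': 'Sunshine123'}

    reused = LockingLogin()
    reused.register("alice", "Sunshine123")                           # same password on the important site
    reuse_result = reused.attempt("alice", cracked["alice"], now=0)   # 'ok' first try; the lockout never fires

    unique = LockingLogin()
    unique.register("alice", "k7#Qv9!wLp2$mZx4")                      # a different, random password
    unique_result = unique.attempt("alice", cracked["alice"], now=0)  # 'fail'
    guesses = [m for w in WORDLIST for m in mutations(w)]
    brute = online_brute_force(unique, "alice", guesses, now=1)       # (None, 5, True): locked out at once
    return cracked, reuse_result, unique_result, brute


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole point: the important site’s lockout stops the online attack after a handful of tries, but it never gets a say in the offline crack of the trivial site’s leak, and the reused password lets the attacker walk in on the very first, perfectly ordinary-looking login.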
Take the recording of your passwords seriously, and designate a safe place to keep them written down on paper. Paper can’t be stolen remotely, but it can be read by anyone who can reach your desk, so keep it locked away. (A reputable password manager serves the same purpose and has one extra merit: it only fills a password on the exact domain it was saved for, so it won’t hand anything to a look-alike login page.) Once you’re logged in on a browser, most sites will let you opt to remain logged in for future sessions, so you should only need to refer to your password list once in a while.
But do use a system of recording your passwords on paper, and rigorously update the list as necessary. Don’t set passwords according to whether or not you can remember them: if you can easily remember all of them, they’re not random enough. Length matters most, but if you’re allowed, use symbols as well as letters and numbers (; or ^ or / for example). All sites should allow them, because a bigger character set multiplies the number of possible passwords and makes brute force attacks massively more difficult. If a site asks for your mobile number for two-step auth but has always limited passwords to letters and numbers only, it’s hard to believe its real interest is in maximising your security rather than in collecting your phone data.
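An added example (not the article’s) of generating passwords the way the paragraph above recommends, using the operating system’s CSPRNG, and of putting numbers on why the character set and the length matter. The guessing rate used for the comparison is an assumption stated in the code.

```python
import math
import secrets
import string

# Character classes a site may allow (alphabet sizes 10, 52, 62, 94).
CLASSES = {
    "digits only": string.digits,
    "letters": string.ascii_letters,
    "letters + digits": string.ascii_letters + string.digits,
    "letters + digits + symbols": string.ascii_letters + string.digits + string.punctuation,
}
_KINDS = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
          "digit": string.digits, "symbol": string.punctuation}


def entropy_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at a given guessing rate (the expected hit comes at half this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def classes_present(password):
    """Which of lower/upper/digit/symbol appear in the password."""
    return {name for name, chars in _KINDS.items() if any(c in chars for c in password)}


def generate(length=20, alphabet=CLASSES["letters + digits + symbols"]):
    """Random password from the OS CSPRNG via `secrets` (never the `random` module).
    Resamples until every class the alphabet contains appears at least once; the entropy cost is negligible."""
    needed = {name for name, chars in _KINDS.items() if set(chars) & set(alphabet)}
    if length < len(needed):
        raise ValueError("length too short to contain every character class")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_present(password) >= needed:
            return password


def compare(length, guesses_per_second=1e10):
    """Search space per character class at a given length, against an offline cracking rig.
    Assumption: 1e10 guesses/s, a realistic order of magnitude for a GPU against a fast unsalted hash."""
    report = {}
    for name, alphabet in CLASSES.items():
        bits = entropy_bits(length, len(alphabet))
        report[name] = (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
    return report


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        print(f"--- length {length} ---")
        for name, (bits, years) in compare(length).items():
            print(f"{name:28s} {bits:6.1f} bits  {years:12.3g} years")
    print("example:", generate(20))
```

Run it and the table makes the paragraph’s point with numbers: an 8-character password of digits only is exhausted in well under a second at that rate, while 16 random characters from the full 94-symbol set give roughly 105 bits, far beyond any realistic guessing budget.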
Another important piece of advice is not to publish your email address(es) on the open Internet. Use a contact form (like the one provided for free by WordPress.com) if you want to let strangers reach you. It does not expose your email address to the sender unless you decide to reply, and it restricts the format of incoming communication. Because your address can’t be scraped and passed or sold on, this drastically cuts down on phishing, and a form submission arrives plainly marked as a message from a stranger rather than dressed up as an official email from a source you trust. (A link pasted into a form is still just a link from a stranger; treat it as such.) If a hacker can’t contact you by direct email, phone or mail, and can’t use trial and error to crack your password, their job gets very much harder.
It’s critical that you NEVER USE A WEAK PASSWORD FOR YOUR EMAIL ACCOUNTS. Access to your email potentially allows a hacker to reset the login of EVERY online account associated with it within minutes. Also, don’t associate your online accounts with email addresses that are public or that could be recycled. And NEVER GO MORE THAN A WEEK WITHOUT LOGGING INTO YOUR WEBMAIL ACCOUNTS.
Web-based email services such as Yahoo Mail can close your account if it becomes inactive, and then make the address available to anyone who wants it. If this happens while your eye is off the ball, you can lose all your associated online logins to a hacker who slips in, takes the recycled address and runs password resets against it.
The period of inactivity required for account closure is obviously much longer than a week, but logging in frequently lets you spot any issues as they happen. If your email provider has disabled your account for any other reason, you want to move your associated logins to another address before the old one is redistributed. The key scenario to avoid is linking important online accounts to an email service you never use and don’t log into.
The next protective measure you should take is to check the password reset systems of all the sites you use. Some of them will part-display your email address and/or phone number. By default, Twitter’s password reset process is a case in point. You can stop Twitter from part-displaying your private info by selecting “Require personal information to reset your password” in the Security panel of your settings.
The mind boggles at the fact that a site which is constantly begging for your phone number because it cares so passionately about your security defaults to a setting that then shows part of that number to anyone who triggers a reset, along with part of your email. If a hacker pieces together your email address or phone number from a range of these partial displays on different sites, perhaps aided by guesswork, and then contacts you with a convincing ruse to extract your full login, you’re at very high risk of being hacked. But the cyber giants don’t care about that as long as they’re making money out of your phone data.
Here are some more important hack-protection measures…
When you log into a site, do it via your usual browser bookmark. A favourite trick of hackers is to email you a login link (sometimes inside an attachment, like a PDF, rather than in the email body) with a pretext prompting you to access a trusted site. The link commonly leads to a fake version of the site, controlled by the hacker. The rogue page simply collects the login info you enter, and you’re hacked. Arriving by contact form doesn’t make a link safe either; it only means the message is plainly from a stranger rather than dressed up as your bank. So never log into a site ‘on demand’ via an emailed link: go via a trusted bookmark you’ve used before, and check that the address bar shows the site’s real domain before you type anything. If an email recommends that you change settings, you know where the settings page is. Find it yourself. Don’t let an unsolicited email tell you where to go.
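The link trick above is easy to catch mechanically: the visible text of a phishing link says one address and the `href` behind it goes somewhere else, or straight to a bare IP address. This added Python checker (not from the article) flags such links in an HTML email body; the sample message and every hostname in it are constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname with any leading 'www.' removed; accepts bare 'site.example/path' text too."""
    if not urlparse(url).scheme:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible text that reads like a web address: 'bank.example', 'www.bank.example/login', 'https://...'.
_LOOKS_LIKE_ADDRESS = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def suspicious_links(html):
    """Return [(visible_text, href, [reasons])] for links that lead somewhere other than they claim."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:               # mailto:, anchors, empty hrefs
            continue
        reasons = []
        if _is_ip(target):
            reasons.append("link points at a bare IP address")
        if _LOOKS_LIKE_ADDRESS.match(text) and host_of(text) != target:
            reasons.append(f"text says {host_of(text)} but the link goes to {target}")
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


# Constructed phishing email body for the demonstration; the hostnames are fictitious.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account. Please verify it now:</p>
<p><a href="http://203.0.113.7/login">https://www.bank.example/login</a></p>
<p>Or visit <a href="https://bank.example.verify-now.test/">www.bank.example</a> and follow the instructions.</p>
<p>Regards, the <a href="https://www.bank.example/help">bank.example Help Centre</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The second sample link shows the commonest variant: the real brand name is present in the hostname, but as a subdomain of a domain the attacker owns, which is exactly why the checker compares whole hostnames rather than looking for the brand anywhere in the string.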
Don’t log into your private accounts on devices owned by other people. That includes at work, or during recruitment processes. Never be persuaded that just because someone has a legitimate, respectable business, they take data protection and system security seriously, or even understand it properly. Whilst management is likely to be well versed in security, the ground-level staff may be clueless. One of the most common issues in recruitment environments is a failure to properly isolate computer users from prying eyes, and a machine you don’t control may be recording what you type without your ever seeing it. And don’t forget that you can make errors when using third parties’ computers: you may intend to log yourself out, but we’re all fallible. Use your work logins at work. Keep your private logins restricted to private devices.
I know not everyone feels able to do this, but if possible, don’t use your real identity on the Internet, and DON’T USE FACEBOOK. It’s much harder for people to pose as you if they don’t know who you really are or have any information about you. Resources such as Facebook entice you into making a huge amount of personal info available, which may let hackers work out your email address, answer your security questions, or impersonate you.
People commonly use their real name, middle initial(s) and/or year of birth in their email addresses, so statistically, knowing your full name and date of birth gives a hacker a good chance of guessing your email address. Social media sites love letting users find their friends by email address (not least because it lets the providers collect and associate more data), so a hacker can use those searches to test guesses until one hits. When you sign up to any site, the first thing you should do is head for the privacy settings and make sure you’re not searchable by your email address.
There are many more measures you can take to minimise your chances of being hacked. But the above should get you thinking along the right lines. Don’t confuse cyber giants’ pretexts to get hold of your personal data with actual online safety, and always think about how hackers operate when considering the best ways to stay secure. The less of your personal data cyber powers have, the safer you are. Keep your passwords random and strong, store them on paper, and keep your email addresses to yourself. That, in my view, is a much safer system than handing your phone data to companies who profit from sharing your private information.