I recently attended a major information security conference here in L.A. where leading industry professionals talked about the current state of Internet security, mostly from the perspective of developers, managers, and network folks. But, from their talks I also gathered some insight into what regular consumers can do to protect themselves from being hacked on the Internet.
Overall, you could say the state of Internet security is pretty grim, considering the major hacks we’ve seen in the past few years (Sony, Home Depot, Target, Anthem Blue Cross, etc.). The truth is, pretty much anything and anyone can be hacked given enough determination by the hackers.
You’ve already heard what you’re supposed to do to protect yourself, mainly: use long, cryptic, hard-to-remember passwords, don’t store them anywhere, use a different password for each site, and change them every other day or whatever. Unless you really enjoy dealing with passwords as your full-time job, these countermeasures are pretty impractical (unless you use a password service, see below).
So, I’ve tried to distill the top things you can do to protect yourself from being hacked without jumping through an insane number of hoops. The point is to make yourself an unappealing target compared to the next guy. So, here are my top suggestions to safeguard yourself against being hacked online:
1. Enable Two-Factor Authentication Everywhere
Two-factor authentication (also called multifactor authentication) was one of the major themes of the security conference I attended. As soon as I got home, I enabled it in all services and websites that offer it. Veteran (ethical) hackers talked about how easy it was to get into people’s accounts… until they encountered two-factor authentication. That stopped them cold (at least for the moment). It blew me away how effective it was at stopping these hackers.
What is two-factor authentication? It is an additional step that you go through when you log into a website where the site sends you a code to your cell phone by text message (or app). You then enter this code into the site to finish logging in. When enabled, no one can log in unless they have your phone.
Many major sites offer two-factor authentication including Facebook, Dropbox, Google, banks, and so forth. Here is a complete list of sites that offer two-factor authentication. Unfortunately, almost every site calls it something different and has a different process to enable it, so it can be tricky to figure out how to do it. And yes, it can be a pain to have to look at your phone every time you want to log in. But, my advice is to enable it wherever you can.
If you need more convincing, read about how this editor of Wired magazine got his online life ruined and his Macbook erased in a couple of hours by hackers. It could have been prevented by two-factor authentication. Another example: Lastpass recently got hacked. They advised their users to change their passwords… except those who had two-factor authentication, who were protected.
Basically, if hackers steal your password, they won’t be able to get into your account (without jumping through a lot more hoops) when you have two-factor enabled. It really works.
But what if you lose your phone? You won’t be able to log in, so Google, Facebook, and some of the other services give you a security code to use if that happens. Print out the codes and keep them in a safe place. (This is different from a password because it can only be used once). Other services should provide an alternate method to get in, perhaps involving calling them up (once you get your phone back). But yeah, don’t lose your phone.
Also, you might have to re-authenticate your phone apps and email accounts with a special code. Kind of a pain, but you only need to do it once.
2. Be Vigilant Against Social Engineering Scams
Social engineering is still one of the top ways to hack into people’s accounts. It’s when the bad guys send you a fake email, or call you pretending to be a credit card company or Microsoft, or trick you into clicking a malicious link on a website… stuff like that.
I’ve gotten several calls in the past from scammers posing as my credit card company or Microsoft warning of some dire emergency and asking for my private info. These a-holes have been calling my elderly parents lately. Be vigilant and don’t give out private information, no matter who the person at the other end claims to be. Microsoft will NOT call you about a problem with your computer. Your bank will not ask for your login unless you call them.
Be suspicious of emails and try not to click on links in them (sometimes you have to, like when you verify a new email address though). Use caution when browsing.
3. Keep Your Software Updated
This is super important but often neglected. Security holes are being discovered in software on an almost daily basis. Keep the software on your computer and phone updated.
Needless to say, you should keep your antivirus updated as well.
Part of the problem with updating, however, is that malicious code can masquerade as a software update, so we’re scared to click on anything that looks like it’s messing with our computer. That is the case with my parents. I don’t have a great answer to this other than to use your best judgment when those software update windows pop up.
If you’re still running Windows XP, time to upgrade your OS or get a new computer.
Something you might not think about is keeping your browser plugins and extensions updated. Malicious websites sometimes depend on the fact that people are running an old browser extension, like an old version of Flash, to compromise a computer.
4. Mind Your Passwords
I know I talked about how much of a pain it is to have good unique passwords and change them every two hours or whatever, but I should mention it. So many people still have lousy passwords like “123456” and “password”. These are the top two. Here is the full list of common passwords. At the very least, avoid these. If your passwords resemble any on that list, change them now.
Having the exact same password everywhere is also bad because when one site gets hacked, the hackers can then log into all of your other sites. Some people have a core password and slightly change it for different sites so the passwords are somewhat unique but easy to remember.
If your WordPress blog login name is “admin”, I guarantee that a Chinese bot is trying to log in as we speak.
No surprise, the security experts said that saving your passwords in your browser is not secure.
Instead, some people swear by password services like 1Password or Lastpass, which store all of your passwords for you. This might seem scary and a security risk in itself, as Lastpass was just hacked in fact! But, they use strong encryption so that even if the passwords are stolen, they can’t be used (without great effort). And, if you have two-factor authentication on top of that, most hackers will move on to easier prey unless you are a high-value target. I believe that these services do improve security on balance if you let them pick your passwords for you.
5. Deactivate Services that You Don’t Use… Like Java and Flash
The more sites and services that have your password, credit card info, and other personal info, the more vulnerable you are. It’s best to minimize your online footprint. Similarly, the more software you have installed on your computer, the more vulnerable you are. Here are my tips:
- Uninstall Java from your computer right now. (That was another theme of the conference – Java is a security joke).
- Disable Flash, which seems to be on its death bed now. Don’t worry, you can still watch YouTube videos. Most modern sites provide newer alternatives to Flash.
- Remove Quicktime on Windows. It’s got known vulnerabilities and is no longer supported by Apple.
- Uninstall other software and apps that you don’t use anymore.
- Deactivate old email accounts. (Are you still using that Yahoo or Hotmail address? If not, it’s probably sending out spam as we speak)
- Close accounts on shopping sites that you don’t use anymore
- Delete your credit card info from shopping sites that you do use
- If you have a card in Google Wallet, remove it right now before you forget – having Google auto-fill your credit card info on website forms is bad
- Cancel old credit cards (I had a credit card that I hadn’t used in years that got hacked).
- Delete browser plugins that you don’t use.
Until it was exposed in 2012, it was possible to get into anyone’s Amazon.com account with just their name, email address, and home address (it is not hard to get these). Here’s how it was done:
- Call Amazon and tell them you want to add a credit card
- Supply them the name, email, and home address
- Give them a new (bogus) credit card number
- Hang up
- Call again and say you’re locked out of your account
- Give them the credit card number you gave them before.
- Voila! You’re in!
Crazy, isn’t it?? Close accounts that you don’t use, and remove credit card info from those that you do use.
6. Back Up Your Stuff
Even with all of these precautions, you can’t be 100% secure, so back up your data.
You might have heard of the virus that was going around that would encrypt the data on your computer making it inaccessible, then demand payment to get your data back. Most people paid the ransom. Other hackers will just wipe your computer without warning.
Even if hackers didn’t exist, your hard drive will fail someday, so you should back it up anyway.
What This Will Protect You Against
If you follow this advice, you should be pretty well protected against bots and other automated random attacks that are not targeted specifically at you personally.
If you are in a “high value target” group, you definitely want to take the steps in this article and you probably want to go even further.
The steps in this article are not sufficient to protect you against a determined hacker targeting you. If that is the case, you need to take even more extreme security steps which are beyond the scope of this article, possibly including hiring a professional.
I hope you find these tips helpful and that they protect you against being hacked! Just remember that nothing online is completely secure, but you can make hackers move on to easier prey if your accounts are more trouble to crack than they are worth.
Let me know about your ideas to stop hackers, or about your experiences being hacked! – Brian