SIMPLE WAYS TO SECURE YOUR ONLINE ACCOUNTS

TLDR Version:

  • Use long passwords (16 characters +)

  • Turn on 2FA (2-factor authentication)

  • Use different passwords for social network accounts than your banking/other important accounts

  • Limit the amount of information you share publicly on any site

  • Limit the number of sites where you use SSO (single sign-on). Read the permissions these sites require carefully

  • Lock your phone or computer if left unattended

  • Don't save passwords in your browser. Instead use a password vault

  • Don't share your credentials with anyone

  • Don't conduct any sensitive business (banking, shopping, etc) on public wifi

  • Don't click links in emails that want to take you to a login


The Wordy Version

With our daily lives being played out online more and more, it's important to keep our online accounts safe. Think of your computer/phone as your virtual vehicle and your online accounts as little houses that you own that you want to keep safe. As you drive along to visit all of your houses, are you keeping yourself and your homes secure? Think about it. You wouldn't install a cardboard door with a paper lock on your house, would you? If you have a simple, short, easy to guess password on your banking account, that's exactly what you're doing. If you lived on the busiest street in your city, would you leave the windows open when you left the house? You are if you leave your computer or phone unlocked while you leave it unattended. It's easy to get complacent and think, "I'm not that important. Why would hackers want to hack me?"


Most 'hackers' aren't really hackers at all. They're social engineers or opportunists (and a lot of times, both). They're the unassuming guy sitting on the park bench across the street from your house reading the newspaper. Until he notices that you left the door open. Then he cleans out the house after you're gone.


The goal is to not make yourself an easy target online and there are some simple steps you can take to make a would-be thief throw their hands up in frustration and move on to their next target. Let's have a look.


Use long passwords

Password dictionaries are one of the hottest methods of 'cracking' passwords. These dictionaries are collections of known password hashes. The longer your password, the less likely the password hash has been collected in any known dictionary. I recommend choosing a password of 16 characters or more. It doesn't have to be complex (with special characters) but it doesn't hurt. I recommend using a favorite quote or song lyric or maybe a sentence from your favorite book. Something that's not easy for somebody to guess or ascertain about you (more on that in a bit) but easy enough for you to remember. Most sites even allow you to use spaces! Using slang words or terms gets you even more bonus points, since they're not necessarily common. The sentence, "Johnny ate five bananas yesterday" converted to this password: "John E 8 5 bananas yesterday!" would be a very strong password, incorporating obfuscated words, special characters, uppercase, lowercase and numbers. Plus, it's 29 characters long. See, it's not that hard to come up with a long password!


Use Different Passwords for Banking/Shopping than Social Networking

Nobody likes trying to remember 100 different passwords. I get it. But, do not use the same password for every account. If you must use the same passwords, use the same password for your social sites (Facebook, Instagram, Twitter, Snapchat, etc.) but then use a different password for your banking sites and a different password for your shopping sites. Doing this will protect you from really having a bad day if a thief somehow ends up with your Facebook password. The first thing they will do is test that password on many different sites to see what they can get into.


Turn on 2FA (2-factor authentication)

Most websites that require you to log in and house sensitive information have a form of 2-factor authentication (2FA) that you can activate. For those not familiar, 2FA is a second layer of security (think a locked gate out front of your house in addition to your locked front door). When you log in to a website, if you have 2FA enabled then you will either receive an SMS/email with a code that you have to enter or you can use an authenticator app that will generate the code for you. With 2FA, even if somebody found your password, they would still need to have access to your phone/authenticator. While not impossible to break (SIM spoofing is a real thing, after all) it's difficult to do and would require a would-be thief to jump through some pretty serious hoops. With that being said...


Don't Leave Your Phone/Computer Unlocked & Unattended

I don't care if you're getting up for 5 seconds to grab a piece of paper off the printer--lock your device. It's very easy for somebody to come along and lift some piece of information off of an unlocked device and be on their way with you being none the wiser. It takes under 2 minutes to add a second account to your computer--mere seconds if the attacker is using a USB drive loaded with an auto-executing script--that could then be used to remotely access your device without your knowledge. It's a very simple thing for you to do that prevents a lot of damage being done.


Limit the Amount of Information You Share Publicly

When thieves are trying to break into your account, often they will look at your social media posts to gather information about you. Do you have kids? What are their names? When are their birthdays? Who is your family? Where do you live? Where'd you grow up? Odds are you probably use that information as secret question answers to reset your password. If you're making 20 posts a day revealing any of that info in a public manner, you're making it much easier. Make sure you check the visibility of your posts before you put them out there--are they visible to the Public or only your friends? You'd be surprised how many social media services use 'public' as a default for your posts. Think of this as stapling a paper copy of your plans and vital information to the door on your house. Anybody passing by can walk up and read that info if they want to. Pretty creepy, right?


Be careful when using Single Sign-On (SSO)

SSO is SOO convenient (see what I did there?). It allows you to use your Google or Facebook account as your login credentials to a site or a game. Hey, one less password to remember! Big win! Well, make sure you're checking out what kind of privileges these sites are asking for when you're connecting your account to their SSO service. Malicious sites will want read/write access to documents, emails, contacts, etc. If there's no reason for them to have this access and they're asking for it, run away. Don't accept. You're basically giving this site access to your account without using your password. That's right, they don't need your password to go on a joyride through your personal accounts if you give them access.


This is like tossing your keys to the unassuming dude reading the newspaper outside your house. "Hey man, I trust that you're a good dude, have these keys. Now we know each other, right bro?"


Don't Conduct Sensitive Business on Public Wifi

Picture this: you're at your favorite coffee shop, enjoying that $10 specialty Martian-blend coffee, but you just remembered that you need to transfer some money between your savings and checking account. Darn, you're almost out of mobile data on your phone. Hey, look! The coffee shop has public wifi with no password required! So you connect to "Joe's Coffee Public" and proceed to log in to your bank account and transfer some money. Isn't life grand?


Well, the only problem is that the unassuming guy sitting in the corner drinking his free glass of purified water actually had the hotspot on his phone turned on and was broadcasting "Joe's Coffee Public". You connected to his phone instead of the coffee shop's wifi and now he has captured every packet you just sent, including your login credentials for your bank. Anybody can broadcast any wifi SSID (the network name) that they want. In fact, the thief could be sitting in the car outside the building broadcasting free wifi for anybody to connect to.


This rule applies to any public network--the grocery store, your hotel, favorite bar, etc. Even if that network requires a password, if it's something that they give out to anybody, then you're at risk. You have no idea who else is on that network and it's very easy for an attacker to run a scan of the network and see who else is connected, what device they have and what ports are open for business.


If you must conduct business on any of these shared networks, please look into subscribing to a reputable VPN service. A VPN service creates an encrypted tunnel that all of your web traffic runs through, making it impossible for attackers sitting in the middle to capture that traffic. NordVPN is probably one of the most popular. Be wary of cheap VPN services and do your research! If you use a VPN, all of your traffic will be flowing through that provider's servers. If it's a malicious company, THEY could be the ones capturing your data. Gah!


Don't click on links in emails

Wait, what? How is this even possible? Look, a lot of online attacks that are successful begin as phishing attacks. Phishing is the art of swindling information out of people by using emails that look legitimate, but then direct the user to a malicious website.


Back in the day, attachments were the main attack vector used to infect machines. But now, it's far easier to disguise a link as a login to Amazon and have you enter your credentials into that bogus site. I can type any text I want in an email and then use the hyperlink button to link that text to a website. I can take it a step further and fully copy the source code of the Amazon login page to make my fake site look just like Amazon's! Except that the login box is populating a spreadsheet on my server. Once you enter your information and I've collected it, I redirect you to the real Amazon site. You'll think, "Huh, must've fat-fingered my password! Oops!" Then you proceed to log in and go about your day thinking all is well with the world.


If you hover over that link (or long press on a phone), you can see the address the link is trying to bring you to. Does it look familiar/legitimate? If you're not sure, close the email, open up a new browser tab and go to the site manually and log in. If the email isn't something you're expecting, don't click any links or open any attachments. In most cases, simply opening the email is OK--you're still in the clear. Just don't click on anything inside of there.

You've Finally Reached the End

We went through a lot of scary scenarios, but by taking the simple steps outlined above, you will be far safer. This is by no means an exhaustive list of the things you can do to stay safe--just the low-hanging fruit. If you enjoy podcasts (and even if you don't), I highly suggest listening to the Darknet Diaries podcast. Many hackers and social engineers tell their stories on there and it gives you a pretty good picture of the methods used to obtain information/credentials/identities.


Take your time. Don't be complacent when you're on the web. The web is a great place, but also dangerous. Kinda like a beautiful country you love to visit but every animal there can kill you. If you keep your wits about you and stay out of known bad places, you'll be fine. Good luck and stay safe!