There’s no truly foolproof method to keep your online data safe, and the tips and suggestions I post are only that: suggestions. Companies you entrust with this information must also do their part, but alas, we have little to no control over that. These tips will help you add another layer of security.
Many of today’s intrusions happen through some of the simplest methods, one of those being phishing. Phishing, not to be confused with spam, is a fraudulent attempt, usually made via email, to steal personal information such as credit card numbers, Social Security numbers, account numbers, passwords, home addresses, etc. Phishing emails are those that appear to come from well-known organizations or businesses. Most of the time, phishing attempts come from sites, services, companies or individuals with which you may not even have an account or any prior association.
The first way to combat phishing and spam in general is to never reply to emails asking for personal or sensitive information. While this is a very “duh” tip, attackers wouldn’t try it if it didn’t work. While I can’t say all, I will say most sites, services, and companies that do request such information request it over the phone, where it can be verified with preceding security questions. The minute you receive an email requesting sensitive/personal information, chances are it’s a phishing scam; don’t click any links or download any attachments. Don’t assume that a link must be safe because it’s prefixed with https: the secure connection between you and the website linked in a phishing scam means nothing if the site’s goal is to harvest your personal information.
Rather than explain in long form the reasons for each tip, here’s the list with brief explanations for why they could be useful.
-Use email aliases when signing up for unfamiliar services, like a newsletter. Many web email solutions give you the ability to add a + sign and a descriptive word to the first part of your email address. While a + tag (Yourname+Shopping@gmail.com) is typically used to see where the spam is coming from, some services such as Hotmail and Yahoo also allow you to create an alias. Email aliases allow you to use a completely different email address to receive email without giving up your main email address.
-Use different email addresses or aliases for different services/sites. You don’t typically want to use the same email address or alias for banking as you would for LivingSocial. By doing so you limit your exposure if one of these services is hacked and its password and username/email address database is compromised. Spam and phishing attempts would be aimed at the alias, which, if compromised, you can easily disable or discontinue.
-Use different passwords for different sites and services and, when applicable, use passphrases. The benefit is similar to using email aliases. If you were to use a password such as W@P*s$4j7 to sign into a web mail client or social networking service (Facebook) and it happened to be compromised, the damage would be limited to only the sites/services that the password is used for. Let the amount and sensitivity of the personal information a site holds determine the strength of the password you use for it. Now I’m not endorsing easy passwords (ABC123), but again, banking sites and sites with credit card information should not be using the same passwords you use for Twitter or Skype. For help with passwords, check out services such as LastPass. For a great way to understand more about passwords, appropriate lengths and entropy, check out Steve Gibson’s GRC website.
-Randomize your passwords. This is another “duh” tip, but obviously if people didn’t skip it I wouldn’t list it. Think about it: if your name, email and home address were compromised in a hack, any combination of that information could be used to “hack” into other services you may use. Don’t use birthdates, your name (or those of close family members), or any other obtainable information such as anniversary dates and current/past employers. Another misconception is that using “leet speak” is more secure. Leet speak, or the substitution of letters with other characters, can be accounted for in brute-force hacking. Using 3s to represent your Es or using @ or $ to replace your typical A and S isn’t as clever as it once was. A more secure way to disguise your passwords would be to randomize your substitutions, e.g. let & represent C or even a word such as Cake.
-Use single-use credit cards, also called disposable or virtual credit cards/account numbers, for purchases online. Single-use or disposable credit card numbers have been around for quite some time but aren’t used by most people. Discover, Bank of America, Citibank and Entropay (which powers Visa and MasterCard virtual accounts) are just a few of those that allow you to make purchases online without entering your actual credit card information. Again, if a database is breached and the number on file from a purchase you made was a disposable/single-use one, you’d pretty much be in the clear from any financial woes. Essentially this works just like an alias for email, but for credit card numbers, allowing you to give online merchants a different number but have them withdraw the funds from the same account. If one number gets compromised, you can just cancel the compromised alias and it won’t affect any other single-use numbers.
-Make sure the websites you’re ordering or purchasing content on are secure (https). Certificates aren’t foolproof and neither is https, but it’s better than plain text. Even some mobile apps and web mail clients (Hotmail, Gmail) allow for https logins. Check thoroughly each client and application you use to see if secure connections are an option; most aren’t enabled by default (Facebook).
-Set up two-factor authentication to verify account changes. Facebook, Gmail, most if not all banking websites and others now use a two-factor authentication system where you have to not only know the password but also another piece of information used to verify that you are really… you. Again, check the settings of every application and service you use to set these methods up.
-Do not have your browser automatically save your online banking password or any password that may grant access to personal or otherwise sensitive information. Type your password in each time or, if you prefer to use a digital locker service to house otherwise too-complex passwords, I’d suggest LastPass. LastPass even offers what it calls a “secure password generator” that you can customize (length, character type, etc.). LastPass is one of the most secure password-saving services in the world and has been praised by many security experts.
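The three password tips above (different passwords per site, no predictable leet-speak substitutions, and a customizable generator) can be made concrete in a few dozen lines. The following is an added example written for this post, not code from the post or from LastPass or GRC: it generates a password from chosen character classes using the operating system’s CSPRNG, estimates the brute-force search space in bits the way entropy calculators do, and shows why leet speak gains little by reversing the common substitutions and checking the result against a word list. The substitution table and the tiny dictionary are constructed for the example; a real checker would load a full word list.

```python
import math
import secrets
import string

# Character classes, selectable the way a password manager's generator lets you pick them.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",
}

# Common leet substitutions mapped back to the letters they stand for (constructed table).
# Cracking tools apply these same swaps as rules, so a password that differs from a
# dictionary word only by them is barely stronger than the word itself.
LEET_TO_PLAIN = {
    "@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g", "9": "g",
    "1": "l", "!": "i", "|": "l", "0": "o", "$": "s", "5": "s", "7": "t",
    "+": "t", "2": "z",
}

# Constructed sample dictionary; a real checker would load a full word list.
SAMPLE_DICTIONARY = {"password", "welcome", "cake", "summer", "letmein", "monkey", "dragon"}


def generate_password(length=16, classes=("lower", "upper", "digits", "symbols")):
    """Generate a random password from the chosen classes using the OS CSPRNG,
    guaranteeing at least one character from each selected class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets, so class order is not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def alphabet_size(password):
    """Size of the alphabet an attacker must assume: the union of every class
    the password touches, plus any characters outside the known classes."""
    size = sum(len(chars) for chars in CLASSES.values() if any(ch in chars for ch in password))
    extra = {ch for ch in password if not any(ch in c for c in CLASSES.values())}
    return size + len(extra)


def brute_force_entropy_bits(password):
    """Search-space entropy: length * log2(alphabet size). This assumes the attacker
    has to try every string over the alphabet; a dictionary-derived password is far
    weaker than this number suggests, which is what dictionary_weakness() checks."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size > 1 else 0.0


def deleet(password):
    """Reverse the common leet substitutions and lower-case the result."""
    return "".join(LEET_TO_PLAIN.get(ch, ch) for ch in password).lower()


def dictionary_weakness(password, dictionary=SAMPLE_DICTIONARY):
    """Return the dictionary word the password reduces to after de-leeting
    (with or without trailing digits such as a year), or None if it reduces to none."""
    for candidate in (deleet(password), deleet(password.rstrip(string.digits))):
        if candidate in dictionary:
            return candidate
    return None


if __name__ == "__main__":
    for pw in ("ABC123", "P@$$w0rd", "C4k3", "&ake", generate_password(20)):
        print(f"{pw!r}: {brute_force_entropy_bits(pw):.1f} bits, "
              f"dictionary word: {dictionary_weakness(pw)}")
```

Running the block shows the post’s point directly: P@$$w0rd and C4k3 score a respectable number of search-space bits yet reduce straight to password and cake, while the post’s randomized substitution (&ake) does not reduce to anything in the list.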
Limiting what credit card numbers and email addresses you supply to online retailers and other websites allows you to control the financial liability from compromised databases. While we can’t control which databases are targeted and breached, we can control what information we supply them with. Be conscious of who you’re giving information to. Using these tips, even if a bank’s database were compromised (similar to what happened with Bank of America), you wouldn’t be totally vulnerable. Yes, personal information such as your home address (commonly used as your billing address), credit card information, username, password and possibly email address would all be exposed, but the financial liability could be limited to just Bank of America. By using different passwords and not sharing usernames for banks/credit cards, your other data would be safe. The same goes for hack attempts on popular companies such as Google and Facebook: if those databases were compromised and you use the same email and password for other sites, you’d be exposing potentially more information about yourself.
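The email-alias tips above rest on one mechanism: a plus-tagged address tells you which service you gave it to, so when mail from somewhere else arrives at that tag you know whose database leaked and which alias to retire. The following is an added example written for this post, not code from the post or from any mail provider; the mailbox name, the issued-alias table and the three message headers are all constructed, and the dot-insensitivity rule is applied only to gmail.com addresses, as the post’s example uses that provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MAILBOX_LOCAL = "yourname"   # hypothetical mailbox used throughout the example
MAILBOX_DOMAIN = "gmail.com"

# Constructed record of which tagged alias was handed to which service's domain.
ISSUED_ALIASES = {
    "shopping": "shop.example",
    "newsletter": "news.example",
}

# Constructed headers of three incoming messages. The third one arrives at the
# 'shopping' alias but comes from a domain that alias was never given to.
SAMPLE_MESSAGES = [
    "From: deals@shop.example\nTo: yourname+shopping@gmail.com\nSubject: Weekly deals\n\nbody",
    "From: Editor <editor@news.example>\nTo: Your.Name+newsletter@gmail.com\nSubject: Issue 12\n\nbody",
    "From: security@bank-alerts.example\nTo: yourname+shopping@gmail.com\nSubject: Verify your account\n\nbody",
]


def make_alias(service):
    """Build the plus-tagged alias to hand to one service, e.g. 'yourname+shopping@gmail.com'."""
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{MAILBOX_LOCAL}+{tag}@{MAILBOX_DOMAIN}"


def split_alias(address):
    """Return (base_address, tag) for an address; tag is None when there is no '+tag'.
    For gmail.com the dots in the local part are ignored, since Gmail delivers
    'your.name' and 'yourname' to the same mailbox."""
    _, addr = parseaddr(address)
    m = re.fullmatch(r"([^@+]+)(?:\+([^@]*))?@(.+)", addr.strip().lower())
    if not m:
        return None, None
    local, tag, domain = m.groups()
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}", tag


def sender_domain(from_header):
    """Domain of the address in a From: header, handling 'Name <addr>' forms."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def attribute_messages(raw_messages, issued=ISSUED_ALIASES):
    """For each message, find the alias tag it arrived at and whether the sender's
    domain is the one that tag was issued to. Returns (tag, sender_domain, expected) tuples."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, tag = split_alias(msg["To"] or "")
        domain = sender_domain(msg["From"] or "")
        results.append((tag, domain, issued.get(tag) == domain))
    return results


def leaked_aliases(raw_messages, issued=ISSUED_ALIASES):
    """Tags that received mail from a domain other than the one they were given to.
    Such an alias has been shared, sold or breached and can be retired on its own,
    leaving the main address untouched."""
    return sorted({tag for tag, _, ok in attribute_messages(raw_messages, issued)
                   if tag in issued and not ok})


if __name__ == "__main__":
    for tag, domain, ok in attribute_messages(SAMPLE_MESSAGES):
        print(f"alias tag {tag!r} received mail from {domain!r}: {'expected' if ok else 'UNEXPECTED'}")
    print("aliases to retire:", leaked_aliases(SAMPLE_MESSAGES))
```

The same bookkeeping works for provider-side aliases (the Hotmail and Yahoo feature the post mentions): replace the tag lookup with the full alias address as the key and the rest of the logic is unchanged.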
Most of these recent “hacks” don’t come from overly sophisticated attacks; simple SQL injections or phishing attacks are successful enough. The recent RSA hacking happened because of successful phishing of enough high-profile individuals within the company and then gaining access to systems using the information gained. With RSA breached and the SecurID system exposed, Lockheed Martin (one of the world’s largest defense contractors) was breached, all because they were using a compromised system. Hopefully they learned from that mistake, and hopefully we all learn.