What would you not want a stranger to know about you?
At the very least, you would not want them to be able to spend your money - right?
Inspired by the Hackable podcast, I decided to find out just how [un]safe I am.
They probably already have your email address
How? For starters, it is your username in most cases.
Why? Why would they know it? There are smart kids everywhere, smart kids who get interested in achieving a challenge - for example getting into the systems of an organisation. They may not have bad intentions; this might only be one of the steps that makes it possible for someone else to later scam or ransom you. If you have not had an unfortunate incident like this, it is probably because that later part has not taken place yet, rather than because your information is safe (it turns out that we should never assume our accounts are safe - even Equifax (a major credit-reporting bureau) has had its customers' data stolen, and according to NPR they are not alone).
So I had a look at whether anyone has my details... I went to Have I Been Pwned (https://haveibeenpwned.com) and this is how I found out that on at least 7 different occasions information about me has been stolen, and that these people know my email address, password, DOB, geographic location and phone number:
Why is it a problem that they have one password?
So what if this stranger (or strangers) has my password to Houzz, where I organise my interior decorating pictures, or to any other site that does not hold my credit card details?
... do you know anyone who reuses their passwords?
I used an app to scan my inbox to estimate how many accounts I have created over the years... 590 accounts!
...sure...each one has a different password... I swear.
Can you see why it might be a problem?
What would you do if you wanted some quick cash?
Say I am a youth somewhere far, far away, with a computer and a knowledge of English. There are no safety nets for me, and I am not sure what future I see for myself. I have some family members; they might be old or young (probably both). I come across a formula to make money off someone living in a first-world country - "I've heard things are good there, what will they care? They can manage, I need this more than them," I would think, and I would get to work...
So if I had your email and password and I wanted to know a bit more about you, what would I do?
I could google your email address, see what I could find...
That would give me some ideas.
But if it didn't, I could try each social media account using your email address and password. If I successfully logged into one of your accounts, I would probably be able to see your full name, address, maybe some other stuff.
I could use that knowledge to log into more accounts. If the password didn't work, I could try the 'forgot password' link and say that I don't have access to "my" (which is actually your) inbox. It might ask me for a phone number or some security questions, like which school you went to. I could assume that you still live near where you grew up and look at some of the nearby schools... It gives me a few tries, right? (Each website and system is different, and some are better than others, but if you think this is impossible, you can listen to the story of how the US Tax Department was unable to stop strangers in Africa filing and cashing in tax returns on behalf of US citizens.)
Lastly, two-factor authentication... it will definitely stop this from happening right?
More recently, it has become apparent that if you have the above information (and remember from haveibeenpwned.com that many phone numbers have already been leaked) you could call the provider of the number and simply pretend to be its owner. You would need to pass a security check - this could be hard or easy depending on the employee or the policies of the provider. Then the caller gives a sob story about how their phone has been stolen or something else, says they already have a new number, and asks to have the old number ported across...
At that point, they have the keys to the accounts you most wanted to keep secure (for many people that is their email account, which often holds tax information and other important things you don't want anyone else seeing). If you think this is far-fetched, you can listen to the story about a guy who woke up to being told 'You need to give me the money, then I will give you your phone number back.'
You may have figured out by now that this is longer than 2 minutes, but it is worth your time. This is important.
= Action Plan =
I have followed Motherboard's guide to not getting hacked for this; you can follow along.
"Trying to protect all your data from everyone all the time is impractical and exhausting." - The Electronic Frontier Foundation
Step 1 - Update your passwords, go unique
Use a password manager. Every security professional recommends this.
Why is it safe? Because the leading password managers do the equivalent of keeping the flour and eggs up in the cloud while the app or browser extension keeps your individual top-secret recipe on your device: the vault is encrypted on your device with a key derived from your master password, so the provider only ever holds scrambled data. That means the password manager doesn't know your passwords, and these passwords are safe if your machine is stolen. In theory, if this stranger is really motivated and has a lot of time, they could infect your device to watch everything you do (and type), but this is less common; to combat this danger you can enable two-factor authentication (which we will talk about in step 2).
If you are not ready to lock yourself into paying yet another monthly bill, I recommend LastPass: it not only has the best free plan, but that plan is equal if not superior to some paid solutions. The only feature that tempted me to upgrade was Emergency Access, but there are other features built in for all accounts; for example, there are 4 methods of password recovery and, my personal favourite, One Time Passwords for the just-in-case scenario.
Password managers (such as LastPass) are safer than letting your browser remember your passwords for you.
Step 2 - Don't rely on a password alone for your most precious accounts
You can start using second-factor authentication by downloading an app on your phone that gives you codes when you try to log in on a new device. You can then ask the service to trust that device, which means you will not make your daily life any harder, but it will most likely make it too difficult for any snooper or hacker to log in from their own device.
Step 3 - plan for the loss of your devices
So what are the parts involved in getting access to your accounts?
Your phone, your laptop, your brain.
The sad truth is that your devices and/or capacities can be lost or stolen from you.
Lost phone: Be prepared to wipe your device (Android/iPhone). You will still have your trusted machine, so you will be able to log into your LastPass vault and turn off two-factor authentication. If you are using Google Authenticator you can create backup codes that let you bypass 2FA when needed (these need to be stored in a safe place).
Lost computer: You can turn to your phone to change your LastPass password if you wish. However, if you have a strong password securing your laptop (12 or more characters), it will be very difficult to crack, so your LastPass session should be secure (listen to Hackable's Prying Eyes episode to hear what would not be safe).
Brain lets you down: You can store some One Time Passwords for your LastPass account in an extremely safe place, as part of your will, or with a person you trust (if you use 2FA for LastPass you will still need your phone for this; however, Google Authenticator users can create some backup codes to get around that).
Step 4 - [optional] protect from malicious advertising
It is possible to use paid advertising to infect computers, and such ads can be shown on any website. However, if you only use online banking and email, you may not feel this is worth your while. When I trialled an ad blocker I chose the Ghostery extension for my browser (it is important that you only install reputable extensions and apps on your devices, ones that are updated regularly by their creators). I stopped using it because I wanted to support the cooking websites I use through the little ad revenue I may provide for them.
---
You don't need to take my word for all this. You can read Motherboard's 10,000-word version of 'How not to get hacked'.
If you don't do any of this...
At least start being aware of what information you are protecting using one password, and for the accounts that really matter to you...
...Use Truly Secure Passwords
'In 2013, Ars Technica gave three experts 16,000 passwords and asked them to break as many as possible. The winner got 90% of them, the loser 62%. Pretty much anything that can be remembered can be cracked,' says Bruce Schneier. 'There's still one scheme that works: if you want your password to be hard to guess... my advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence - something personal.
Here are some examples:
- WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow...doestcst = Wow, does that couch smell terrible.
- Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
- uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
You get the idea. Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password.'
- Advice courtesy of Bruce Schneier
That's it!
Summary:
- Install LastPass browser extension and start saving passwords as you browse.
- Create a new strong password using the Schneier method above to secure it.
- Install Google Authenticator on your phone and activate two-factor authentication for your most sensitive accounts.
- Print backup codes and store them in a safe place where you will find them when sh*t hits the fan.
- Never click on ads on disreputable sites; best to block them using an extension such as Ghostery.
Let me know what part of this article was most interesting to you in the comments below.
PS. If you want a great, entertaining story about a good-natured guy who tests the security of work environments, and how he accidentally broke into the wrong bank (with the aim of educating the staff), check out my favourite podcast.
We can do this.
x