How Secure Is Your Online Activity?
By Jeff Mertz
While the cyber attacks of customers’ personal and financial information at large corporations – Target, Home Depot and Kmart – make the headlines, attacks on smaller organizations and individuals are still a very real risk.
The recent celebrity photo hack shows that linked email accounts, and shared passwords and usernames, can let a “cracker” (a hacker who performs illegal activity) gain access to the most personal information online.
Knowing how a cracker performs an attack against an online account is the first step in preventing it. It normally starts with reconnaissance, in other words, a search for any information about a person available online through publicly accessible records and social media sites. Crackers hope to find enough details online to be able to answer password security questions so they can reset passwords for email accounts.
For example, if a cracker was trying to access John Doe’s online banking account, he would look him up on Facebook, browse any personal information he is sharing, and maybe even send a friend request from a fake account to be able to see any hidden information. He also might obtain job history information from LinkedIn or Google and a current address or phone number from the online White Pages. With that information in hand, the cracker would attempt to change the password of any email accounts associated with social media accounts. If John’s email address were firstname.lastname@example.org, the cracker would go to Gmail, enter that email, and click “reset password.” Typical password reset questions are often first pet, mother’s maiden name and current phone number – information that in some cases can be easily found online. The password is reset and access to the email account is gained.
With access to John’s email, a cracker can see what banks or websites John is using, go to those webpages and use the “reset password“ links to send password reset requests to the now compromised email. He can then wire money, open new credit cards in John’s name, apply for fraudulent loans and more.
These attackers are smart, motivated and have time, but some simple precautions can greatly reduce the risks of being victimized. Most attackers will give up if they can’t access accounts quickly. Here are some tips that help provide better protection without having to abandon having an online presence:
Create More Secure Passwords
When developing a password, use a combination of upper and lower case letters, numbers and special characters (i.e. #, @, &). Adding these characters, or ideally, substituting them for letters, greatly increases the difficulty of compromising a password. Passwords should be at least eight characters in length, as long as 12 characters are more ideal. The lengthier the password is, the harder it is to crack. Passphrases – a sequence of words or other text – are an even more secure method for creating passwords. Lastly, it’s important to never use the exact same password for different systems and to not to share passwords with others.
Don’t Overshare On Social Media
When using social media such as Facebook, limit who can view your posts, separate personal pages from business pages, and don’t post personal information such as phone numbers, addresses, emails and birth dates. Also, don’t participate in posts that ask questions about personal information, for example: “20 things you may know about me.” These are phishing posts often used to obtain data needed for password resets.
Maintain Different Email Accounts
Maintain more than one email account and use a different account for personal business (banking) than you do for recreational purposes. For example, John Doe uses email@example.com for personal communications, shopping and social media, but he uses firstname.lastname@example.org for banking. The use of a different email account for sensitive information, one that isn’t listed on any other websites, makes it infinitely harder for a cracker to gain access to finances.
Monitor Online Banking
It is important to regularly monitor all online financial accounts. Follow up on any transactions that are not recognizable. Read informational emails sent from the bank and review credit reports. This can seem tiresome, but the sooner a breach of personal information is discovered, the more quickly a response plan can be implemented and repairs can begin to take place.
Always stay vigilant while online. Following these simple recommendations will go a long way toward protection from potential cyber threats.
Jeff Mertz is a senior network engineer at Safety Net, Inc. in Traverse City.