As someone who works online all day managing websites, integrations and email systems, taking security precautions is routine. Everyone needs to keep their business and personal data private, and financial accounts secure. I thought it might be helpful to introduce and reiterate some online security tips which you can use to be more cautious in your daily activities.
Humans Are the Weakest Link in Online Security
This is a well-known fact in online security circles. Whether it is using a name and birth date in passwords, or being susceptible to scams, people are the weak link because they just don’t realize how seriously they should be taking online security.
Becoming more aware of the risks may open your eyes and give you more resolve to take precautions. Consumer friendly information about scams and security can be found on government websites such as the Consumer Financial Protection Bureau, or on other sites like Consumer Reports.
We have included a note you can jump to below about Social Engineering after the tech security tips.
5 Easy Online Security Tips
As we conduct our everyday activities online, we can have the most impact on preventing harm to ourselves and others by practicing smart online security habits.
Here is a quick list of the 5 tips covered:
Use Complicated Unique Passwords
Use a Password Manager
Always use 2FA/MFA
Use an Authenticator App
Log Out of Online Accounts!
The first, most preventable way that humans can stop being the weakest link has to do with passwords…
Use Complicated Unique Passwords
This is the online security tip you hear constantly, but find excruciating to act on. We all know that you MUST use strong passwords. But you also must not reuse them EVER. And this is when we hear the common question, “Why would anyone want to target me?”. The answer is that everyone is targeted without the perpetrator knowing much about their targets. But they do often have archives of email addresses, and these are commonly accompanied by passwords. This is because large scale hacks occur frequently, providing an archive containing millions of email + password combinations to bad actors.
That and more of your sensitive information is sold on the dark web from past hacks of Ticketmaster (.5 billion users’ data), AT&T, Marriott, Equifax, and numerous other large organizations.
You shouldn’t be able to remember any password!
If your passwords can be spelled or remembered then they are too simple, AND you are probably using them in more than one place.
According to Bitwarden’s 2023 World Password Day survey,
19% of respondents admitted to having used “password” as their password.
52% have used well known names, lyrics, or personal names (such as their child or pet).
Graph from Bitwarden’s World Password Day 2023 survey. https://bitwarden.com/resources/world-password-day/
Re-using Passwords is extremely dangerous.
When your stolen user name + password pairs get sold and distributed on the dark web, you are compromised. It’s called being “Pwned”, meaning owned in cybersecurity slang. The combinations are used in “credential stuffing attacks”, in which they are loaded into bots that will try to log into numerous targeted sites to gain access to financial and other sensitive information.
Have You Been “Pwned”?
You may have old shopping / other accounts that you’ve forgotten about, and they may be the ones to get hacked someday. When that happens and you are still using the same passwords elsewhere, there is a good chance that others can access your accounts.
Go and change passwords on your important accounts now. Check Have I Been Pwned and Mozilla Monitor to see if your info is out there. I can guarantee that if you check various email addresses you have used over the years, that you have been Pwned!
Use a Password Manager
Complicated passwords can be created unique from eachother and saved using highly secure password managers. Be careful when choosing one.
Built-in Password Managers aren’t the best
The easiest and free choice for a password manager is to have your browser or operating system save your passwords, whether that is Apple’s Passwords app, or if using Chrome, it is Google’s Password Manager. These might be better than nothing, but the weakness is that they don’t require someone who accesses your device (when you step away or if your phone is lost, stolen, or hacked) to enter a master password or PIN in order to log into websites and apps from the device. Requiring a master password or PIN to use it would also give you a moment to determine if you have landed on a secure website prior to it auto-filling your address and credit card information on the website.
Password Manager Apps
A third party Password Manager is an app which you can install on your device, which saves your logins in the cloud as encrypted data, and syncs the data to the app. It is important to choose a reputable password app, and one which has at least a free trial. Again, it is important to choose one which requires a master password for use. Other features that most have are the ability to share a password with someone safely, which you would do through an online account. For example, when I need a client to share website related passwords with me they can enter them into an encrypted guest account in my online password manager or reply to an encrypted message that I send them requesting the confidential information. Bitwarden and 1Password are both reputable and have offer these important features. Lastpass has been hacked twice 😱😱, so I would avoid it. Forbes article about Password Managers.
Use an Authenticator App
(Google free, Authy, or Microsoft)
Always set multi-factor authentication, such as using an authenticator app or receiving a text whenever you log in. It may be inconvenient for you, but less inconvenient than having your identity or thousands of dollars stolen! The authenticator app is more secure than text messages, as phones risk being “sim swapped”. Verizon article about Sim Swapping.
Authenticator apps use a TOTP (Time-based One-Time Password). It is easy to setup in many online accounts you have, by simply aiming your phone camera at the QR code and following the website prompts.
Recommended: A more secure method for implementing two factor authentication (2FA) is to a use a hardware key, such as Yubikey which you touch during login.
Log Out of Online Accounts
Be sure to always log out of accounts when you are finished, including Social Media, Email, Banks, Insurance, etc.
A trending hack on the rise is called session hijacking. Your logged-in authentication cookies can be intercepted by malware on a visited website or your device. The attackers can then access any websites you’re currently logged into after you’ve stepped away.
This is something that can take place on just about any kind of account. Even Google is scrambling to protect their users against session hijacking attacks. PCMag article about Google’s fight against Session Hijacking
You can greatly reduce session hijacking risk by simply logging out of your accounts as soon as you are finished with your task. Logging out will expire the session cookies, logging out any imposters or preventing hijacking of your session.
⚠️ A Note About Social Engineering
Lately I have been hearing about payroll diversion scams and fraudulent invoice collections from managers who have encountered it, some of whom have fallen for it losing tens of thousands of dollars. Payroll diversion scams are often done when an imposter emails a staff member at a targeted organization pretending to be one of their highly paid executives, partners, or any employee. The imposter then provides a new account number where their compensation should be deposited, and the staff makes the change without verifying the request directly with the executive.
“Social Engineering” is the term used to describe people tricking people into giving them access to their systems or money. This psychological manipulation can take many forms, often without reliance on high tech systems. Victims can be targeted specifically or found by casting a wide net of communications to find potential victims who respond. The perpetrators succeed at deceiving and defrauding the innocent with merciless dedication. The most common occurrences involve impersonating a person or company by email, phone, or text and may involve spoofing the email address or phone number to look like it came from the legitimate source.
The possibility of being fooled by forged emails, suspicious texts, and imposter calls / letters is something that we must remain vigilant about. There must be procedures in place to verify the authenticity of requests, such as obtaining a confirmation signature for the request in person before any action is taken to fulfill the request.
If you have questions about any of these online security topics, feel free to contact us and subscribe!
