It is somewhat apt that October is cybersecurity awareness month, given the spooky nature of Halloween and the actions of malicious actors hiding in the shadows. We asked some of our team members battling ATO attacks for our customers for tips they might provide friends and loved ones. Here are the top ten tips for Cybersecurity Awareness 2021.
- Use Multi-Factor (aka MFA or Two-Factor) Authentication: Enabling multi-factor authentication for your application and website accounts dramatically reduces the likelihood that your account will be hacked. With multi-factor authentication turned on, a bad actor would have to also have access to your authentication method in order to gain access to your account. The types of authentication methods vary from app to app and site to site – some may allow you to select from multiple options like SMS text message, using the Google Authenticator app, or a soft token (or software token).
- Use Unique Passwords for Every Account: Bad actors know that people love to reuse passwords across online accounts and applications. Fortunately for them, there are billions of userID/Password combinations for sale (and for free) from the continuous stream of data breaches. With stolen credentials in hand, they count on our bad habit of password reuse and they’ll test out your password (along with all of the other most popular passwords) to see if they can get into your account. (This is called credential stuffing.) This is why it’s important to use unique passwords for all of your accounts, making password managers a necessity.
- Use Strong Passwords: Password123, 123456, Qwerty, LiverpoolFan, These are all examples of weak passwords, which bad actors will try first to see if you resorted to using a commonly compromised password creation pattern. Using these weak passwords makes it possible for even beginner hackers to get into your account in seconds.
When creating your password, avoid using your birth year (or another year with special meaning), family or pet names, the city where you live, and the names of your favorite sports teams. These are all easily discovered through your social media or guessed based on other demographic signals. And simple number/symbol substitutions like p@ssw0rd are quickly cracked. (Sorry!) The longer the password the better – and the best password is one that you can’t remember (unless you have total memory recall). Again, that’s why you need that password manager.
- Use a Password Manager: If you’re going to follow the best practices of using unique, strong passwords on all your accounts, using a password manager is pretty much a necessity. It will help you create strong passwords and store them with encryption, and many will even facilitate Autofill into login fields. And, if you need to share your HBOMax password with your family, (a no-no that many ignore), many password managers have family accounts so you don’t have to dumb down the password or send new passwords over email or text (a really bad idea). My favorite password manager is 1Password, but there are some newer free ones available – like Myki — that look good, too.
- Don’t Save Passwords in Your Browser: Every web browser makes it possible for you to store your passwords – they’ll even prompt you to store them as you’re logging into new sites or apps. Similar to password managers, they’ll also offer up suggestions for strong passwords as you’re creating new login credentials. The problem, however, is that those passwords are most likely stored on your computer in an unencrypted form – meaning that if someone steals your laptop, they could get access to all your online accounts. This is why dedicated password managers are preferred. However, if you have to make a choice between using your browser’s password manager or using weak passwords, opt for stronger passwords (created by the browser) every time!
- Be Careful About the Emails You Click: Bad actors will often use email as a way to get access to your account information. I’ve known too many people who have gotten emails from their favorite retailers – only to realize later that it didn’t actually come from that retailer, but rather a bad actor. These bad folks hope that you’ll click a link on the email which takes you to a faked account login screen where they can then capture your login details. As a best practice, retailers typically never ask for personal information such as login details or passwords in email communications or on the phone. If you get a message that asks you to log in (or if a customer service rep asks you for this information) it is likely an attempt to steal your data. Look closely at where the email is coming from – if it is an Amazon email, look to see if it is originating from amazon[.]com; read the email closely – are there obvious grammar and wording errors. If you think it’s legitimate, open a new browser window and log in to your Amazon account directly to check error status.
- Check to see if your account password has been breached (change it if it has been): Use Have I Been Pwned? to find your information in old data breaches. This is a scary thing to do, but helpful to understand your exposure. Obviously, if your information is there, make the necessary adjustments.
- Don’t Save Credit Cards in Your Online Accounts: Storing credit card information in your online retail accounts and subscriptions may seem like a timesaver, but that also makes it easy for an attacker who has gained access to your account to run up a credit card bill, too. Think about all the time it would take to deal with the fraudulent charges that a bad actor could run up – the extra 30 seconds it takes to enter in your credit card pales in comparison. And, if you’re using a password manager, you can store your credit card information there which makes it easy to copy and paste your numbers when you’re checking out.
- Don’t fall for “Pay me with a gift card!”: This is a well-known, yet still a wildly successful tactic that commonly targets older, or less technically savvy folks. Either via email, phone, or both, the bad actor convinces you that you need to pay them to fix your (not) broken computer, or update a software subscription. Preying on fear and lack of technical acumen, the bad actor gains access to your computer, installing a remote access tool, which is then removed only after you pay them – in gift cards. It’s so common that Apple has placed a limit on in-store gift card purchases.
- Don’t respond to demographic quizzes/polls on social media: These Facebook questions and quizzes look to be data gathering for a report but in reality, are often designed to farm demographics and steal password hints. Bad actors establish a fake account, use automation to gain a following, and then begin posing questions, polls and quizzes, based on the interests observed. Don’t fill them in.