We all have hundreds of online accounts that we have accumulated over several years on online activity. I know I have as I have just gone through all of them to ensure they are not vulnerable to any form of cyber attack.
What kind of Cyber Attacks are we talking about here?
There are many, including:
- Data Breaches
- Credential Stuffing
- Impersonation and/or Identity Theft
- Fraud
- Brute Force and Dictionary Attacks
- Email account takeover and/or compromise
- Social Engineering.
Any system that is available online is vulnerable to cyber attack. The best defences cannot defend against the unknown, and for the most part vulnerabilities are not known until they are discovered by either a security researcher or the development team that produces the software. We are talking about zero-day’s here. Also, databases are often put online without the required configurations to secure them, meaning they are often posted with default passwords, or no passwords making them trivially vulnerable to any would be attacker to download the whole database without challenge. The technical press is littered with such examples.
Identity theft is where information that identifies you uniquely (e.g. driving licence, Passport, address, social security number) is taken by a criminal and re-used to acquire services in your name. For example they might open a bank account or take out a loan for which you will be liable and which may severely impact your credit history/score since they will have no intention of honouring the debt.
Impersonation is often used as part of social engineering. An attacker will impersonate someone in authority to trick you into divulging information. An example of an attack is a call from HR requesting information on yourself or another person.
There are many more types of attack, but any of these can be devastating.
How do I defend myself?
The following is a series of tips that you can use to limit your online vulnerability. Despite the claims of many security software vendors, nothing will make you invulnerable and once you accept that you can manage the threat.
TIP 1: Trust in an online service – When you login to a website, you are literally trusting the owner of that service to keep your information safe and maintain a degree of security by encrypting all your details and not allowing the database that holds this information from falling into an attackers hands. The tip is to research the provider; make sure:
- The site has a reputation, and preferably someone you know and trust can recommend the site to you
- Use a unique password
- Where possible use independent two-factor authentication – preferably not provided through SMS since this is an unencrypted communication channel
- Limit the number of sites you do business with to the very few that you trust
- If the site has been subject to a data breach recently, don’t go there.
It can take a long time to gain trust in a service, and one incident to shatter their reputation and your trust. This is why a lot of companies don’t disclose data breaches since the reputation impact alone could take them down.
TIP 2: Manage your Passwords – When you login to a website or other service, you should be using a random username and password that is unique to the service. WHAT!!! That means I will have hundreds of combinations that I will never remember.
A lot of websites require an email address (e.g. your iCloud account address, Outlook address, GMail address). You may never use these for email, but you will use them to login to websites. This means that one factor is always fixed, but that leaves the random, long and complex password that you will never remember, let alone type accurately without cut and paste. There are several solutions available and they all require some form of password manager:
- Mainstream web browsers, (e.g. Chrome, FireFox, Edge, Safari), all have some form of feature that stores passwords for you and populates them automatically into website login forms
- Independent password managers (e.g. Last Pass) that have apps for smart-phone devices and extensions for Chrome, FireFox, Edge and Safari on your PC/Mac.
Browser based password managers are not all created equal, and depends on whether you using the same browser across all your platforms. I for one use multiple browsers across windows and android, but then maybe I am just different to the majority.
Password Manger services (like Last Pass) are all cross platform and cross browser and allow a more flexible solution. They also allow you to store other personal information, e.g. details of your passport, drivers licence, insurance policies.
The problem with this solution is that you are putting all your eggs in one basket, and if that service is breached in any way, your whole digital life is up-ended. I heard a quote recently that is very pertinent to this discussion:
“Put all your eggs in one basket and then watch that basket.”
Mark Twain, Pudd’nhead Wilson
In this context, put a unique email address (you can create an alias in most providers), a complex password at least 16 characters (preferably 25 or more) including upper/lower case, numbers and special characters and then lock it down with 2-factor authentication. There are various strategies to make memorable passwords (see my blog Guidance on Effective Use of Passwords for more info). If you are using your GMail/iCloud/Outlook account, secure it in the same way.
TIP 3 – Guard against Credential Stuffing – I have blogged about this attack vector on a number of occasions and remains the biggest threat to your online accounts. If you re-use login ids and passwords across various sites, and one of them are subject to a data breach, then all accounts having that Id and password are vulnerable to attack. Cyber attackers will just automatically try thousands of accounts with the same credentials and if they find one that works they retain it and they either exploit it themselves or sell it on the dark web.
You defend against this by having unique passwords for each service that are typically 16 characters or more (I suggest a minimum of 25 characters) and then using a password manager to secure them. If that account gets breached, often these password mangers offer a service to reset any vulnerable/disclosed accounts automatically.
If you want to read more about credential stuffing, please take a look at the following blogs:
TIP 4 – Secure your personal information – You will be amazed how much personally identifiable information people post on social media and then don’t bother to secure it. By scanning social media accounts I can derive names, locations, likes/dislikes, your photo and then use this information to attack you online. Knowing you have a GMail account, I can probably predict it and confirm the address by sending you a phishing email. I then look for the name of your dog, or best friend, or some other personal detail that is easy to remember and try that as your password on your GMail account. If it works I then use that everywhere else.
The best policy is to restrict access to your social media posts to just a few of your closest and trusted friends. FaceBook is continually changing this area so it is best to keep up to date on this. Twitter allows you to make your tweets private, and anyone who wants to see your tweets has to ask for permission. Other social media accounts have similar features, and if they don’t then just don’t use them.
TIP 5 – Secure your Messaging Accounts – Whether you use email, WhatsApp, iMessage, Instagram, Snapchat, or any of the many other options out there, you need to secure this account. A lot of these accounts require your email address, social media account or a phone number. This cannot be changed, but you can secure it with a strong password and 2-factor authentication. If the service doesn’t offer this, then don’t use it. You should also employ some form of recovery mechanism like a second email account or phone number.
TIP 6 – Login with your Social Media account – A lot of services allow you to login with your Google Id, FaceBook Id, or some other account not owned by them. When you do, you provide your login details for Google/FaceBook/etc. and then these services provide an authentication token to the website you are logging into. This is an alternative to using password managers, and it is down to the trust you place in these services to secure your account and the access to this other website.
The advantages here are:
- Single sign-in across many websites
- Only one username and password to remember and secure
- Trust that the website you are login into will not know your login credentials and cannot be disclosed in a data breach.
The downside of this, which is the same as for a password manager, is that if that Google/FaceBook account gets breached, then all associated accounts are breached. Also, if that account gets taken over by a cyber attacker (and this has happened to me), you can lose access to hundreds of websites and your whole online life. However, a benefit is that you change the password on your Google/Facebook account and it is secure again.
I mention Google and FaceBook a lot above, as these are the main ones to use. It is down to the trust you place in these services whether or not you use them. I personally don’t tryst Google or FaceBook to manage my online life, so I am not going to recommend their use. These two companies absorb so much personally identifiable information, firstly they are a ripe target for cyber attackers and their use of my personal information is not something I want to allow and they have a very bad reputation for managing all this data.
TIP 7 – Retire unused accounts/subscriptions – If you don’t use an account/subscription service, delete the account. It will be one less attack surface to guard against. If you are not actively monitoring the account activity, you wont know when it is compromised.
TIP 8 – Limit the number of primary accounts you have – You may have a large number of email accounts, messaging accounts, etc. I suggest you retire any that are not in active use so that you have maybe two primary accounts, and one on a different service. Your primary account might be your GMail account, Outlook account or iCloud account. Have a second account that is your backup and recovery account that is not on the same service. Create a third account for all those junk subscriptions and shopping accounts and don’t use your primary or backup account – keep these for personal messaging.
An email account that is not actively monitored, at least on a daily basis, is vulnerable to account takeover and use for other forms of cyber attack.
TIP 9 – Keep your accounts secure – If you hear of a service you use that has had a data breach (and you can monitor my twitter account for info if you wish since I re-tweet articles on data breaches), then change your password at that website immediately. Some services will send you a message notifying you of the data breach and some will even invalidate your password forcing you to re-set it the next time you visit. If you have re-used credentials anywhere else, then reset them as well since they will eventually be used for credential stuffing.
TIP 10- Always use a secure connection – When you browse any website, and specifically when you enter any login details (and any financial details e.g. your credit card number), ensure you have a secure connection depicted by https:// and the appropriate icon in your browser (normally a padlock). FireFox is particularly good at detecting threats and insecure websites. You can also use the Electronic Frontier Foundation browser add-on called ‘HTTPS Everywhere’. It is available for all major browsers (current version of Edge excuded) which forces all non secure URLS (http) to use the secure (https) equivalent. If an https equivalent doesn’t exist it warns you.
TIP 11 – Do not use a password at all – There are various solutions available (e.g. YubiKey) that use a USB style dongle that plugs into a vacant USB port on your PC and provides a strong single factor authentication. This does require support from the Operating Systems and I know that Windows does support this (others may also). I need to do a lot ore research on this method of authentication now that is becoming mainstream, so expect a blog from me in the future.
Conclusion
I have just undergone a significant effort over the past several months to secure my own online existence. I had hundreds of of online accounts that accumulated over many years. Luckily I had kept a record of all of them and was able to recover any accounts that I didn’t have the password for. Any accounts I didn’t use I closed. Any accounts I used, even infrequently, I made sure I had a strong password, 2-factor authentication where possible and stored them in a password manager. Basically I followed my own advice, but was horrified when I investigated and discovered how vulnerable I was based on historical activity before I became aware of these issues.
Credential re-use (re-using username and passwords on many services) is one of the most active cyber attacks on individuals today. This is born out of convenience and laziness on the most part by all of us.
Following the above tips will help to secure your online existence, but wont totally eradicate all vulnerabilities. In fact nothing you do can defend against all eventual cyber attacks. But what you can do is put in place a few road blocks to slow them down.
I don’t want you to leave this blog with paranoia that everyone is out to get you. But you have to accept that there are people out there who just don’t care about you and only want to exploit you to take what you have worked hard to accumulate.
Your Id/Password are the locks and keys to your online existence. Would you lock the front door to your home and then leave your keys somewhere a complete stranger could take them? Probably not! So, why would you run this risk of that happening with your online accounts? Your login credentials for the various websites you use are the weakest link in the security chain (hence the headline image), so please make sure you secure them to the best of your abilities.
I hope this blog has been useful, and that you will come back on a regular basis for more insights into securing your online life. If there are any terms in this blog that you don’t understand then please consult our Glossaries for more information.
Headline image provided by Image by analogicus from Pixabay
JM Business Security 