Get yourself cybersecure for 2020
By Davey Winder
Technology is changing our lives for the better; yet it’s also exposing us to organised crime, online scammers and hackers – and whole industries built around monetising our personal data. But you don’t have to be resigned to cyber-victimhood. Give yourself, and your devices, a security update for 2020 and start fighting back.
Random and unique passwords
A study carried out by the Ponemon Institute found that 51% of individuals in the UK reuse an average of five passwords across different sites and services. “This makes your accounts far easier to hack,” says Nic Sarginson, senior solutions engineer at security firm Yubico. “By gaining access to one account an attacker could quite easily crack another.” It’s the cyber-equivalent of having one key that unlocks your front door, your office, your car and the bank for good measure, and then keeping a spare under the doormat. “Every year billions of credentials such as email addresses, passwords and personal information are shared and traded online by cybercriminals,” says Dr Richard Gold, director of security engineering at Digital Shadows. You can see if any of yours have been compromised already by going to haveibeenpwned.com. If you think coming up with a unique, long and random, complex password that you can remember for every account you use is impossible, you’d be right. Unless you use a password-manager app, such as LastPass or 1Password, which will not only generate the passwords for each site, but also store them securely and then automatically use the right ones when you need to log in. All you need to remember is the master password to unlock the app, and most will let you use your fingerprint on a smartphone instead of entering this every time.
Yes, seriously. Your smartphone is a treasure trove of data, and while your passwords are likely to be safe from prying eyes (your password manager will keep them encrypted), what about your email, social media apps, contacts etc? Criminals can use these to change passwords, take account control away from you, and commit fraud in your name or simply steal directly from you. “Most people do not set any lock code on their devices,” warns Fennel Aurora, security adviser at F-Secure. A long password is most secure. Even if you’ve set up a fingerprint scan to unlock your phone, it will ask for your pin or password after a few unsuccessful attempts. A thief can try to guess your pin (and 0000 is still a common option) or obvious password. Smartphones can be configured to automatically perform a factory reset, wiping all your data, after a certain number of incorrect unlock attempts. For Android check Settings/Security & Location/Screen lock, and on iPhones, Settings/Face ID & passcode/Erase data.
Secure your dumb ‘smart’ speakers
While you may have read about smart speakers being at risk from hackers with maliciously crafted audio tracks or lasers (yes, seriously), in the real world there are more pressing security and privacy issues to consider. The account holder can see any requests that have been made of the device; worth remembering when using one at a friend’s house. To prevent this, tell Alexa to “delete what I just said”, and Google Assistant to “delete my last conversation”. That’s assuming they have enabled the “delete by voice” option in the account settings, of course – which,. as a courtesy to your friends and family, I’d recommend doing for your smart speakers. While in the account settings, you can also delete past recordings for good measure. Using the “voice match” function for Google Assistant can prevent your personal results being available to anyone but you, and possibly Jon Culshaw. If you have enabled purchasing and have one-click payments “on” for your Amazon account, you can set a spoken pin to stop others shopping on your behalf and at your cost.
Become a cyber-liar
If there’s one thing hackers really don’t like, it’s a liar. Especially if the fibs relate to those security questions sites ask you to answer as an identification method should you need to reset a forgotten password. “Most of the answers to security questions like these are easily acquired by hackers,” Tom Lysemose Hansen, founder of mobile app security vendor Promon, explains, “using simple trial-and-error methods based on LinkedIn, Facebook, Twitter and even Wikipedia data, which give away much of our personal and family details.” Indeed, it’s incredible, and incredibly worrying, what a simple Google search can uncover. Instead of being honest about your mother’s maiden name, your place of birth, where you went to school or what you called your first pet, lie like a politician at election time. Of course, remembering fibs is harder than remembering the truth, and as with passwords, it’s best to avoid reusing the same ones for every site. Password manager apps can help, as they have a secure notes entry for every login.
Stop using SMS-based 2FA
Two-factor authentication (2FA), which adds something you have to the something you know (your username and password) during login, is a must-have. This builds a second wall for the cybercriminal to climb if they have nabbed your password from somewhere. Use either an authenticator app such as Authy or Google Authenticator, or a hardware token like a YubiKey. Don’t use 2FA that sends codes by text message, as this can provide a ladder to climb that second wall with. “If your phone is stolen, the thief can put your sim in another phone and request an SMS code for resetting the password to all your accounts,” warns Cesar Cerrudo, chief technology officer at security research company IOActive. Setting a pin on your sim card is recommended, but that won’t help if someone cons your network provider into transferring your number to their device, a scam known as sim-swapping. “SMS-based 2FA is vulnerable to sim-swap attacks,” says Paul Bischoff, privacy advocate at Comparitech.com, “but if it’s the only option, it’s better than no 2FA at all.”
Stay secure when away from home
There has been much coverage of “juice jacking” of late. This involves a cybercriminal using altered USB charging ports in airports, train stations and hotels to infect your device with malware. You can carry a USB charger that plugs into a power socket or invest in a power-only USB charging cable to prevent this. A more widespread problem is that of free wireless internet access. “Criminals can exploit public wifi to steal your personal information, such as emails, photos, passwords, private documents and bank details,” Oz Alashe, CEO of CybSafe, says. Using a virtual private network (VPN) is recommended to reduce the risk. A VPN app creates an encrypted “tunnel” between your device and a remote server, protecting your data from snooping hackers. If you’re using your phone to check your bank balance or pay bills on the train or in the coffee shop, a VPN provides “a safety blanket that will help keep your data out of the wrong hands”, Matt Lock, technical director at Varonis, says.