Recently I reported some phishing scam spam coming from a friend’s account – it looked likely that his email account had gotten cracked.
No shame on him for that; it happens all the time.
These are a few things that I do to help avoid that myself.
[small update: I know this list may be intimidating – just doing a few things on it can help a lot – don’t worry about trying to be perfect – you can’t be. But if you try doing one or two things that you don’t already do, you’ll definitely improve the security of your Internet accounts]
1. I only login from my own computers
I only use public computers for simple web viewing. I never log in to any services, particularly email or financial, over a public computer. Using a public computer is just too dangerous. It’s far too easy for it to be harboring a key logger or other malware which could capture my login.
Also, I carry an iPhone and often an iPad. If I need to do something that requires me to login, I use those.
2. I only follow links I’m confident of
First of all, I don’t follow links in email from strangers. Some web browsers have bugs that allow simply loading a web page to run malicious software on your computer.
Second, when I receive email from someone I know I look for whether it sounds off – is it out of character? Does it not sound like it’s written by the person who sent it (out of character, typos, spelling errors?)
Third – I always check a link before clicking it. Even my Macintosh is not 100% impervious to malicious web sites (Java has had some very high profile vulnerabilities). And if I click it and it’s acting weirdly (the email said Google Docs, why is it asking me for a Yahoo login??) I back off. For instance, this is not a link I would follow to get to Google: http://googlemebaby.foobar.com/
There’s almost always time to send a note back to the person who supposedly sent you suspicious email and ask if it’s correct. And given that most phishing scam email is sent by software rather than a human, odds are good there won’t be someone there to write you back with a lie.
3. I use strong, unique passwords on web sites
Strong passwords are unique strings not based on personal information or words in the dictionary. For instance, m;8maUt7CfQD is an example of a strong password. Does it mean anything to you? Sure doesn’t to me.
By using a strong password I make it much more difficult for software to crack my account by trying words from a dictionary or well known passwords. Software can easily try hundreds or thousands of passwords a second, so if I use an easy to guess password, my account is unlikely to stand up to an attack.
By using a unique password for each web site or service if the web site or service is cracked and its user information stolen that won’t affect any of my other accounts.
A side effect of this is that I don’t know my own passwords!
4. I use a password manager
Since I don’t know my own passwords, how do I keep track of them?
First of all, I’m on a Mac and I let my web browser memorize them for me (this will make security geeks blanch but it’s a compromise that helps make having strong passwords survivable). MacOS X 10.9 Mavericks also has built-in support for creating stronger passwords in Safari, and can automatically sync stored login information to my iPad and iPhone (again, this will likely make security geeks crazy as you’re just trusting Apple to do the right thing in protecting this information).
Second, I use 1Password, a password manager which integrates with all major web browsers and also works on most smart phones and tablets.
1Password records login information for web sites and can automatically fill it for you when you need to login. It can also suggest strong passwords and has a handy option to make the passwords pronounceable, which means you have at least the ghost of a chance of being able to remember some of them.
Of course, if someone gets your password manager’s list of passwords, you’re screwed. The password manager encrypts its list of password, but you choose the key (a master password for your passwords), so if that key is weak and someone gets the file, game over.
5. I only give my id and password to the site it goes with
There are many add-on services for web sites which need your login information in order to access the site and provide the service they offer.
For instance, I use a package tracker which offers to login to my Amazon account and automatically track packages that Amazon is sending me – but, without casting aspersions on the makers of this package tracker, there is absolutely no way I am giving my Amazon login information to strangers.
6. I lie when answering to personal questions during account signup
Ever sign up for a random photo service that wants to know your mother’s maiden name and where you were born – you know, those questions your credit card company or bank like to use to make sure you’re you?
Yeah, I don’t think some random company needs to have that information. I wouldn’t give them my social security number, either. So I make something up – I have a couple of stock answers for this kind of thing. Generally I find this a poorly designed security process which unfortunately I have to deal with if I want to use the service. So I tell them a lie that I’ll be able to remember (or I record the answer somewhere).
7. I only install software from known sources
I’m happy to install software from sources I already trust, and I’m willing to extend trust – usually to well known businesses or individuals or businesses I’ve seen recommended. I don’t install goofy extensions that change my browser’s behavior or give me cutesy cursors (“comet cursor” was an infamous bit of Windows malware that many, many people installed).
8. I use protection
I’ve installed the Chrome Shield extension which monitors the Chrome browser and warns me if I install a malicious extension.
If I were running Windows I would absolutely run some kind of antivirus software on it. I’m generally working on a Mac, which is not impervious to attack but much less likely to have problems, especially given that I don’t indulge in risky behavior.
If also never connect my computer directly to the Internet (for instance, directly to a cable modem or DSL modem). I always connect it through a “firewall” device. A firewall will prevent most unintended direct access of computers it protects. Most wifi access points and routers act as a firewall, although firewall functionality may need to be enabled.
Extra credit: Use a unique email address with each site
When a cracker manages to break into your account on a web site (or get the user list for a web site), they’ll have your email address. One way to enhance your personal security is to use a unique email address for every web site you have an account at – when you do that and have a strong password, you’ll definitely reduce the likelihood that a cracker will be able to break into your accounts on other web sites.
I realize this is a huge pain. If you use Gmail, you may not realize a simple thing you can do to make this work for you. If you put a plus sign in your gmail address, gmail will ignore the plus and everything after it when it matches addresses. So, for instance, you could sign up for Amazon with “[email protected]” and any mail to that address would be received by “[email protected]”. A human would likely guess your correct email address but most attacks are automated, so this may help save your other accounts from attack.
Extra credit: Use two-factor authentication
Two-factor authentication requires you to give more than just your password when you login. For instance, when you login you might be required to enter a code delivered by a text message in addition to your password, or you might enter a code displayed by a app on your phone in addition to your password. This makes it much more difficult for someone to break into your account, but it also makes accessing your account less convenient for you.