Last Monday, I received a message from PayPal confirming that a payment from my account had successfully been transacted. They provided details of the recipient, the amount and date/time of the transaction — all very standard details found in any financial confirmation message. There was just one problem: I had not initiated any transaction and the recipient was not known to me. My account had been hacked.
As a technologist and early adopter, I pride myself on being very online-savvy. Getting hacked was both embarrassing and annoying. I’m sure many of you have had the same experience and it is not a pleasant one. In my case, the breach was a result of not having a strong password, and it is possible that the password had been cracked or compromised via another site and then used at PayPal.
As consumers, we rely on websites we transact with to protect us. However, the fact is that just as we lock our homes and secure our doors and windows even when we have home security systems, the onus of protecting our online activities lies in large part with us.
At EA and in my earlier roles at Microsoft, countless hours and millions of dollars are spent to protect consumers and corporate assets. But a company and a network can only do so much.
The top preventative measures that can protect you online are actually fairly basic but in their simplicity lies a lot of protective strength. Here are the top 11 tips that I strongly advocate for online protection:
1) ALWAYS use strong passwords (a combination of capital letters, numbers and punctuation). For sites that allow passphrases, a passphrase is a more secure and easier-to-remember option (e.g., WoWdid1reallys3ethatblueC@TjuMPacr0sstheBuilding? Except, now that I’ve typed that out it’s probably best you come up with your own :-))
2) Don’t use the same password for all accounts, and change passwords regularly. This is easier said than done but it’s a necessary evil. You would never use the same key for your house, your car and your bank safe deposit box, and the same applies online. There are password vault applications available (many free) on the web and on smartphones that can help you centrally manage your different passwords securely, and they can often generate a secure password for you as well.
3) A more secure entry check is a two-step authentication process, which requires you to receive a session PIN (via SMS) in addition to your password. Several web services are beginning to offer this option, and I recommend using it for the most important sites where you have financial and other personally identifiable information (PII) data.
4) The backup accounts used for restoring and resetting your password should be ones that you use actively and that provide near real-time notifications.
5) Back up your data into multiple and diverse solutions, such as an external portable hard drive in conjunction with a secured cloud-based backup solution. Don’t rely on a single storage medium for your most important data (family photos, etc.).
6) Basic information like your address and birthday are easily obtainable online. Always use secret questions that are fairly obscure and only you or close family would know.
7) Another good practice is to make sure public profiles on Google or Facebook are controlled and you only share information that you are comfortable the whole world can see. Don’t make it easy for someone to guess your password.
8) Full disk encryption (e.g., BitLocker for Windows, FileVault for Mac OS X, dm-crypt + LUKS for Linux) for your personal machines is critical to secure your data in the event you misplace or lose it. That way, despite the loss of the hardware, it becomes more difficult for someone else to access your data.
9) Be wary of using your credit card or other sensitive information online with websites that are not well known. Always ensure that HTTPS/SSL encryption is used when performing any transaction that requires you to enter sensitive information, including your username and password. Look for https:// at the start of the URL and the padlock icon in the address bar. To be even safer, you can click the padlock and confirm that the site has a valid certificate issued by a recognized certificate authority (such as Verisign).
10) Enable every alert possible for transaction confirmations, password changes and other notifications. It is one of the best ways to keep on top of any unauthorized change in any online account. Pay attention to the options each site provides and enable as many as possible.
11) Be aware of email phishing scams where a hacker attempts to gather information about you such as your username, passwords, or credit card details by masquerading as a trustworthy entity. Avoid clicking on any suspicious links or providing any data about yourself. Always contact the entity directly using their published contact details to validate if it’s a legitimate request.
I diligently follow these tips, but it just so happened that for my PayPal account, which had been dormant, I hadn’t updated my password in a long time and suffered as a result. I learned my lesson, and luckily there was no damage in the end, but it was a good reminder to keep your eye on the ball.
Mat Honan of Wired magazine wrote a very detailed article last year about security flaws that led to an epic hack of his Twitter, Apple and Google accounts. It is a fascinating read and showcases the relatively straightforward techniques that can enable someone to breach our accounts. The steps outlined above are basic but taken together can seriously protect you and your assets online.
Are there other tools and techniques you use to protect yourself online? Let me know what I may have missed.