Thursday, November 05, 2015

Don’t Get Hacked

Security risks are everywhere these days — whether it’s the NSA (possibly) listening in on your conversations or overseas hackers trying to gain access to your credit cards and social security numbers, you need to be careful about protecting your personal information. But you’re not a security expert, and you probably don’t have the time or inclination to hire one. How do you take care of your confidential personal and business information without turning your life into an endless series of padlocks and safes?

Don’t fret. Good security is really all about common sense and awareness. Perfect security is unattainable in the modern world, and you can quickly get into tinfoil hat territory when you attempt to lock everything down. Instead, I’d like to present you with a set of simple guidelines to keep your business and personal information secure. These aren’t truly “best” practices, because the absolute best practice is disconnecting entirely from the electronic world, paying for everything in cash, and living in a dark, musty cellar somewhere. So put away your rolls of aluminum foil and let’s get down to business.

Virtual Vaults

The biggest step you can take is actually one of the easiest: getting a password management tool. These software applications, like LastPass and 1Password, do two things very well: they generate high-quality passwords and store them securely, and they provide an encrypted environment for your other sensitive information.

You can store secure notes, credit card numbers (your own, not your customers’) and any kind of data that you don’t want prying eyes to see here. These applications also generate complex passwords that are more difficult (though not impossible) to hack; and, perhaps best of all, they will fill in those passwords for you automatically when you visit a website.

These applications aren’t perfect, but they do add an extra-thick layer of protection around your personal data, and most of them now work across multiple devices - in other words, you can create a password on your desktop computer and, if you also have the companion app on your phone or tablet, it will automatically fill in your credentials on those devices as well.

Is that really you?

Another very simple and reasonably pain-free step to much higher security is enabling “multi-factor” or “two-factor” authentication wherever possible. If you have ever worked in a big corporation for any substantial period of time, you might already be familiar with the little key fobs that change digits every minute or so, allowing you to log in to the corporate network.

Those 6 or so digits are a secondary form of authentication, and their purpose is to ensure that the person trying to log in actually has physical access to the secondary code. Since that code is randomly generated and changes every few minutes, it’s very difficult to hack - by the time a hacker could “brute force” guess the code, it’s already been changed!

For decades, multi-factor authentication was primarily a tool for securing corporate networks, especially when employees logged in from home or on the road. Now, multi-factor authentication is everywhere, and you don’t even need the little fob - all you need is your phone. With apps like Google Authenticator or Authy, you can have nearly the same level of security as a big corporate network, right on your mobile device.

Multi-factor authentication is really any authentication method that requires two or more challenges to your login. When your bank website says “We also need to know your favorite football team” before you log in, that’s decent security, but the best multi-factor authentication actually uses a completely separate communication method and device for the other “factor”. A hacker trying to get access to your bank account might be able to hack your password and guess your favorite football team. But with multi-factor, a hacker who hacks your password must also have your mobile phone in her hands in order to get past the second challenge. It’s not impossible, but it’s pretty darn close.

Many major tech companies (Google, Apple, etc.) now offer multi-factor authentication, and if it’s available for your website or application, by all means turn it on and start using it. The strongest password in the world isn’t half as powerful as good multi-factor security.

Look for the padlock

Awareness makes a big difference when it comes to security. For instance, by forcing my wife and daughter to use higher-quality passwords, I’ve made them acutely aware that there are risks out there, and they need to be careful about when and where they provide their personal information. Good passwords and multi-factor authentication are excellent practices, but it’s also worth noting a few things to avoid at all costs:


  1. Entering personal information of any kind into an insecure website or app: You probably know that when you see a padlock (or similar) icon up in the address bar of your web browser, you’ve got a secure (HTTPS for the technically inclined) connection to that website. What does that mean? Put simply, it means that the web browser itself (Chrome, Internet Explorer, Safari, Firefox, etc.) is talking to the website using encryption. Encryption makes it very difficult for someone snooping on that connection to see the information that is being transmitted back and forth. When you put any kind of personal information into a web site that does not have that secure icon, it can be hijacked quite easily by hackers.

  2. Entering personal information after clicking on links in emails: Phishing emails are everywhere, and they can look so much like an official email that you might not even give them a second look before clicking. Often, they will even take you to a web URL that looks similar to the one you’d expect to go to. As a general rule, don’t ever put your personal information - user name, password, etc. - into a website when you have reached it by clicking in an email. If you get an email from your bank about logging in and checking your balance, close the email and go directly to the bank’s website instead. That way, you’ll be able to ensure that it’s really your bank and you have a secure connection prior to entering your information.

  3. Providing personal information over the phone to anyone who calls you: With a few notable exceptions (your credit card company, for instance), you shouldn’t provide identifying information (social security numbers, etc.) to anyone who calls you. No one, in fact, should ever ask for your full social security number over the phone. And if someone calls you asking for information and you can’t confidently identify them as an authorized representative of the business you’re dealing with, just tell them you’d like to call them back. There’s a lot of “human” hacking these days, where hackers impersonate a victim and attempt to get their passwords or account information via phone. The most sophisticated hacks often involve many factors, from password resets to phone calls. Again, your awareness is the key here - if it smells fishy, it probably is!