By Adam King - Security Consultant at PGI Cyber
As a security guy, the most common question I find myself being asked is, “how do I stay safe online?” In this second article, I will cover some other methods to keep safe online.
If we drill down to the basic level, a recovery question is a type of password. The answer is supposed to be a secret which only you know. However, the questions posed by almost every organisation are often very insecure – it is almost certain that close friends and family will know your mother’s maiden name or your first school. My advice for these questions is to use something which isn’t the correct answer; in other words, treat the answer as a password.
You may get a confused response when telling a customer assistant over the phone that your mother’s maiden name is Trombone123, however it is safe to assume that nobody else will think to give this answer when attempting to gain access to your personal information. By using this method, even if an attacker were to find out the required information from the likes of Facebook and Ancestry.com, they will be unable to use this information against you.
Account Privacy and Security Settings
Leading on from recovery questions, it is important to recognise where this sensitive information may be in the public domain. For most users, the answer to this will likely be social media sites. Luckily for you, it is a very simple process to go to your privacy settings and remove this information or replace it with fake details – there is nothing wrong with leaving a few red herrings for the bad guys.
Enabling two-factor authentication is also highly recommended for applications which support this functionality. By doing this, you must log in using a username and password, and also a security code which is sent to your mobile device, ensuring that nobody can access your account without physical access to your phone.
Finally, a lot of online applications will allow you to configure alerts via text or e-mail when your account is accessed. Receiving one of these alerts when you have not logged in should ring alarm bells, and as such it may encourage you to change your password or contact the organisation to verify where this login has come from.
Last but not least, phishing e-mails are a common cause of losing personal information to a malicious party. Most of us receive these e-mails daily; however, many of them will be filtered as spam and you may never see them.
It is important to think about the content of e-mails requesting personal information. Why would an organisation initiate contact with you and ask that you prove who you are? They are the ones who have made contact and should therefore be the ones to prove authenticity.
Verify the source of e-mails. Ensure that you have checked, double checked and triple checked the domain (after the @ symbol), for example firstname.lastname@example.org has a spelling mistake which could be missed. If there are mistakes in the e-mail address, it cannot be trusted.
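As an added example that is not from the original article, the check below does what the paragraph describes: it takes the domain after the @ and flags addresses that are only one or two characters away from a domain you trust. The trusted list and the sample addresses are constructed for illustration.

```python
# Added example (not part of the original article): flag sender domains that are
# not on a trusted list but look almost identical to one of them, which is the
# "spelling mistake after the @" the article tells readers to look for.
# TRUSTED_DOMAINS and the sample addresses below are constructed for illustration.

TRUSTED_DOMAINS = {"example.org", "bank.example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain after the @."""
    if address.count("@") != 1:
        return "unknown"  # malformed address: treat as untrusted
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # A domain one or two edits away from a real one is the classic typo trick
        if 0 < levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    samples = ("support@example.org", "support@exarnple.org",
               "support@examp1e.org", "news@other.net")
    for addr in samples:
        print(addr, "->", classify_sender(addr))
```

A "lookalike" result is the case the article warns about: the address is close enough to a real one to be missed at a glance, so it should not be trusted.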
If you have time, forward these e-mails to an appropriate handler. Many companies have teams that will investigate scams, and in some cases will distribute e-mails to all customers warning them of phishing attacks or will contact e-mail providers to block these messages.