Have you thought about Digital Hygiene? (Part 1)
I was standing in line at the supermarket when I overheard a rather stressed lady talking on the phone about how her online email account was receiving and sending strange emails. Her web-based interface email provider had told her she had been hacked, her account was now frozen, and she needed to change her password. When she hung up, I politely asked her whether she used different passwords for different sites. She said, ‘No, of course not, I can’t remember so many different passwords, so it’s easiest to just use the same one for all of my accounts.’ Once I explained to her that she now potentially had given hackers access to most of her accounts, confidential information, personal identity (theft), contacts, payment methods etc., she looked at me in horror and looked like she was going to faint.
It got me thinking, and left me perplexed, about how many people essentially don’t realize how easy it is to get hacked and misused in a growing digital world. Are you aware of the concept of your digital hygiene?
How much control do you have of your personal data security? To some degree, we are naive and want to turn our heads to avoid the reality of digital safety trailblazing and how criminals (and some legitimate organisations) attempt to track us. After all, your laptop, phone or tablet should protect your digital safety and privacy by default, or have you become accustomed to ignoring those relentless pop-ups showing you Terms and Conditions that you can no longer be bothered to read? And then, of course, you likely feel protected in reusing your seemingly unbreakable password that you repeatedly use for most of your internet accounts. That is just like hiding the key to your front door under the mat outside the entrance to your private residence.
If your password is not unique to each log-in site, you are essentially helping criminals steal from you and possibly those around you. It happens hundreds of times every day. Don’t get me wrong, there are legitimate and innovative companies and organizations that want to help protect you, but at the end of the day, you need to take the time to systematically reconsider and re-evaluate how to define your own personal digital identity, usage and needs – for your own security and protection.
Why do so many internet users use the same password?
Because it’s easiest until we are compromised. The fact is that this same repetitive thinking and inferior strategy is exactly what criminals want everyday internet users to keep practicing, until you realize 50% or more of your personal sites have suddenly been compromised. This is a criminal fishing boat – hook, line and sinker, and you likely won’t be released until you pay a ransomware fine or are forced to change all your passwords once you’ve assessed the damage. Being repetitively complacent makes the criminals’ job easier when they attempt to invade your virtual space, your privacy, your hard-earned money, and your social space.
What can you do about it?
Today, public internet users are subjected to criminal networks that use algorithms, massive legal or illegal networks of connected computers (aka botnets), Artificial Intelligence, government-funded hacking networks etc. It has never been more important to protect and educate yourself as an internet user than it is today.
Today, the currently accepted overall strategy for security protocol both privately and publicly leans on SCA:
SCA stands for Strong Customer Authentication, which is essential for providing a secure payment environment and is often referred to in connection with PSD2 (no, not the robot C-3PO from Star Wars). PSD2 is currently the most recent Payment Services Directive designed by countries of the European Union, but SCA can also be applied to personal password management.
It basically says that user authentication should involve two of the three approaches listed below:
· Ownership: Something that only the individual has in their possession (e.g. a cell phone)
· Knowledge: Something only the individual knows (e.g. a code, personal ID number, or a static password)
· Inherence: Something that exists as a permanent or individual attribute (e.g. a biometric characteristic)
Try to remember these principles: O.K.I. It can also be applied outside of your digital sphere.
In essence, the non-layman explanation dictates that the multi-factor authentication process must be executed in a manner that protects the confidentiality of the authentication data, as well as the user’s private data. Reread that sentence.
In terms of us everyday internet surfers, here are some non-exhaustive suggestions to protect your digital life:
Always remember that no one from your general private space, bank, the police, or government authority will contact you to ask for personal information, credit card numbers, or passwords. You own this information, nobody else.
Virtual Private Networks aka VPNs (there are many good free versions) will help you hide to some extent and encrypt the data you send and receive.
The most common criminal method today is for someone to call or email you and act like they are representatives of a legitimate organisation, e.g. a globally advertised delivery service. It’s called phishing and you need to be very aware of this. Be aware that you always have the option to contact the legitimate organisation via the organisation’s public contact information that you can confirm without the original caller’s help or influence.
If the offer sounds too good to be true, it most likely is. Don’t click or forward dubious or strangely worded links. Take notice of misspellings, grammatical errors (not just spelling mistakes), unnecessary attachments, strange IP addresses, and subtle discrepancies in company logos and slogans. If the message is notably urgent, be cautious, and read it again with fresh eyes a couple of hours later.
Here’s one of my favorite examples from scammers using the name of one of the world’s most known companies. Thousands of versions of these types of emails are sent every day because they often work on unsuspecting and unfocused recipients.
I can guarantee you, the sender of the above email will likely ask for your personal identity, accounts, and banking information once you click and reply.
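As an added illustration that is not part of the original post, here is how a mail filter could check three of the warning signs listed above: urgent wording, links that go to a bare IP address, and link text that shows one site while the link goes to another. The function names, the word list and the sample message are assumptions made up for this example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URGENT = re.compile(r"\b(urgent|immediately|within 24 hours)\b", re.I)
HOSTLIKE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def review_email(html_body):
    """Return plain-language warnings for one HTML message body."""
    warnings = ["urgent wording"] if URGENT.search(html_body) else []
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if is_ip(host):
            warnings.append(f"link goes to a bare IP address: {host}")
        shown = HOSTLIKE.search(text)
        if shown and host:
            name = re.sub(r"^www\.", "", shown.group(1).lower())
            if host != name and not host.endswith("." + name):
                warnings.append(f"link text shows {name} but goes to {host}")
    return warnings

# Constructed sample; the .example names and 203.0.113.7 are reserved for documentation.
SAMPLE = (
    '<p>URGENT: parcel on hold.</p><a href="http://203.0.113.7/track">Track parcel</a>'
    '<a href="http://parcel.example.account-check.example/pay">www.parcel.example</a>'
)
```

Calling review_email(SAMPLE) returns one warning per sign found; a message whose links go where their text says returns an empty list.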
Rethink your passwords
Here’s one strategy for selecting passwords: The basic strategy is to use prefixing or suffixing.
Find the first letters of a phrase or song text that is unique to you and easiest for you to remember, combine it with a number(s) or sign(s) mid phrase and/or end phrase, and apply your unique chosen password – per site – by using the first and last letter of that respective site.
Why add a unique sign to your password? There are 96 keys on a QWERTY keyboard, so 1 sign added to a password takes 96 guesses to find; 2 signs equals 9,216 guesses, and 3 signs means 884,736 guesses. It grows from there on.
Password Managers like LastPass or Dashlane will encrypt and keep your online passwords secure with 1 Master Password (so make it a good one!). These sites are free, or can offer extra password management for a relatively small price.
Generally, it’s safer to write down your digital Master Password on paper and hide it physically at home rather than saving it on your computer.
Don’t use a family name or something that can be researched on the internet and connected to you like Facebook (do you know if your Facebook profile is public?), Instagram, internet forums etc.
Biometric additions like a thumb print or the blink of an eye to open your cell phone are unique to you and generally can’t be copied. Have you considered how many of your personal sites someone who finds or steals your cell phone can get access to without physically entering a single password? Can you count the number of times you accepted your operating system’s request to remember your password for you? Where is it stored and for how long?
Consider adopting a one-time password (OTP) via E-mail or SMS each time you log on to your most important site(s), if it is offered. I do this for my cloud based back-up solution. It’s a small pain for a huge peace of mind.
Ultimately, don’t underestimate the importance of staying educated and updated on criminal methods reported by the press and dedicated security sites. One day, it might very possibly be you in panic talking about cyber criminality on your cell phone in a supermarket queue…