It is National Cybersecurity Awareness Month (NCSAM) and I am reposting most of what I posted last year around this time, most of which is still applicable. I am amazed at the number of people who are still not aware of all the different ways you can protect your information. You don’t want your important information compromised or your financial assets stolen, so it is better to take precautions early. I have added a section about SIM swapping, a technique that used to be prevalent mainly in other countries and is becoming common here.
Passwords & Passphrases
I use fairly long and complex passwords. I prefer passphrases wherever they are supported. It is sad that so many systems still do not support passphrases and are restrictive about the length of passwords. As a rule, I use a different password for each system. I will be very happy to privately share with anyone who is interested how I maintain and remember all of these passwords. I also avoid saving the passwords for critical systems and financial institutions in my browser’s password manager. Browser password managers are safe and keep getting safer, but if someone ever steals my Google password AND bypasses two-factor authentication, they will have access to all my passwords (paranoia!).
Whether or not to change passwords often is an age-old question, and I believe that having a long and hard-to-guess password is much better than changing passwords often. One of the reasons for mandating password changes was that if hackers had access to your password, changing it prevents them from accessing your data, and it is hard for them to guess your new password. With the exponential increase in computing power, by the time your password has been compromised, a lot of your information has already been accessed before you can change the password. Secondly, it has been shown that mandatory password changes result in predictable password patterns that are easier to guess than one might imagine. I encourage you to read the article “Time to rethink mandatory password changes” on this subject. So, my advice: make passwords long and hard to guess.
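To make the "predictable password patterns" point concrete, here is an added example (not from the original post) of the kind of check a defender can run at password-change time. The old-password-to-new-password transformations it flags (incrementing a trailing digit, appending a symbol, reversing, swapping case) are the common ones cited in research on mandatory rotation; the 0.8 similarity threshold and the 7776-word dictionary size (a Diceware-style list) are assumptions chosen for illustration.

```python
import math
import re
from difflib import SequenceMatcher

# Threshold above which two passwords are treated as "the same password, lightly edited".
# This value is an assumption for the example, not a standard.
SIMILARITY_THRESHOLD = 0.8


def normalize(password: str) -> str:
    """Canonical form for comparison: lowercase, with digits and symbols removed.

    "Summer2019!" and "Summer2020" both normalize to "summer", which is exactly
    the pattern users fall into under mandatory rotation.
    """
    return re.sub(r"[^a-z]", "", password.lower())


def is_predictable_rotation(old: str, new: str) -> bool:
    """Return True if `new` looks like a trivial edit of `old`.

    A password-change endpoint would reject such a change, because an attacker
    who holds the old password will try exactly these edits first.
    """
    if new == old:
        return True
    # Same letters, only the digits/symbols changed (Password1 -> Password2, Fall2019 -> Fall2020!)
    if normalize(old) and normalize(old) == normalize(new):
        return True
    # Reversed old password
    if new.lower() == old.lower()[::-1]:
        return True
    # Anything else that is mostly the same characters in the same order
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly from a word list."""
    return word_count * math.log2(dictionary_size)


def password_entropy_bits(length: int, charset_size: int = 95) -> float:
    """Entropy of a password of `length` characters drawn uniformly from `charset_size` symbols
    (95 = printable ASCII). Real human-chosen passwords are far below this upper bound."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # Constructed sample password changes, as a policy engine might see them.
    for old, new in [("Password1", "Password2"), ("Summer2019!", "Summer2020!"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        verdict = "REJECT" if is_predictable_rotation(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {verdict}")
    print(f"6-word passphrase: {passphrase_entropy_bits(6):.1f} bits")
    print(f"8-char password:   {password_entropy_bits(8):.1f} bits")
```

The entropy helpers show why the post prefers long passphrases: six random dictionary words carry more entropy than an eight-character password drawn from the full printable character set, and they are far easier to remember.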
Two Factor Authentication
I always opt in to this whenever a system makes it available. I use DUO as well as Google Authenticator for this purpose. Some systems, such as banks, may not support these and instead send a code via text message to your phone as an additional step when logging in. Is it inconvenient? A little, but you will get used to it over time.
Some things to be aware of. When you are flying, connect your computer to the plane’s WiFi and want to access a system that requires two-factor authentication, you may be out of luck unless you are prepared. If the two-factor system works over WiFi, like DUO Push or Google Authenticator, you also need to connect your phone to the plane’s WiFi, which may or may not be possible depending on the cost. These two-factor authentication systems always provide backup codes (which you can save on your laptop) that can be used instead, or you can carry a USB key like the YubiKey. Also, make sure to follow the steps to install Google Authenticator on your new phone before discarding your old phone, and your life will be much easier.
Complicated? Yes. Worth it? Absolutely… unless you are the type who taps “yes” on the DUO Push screen without paying attention. When a hacker who stole your password tries to log in and you get a push notification, you don’t want to approve it!
I found the article “How to Protect Yourself Against a SIM Swap Attack” in Wired magazine useful for understanding how this works, and I strongly encourage you to read it. As the article says, “At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own.” One would think that is hard to do. Think about it. If someone “bought” the last four digits of your Social Security number, your address and your phone number on an underground network, they can call your cell phone carrier, convince them that it is you who is calling, and ask to “port” your number to a different phone. Or they go to a retail store to do it and, when asked for identification, claim that they forgot their wallet at home and sweet-talk the staffer into doing it. Or, in the worst case, the staffer may be part of the scheme. Presumably, someone tries this when they already have your password. If they also have your phone number, all bets are off: the text code will be sent to their phone.
The article provides specific recommendations, including setting up additional barriers that come into play when someone wants to make such a change. Follow them right away. As I mention above, it is better to use DUO Push or Google Authenticator-type options instead of text messages, but these may not be available everywhere.
Protect your phone & laptop
Set up a screen lock on your iPhone or Android phone. If your phone supports facial recognition or has a fingerprint reader, set them up. If you lose your phone, you want to be able to find it, and if it happens to be stolen or lost somewhere other than your home or office, you also want to be able to erase its contents. All of these are possible if you spend a few minutes setting them up early. Obviously, trying to do this after the fact doesn’t always work! iPhone instructions are here and Android instructions are here.
Do the same for your laptops. Macs: lock your screen, have it go to sleep after some idle time, and require a password to wake it up. Also, encrypt your disk using FileVault so that it becomes unreadable if it is removed and a hacker tries to read its contents. Windows: do the same. For encryption supported at Wellesley, see here.
Many financial institutions support a “verbal password”. There are still some instances when you have to call a financial institution. Many hackers who steal your personal information call banks to get addresses changed, request money transfers, or do other damaging things. To prevent this, you can ask the bank to set up a verbal password. When you call, in addition to the usual personal information, you will need to provide it before they will move forward. It is a great added layer of security. I also have one on my ADT account.
Consider placing a credit freeze with the credit bureaus.
The most important thing is to figure out a safe method of remembering all of the steps you took, because in some cases, such as FileVault, not remembering how you set it up and what the password or recovery key was can cause real headaches.
Many of us have shared bank accounts or shared Netflix accounts, so the other person needs to know what you are doing; otherwise, when they need to look up account information or transfer money, they will be frustrated. Having a plan to share your methodology with a trusted partner and getting their buy-in is essential. Otherwise, all your work can potentially be undone by that person.
I hope you found some of these pointers useful. As overwhelming as they are, most of the time it is all about a good plan and its execution. Many of these are one-time activities, which has the advantage that you only do them once, but the disadvantage that unless you planned well and documented them somewhere safe, you might forget what you did! But you will be thankful for taking all of these precautions and keeping an eye on your information so that it stays safe. Others can help, but it is a shared responsibility, and you have a lot to contribute to keeping your information safe!