The world we live in has moved online and now we rely on the internet for much of what we do. While the internet makes our lives convenient, it can also make it a living hell if your identity gets stolen. Just last week, another new attack was discovered, this time by a group of Russian hackers who obtained over 1 billion unique passwords.
We’ve seen a series of high profile attacks on sites like Target, eBay and Yahoo! since the beginning of this year alone. In 2011, Sony suffered a major security breach on its PlayStation Network, with over 77 million accounts compromised, including credit card information. Unfortunately, these attacks are becoming increasingly common.
“Such attacks and breaches are going to happen more often as the criminals are always looking for new targets and monetization schemes. We are unfortunately in the age where we simply don’t have security in our own hands, the age where we have to trust others,” says Jiří Sejtko, Director of Viruslab Operations at AVAST Software.
The world of online security is a game of cat and mouse. Companies are always trying to stay one step ahead of hackers, but it’s not always possible. Of course, the companies you entrust with your information bear some responsibility for your data, but you also have a duty to educate and protect yourself.
Here’s how you can protect yourself online and why you should care about security.
Don’t use the same password on multiple sites
One way to stop hackers in their tracks is by using unique passwords for every site. It’s impossible to memorize hundreds of unique passwords and that’s where password managers come in.
Password managers are programs and services that act as a vault for all of your passwords. You have one master password that lets you into that vault, so make sure you make it a strong one. Password managers like 1Password (Android | iOS | Mac | Windows), LastPass (Android | iOS | Mac | Windows | Windows Phone) and RoboForm (Android | iOS | Mac | Windows | Windows Phone) help you randomly generate passwords with numbers, letters and symbols, making them extremely difficult for hackers to crack if they are found. Make sure your passwords are long, as that makes them extremely difficult to crack by simple brute force.
If you use the same password on multiple sites, you’re putting yourself at risk. “Companies storing these passwords aren’t protecting them well, and if you’re reusing them, it’s like reusing the same key for every lock,” says LastPass CEO Joe Siegrist.
Enable two-factor authentication
If a site supports two-factor authentication, you should enable it immediately. This secondary layer of security requires you to input another randomly generated password sent to a device like your phone, or to an email address.
Popular sites like Facebook, Google, Dropbox, Box, Evernote and others already have this feature. Some sites require your phone number to text you a temporary password to use in addition to your standard password. This makes it difficult for hackers to access your accounts since they would need to have control over your phone too.
Google has an authenticator app that allows you to add multiple sites. The app cycles through randomly generated six-digit passwords every minute. Not all sites support authenticator apps like Google Authenticator (Android | iOS), so expect to give out your phone number instead.
While it’s nice to see some popular sites implement two-factor authentication, it’s shocking how many sites don’t do it yet. American Express has no two-factor authentication, which boggles my mind.
If you use a site that doesn’t offer two-factor authentication, write to the company and urge them to step up their security. There’s even a great website called twofactorauth.org that lists sites that do and don’t support two-factor authentication. Companies that don’t support the feature have an option next to their name to tweet at them, asking them to support it.
A little inconvenience is worth it
One thing I hear repeatedly is how annoying it is to make different passwords for different sites, or how it’s easier to save all your passwords in your browser. Yes, it’ll save you a few precious seconds, but you’re also making yourself extremely vulnerable.
Do not store your passwords in a browser. They are extremely easy to extract if someone gains access to your computer. While Chrome requires your Windows password to access your saved passwords, Firefox won’t ask for a password unless you set a master password in the settings. Again, use a password manager to help you fill in usernames and passwords. Password managers offer mobile apps too so that you can take all your passwords on the go.
Don’t store your credit card information with online stores. I know it’s a pain to fill in all your payment details each time you want to buy something, but if you store your credit card on every online store you use, you’re putting that info in more places that hackers can get to. Password managers can save your payment details and fill out the shopping form for you, which avoids storing your info on a site’s servers. Since you can’t rely on a site to keep your information safe, you have to do it yourself.
Many websites don’t prioritize security because there’s no money to be made from it. “[Companies] aren’t spending millions of dollars to make sure they’re not going to get breached. What actually happens is that you need features and content, and that’s the only priority,” says Siegrist (LastPass).
I can’t tell you how many websites I’ve encountered that send a confirmation email with my password in plain text. If a hacker gains access to my email account, he or she now has access to these sites, all because a site didn’t want to invest in basic security that encrypts passwords.
“A lot of consumers don’t understand the risk of losing their identity until it happens to them or someone close to them,” says AVG Senior Security Evangelist Tony Anscombe.
Keeping yourself safe
Keep your browser up to date
Security isn’t something you can just set and forget. You have to be active and vigilant to stay one step ahead of cyber criminals. A browser is your first line of defense online so it’s important to keep it up to date.
If you’re running an outdated browser, you’re not getting the latest security features and updates. Modern browsers can detect malware and prevent you from going to malicious sites. Microsoft is stepping up its browser security by forcing Windows users to use the latest version of Internet Explorer. Google takes it a step further and automatically updates its Chrome browser in the background.
Google also announced that it will prioritize secure websites in its search results. Hopefully this will get site administrators to take security more seriously if they want to show up high in Google search.
Run an antivirus application on every device
You should run an antivirus product on every device, in addition to creating strong and unique passwords for each site. There are a ton of free antivirus programs out there, so you have no excuse not to run one. avast! wins for the most complete free solution on PC. Mac users will want to check out AVG for Mac (also free). Be sure to check out our huge antivirus comparison for 2014 to help you choose which one is right for you.
These programs will catch anything your browser didn’t. If you download an infected file, an AV will block it automatically and alert you to its dangers. This doesn’t apply only to desktop computers, either.
Today, we live in a mobile world and hackers are now targeting our phones because they contain valuable data. Your phone holds far more personal information about you than your computer does. Your phone is also tied to your carrier’s billing system, making it a high-value target for hackers.
“It’s an easier place to monetize,” says Anscombe (AVG). “Viruses [on PCs] were disruptive. The disruption has never been on a mobile device. The disruption is silent because the malware writers have become clever. They’re not doing it for a ‘badge of honor’ anymore.”
On Android, there are plenty of choices for antivirus applications. AVG Antivirus (phone | tablet) is available for free, as is Android veteran Lookout, my antivirus of choice. avast! also has its Mobile Security & Antivirus app for Android.
Premium plans for antivirus and security apps offer more than just antivirus protection like link scanning, phone recovery, and much more. Weigh which features are important to you before choosing a security solution for your Android phone. If you don’t need features to locate your lost phone, then a premium subscription may not be worth it for you.
On iOS, antivirus apps don’t exist because Apple doesn’t allow developers to access critical parts of the operating system. While both Apple and Google do a good job of checking apps in their stores for malware, Apple doesn’t allow users to install apps found outside the App Store. Android users have more power, but also more responsibility to check that apps installed outside Google Play are safe. Running an antivirus on Android is a must if you have sideloading enabled.
Only install apps from Google Play, the App Store or Windows Phone Store to make sure apps have been checked thoroughly. Windows 8 users may have less luck as there are a ton of scam apps in the Windows Store and Microsoft isn’t doing anything about it.
Malicious apps will also ask you for an inordinate number of permissions. If a flashlight app requires access to your contacts, there’s something wrong. Before you tap “Install,” double check the permissions list to see if the app is asking for access to something it shouldn’t.
And of course, set a password on your mobile device to make sure thieves (or annoying siblings) don’t have access to your phone.
Use good judgment
Nothing’s going to protect you if you don’t use at least some common sense. Use good judgment when visiting sites, reading emails, and sending text messages. No, you didn’t win a free iPad. No, the prince of Nigeria isn’t giving you a million dollars. If it sounds too good to be true, it probably is.
Beyond attacking websites and your computer, hackers have become increasingly clever. Many will use social engineering to trick you into giving up your information willingly.
One of the biggest risks to your online identity is phishing. This is when an attacker puts up a fake site that looks legitimate to trick you into entering your username and password. You can detect a phishing scam by looking for typos, aggressive language, and strange URLs. Some email providers like Gmail block some phishing emails, but it’s possible for some to get through.
The story is the same with phishing sites. While most browsers will detect these sites, they’re not going to catch all of them. However, you can use a browser to see if a site is secure. Look for a lock in the URL bar to see if a site is using a secure connection and if you’ve visited it in the past.
Remember, a bank will never ask you to send personal information over email.
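To make “strange URLs” concrete, here is an added example (not from the article) of the kind of check a browser or mail filter applies: only the last labels of the hostname identify who owns the site, so a brand name appearing anywhere else in the address is a red flag. The brand list, the allowlist and the look-alike table are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed for the demo: brands to watch for, and the domains they really own.
WATCHED_BRANDS = ("paypal", "amazon", "ebay")
LEGITIMATE_DOMAINS = {"paypal.com", "amazon.com", "ebay.com"}

# Digits and symbols phishers swap in for letters (paypa1.com, amaz0n.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Approximate the owner part of a hostname as its last two labels.
    A production check uses the Public Suffix List (co.uk etc.); this is a demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_signals(url: str) -> list:
    """Return the reasons a URL looks like it impersonates a watched brand."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)
    if owner in LEGITIMATE_DOMAINS:
        return []  # the registered domain really is the brand's own
    signals = []
    if parts.scheme != "https":
        signals.append("not https")
    if host.replace(".", "").isdigit():
        signals.append("bare IP address instead of a domain")
    lookalike = owner.translate(CONFUSABLES)
    for brand in WATCHED_BRANDS:
        if brand in owner:
            # paypal-security.example: brand in the registered name, but not its domain
            signals.append(f"{owner} uses '{brand}' but is not the brand's domain")
        elif brand in host:
            # paypal.com.login-secure.example: brand hidden in a subdomain
            signals.append(f"'{brand}' appears only in a subdomain of {owner}")
        elif lookalike != owner and brand in lookalike:
            signals.append(f"{owner} is a look-alike of {brand}")
        if brand in parts.path.lower():
            # example.net/paypal/login: brand in the path, which anyone can write
            signals.append(f"'{brand}' appears in the path of {owner}")
    return signals
```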
Online security is a mess but we can change it
Companies need to take security seriously
Now that you know some basic steps on how to protect your online identity, it’s time for companies to start taking security as seriously as you are. Security across the web is inconsistent, with no standard implementation across websites. Some offer two-factor authentication, while many don’t. Some use perfect forward secrecy to secure their connections, but many don’t do that either.
We need to urge companies to take security seriously. If a service has a history of lazy security, it’s time to leave them. You shouldn’t have to trust a site with your personal information if they’re not going to take measures to keep it secure.
While big companies like Apple and Google take security very seriously, they’re not infallible. Both companies do a good job of checking apps in their stores and building security into their operating systems but it’s a constant battle. Android has a bigger malware problem than iOS because of its openness but it also offers more freedom for developers.
“Apple with iOS 8 is certainly getting better, but they’re still years behind Android. They’re making questionable decisions, like allowing different keyboards to be used but not allowing that keyboard to be used in password fields. It’s frustrating as a developer to not be able to give users more security and convenience,” says Siegrist (LastPass).
Beyond the password
Passwords themselves aren’t safe anymore. They’re not inherently weak, but companies are getting breached all the time. So what’s going to happen beyond the traditional password?
“I think we’re moving toward a federated password,” says Siegrist. Federated passwords are already here in the form of Facebook and Google+ login. This means security is handled using these standards instead of relying on a site to implement their own login system.
The only problem with Facebook Connect and Google+ Sign-in is that they require you to hand over your personal information before you can use them. If Google and Facebook really want to become platforms for federated passwords, they need to allow users to sign up without providing personal information. Permissions for these login systems also need to be more transparent about why each site and app needs access to your friends list, email, and other information.
There needs to be a standard across sites, but no one is spearheading this movement any more. OpenID used to be the federated password of choice, but it can’t compete with Facebook or Google. Facebook used to be a sponsor of OpenID but left in 2013 in favor of its own Facebook Connect login.
No one is 100% safe
You can be the most careful person online, but you’ll still never be 100% safe. It’s highly likely that a website you use has been hacked and your username and password are already exposed. By the time a company announces a breach, you’ve already been compromised for weeks, if not months. If you use a password manager to create unique passwords for each site, the attack stops there.
But if attacks are inevitable, why even bother? While we may not be able to control the security of websites we use, we can mitigate the damage in the event of a hack.
“It’s like saying if I get in my car tomorrow morning and my brakes fail, it’s all over. But I get in my car every day and I trust my brakes to be working. I think that’s a very defeatist attitude,” says Anscombe (AVG).
Just as Anscombe expects his car’s brakes to work, you should expect your antivirus and privacy tools to work. While it’s possible to be hacked, you can make it much harder for attackers.
As consumers, we need to let companies know that our information needs to be protected. Let companies know that security matters to you and that you’re willing to stop using their app, site or service if they don’t start taking security seriously. Security needs to be in the limelight instead of being an afterthought. If our collective voices are heard, we’ll have a safer internet for everyone.
Follow Lewis on Twitter: @lewisleong