U.S. NEWS

A Guide To Not Getting Hacked

Don't be like Jeff Bezos. We're breaking down the basics of what to do, what not to do and why it matters.

It’s 2020 and unless you’re Ron Swanson, the odds are high you’re dependent on the internet for many things. Banking, getting a ride home after a late night, filing your taxes, paying your friend back for pizza, managing your 401(k) ― the list goes on.

A lot of your personal information is out there, and a lot of bad things could happen should it ― and the accounts that safeguard it ― be divulged to the wrong people.

The good news is unless you’re Amazon head honcho Jeff Bezos, Saudi Crown Prince Mohammed bin Salman probably isn’t targeting you with elite hacking tools. Probably. You may have been targeted by a covert Saudi disinformation campaign on Facebook, though!

The more realistic threat to your personal information will arrive in a data breach. A corporate firm will fail to safeguard a database containing hundreds of millions of usernames, passwords and other private information you never realized you consented to their amassing in the first place. It’s a common enough occurrence that the term “breach fatigue” exists. (See incidents at Equifax, Experian, Target, LinkedIn and more.)

Another likely threat: A bad actor could lure you into divulging your password or inadvertently installing malware on your computer via a cleverly designed phishing email. Russia hacked John Podesta, chair of Hillary Clinton’s 2016 campaign, with one of these, giving Donald Trump a boost in his 2016 bid for the presidency.

It’s easier to protect yourself with a couple of simple steps now than to try to recover once the damage is done. So shake off that “it won’t happen to me” mantra and follow along. Here are the basic do’s and don’ts of online security.

DO

Practice password common sense

Check to see if your email address has been involved in a breach at HaveIBeenPwnd.com, a database created by web security expert Troy Hunt. If your account has been compromised, you’ll want to change your login(s) to something new and unique. Even if it hasn’t, you should seriously consider changing your logins if it’s been a while.

Use different passwords for all of your logins. Reused passwords give attackers easy access to other accounts you use instead of keeping them siloed in one compromised account. On that note, it’s also better to avoid using the “login via Facebook” or “sign in with Google” buttons.

“Steer clear from using third-party platforms or social media profiles to log into accounts,” said Wendy Zamora, editor-in-chief of Malwarebytes Labs, a cyber threat detection and prevention company. “If a prompt asks you to sign in using Facebook or Twitter, best to create separate credentials — otherwise if that account is ever compromised, or your social media profile is hacked, any linked accounts could be compromised as well.”

If your password(s) are on this list of the 50 most commonly used passwords of 2019, give this Electronic Frontier Foundation explainer about creating strong passwords a read. As Hunt says, “The only secure password is the one you can’t remember.”

Use a password manager

Using a password manager ― which can generate secure, unique passwords at the click of a button and automatically remember them for you ― is the easiest way to manage all of the above. Here’s a review of commonly used password managers, many of which offer basic options for free. All you have to do is remember one master password to log in to the manager itself.

Keep that phone on lockdown

While we’re on the subject of passwords: If all it takes to log into your phone is mashing “0” a bunch of times ― looking at you, Kanye ― your phone represents a painfully weak link in your personal security. Anyone who can unlock your phone can likely also access your email and messages, which they can then use to reset passwords for your other accounts.

Use your fingerprint to unlock it, or use a longer alphanumeric passcode that doesn’t follow an obvious pattern (e.g., don’t use something a bystander could easily remember after seeing it once).

Change the default passwords on any internet-connected device you have in your home. Your modem, router, baby monitor, smart TV and smart fridge (yes, they too have been hacked) likely came with a weak preset password that can be easy to crack. 

Keep all of your software up to date

Completely shutting down your computer every night is a good habit that can help with this.

“This is good because it frees up RAM for startup the next day, and it also forces your system to install updates when you’re done with work, rather than it trying to do so while you’re in the middle of something,” Malwarebytes Labs director Adam Kujawa said. “Also, offline systems are less likely to be infected with malware ― at least while they are offline.”

Encrypt your devices

Encryption encodes the information on your device, keeping it out of someone’s hands if your device is lost or stolen. If you have a newer iPhone or Android phone that’s protected with a passcode, it should be encrypted by default, but here’s a helpful guide to double-check just in case. The Intercept has a guide on how to encrypt your laptop.

Think twice about putting stickers on your laptop

Certain stickers could make your device, the information it contains and the work you do on it a more enticing target.

Use two-factor authentication

That’s the fancy name for needing to enter a code from your phone in addition to your password to log in. Ideally, you’d get that code via an app called an “authenticator” instead of via text message, since text messages can be tampered with, but a text message is better than nothing.

“You get what you can get,” Kujawa said, “and even one extra layer of authentication can defeat many attackers who are just looking for low-hanging fruit and don’t want to put in any extra work.”

Look out for a padlock in your address bar

That’s an icon used to signify the website uses a more secure, encrypted protocol known as HTTPS. If the padlock is broken or you see some other, more jarring icon like an exclamation point, don’t trust the page with any personal or sensitive information.

Use a VPN

A virtual private network acts as a secure tunnel for your internet traffic, shielding it from outside view when you’re on a public, unsecured network. Turn on your VPN when you’re using public Wi-Fi, and consider using it at home, too. In 2017, Republicans voted to allow internet service providers to sell your web browsing history. A VPN will also keep that ISP snooping at bay.

Choosing a good VPN can actually be a bit tricky. As a general rule of thumb, if it’s free, be suspicious. Facebook pushed a “free” VPN for years that claimed to keep users safe from snooping when in reality it was harvesting users’ data

DON’T

Overshare on social media 

Social media pages are prime sources of personal information someone could use to compromise your accounts. The answers to a surprising number of security questions are often hiding in plain view on social media. Make your social accounts private, lock down any public-facing information and limit what you share. (Here’s a good guide for all of that.) Better yet, consider deleting Facebook entirely. Your mental health and democracy will thank you.

Email sensitive information

The technology used to schlep an email from one mail server to another is remarkably insecure. Anyone with access to a server in the middle could, with very little effort, access the contents of the emails it’s delivering. It’s OK if hackers make off with Aunt Edna’s famous green chili recipe, not so much if it’s your Social Security number. That’s the sort of information that’s still generally better transmitted via phone call or even fax.

Auto-connect to public Wi-Fi networks

Kujawa explained:

Lots of attackers can set up hotspots in airports, hotels, hospitals, etc. and broadcast their network with the same ID as default routers or try to mimic the wireless network of the place they are set up in.

For example, at an airport I’ve been to a dozen times, they have free internet. So I connect to their network all the time and my phone auto-connects when it recognizes it now, because of that.

Well, Hacker Dude comes along and sets up their own wireless access point, maybe 100 feet from you, on their laptop. They have mimicked the airport wireless access point and your phone connects to it because it’s closer, has a stronger signal, and it thinks it recognizes the network and can trust it.

The hacker sets up internet forwarding so anyone connected to their network has access to the same internet they would have if they connected to the legitimate network, with the difference being the criminal has set themselves up between you and the airport’s access points.

Get phished

There was once a time when the biggest threat in your inbox came from a stranger claiming to be a wealthy Nigerian prince. Those halcyon days are long gone.

Scammers have perfected the craft of deceptive phishing emails. They come in the form of convincing counterfeits claiming to be some overdue invoice, or to be from Netflix or a large social media platform that “just needs you to confirm your login information.” Even fake emails impersonating climate activist Greta Thunberg are a thing now.

All it takes is a little disbelief to rob phishing emails of all their power. Be skeptical of every email in your inbox, especially ones with attachments (regardless of file type ― even PDFs can be weaponized) or links to sites that ask for your personal information.

Here are some pointers from the Federal Trade Commission on how to spot scam phishing emails. Be especially wary if: 

  • The email looks like it’s from a company you may know and trust.

  • The email says your account is on hold because of a billing problem.

  • The email has a generic greeting, such as “Hi Dear.” If you have an account with the business, it probably wouldn’t use a generic greeting.

  • The email invites you to click on a link to update your payment details.

If you’re unsure, reach out to the person who sent it and ask whether it’s legitimate. Do this in a separate email ― don’t just reply to the one you received. If the email claims to have been sent by your bank or other recognizable company (including your employer!), log into your account via the company’s website (not via the link “they” emailed you) to verify whether it’s real. Or pick up the phone and give them a call.

Other forms of communication can also be weaponized, so be wary of texts, WhatsApp messages, and even old-school phone calls that seem odd. 

For more information on how to spot ― and avoid ― phishing attempts, the Electronic Frontier Foundation has an excellent guide.  

CONVERSATIONS