10 Security Mistakes You Might Be Making On Or Offline
Keeping yourself, your online data, and even your home safe doesn’t have to be overly complicated or convoluted. You don’t need a computer science degree to take some basic precautions. Below are ten mistakes you might be making, either online or off, with straightforward solutions to keep yourself, your data, and even your home safe from bad actors.
Posting Personally Identifiable Information Online
This has been a prevalent trend in recent months, as more people get vaccinated and show off their vaccination card on social media. The excitement around vaccination is certainly understandable, but it’s important to recognize the Personally Identifiable Information (PII) available on vaccination cards. Vaccine cards in America show your full name and date of birth. And while that might not seem all that revealing, it’s a good start for a scammer looking to steal your identity. The Federal Trade Commission website says it best. “Think of it this way — identity theft works like a puzzle, made up of pieces of personal information. You don’t want to give identity thieves the pieces they need to finish the picture.”
The same goes for posting information related to your passwords, or supplying answers to common password security questions (“What was your first pet’s name?” “What street did you grow up on?”) on social media. Enough of this information makes it easier for bad actors to break into your accounts or pretend to be you on or offline.
A good solution here is to think before you post information online. Ask yourself, “Does this help someone else access my email, social media, or health information? Or make it easier for someone to pretend to be me in some way?”
Posting Photos Of House Keys Online
The PII scenario also applies to posting pictures of keys online. It’s not uncommon for a social media user to post a picture of a new set of keys upon securing a new apartment, house, or car. The problem is, it’s absolutely possible for a bad actor to reverse-engineer a physical key, just from your picture online. It’s called key-cloning. And while I won’t detail how to do this here, that information is out there for anyone to discover.
Couple that with pictures of your car or home on social media, or your home address being otherwise discoverable online, and suddenly you’ve made it possible for someone to access your vehicle or enter your home, all from the picture of your keys that you posted online.
Reusing passwords across multiple sites is an understandable practice. After all, there are so many social platforms, email platforms, streaming platforms, banking and money websites and apps — it never ends. (I’ll talk about a solution for this in a moment.) But while many of us know we shouldn’t reuse passwords, we might not think about why we shouldn’t.
It’s easy to become numb to the headlines, but large scale database breaches are a common occurrence now. If an attacker breaches a company’s server and steals a wealth of usernames and passwords, they could sell those on the dark web. Suddenly, the username and password for your gym membership site, email, or healthcare app is available to those who know where to look. The first thing an attacker is going to do with that information is try that combination for your bank and social media sites. If you use a different password for each site, a database breach becomes less impactful for you. It’s still not great, but now an attacker has access to one of your logins, not two or three or six.
Using Weak Passwords
Similarly, using a weak password isn’t great, either. If it’s widely known that LeBron James is your favorite athlete, and your password is lebron23, you’re making it easier for attackers or services like nmap or Metasploit to guess your password. So what’s the solution? Super difficult to remember passwords for every single site you access? Read on below!
Not Using A Password Manager
Passwords can be difficult to remember and a liability, as covered above. A good password manager offers a strong solution to that problem. Password managers store your existing passwords, thus preventing constant password resets when you forget your login. A password manager can also help you develop stronger passwords. As stated above, weak passwords are just that. Weak. Give yourself some additional security.
Two trusted options are 1password and LastPass. Both options come out to $3 per month (billed annually). A small price to pay for increased security for your emails, financial or health information, social platforms, etc.
Connecting To Public WiFi Networks
We’ve all gone to a Starbucks and logged on to the public network to check our email. Or used airplane WiFi to surf the web during a long flight. The problem is, you’re not the only one on that network. Especially on a free WiFi network at a crowded business. What’s to stop your neighbor at the next table from trying to access your device?
For example, imagine you’re online at your favorite coffee shop. There may be multiple WiFi networks. Maybe there’s Starbucks and StarbucksOfficial. You might assume both are legit, when in reality, an attacker may have set up StarbucksOfficial to confuse patrons. Now you’re on an attacker’s network, thus making it easier for them to access your device and your data.
When in doubt, ask an employee which network is the official WiFi network for that business. Or, even better, use your phone as a mobile hotspot when you’re in a public space, with a password only you know. This way, you’re less vulnerable to someone on the same free public WiFi network gaining access to your device.
Leaving Bluetooth On In Public
Bluetooth can be great for sharing a photo with a friend via AirDrop, or playing music from your laptop through your smart speaker. Unfortunately, Bluetooth can also leave your device vulnerable. Especially in a public setting.
Maybe you’ve experienced bluejacking in the past. Bluejacking occurs when you receive a message (text, photo, video, etc.) from an unexpected source. Maybe someone on the same train as you sent you a funny meme, or decided to send a message meant to start a conversation. This may be nothing more than an annoyance, though an unexpected photo, file, or link sent to your smartphone, tablet, or laptop may actually be a Trojan horse, installing a virus on your device.
Bluesnarfing takes things a step further, as this allows an attacker to access and retrieve information from your device. This could be personal information, text messages, photos, videos, etc. Obviously you don’t want strangers gaining access to your personal information, so it’s worth double checking that your bluetooth is off when you’re in a public setting, or even at home if you live in a building with a lot of other residents.
Posting When You’re Going On Vacation
Certainly one of the best parts about going on vacation in the mobile age is sharing photos from your trip in real time across social media. Whether at a gorgeous national park, a swanky dinner in another city, or relaxing on a picturesque beach, snapping a quick photo, throwing a filter on, and posting to Instagram, etc. provides a certain rush of dopamine. Unfortunately, it can also leave you more vulnerable in the real world.
If you’re posting photos from a beach in Europe, or even from a restaurant in another state, it strongly suggests that your home is left unattended. And while this may or may not be the case (maybe you have a housesitter, or someone coming by to walk the dogs throughout the day), it’s still not great. Especially if you previously posted your keys as a photo on social media, and your home address information is discoverable online. All of these seemingly innocuous elements can add up to leaving your physical domain vulnerable.
So while it may not provide the same instant gratification, you’re likely better off posting vacation photos once you’re back home.
Not Doing Basic Checks For Email Scams
Email scams are a staple of Internet attackers, and your spam folder can only do so much to keep your inbox safe. You need to take steps on your end, as well.
Always double check the sender, to make sure the message is from who it says it’s from. Anyone can choose any name to attach to an email account. Take a second to confirm that you’re getting a message from a legitimate sender. For example, if your bank is (the hypothetical) USA First Bank, and your notifications usually come from firstname.lastname@example.org, it wouldn’t be hard for an attacker to send an email from email@example.com, which looks a lot like the first address, but isn’t from the same domain.
Additionally, you should always hover over links in your email, to confirm the link actually is what it says it is. If you get a notification from firstname.lastname@example.org (note the extra “E”), and it instructs you to click a link to reset your password, that link is almost certainly going to a malicious site. So it’s always a smart move to confirm the sending address and hover over a link to confirm that it actually is sending you to the intended site.
Even better, whenever possible, go to the website itself, vs clicking the link. For example, if you receive an email that appears to be from your bank, asking you to confirm a transaction, with a link to click within the email body, go to your bank’s website and log-in there. That way you know you’re accessing the actual website, not a spoofed site from a phishing email link.
Email scams are simple and designed to take advantage of the fact that we’re used to trusting our inbox and we’re often distracted while checking our emails. All of that works to an attacker’s advantage.
Not Using Multi-factor Authentication And Push Apps
Choosing a strong password and using a password manager is a good start towards better security for your online logins. Multi-factor authentication (MFA) and push authentication apps take your security even further.
MFA occurs when you link your phone number to one of your online accounts, like an email client. If the site suspects that someone is logging in who isn’t you, that site may request that you enter a code that has been sent to your phone or email.
For example, if you live in New York and an attacker in Australia is trying to log into your email, your email client may note the difference in location and request a code that they’ve sent to your phone. Now the attacker not only has to guess your password, but also a random string of characters. This provides another level of protection.
(It’s worth noting that there’s also another attack called simjacking, which results in an attacker gaining access to your phone number, and thus receiving calls and messages intended for your phone. Learn more about simjacking here and here, with some helpful solutions here and here.)
Two factor authentication (2FA) apps add another level of protection. These apps skip your SMS messaging (texts) altogether, and are installed on your mobile device. This way, if you’re logging in to your bank, for example, your bank would send a push notification to an app like Duo Push, which can only be accessed from your own mobile device. This decreases the threat of simjacking or password hacking. There’s also Google Authenticator for Google services, as well. (Android or iOS)
Watch this site for more security tips in the coming weeks!