Jun 8, 2012

LinkedIn Reminds Us – A Different Password for Every Site is Critical

Recent attacks on LinkedIn and eHarmony highlight the importance of different passwords for different sites.  LinkedIn confirmed that there had been a breach in their security whereby hackers stole approximately 6.5 million encrypted passwords.  eHarmony has also announced a breach in their security where 1.5 million passwords were stolen in the attack. Large scale attacks such as these are becoming more common.   Epsilon and a number of other companies, as we have discussed in previous blogs, fell victim to theft as well. In all of this hacking activity, there is one simple lesson – if all your passwords are the same on each site you use and someone fraudulently obtains your login info for one site, they will have obtained access to all your sites in one small coup.

Case in point.  A colleague of mine recently learned a difficult lesson when her computer was stolen from her car. At first, she was mostly concerned about having lost all of the work (she’s a writer) that was stored on her machine. Sadly, there was a lot more than poetry at stake: her entire identity was at risk.

While using one password for all the secure sites she visited seemed smart at the time, it turned out to be a disaster. It was anything but smart. One little password gave the thief access to literally every aspect of her life: banking records, bills, medical records, emails, social networks and more. A simple trick of creating a new password for every important, secure site you visit can keep you from this kind of tragedy.

To put this in perspective, think of what we already do in the real world. We have a different key for everything that matters – house, car, safe-deposit box, gym locker, work, file cabinet, desk drawers, etc. And yet, many of us do what my colleague did — use the same password across multiple websites.

The good news is that creating a more secure cyber life for yourself is not that hard.  Exercise caution in choosing passwords by selecting passwords that can’ t easily be connected to you, like names of loved ones or important dates. If you have a laptop you frequently take out of the house, consider turning off your browsers’ password storage function. You’ll likely find this function in the Tools or Preference menus.

Most importantly, use a different password for every site that matters, just like you do with your keys. Examples of sites that matter are sites for banking, mortgage payments, bill pay services, online shopping, and social media sites. Choosing passwords with combinations of letters and numbers is a good idea.

As I said in a recent Washington Post article talking about the LinkedIn breach, companies also have a role to play in protecting user information.  Companies must think about security and privacy from the moment they begin designing their products to better head-off hacker attacks, particularly as policy-makers push for data breach legislation. If they can make accessing their data too difficult, criminals will head elsewhere.

Thanks to mobile apps, websites and add-ons, tracking so many passwords doesn’t have to be daunting. For example, try using software like Password Locker and the app SecureSafe are great examples of methods to save passwords.

Choosing hack-proof passwords and different log-ins for different sites have saved thousands of people money, time, and hassle by making their personal and financial information that much more secure.

And we can all appreciate a little more security and peace of mind online.

For more of Hemu’s thoughts on safety, security, and privacy, please visit www.hemunigam.com.

Nov 29, 2011

Avoiding the Cyber Crime Holiday

Price Waterhouse Coopers just released a report finding that cyber crime against businesses has soared in 2011.  While Cyber Monday might be over, the online shopping discounts will continue to get better and better as Christmas approaches.  In essence, the holiday ad bombardment won’t stop until the New Year bells have tolled.

The press gives a great deal of attention to consumer protection over the holidays.  I even wrote an article for ABC News on this just this week.  And for good reason.  This year 40% of consumers will have their information misused.

But given the just as staggering figures for online crimes against businesses, what are these companies supposed to do? Are there good practices that businesses should adhere to this holiday season? The short answer is yes.

For any business, consumers are your most important asset.  If your customers don’t trust you, you won’t be in business long. Just as a manufacturers takes steps to ensure that the products they make are safe for consumers, businesses that engage in online sales must give cyber security the same level of importance.  Hackers will check how easy it is to break into a site, so put up the online security locks and force them to go elsewhere.  Note that the bigger you are, the more of a target you become.  Hackers love to make headlines, so be on the ready if you are popular site.

And follow these security tips to get started on the right path to putting your consumer first:

Cyber security basics: Make sure your system is secure by encrypting usernames, passwords, and valuable personal information that belongs to your consumer.  Also, break up personal information, for example, store username separate from full names and addresses.

“Red Team” your site – bring in a team of white hat hackers (a service SSP Blue provides, for example) to do a security assessment – they can find security holes and help you fix them before the bad guys exploit them.

“Red Team” your site again – anytime you change anything on the site – add a feature, for example – make sure it goes through the Red Team process again before going live.  A new feature can sometimes break something else.

Teach secure coding – the best engineers still need training on how to write ‘secure code’.  If you outsource your engineering, demand the outsourced company do the same.

Insert ‘Teachable Moments’ throughout your site – teach your users how to be cautious online and how to navigate safely – so they make it part of their daily routine and trust you more in the process.

Staying alert, engaged, and secure this holiday season isn’t just for consumers.  Businesses need to be on guard as much as consumers do.

A few cyber security steps can make the difference between a prosperous holiday season and a lousy lonely one.

Nov 28, 2011

Cyber Monday: 6 Tips to Avoid Getting Hacked or Scammed

Cyber Monday — which for many stores begins Sunday — is almost upon us. That means that more than any other time of year, we’ll be bombarded with sales and deals and notices and ads. One study found 84 percent of retailers saying they would email consumers about holiday-shopping deals.

Your email inbox will be stuffed like a Thanksgiving turkey with all sorts of offers. Many will be legitimate. An ever-rising number will be scams targeting your identity and money.

Facebook may need you to click in the link in an email so they can verify your login information. UPS may send you an email saying you need to view the attachment to get details about a long-lost package. Your bank may send you an alert that your recent transaction was declined and they need your information immediately to correct the error. And a Nigerian Prince may notify you urgently that you’re about to receive $5,000,000…if you can just send him $500 to get the money out of a closed account.

If you think the only scam is the Nigerian Prince, you’re terribly mistaken. And this mistake can be costly.

According to Javelin Strategy & Research’s 2011 Identity Fraud Survey Report, 40 percent of all identity theft victims had their information stolen while making an online purchase.

Viruses and scams are becoming intertwined these days, and they are more cunning than ever. The latest trend in cyber infections is the active virus — a virus that cons you into taking some action.

Hackers and attackers are sending emails impersonating well-known and commonly used services like Facebook, UPS and your local bank in order to steal your information. They are very good at it. The emails look and sound legitimate even though they are designed to infect your computer or steal your personal and financial information.

How do hackers impersonate something like Facebook? Usually they fill an email with company graphics and links, which are easy enough to find via a Google image search. Often the hackers will go so far as to give you a warning reminding you to “be careful of scammers out there.” They even put privacy information on the bottom to make the email look official.

Among the “good,” legitimate-looking links in the email, there will be a note asking you to click a link to “verify” your login information. The link will take you to a site that’s dressed up to look like Facebook or a UPS page, for example, or it will open an attachment or drop a virus.

Once you’ve entered your identifying information — thinking you’re being smart and keeping up with privacy — the hackers steal your identity and money. Other emails might ask you to download a simple attachment that will actually launch a virus designed to give the hacker access to your computer and everything in it.

How can you avoid falling prey to these scams?

  • Check addresses carefully. Hackers send you messages from addresses that look legitimate and don’t raise alarms. But if the email address is “facebooksupport@aol.com,” you can be sure that it’s not from Facebook. So don’t click the link in it. If it’s an official email, it will come from an official, company address.
  • Check the address again! Sometimes hackers even use technical tricks to make the address the email came from end with a legitimate, well-known domain. An example might be “help-hr178367459@facebook.com.” Emails like these often contain infected attachments.
  • Research and use online security tools and services. Some of them are free — a good example is BillGuard, which scans your credit card bills for questionable charges. BillGuard says it has saved consumers more than $500 million in fraudulent charges consumers might otherwise not have noticed
  • Avoid attachments. Unless you personally know the sender of an attachment or email, do NOT download or open the attachment. If you are tempted, at least run the latest anti-virus, anti-phishing and anti-spyware software on your system.
  • Do your research. Most scams are talked about on the Internet somewhere. Google the type or wording of the scam and see what comes up. A site called www.snopes.com offers lots of information about new and old scams. Also, call the company from which the email is allegedly coming. If you’ve gotten an email from a bank and you call the bank but they have no record of your transactions, the email is a scam or a virus.
  • Go with your gut. If an email seems fishy (or “phishy”), it probably is. Use the common sense you use in the real world — it may seem obvious, but for whatever reason many people often suspend their common sense in the online world.

The holidays are all about giving — but not to scammers and hackers.