Adrian’s April 26 Security advice

Password advice

Create strong passwords. I strongly recommend at least three short, random, unconnected words, with an upper case first letter and a number and two symbols at the beginning. This gives you a strong yet fairly easy-to-type password that satisfies most online services’ password rules, e.g., 8!#Postwatcheggs. Passwords should be at least 13 characters long. THE best single protection is password length.

Why? Criminals usually don’t use humans to guess passwords – though that certainly doesn’t mean your password should be guessable. They use automated tools that try every previously leaked password (there are millions) plus every word in the dictionary and atlas (in multiple languages), as well as phrases, song names, place names, pet names etc., plus common variations on those, such as a number at the end or a capitalised first letter. Changing an ‘e’ to a ‘3’, an ‘o’ to a ‘0’ or an ‘I’ to a ‘1’ etc. is of almost no benefit; they’ll try those variations too. My recommended formula is enough to defeat this approach. Follow it precisely: even small variations on the above, e.g. two words rather than three, will make you considerably more vulnerable.

This is why it is vital you never use words commonly used together (e.g., ArsenalFootballClub or tobeornottobe). Avoid family names, pets, dates of birth, parts of your address or anything else related to you or the service you are logging into. Stick with truly unconnected short words.
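
As an added illustration (example code, not part of the original advice), the following Python puts the formula above into practice: it generates a password in the recommended shape, rejects passwords that fail the advice, including ‘leet’ substitutions of the kind cracking tools undo, and estimates how much guessing work the three-word formula imposes compared with two words. The word list and the ‘leaked’ list are small constructed stand-ins for a real dictionary and a real leak corpus.

```python
import math
import re
import secrets

# Constructed word list standing in for a real one (e.g. a 7,776-word diceware list):
# only short, unconnected everyday words, as the advice recommends.
WORDS = [
    "post", "watch", "eggs", "lamp", "river", "cloud", "pencil", "orbit",
    "garlic", "velvet", "tundra", "marble", "kettle", "wasp", "ferry", "quilt",
]
SYMBOLS = "!#$%&*+-=?@^_~"

# Constructed stand-in for a list of previously leaked passwords and common phrases.
LEAKED = {"password", "qwerty", "letmein", "arsenalfootballclub", "tobeornottobe", "iloveyou"}

# Substitutions the text says are of almost no benefit: cracking tools undo them too.
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def make_password(words=WORDS, n_words=3, symbols=SYMBOLS):
    """Follow the formula: a digit and two symbols in front, then n random unconnected
    words run together with the first letter capitalised, e.g. 8!#Postwatcheggs."""
    body = "".join(secrets.choice(words) for _ in range(n_words))
    prefix = str(secrets.randbelow(10)) + secrets.choice(symbols) + secrets.choice(symbols)
    return prefix + body[0].upper() + body[1:]


def letters_only(pw):
    """Undo leet-style substitutions and drop everything but letters, so that
    'P@ssw0rd!!' is judged as the dictionary word 'password'."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())


def check_password(pw, leaked=LEAKED, words=WORDS):
    """Return the reasons a password fails the advice (empty list = passes)."""
    problems = []
    if len(pw) < 13:
        problems.append("shorter than 13 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if len(re.findall(r"[^A-Za-z0-9]", pw)) < 2:
        problems.append("fewer than two symbols")
    core = letters_only(pw)
    if core in leaked or core in words:
        problems.append("is a leaked or dictionary word once substitutions are undone: " + core)
    return problems


def scheme_entropy_bits(wordlist_size, n_words, n_symbols=len(SYMBOLS)):
    """Guessing work faced by an attacker who knows the formula: each word is one
    choice from the list, plus one digit and two symbols. Dropping from three words
    to two loses about 13 bits, far more than any leet substitution adds."""
    return n_words * math.log2(wordlist_size) + math.log2(10) + 2 * math.log2(n_symbols)


if __name__ == "__main__":
    pw = make_password()
    print(pw, check_password(pw))
    for weak in ("P@ssw0rd!!", "ArsenalFootballClub", "8!#Postwatch"):
        print(weak, check_password(weak))
    print("3 words from 7,776:", round(scheme_entropy_bits(7776, 3), 1), "bits")
    print("2 words from 7,776:", round(scheme_entropy_bits(7776, 2), 1), "bits")
```

Run as a script it prints one freshly generated password that passes every check, then the reasons three weak choices fail: the leet-mangled word, the football club phrase, and the two-word variant of the recommended formula.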

Criminals have also been known to use ‘social engineering’ techniques and publicly available information to crack passwords – for example, asking you to complete a fake market research survey that asks for your pets’ names, children’s names, dates of birth etc., or using parts of your address. There is also a wealth of public information available: your address, place of birth, date of birth and mother’s maiden name are widely available via, for example, government records and genealogy databases. Do not use real answers to create responses to security questions or passwords. Instead, choose random words for both security questions and passwords and write them down on paper.

Don’t create memorable passwords! A good password will not be easy to remember. Write them down in a notebook instead. Address books work well, or buy a password book from Amazon: https://amzn.to/3HFKlV2.

Use each password once only. Online services regularly leak data; if you use the same password elsewhere, a single leak gives hackers access to every place you used it. It is therefore vital you use a completely different password on every web site. NEVER use variations of a password you’ve used elsewhere.

Check for leaked public data associated with your email address at www.haveibeenpwned.com
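
A related added example (not from the original advice sheet): haveibeenpwned.com also runs the Pwned Passwords service, which lets you check whether a specific password appears in known leaks without ever sending the password itself. Only the first five characters of the password’s SHA-1 hash are sent; the service returns every leaked hash suffix sharing that prefix, and the comparison happens on your own machine. The endpoint below is the real one; the sample response body is constructed (made-up counts) so the parsing can be exercised offline.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API (k-anonymity model): only the first
# five hex characters of the SHA-1 hash leave your machine.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password):
    """SHA-1 the password and split the upper-case hex digest into the 5-character
    prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_for_suffix(suffix, body):
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times
    our suffix was seen in leaks; 0 means it was not in the bucket."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Download the bucket of all leaked suffixes sharing our 5-character prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "leak-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def times_leaked(password, fetch=fetch_range):
    """Number of times the password appears in known leaks. 'fetch' is injectable so
    the logic can run offline against a captured or constructed response."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_for_suffix(suffix, fetch(prefix))


# Constructed sample of a range response for prefix 5BAA6 (the counts are made up).
SAMPLE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
)

if __name__ == "__main__":
    print("offline check of 'password':", times_leaked("password", fetch=lambda prefix: SAMPLE_BODY))
    try:
        print("online check of 'password':", times_leaked("password"))
    except OSError as exc:
        print("network unavailable:", exc)
```

A non-zero count means the password has already been leaked somewhere and, per the advice above, will be in the lists automated tools try first; a zero only says it has not been seen yet, not that it is strong.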

Whenever possible use two-step authentication. It adds extra hard-to-steal information to your login. Most often a single-use code is sent to your mobile by text message or via a mobile app. You usually only need to use the code once per device. A hacker may steal your password, but they won’t – usually – have access to your mobile phone. All major online services offer this, sometimes under slightly different names. For setup instructions, search Google for “two-step authentication” plus the service name, e.g., “two-step authentication Amazon” or “two-step authentication Facebook”.

Always practice good password security. All web sites are a potential risk. Criminals combine little bits of information from several, apparently low-risk, sites to build up a profile of you, which is then sold on the dark web for a significant sum (see overleaf).

Why not use password manager software? I’m not a fan: they are a honeypot for hackers and several have a history of serious security flaws, though they are better than re-using the same or similar passwords. For assorted reasons I trust Google’s Chrome, Mozilla’s Firefox and Microsoft’s Edge browsers to store passwords more than password managers like Dashlane or LastPass (which suffered a major breach in 2022). Better still, write them down in a hard-to-lose address book or password book (available on Amazon). Alternatively, store them in an Excel sheet (not called ‘passwords’) protected with a strong password (Google ‘Protect an Excel file’ for Microsoft’s instructions).

Why security matters.

Or: “But surely nobody is interested in me? I don’t even use my machine for home banking.”

Almost all personal data has value to fraudsters, for example:

●        Your name, address and date of birth are all that’s needed to take out a loan in your name, damaging your credit record in the process and, in the worst case, leaving you facing debt collectors and bailiffs.

●        Your name, sort code and account number are all that’s needed to set up a direct debit.

●        Stolen access to a Gmail (email) account was worth (in 2020) $156 on the dark web (1).

●        A single credit card’s details sells for $12 to $65 (1).

●        Stolen social media accounts can be used to generate fake followers to promote fraudulent products and endorsements (and fake followers can be sold) and to commit all sorts of other fraud. Stolen Facebook account login details, for example, were selling on the dark web for $75 per login in 2020 (2).

●        A list of those you email can be used to send them spam. The resulting spam emails may appear to come from you, because they are then more likely to pass through spam filters, be read and be believed.

●        An invoice sent by email can be intercepted and replaced by one with altered bank details, so you inadvertently pay the fraudster.

●        Data gathered from your computer can be used to trick you or your contacts, for example into sending emergency funds to a friend or family member (“Help Mum, there are bailiffs at my door…”, “I am in a Mexican A&E and need to pay or they won’t operate…”) – typically fake scenarios that aim to make you panic and then take immediate action.

Even if there’s zero personal data on your computer (which is unlikely) malicious software does many other thoroughly unpleasant things, including:

●        Advertising at you via pop-ups, or redirecting you without your knowledge to criminal web sites (generating criminals a few $’s per year per computer).

●        Sending spam through your computer, making it harder for the recipient’s spam filters to block because it is sent from many different infected computers.

●        DDoS attacks. Criminals use infected computers to attack organisations’ computer systems by overwhelming them with vast numbers of incoming connections. Called Distributed Denial of Service (DDoS) attacks, they are sometimes used to distract the victims from other, more serious attacks, or to blackmail them into paying to stop the attack. Some are also motivated by ideological or political causes.

●        Spying on you via your webcam / microphone, capturing your keystrokes as well as stealing your documents and pictures.

●        Cryptocurrency ‘mining’ – crooks may use your computer to ‘mine’ cryptocurrencies (like Bitcoin). The supply of most cryptocurrencies is limited because they can only be created (‘mined’) by solving complex mathematical problems that demand a great deal of computing time. If that happens on your computer it costs you significant amounts of electricity and, like a lot of software installed by criminals, slows down your computer.

●        Click fraud – software that imitates a human clicking on online ads. Web advertisers typically pay per click, and a portion of the funds charged to the advertiser is paid to the fraudsters who own the web sites hosting the ads.

●        Ransomware encrypts (scrambles) all your data (documents etc.) and demands a large fee to decrypt it (and there’s no guarantee you’ll get your data back even if you pay).

●        Installing a malware (malicious software) ‘dropper’, a program that installs more malicious software, for which the dropper’s owners may be paid, or which they may use for their own purposes, such as installing even more of the sorts of malicious software described above.

(1)    www.welivesecurity.com/2020/08/03/how-much-is-your-personal-data-worth-dark-web/

(2)    www.bitdefender.com/blog/hotforsecurity/your-hacked-facebook-account-goes-for-75-on-the-dark-web

To reduce the risk of becoming a victim

  • Use a good antivirus. I recommend the paid-for version of Malwarebytes Standard on Apple Macs (www.malwarebytes.com/pricing) and Bitdefender Free (www.bitdefender.com/en-gb/consumer/free-antivirus) on PCs. Turn off all Bitdefender’s marketing in settings / notifications. They are vital to have, but no antivirus spots every threat; too many new ones appear each day for even the best to keep up.

  • Never ever connect devices such as laptops, phones or tablets to public internet connections, whether wireless or wired, including those in hotel rooms, without using a Virtual Private Network (VPN) to encrypt all the data going in and out. I recommend Mozilla VPN (by the non-profit makers of the Firefox web browser). It costs around £5-£10 a month and protects up to five devices: www.mozilla.org/en-GB/products/vpn/

or

Use your phone’s mobile hotspot feature instead (also known as ‘tethering’). This uses the Internet supplied by your mobile phone network (e.g. Vodafone, O2, 3, EE etc.) to supply the internet via Wi-Fi to another device. Check you have a sufficient data allowance included in your monthly mobile contract or ‘pay as you go’ plan – remember, it may cost a lot more when abroad. PCs and Macs tend to use up data allowances much quicker than phones do. Google ‘iPhone hotspot setup’ or ‘Android hotspot setup’ for instructions.

  • Never ever install software unless you absolutely know where it comes from and you trust its makers. If the software makers are crooked, any program for a Mac, PC, mobile phone or tablet can be used to access every part of your device: your files, keystrokes, microphone, camera, etc. Free (pirated) TV services, file converters, PDF tools, data recovery software, hardware driver installers, and apps that claim to ‘speed up’ or otherwise fix your computer are the most common, but far from the only, sources of this sort of infection. Pirated software is a very substantial risk. It is vital you know and trust the source of any software you install.

  • Follow the password advice above.

  • Install software updates as soon as possible. Updates to Windows, MacOS, iOS, Android and the software running on them are mostly there to fix newly discovered flaws hackers can exploit to gain access to your device. Updates can go wrong, but not updating is a bigger risk.
    The exception is major, usually annual, updates to the Operating System, i.e., Microsoft Windows, Apple MacOS, Apple iOS (iPhone and iPads) and Android (almost all other non-Apple tablets and touch screen phones). Wait a few months before installing major updates for the wrinkles to be ironed out. You will still get security updates for the older version for a while.

  • Be careful of the first few search results on Google and other search engines; they are usually adverts (marked ‘ad’ or ‘sponsored’), though often poorly marked. They may take you to a fraudulent web site at worst, or a rival’s site at best.

  • Never click on a link in an email or other message, nor call the phone number in the message. If you’re not sure it’s genuine, check by visiting the website directly, e.g., by searching Google. Be suspicious even of emails from people you know; they may not have been sent by them. Fraudsters send the same email to thousands. You may, for example, get a “your DHL delivery is due…” email just as you are expecting a real delivery, or a fake invoice that appears coincidentally related to something you have (e.g. antivirus software). Don’t let coincidence trick you into clicking. If you’re not absolutely 100% sure an email attachment or clickable web link is safe, DO NOT CLICK ON ANY LINK OR ATTACHMENT IN A MESSAGE unless you have checked it’s real by either phoning the sender or visiting the web site directly. For example, if you get a message that appears to come from PayPal claiming your account is due to be suspended, go directly to their web site (www.paypal.com) via your web browser (Chrome, Firefox, Edge or Safari) and log in to your account. If the claim is true (though in this PayPal-based example it almost certainly won’t be) you’ll see a message there.

  • Never ever give somebody else a one-time code generated by an app, security device or received by text message, unless you know and trust them and they are setting up software on your behalf.

  • AI (Artificial Intelligence) is increasingly being used to craft convincing, personalised emails, chat and text messages based on messages you’ve previously exchanged. If a message contains an attachment or web link, or leads to a request for a funds transfer (sometimes indirectly, after further, often convincing, follow-up), check with the sender by phone that it is genuine before clicking or sending money.

  • Check bank details by phone before paying. Fraudsters often intercept emails and change only the banking details in otherwise legitimate emails.

  • Never give away personal details by phone, text message, web or email unless you are absolutely 100% sure the recipient is trustworthy. Hang up on all cold callers; if in doubt, call the organisation back from another phone (the fraudster may keep the line open) using a number from a bill or bank card. Caller ID is not proof a caller is genuine. Never ever give them remote access to your computer. Sky, BT, Microsoft or Virgin (or anybody else) will never call you to say there’s a problem with your computer or your broadband. Nor will Amazon ever call you about an Amazon Prime subscription or a fraudulent transaction. Household appliance insurance and Sky TV subscription scam calls are also common.

  • Be very, very wary of friends or family or, at work, a manager / CEO saying they need money transferred (or claiming their phone number has changed). Insist on speaking to them by phone first. ASK THEM QUESTIONS ONLY THEY CAN ANSWER. Fraudsters are using AI tools that convincingly imitate real people’s voices and video. They only need a sample of a few seconds of audio or video to do so. DO NOT be convinced by a call appearing to come from a particular phone number, even if the voice or video looks and sounds like somebody you know.
    Watch this entirely AI-generated YouTube video to see just how convincing AI scams can be: https://bit.ly/4n40owc

  • If a message on your computer claims there is a problem (such as a virus infection) or that you have viewed inappropriate content, and gives you a phone number to call or asks for money to fix it, DO NOT DO SO. It is a scam.

  • When filling in Government forms online (e.g., tax, DVLA, passport applications etc.) check the web address ends in ‘.gov’ or ‘gov.uk’. There are many web sites imitating government sites that charge high fees to do little more than forward your data to the web site you intended to visit. Be wary of the first few Google and other search engines’ results, which are usually adverts; they are, often subtly, marked ‘ad’, ‘advert’ or ‘sponsored’.
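
The ‘ends in gov.uk’ check is easy to get wrong if done as a plain text match: a host such as www.example-gov.uk also ends in the letters gov.uk yet is not under the government domain at all. The following added Python example (not part of the original advice) checks that the site is gov.uk (or .gov) itself or a sub-domain of it, compared at a label boundary, and also copes with a user-name trick in the address. The lookalike hostnames in the tests are constructed for illustration.

```python
from urllib.parse import urlsplit

# The two endings the advice names; treated here as registrable domains, not as text
# suffixes (assumption of this example).
OFFICIAL_DOMAINS = ("gov.uk", "gov")


def host_of(url):
    """Extract the lower-cased host name, tolerating a missing scheme and a trailing dot.
    urlsplit().hostname discards any 'user@' part, so 'https://www.gov.uk@other.example/'
    is correctly seen as other.example."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def under_domain(host, domain):
    """True only if host IS the domain or is a sub-domain of it (label boundary),
    so 'www.gov.uk' passes but 'www.example-gov.uk' does not."""
    return host == domain or host.endswith("." + domain)


def is_official_site(url, official=OFFICIAL_DOMAINS):
    """The check the advice describes, done properly."""
    host = host_of(url)
    return any(under_domain(host, d) for d in official)


def naive_check(url):
    """The literal reading 'ends in gov.uk / .gov' as a plain string test, kept only
    to show which lookalikes slip through it."""
    return host_of(url).endswith(("gov.uk", ".gov"))


if __name__ == "__main__":
    # Constructed addresses: one genuine-looking, several lookalikes.
    for url in (
        "https://www.gov.uk/renew-driving-licence",
        "https://www.example-gov.uk/passport",
        "https://www.gov.uk.example.com/tax",
        "https://www.gov.uk@other.example/",
    ):
        print(f"{url:45} proper={is_official_site(url)!s:5} naive={naive_check(url)}")
```

Of the constructed lookalikes, the hyphenated one is the instructive case: the naive string test accepts it and the label-boundary test refuses it.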

  • Always keep backups. Check your machine is backing up regularly. Ideally keep at least one backup on a device physically disconnected from the computer, where hackers can’t reach it. Regularly check the backups.
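
‘Regularly check the backups’ can be made concrete. The following is an added Python example (not from the original advice): it records a SHA-256 fingerprint of every file in the original folder, then compares a backup copy against that record and reports files that are missing from the backup or whose contents have silently changed. The folders and files in demo() are constructed in a temporary directory; a real manifest would be kept with the backup.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(backup_root, manifest):
    """Compare a backup copy against a manifest taken from the original. Returns the
    files 'missing' from the backup, 'changed' in content, and 'extra' ones not in the
    manifest; all three empty means the backup matches."""
    actual = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "extra": sorted(k for k in actual if k not in manifest),
    }


def demo():
    """Constructed scenario: an original folder, then a backup where one file was never
    copied and another was silently corrupted (as a failing disk might do)."""
    with tempfile.TemporaryDirectory() as tmp:
        original, backup = Path(tmp, "documents"), Path(tmp, "backup")
        for folder in (original, backup):
            (folder / "photos").mkdir(parents=True)
        (original / "tax.txt").write_text("2024 return")
        (original / "notes.txt").write_text("shopping list")
        (original / "photos" / "cat.jpg").write_bytes(b"\xff\xd8constructed image bytes")
        manifest_path = Path(tmp, "manifest.json")
        save_manifest(build_manifest(original), manifest_path)
        # The backup: tax.txt intact, cat.jpg corrupted, notes.txt missing.
        (backup / "tax.txt").write_text("2024 return")
        (backup / "photos" / "cat.jpg").write_bytes(b"\xff\xd8corrupted image bytes!")
        return verify_backup(backup, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Checking the backup device this way, rather than just seeing that the backup job reports success, is what catches a copy that exists but cannot actually restore your files.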

  • If possible use a credit, rather than a debit, card. If it is misused, you have at least two weeks’ warning during which the card company can refund the transaction before any money leaves your bank account. In addition, payments for items costing between £100.01 and £30,000 are covered by section 75 of the Consumer Credit Act (3). In the UK it makes, for a few months, the credit card company jointly liable with the seller for non-delivery, faulty goods, breach of contract and consequential loss.

  • Use your mobile phone to make contactless card payments with Google Wallet, Samsung Pay or Apple Pay. It is far more secure than a card because the retailer, and those further up the processing chain, do not get your card details, and access is protected by a fingerprint or Apple’s Face ID. Your fingerprint or face print is securely stored on your phone; it is not shared with anyone.

  • The safest and easiest way to bank online is via an app on a phone or tablet. They are compromised less often than Macs or PCs, and biometric (e.g. face or fingerprint) authentication is generally more secure on mobile devices. Set your phone / tablet to lock itself with a PIN / biometric after a short period of not being used.

(3)    www.moneysavingexpert.com/reclaim/section75-protect-your-purchases/

Summary

Passwords

  • Use strong passwords: at least three random, unrelated words that are at least four letters long, with an uppercase letter, a number, and two symbols at the beginning (minimum 13 characters).

  • Never use common phrases, personal information, or words that go together.

  • Don’t rely on memory - write passwords down in a secure notebook or password book.

  • Use a unique password for every site; never reuse or slightly modify passwords.

  • Enable two-step authentication wherever possible for extra security.

  • If you’re using a password manager to store your login information, use the one in your web browser (Chrome, Firefox or Edge) and switch on all the extra security settings. For example, in Chrome this means enabling encryption and requiring your login PIN to retrieve a stored password.

Defences

  • Use antivirus software. I recommend the paid-for version of Malwarebytes on Apple Macs, or Bitdefender Free on PCs (switch off Bitdefender’s marketing in settings / notifications).

  • Avoid public internet connections unless using a VPN; I recommend Mozilla’s VPN.

  • Keep software updated, but wait a few months before installing major Operating System updates.

Software

  • Only install software from sources you absolutely know and trust.

  • Promptly install software updates.

Backups

  • Always keep backups, ideally at least one backup online in the cloud (Google Drive or Microsoft’s OneDrive) and one on a storage device that’s normally kept disconnected from your computer.

  • Regularly check your computer is backing up.

Payments

  • Use credit rather than debit cards. They give you time to dispute fraudulent transactions before money leaves your bank account.

  • Card payments made with your mobile phone using Google Wallet and Apple Pay are far more secure than cards.

Scams

  • Criminals are using artificial intelligence (AI) to create very convincing fake emails, texts and calls (even video calls). Always double-check by calling the person directly or asking questions only they can answer.

  • Don’t click / tap on links in emails, texts or other messages. If you think it might be a genuine message, visit the web site directly via a Google search to check. If it’s from an individual, phone them to check.

  • Avoid the ads (marked ‘sponsored’ or ‘ad’) at the top of web searches - many are scams.

  • If your computer shows a warning that your computer is infected and asks you to call a number or pay money, it’s a scam.

  • Hang up on all cold callers. If in doubt, call back from another phone (fraudsters may keep the line open) using a phone number you know to be correct. Note: caller ID is easily faked.

  • Never ever give somebody else a one-time code generated by an app, security device or received by text message, unless you know and trust them and they are setting up software on your behalf.