Technology and Cyber Risk
This article is a part of Risk Update 2.
This is the first article in a series looking at personal security, practical tips for staying safe online and managing your digital identity. In this series we will cover how to protect your accounts online (the subject of this article), avoiding scams and safeguarding your devices and data.
Why We Need to Act
The last few years have seen some incredible data and privacy breaches. Facebook’s woes come readily to mind with repeated appearances before the US courts following the controversy in the 2016 US election and the Cambridge Analytica breach, but they aren’t the only ones in the spotlight.
Last year Marriott International lost 500 million accounts, Under Armour 150 million and Equifax 143 million. Unfortunately, 2019 has not fared much better. 540 million Facebook accounts were lost by companies with poor security practices that used Facebook to authorise their users. Canva, the online graphics platform, reported a breach of over 140 million accounts following a hack on their systems in May.
It may seem that the rate of breaches is increasing, and that is certainly part of the story. The observed increase can also be attributed to the growing adoption of mandatory data breach reporting legislation by governments across the world. The USA, EU, Canada and Australia all have mandatory data breach reporting laws that cover intentional (e.g. attackers stealing data from a database) and unintentional (e.g. mistakenly giving personal information to the wrong person) data loss. So it is not simply that more breaches occur; we are also being made aware of breaches that would otherwise have gone unnoticed.
According to the Office of the Australian Information Commissioner (OAIC), there were over 950 notifiable breaches between July 2018 and June 2019, averaging almost 80 breaches per month. In most cases, contact information was stolen, but financial, health and Tax File Numbers were also lost in breaches. Reading the statistics, it might feel like the only options are to remove yourself from the internet and delete all your accounts in an attempt to protect your personal information, or to resign yourself to the ‘fact’ that losing your data is the cost of entry in the connected world. Whether you’re a digital native or someone who doesn’t consider themselves particularly ‘tech-savvy’ and finds it all a bit overwhelming, the tips and suggestions in this series will provide you with some pragmatic options to help you stay safe online and improve the way you manage your digital identity.
Protecting Your Accounts and Privacy
Two-Factor Authentication (2FA)
One of the best ways to secure your account is to add an additional step or ‘factor’ when logging into your accounts. The most common version of this is to use a ‘token’ to generate a six- or eight-digit code that you enter after logging in with your username and password. These token generators could be a physical tag, provided by your bank or employer, or a ‘soft token’.
In the last few years, the rising popularity and convenience of digital or ‘soft tokens’, which make use of an app on your smartphone, have made them the ideal way to manage 2FA for personal accounts. Password managers and apps like Google Authenticator or Microsoft Authenticator make managing multiple tokens easy and remove the need to carry multiple physical token generators on keyrings or in backpacks. They have the added benefits of being less likely to be lost (assuming of course that you aren’t prone to losing your phone) and are often protected by the biometric security you use to unlock your phone.
Digital tokens are quite easy to set up: in most cases, scanning a QR code with your phone’s camera and entering the code generated by the app is all that’s required. Most services offering 2FA also provide instructions on how to set up 2FA using popular apps like Google or Microsoft Authenticator.
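To show what the authenticator app is actually doing when you scan that QR code, here is an added example (not part of the original article, and not any vendor’s code): the QR code carries an otpauth:// URI, and the displayed code is a TOTP value computed from the shared secret and the current time. The account label and the secret in the URI are constructed; the secret is the RFC 6238 reference test key, not a real account’s.

```python
# Added example, not from the original article: what an authenticator app does
# with the QR code it scans.  The QR code encodes an otpauth:// URI; the code on
# screen is TOTP (RFC 6238): HMAC-SHA1 over a 30-second time counter, truncated
# to six or eight digits.  The secret below is the RFC 6238 test key.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed enrolment URI of the kind a real QR code carries; the secret is
# "12345678901234567890" in base32 (the RFC 6238 reference test vector key).
ENROL_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
             "&digits=8&period=30")

def parse_otpauth(uri):
    """Pull label, key bytes, digit count and period out of an otpauth URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # apps usually strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238: counter = floor(time / period), then HOTP (RFC 4226) on it."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_for(uri, unix_time=None):
    """The code the app would display for this enrolment at the given time."""
    p = parse_otpauth(uri)
    t = time.time() if unix_time is None else unix_time
    return totp(p["key"], t, p["digits"], p["period"])

if __name__ == "__main__":
    print(parse_otpauth(ENROL_URI)["label"], code_for(ENROL_URI))
```

Because the server holds the same secret and clock, it can recompute the code and compare, which is why a code is only valid for one short window and why the secret in the QR code must be kept private.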
One note of warning regarding 2FA. Many services now offer account confirmation and 2FA by sending a text message to your phone, and while it can be a convenient way to get a token code, it is vulnerable to an attack called SIM jacking, where an attacker clones your SIM card to receive text messages sent to your number. Attackers use this method in combination with stolen credentials to steal the 2FA code from a text message and log in. We would recommend using a digital or soft token like those mentioned above in conjunction with a password manager, rather than text message confirmations, to protect your accounts.
Most of us have a few ‘go-to’ passwords we use to manage our online lives and, if we’re particularly creative, maybe even a separate password for work. Often, these passwords are based on information that makes them easy to remember: anniversaries, the names of loved ones or a favourite sports team. The downside to this approach is twofold.
Firstly, if we had a fairly benign conversation about your family, your interests or what you got up to on the weekend, I’d have a fairly good list of things to try. To make matters worse, these days it isn’t necessary to have the conversation; Facebook, Instagram, LinkedIn and Twitter are all far easier and faster places to get that information, and you won’t even know I’m poking around.
Secondly, remembering passwords is painful at the best of times, which is why we tend to make them memorable. It’s also why we tend to reuse them over and over. Even if you have five or six passwords of varying complexity for social media, e-commerce, online banking or work, the stark reality is that even 10 or 15 passwords are insufficient for safely navigating the modern internet. But who has the brainpower to remember all those passwords?
The best place to start is a password manager. Password managers provide a simple and convenient way to manage your passwords online and offline, working on the principle that it’s easier to remember a single complex password than hundreds of passwords for every site and account you have. Password managers have the added benefits of encrypting your data, being available on all your devices and being more difficult to break into than the notebook you keep in the top drawer of your desk.
This all sounds good, but how do password managers actually work and how do you try one? Most modern browsers provide basic password manager functionality, suggesting complex random passwords and automatically filling them in when you return to log in to the site.
Chrome, Firefox and Safari all provide these features and provide a syncing service to keep the browsers on your devices up to date with your current passwords. Safari on iOS goes a step further, allowing these passwords to be accessed when signing into your mobile apps. Although not always enabled by default, Google offers a similar service with Chrome and Android.
Top 10 list of most common passwords from the UK National Cyber Security Centre (NCSC) survey, which analysed passwords belonging to accounts worldwide that had been breached:
1. 123456
2. 123456789
3. qwerty
4. password
5. 111111
6. 12345678
7. Abc123
8. 1234567
9. Password1
10. 12345
Taking things up a notch, there are stand-alone password managers that provide a device-independent way of managing passwords and usually include 2FA soft token integration. These services are excellent if you work across multiple platforms, devices or browsers or if you need a way to securely share passwords in your organisation for shared services or administrative accounts. These services typically integrate with your browser via an extension and can automatically fill in your account details when you log into a site. They may be cloud hosted or available as an app for your device.
There are several options to choose from, ranging from free to a few dollars a month; the main differences are the level of customer support available, the user experience and extended features such as integration with services like haveibeenpwned.com that actively check and advise you if your accounts have been exposed in a data breach.
Finding a service that’s right for you will depend on your budget and how comfortable you are managing and configuring the service. The free services are often open-source projects and require some fiddling to get started, while premium services like 1Password, LastPass or Dashlane are easy to use and provide customer support but come with a premium price tag.
Monitoring for Compromise
Services like haveibeenpwned.com and Google’s new Password Checkup extension can help you stay informed about the safety of your accounts by notifying you of suspected breaches. Sometimes having the information and taking steps to secure your account is the difference between losing your account and saving it.
This was illustrated recently with the release of the Disney+ streaming service, which attracted attention in its first week for gaining 10 million new signups, far eclipsing the launches of Netflix, Hulu and others. Disney+ also made headlines in its first week for an alleged ‘hack’ and accounts being sold on the dark web for as low as $3. Bad press aside, the reality is that these account thefts weren’t caused by Disney leaking the information, but by customers of the service reusing passwords that had been leaked previously from other sites, allowing attackers to commandeer the accounts and sell them.
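How can a password manager or browser tell you that a password has already appeared in a breach without sending your password anywhere? The added example below (not from the article and not haveibeenpwned.com’s own code) shows the k-anonymity lookup used with the Pwned Passwords range API: only the first five hex characters of the password’s SHA-1 hash are sent, and the match against the returned list of hash suffixes is done on your device. The response body in the example is constructed rather than fetched, so it runs offline.

```python
# Added example, not code from the article or from haveibeenpwned.com: the
# k-anonymity lookup a password manager performs against the Pwned Passwords
# API.  Only the first five hex characters of the password's SHA-1 leave the
# device; the comparison against the returned suffixes happens locally.
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """The only thing the service learns: a URL ending in the 5-char prefix."""
    return RANGE_ENDPOINT + sha1_prefix_suffix(password)[0]


def parse_range_response(body):
    """Each response line is 'SUFFIX:COUNT'; return {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appears in the breach corpus; 0 = not seen."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed response body for prefix 5BAA6 (the SHA-1 of "password" begins
# 5BAA6).  The first suffix really is the rest of that hash; the count and the
# other two lines are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

if __name__ == "__main__":
    print(range_url("password"), breach_count("password", CONSTRUCTED_RANGE_5BAA6))
```

A manager that finds a non-zero count prompts you to change that password everywhere it was reused, which is exactly the step that would have saved the Disney+ customers described above.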
Staying safe online is more than just being organised. To a large extent it is a mindset and a willingness to take proactive steps. Thankfully the last few years have yielded several great tools that can help keep us safe without compromising on convenience too much.
In the next article, we will be covering techniques to avoid scams and targeted phishing attacks, and we’ll look at steps you can take to protect your devices. The whole series will be published on our website as each article is released.