By Adam King - Security Consultant at PGI Cyber
As a security guy, the question I find myself being asked most often is, “how do I stay safe online?” In this second article, I will cover some further methods of staying safe online.
If we drill down to the basic level, a recovery question is a type of password. The answer is supposed to be a secret which only you know; however, the questions posed by almost every organisation are very insecure – it is almost certain that close friends and family will know your mother’s maiden name or your first school. My advice for these questions is to use something which isn’t the correct answer – in other words, treat the answer as a password in its own right.
You may get a confused response when telling a customer assistant over the phone that your mother’s maiden name is Trombone123; however, it is safe to assume that nobody else will think to give this answer when attempting to gain access to your personal information. By using this method, even if an attacker were to find out the real answers from the likes of Facebook and Ancestry.com, they would be unable to use that information against you.
Account Privacy and Security Settings
Leading on from recovery questions, it is important to recognise where this sensitive information may be in the public domain. For most users, the answer to this will likely be social media sites. Luckily for you, it is a very simple process to go to your privacy settings and remove this information or replace it with fake details – there is nothing wrong with leaving a few red herrings for the bad guys.
Enabling two-factor authentication is also highly recommended for applications which support this functionality. With it enabled, you must log in using a username and password, and also a security code which is sent to your mobile device, ensuring that nobody can access your account without physical access to your phone.
Finally, a lot of online applications will allow you to configure alerts via text or e-mail when your account is accessed. Receiving one of these alerts may start ringing alarm bells and encourage you to change your password or contact the organisation to verify where this login has come from.
Last but not least, phishing e-mails are a common cause of losing personal information to a malicious party. Most of us will receive these e-mails daily; however, many of them will be filtered as spam and you may never see them.
It is important to think about the content of e-mails requesting personal information. Why would an organisation initiate contact with you and ask that you prove who you are? They are the ones who have made contact and should therefore be the ones to prove authenticity.
Verify the source of e-mails. Check, double-check and triple-check the domain (the part after the @ symbol): for example, firstname.lastname@example.org has a spelling mistake which could easily be missed. If there are mistakes in the e-mail address, it cannot be trusted.
If you have the time, forward these e-mails to an appropriate handler. Many companies have teams that will investigate scams, and in some cases will distribute e-mails to all customers warning them of phishing attacks, or will contact e-mail providers to block these messages.
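As an added illustration of the "check the part after the @" advice (this is example code written for this page, not something from the article or from PGI), the Python below pulls the real address out of a From: header, ignores the display name, and flags sender domains that are a character or two away from, or contain the name of, an organisation you genuinely deal with. The trusted-domain list and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed allowlist (assumption): domains of organisations the reader genuinely deals with.
TRUSTED_DOMAINS = {"examplebank.com", "example.org"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain after the @ of the *real* address in a From: header ('' if none).
    parseaddr() strips the display name, so a name that merely looks like an address is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].strip().lower() if "@" in addr else ""

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (near-miss of a trusted domain) or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return "trusted"  # the trusted domain itself, or a subdomain of it
    for good in trusted:
        if levenshtein(domain, good) <= max_edits:
            return "lookalike"  # one or two characters off: the "spelling mistake" case
        if good.split(".")[0] in domain:
            return "lookalike"  # trusted brand label embedded in some other domain
    return "unknown"

# Constructed sample From: headers (not taken from the article)
SAMPLE_FROM_HEADERS = [
    "Example Bank <alerts@examplebank.com>",
    "Example Bank <alerts@exarnplebank.com>",           # 'rn' in place of 'm'
    '"alerts@examplebank.com" <mailer@other.test>',     # trusted address only in the display name
    "Example Bank <alerts@examplebank-secure.test>",    # brand name inside an unrelated domain
    "Newsletter <news@unrelated.test>",
]

def triage(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Map each From: header to its verdict."""
    return {h: classify_sender(h) for h in headers}
```

Calling triage() returns trusted, lookalike, unknown, lookalike, unknown for the five sample headers in order; the third case shows why the display name alone tells you nothing.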