Expert Speak

How to Get Your Passwords in Good Order for 2019

Written by Tomas Foltyn, security writer at ESET

Many of us entered 2019 with a boatload of New Year’s resolutions. Doing more exercise, fixing unhealthy eating habits and saving more money are all highly respectable goals in their own right, but could it be that they don’t go far enough in an era of countless apps and sites clamoring to help you reach your personal goals, which apparently also includes – you guessed it – your New Year’s resolutions?

Now, you may want to add a few more weighty and yet fairly effortless habits on top of those well-worn choices. Here are a handful of tips for ‘exercises’ that will do good for your cyber-fitness.

I won’t pass up on stubborn passwords
Passwords have a bad rap, and deservedly so: they suffer from weaknesses, both in terms of security and convenience, that make them a less-than-ideal method of authentication. However, much of what the Internet offers is dependent on your signing up for this or that online service, and the available form of authentication almost universally happens to be the username/password combination.

As the keys that open online accounts (not to speak of many devices), passwords are often rightly thought of as the first – alas, often the only – line of defense that protects your virtual and real assets from intruders. However, passwords don’t offer much in the way of protection unless, in the first place, they’re strong and unique to each device and account.

But what constitutes a strong password? A passphrase! Done right, typical passphrases are generally both more secure and more user-friendly than typical passwords. The longer the passphrase and the more words it packs the better, with seven words providing for a solid start. With each extra character (not to mention words), the number of possible combinations rises exponentially, which makes simple brute-force password-cracking attacks far less likely to succeed, if not well-nigh impossible (assuming, of course, that the service in question does not impose limitations on password input length – something that is, sadly, still far too common).

I’ll have no sympathy for the passphrase-cracker
Another caveat is that it’s better to refrain from phrases that have made it into the everyday lexicon. Entire books, famous quotes, or lyrics – sing, ‘Pleased to meet you, hope you guess my name’ as a bit of an extreme example that is not to be taken literally – already tend to be part of the fodder of password-cracking tools. The individual words should be in random order and, ideally, sprinkled with special characters and character substitution, all the while retaining a hidden meaning and memorability to its creator. For practical guidance about creating your passphrases, you may want to refer to this short video tutorial or to this article.
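To put numbers on the two points above (length drives the search space, and the words must be picked at random rather than taken from a known phrase), here is an added example that is not part of the original article. The 16-word list is constructed so the block runs offline, and the pool sizes of 94 printable non-space ASCII characters and 7776 words (the size of the EFF long wordlist) are assumptions chosen for the comparison.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline. A real list
# should be far larger; the EFF long wordlist, for example, has 7776 words.
SAMPLE_WORDS = [
    "anchor", "biscuit", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "iguana", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]

def generate_passphrase(words, count=7, sep=" "):
    """Pick `count` words independently and uniformly with a CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would make the entropy estimate wrong")
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(pool_size, length):
    """Entropy of `length` independent, uniform picks from `pool_size` symbols.

    Only valid for random picks: a quote or lyric has far less entropy
    than its word count suggests, because cracking lists already hold it.
    """
    return length * math.log2(pool_size)

def words_needed(pool_size, target_bits):
    """Smallest number of words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))

def average_guesses(bits):
    """Expected guesses for an exhaustive search: half the search space."""
    return 2 ** (bits - 1)

if __name__ == "__main__":
    print("sample:", generate_passphrase(SAMPLE_WORDS))
    for label, pool, length in [
        ("8 random printable ASCII characters", 94, 8),
        ("4 random words from a 7776-word list", 7776, 4),
        ("7 random words from a 7776-word list", 7776, 7),
    ]:
        bits = entropy_bits(pool, length)
        print(f"{label}: {bits:.1f} bits, ~{average_guesses(bits):.2e} guesses")
```

Each added word from a 7776-word list contributes about 12.9 bits, so seven random words give roughly 90 bits against about 52 bits for eight random printable characters.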

Then, of course, there is the need for each passphrase to be distinct for each account, so that a leak of one of your passphrases doesn’t reverberate through your other and possibly more valuable accounts. Alas, the dangerous practice of password recycling is ubiquitous, and attackers can exploit it hands-down with an automated technique known as ‘credential stuffing’.

It’s quite likely that you use too many online accounts to remember a distinct passphrase for each of them. In which case, it’s worth considering a reputable password vault/manager that encrypts your password storage and takes away much of the pain that password management involves. Of course, such a tool can also generate randomized and complex passwords and passphrases for you.

While you should then need to remember only one master password that, ultimately, opens all your online accounts, the pressure will be on the sturdiness and uniqueness of this one key to your digital kingdom – so it’s back to the suggestions above.

I won’t skip the second step
Another trouble with passwords/passphrases may arise when they are not only the first, but actually the only line of defense for your account security. When that barrier crumbles – commonly through a phishing attack or by attackers somehow working out your login details – an extra authentication factor that does not rely on ‘something you know’ may very well foil your adversaries.

Two-factor authentication (2FA), or multi-factor authentication (MFA), is an excellent way of boosting the security of your accounts, especially when coupled with hardware keys or dedicated apps, and less so with SMS-borne 2FA. Although many online services provide 2FA options, few require its use. However, the adoption of 2FA has been on the rise and it’s never been easier to jump on the practice. Regardless of its implementation, signing up for 2FA wherever you can is well worth the little extra effort, as it can help in various scenarios, including when you never fell prey to a cyberattack compromising any of your passwords.

In fact, it’s quite probable that some of your authentication details will be, or have already been, stolen and posted online or made available for sale on underground marketplaces. The sources of these password leaks include the many security breaches that have blighted online services, retailers, hotel chains and the like.

Additionally, the targeted entity may have protected the users’ passwords with weak hashing and salting functions, or even stored the passwords in plain text. Worse still, the service provider, let alone you, may not know until quite a while later that hackers pilfered the often poorly secured data, or purchased them on the dark web, so you had no shot at taking any ad-hoc defensive measures. Again, this is also where that extra authentication factor will usually thwart any account-takeover attempts.

In fact, go ahead and see for yourself on Have I Been Pwned? whether any of your online accounts may have been part of a known breach. Aside from the almost 5.7 billion compromised accounts that the site indexes, it also has a cache of more than half a billion publicly leaked or stolen passwords in clear text that have been revealed in past breaches, so you can check yours against the database, too.
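A password can be checked against that database without sending the password, or even its full hash, to the service. The sketch below is an added example, not part of the original article; it assumes the service's public Pwned Passwords range endpoint, which takes the first five hex characters of the SHA-1 hash and returns matching suffixes as `SUFFIX:COUNT` lines. The response body and counts used in the demo are constructed.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_body):
    """Find the password's hash suffix in a range response ('SUFFIX:COUNT' lines).

    The comparison is done locally, so the full hash never leaves the machine.
    """
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Real network call; the offline demo below swaps in a fake instead."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password, fetch=fetch_range):
    """Send only the 5-character prefix; return how often the password was seen."""
    prefix, _ = split_sha1(password)
    return breach_count(password, fetch(prefix))

def constructed_range_body(leaked):
    """Build a fake range response from {password: count} for offline use."""
    return "\r\n".join(f"{split_sha1(p)[1]}:{c}" for p, c in leaked.items())

if __name__ == "__main__":
    body = constructed_range_body({"password": 12345})  # constructed count
    sent = []

    def fake_fetch(prefix):
        sent.append(prefix)  # record what would have gone over the wire
        return body

    print("password ->", check_password("password", fake_fetch))
    print("sent to service:", sent)
```

A non-zero count means the password has appeared in a breach and should be retired everywhere it is used.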

I’ll use fewer passwords
Surely a mistake, right? Well, it may sound counterintuitive, but fixing your passwords may also imply needing fewer of them in the first place. More precisely, it means cutting ties with the services you no longer use, so that you needn’t ‘look after’ your accounts with them. We all have set up accounts that we no longer use. Indeed, we may have racked up quite a few of them over the years, including some we barely remember. However, the adage ‘the internet never forgets’ fits here too, and forgetting is something you shouldn’t do, either.

The trouble with unused accounts is that each of them – even if only a vestige of your much younger self – is a potential source of danger. The service may suffer a breach exposing your password or may be sold to new owners whose intentions might not exactly be honest. Or, if miscreants take over your account, they might be able to use it to break into one of your highly valued accounts, be it by gathering private information about you, or through your failing to use a unique password for each account. Or they can just as well use it to spew out spam.

But what doesn’t exist can’t be taken over, can it? Feel no remorse: just dispatch those accounts to a better place and never look back. There are even services that promise to scale back your online footprint in bulk; that is, without you having to recall or comb through and then manually shut down each inactive account. Using a service just to help kill online accounts may not be for everybody, however, as essentially you need to take the developers of such tools at their word.

While you’re cutting the clutter, consider severing ties also with third-party apps and services that are associated with your accounts on social and other major sites, especially the apps that you no longer use. These apps, too, can be misused as other entry points for illicit data collection or even worse. To pull the plug on their access to your account and data, navigate to the privacy and/or security settings of your online service(s) of choice; from there, it usually takes only a click or two.

Next up
Staying safe online isn’t going to become any easier this year, so we’ll be back in a few days with more tips for beefing up your personal online security. Next time, we’ll focus mainly on a couple of easy ways to boost the security of your wireless network.

Watch Out for These Scams Targeting Amazon Customers

Written by Amer Owaida, Security Writer at ESET

Amazon is the largest online marketplace in the world, boasting over US$386 billion in revenue in 2020 with 200 million subscribers to its Amazon Prime service just in the United States. And that’s just a fraction of the whole customer base that it serves around the globe year-round. Of course, such a huge customer pool attracts cybercriminals who are looking to make bank by scamming unsuspecting victims with a variety of tricks that they have in their arsenal of scammery.

Fake order phishing email
As with any major service, Amazon is no stranger to being spoofed or impersonated by enterprising fraudsters who are looking to dupe people out of their personal information or to access credentials to their accounts. The emails you may receive can take on various forms; however, they usually impersonate a common Amazon dispatch email that regular customers have encountered many times over. For example, you might receive one that confirms a purchase you didn’t make and tries to trick you into clicking on various links that look like contact information for Amazon’s customer service.

These links can then redirect to something looking like the official Amazon login page; however, when you try to sign in you will have divulged your credentials to the scammer. Alternatively, by clicking on the link or attachment in the email you may download a malicious payload to your device that will attempt to download keylogging software that will try to harvest your credentials to any services you use.

Generally speaking, unless the fraudster behind the scam did an immaculate job with the counterfeit email, there are several warning signs that will give it away as an attempt at phishing. If the email contains typos, grammar mistakes, or an attachment, it is most assuredly a scam. When checking out a link that you’ve received in an email, hover your cursor over it and check whether the address is something.amazon.com, where something is one of many valid Amazon subdomains – for example, pay.amazon.com or www.amazon.com. If you suspect that you’re being phished, you should contact Amazon directly, since it takes these issues seriously.
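The hover check above can be automated, for instance in a mail filter. The following is an added example, not part of the original article: it parses the link and compares the real hostname against amazon.com on a label boundary, which a simple "does the text contain amazon.com" test gets wrong. The sample links use reserved `.example` domains and are constructed; the HTTPS requirement is an added assumption.

```python
from urllib.parse import urlsplit

def is_amazon_link(url, base="amazon.com"):
    """True only if the URL's host is `base` or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # malformed URL: treat as untrusted
    if parts.scheme != "https":  # added assumption: require HTTPS
        return False
    # .hostname drops any 'user@' prefix and the port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    # Match on a dot boundary so the base must be the registered domain,
    # not merely a substring or a prefix of some other domain.
    return host == base or host.endswith("." + base)

# Constructed sample links; .example is a reserved, non-resolving TLD.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/help",
    "https://pay.amazon.com/",
    "HTTPS://WWW.AMAZON.COM./orders",
    "https://amazon.com.order-check.example/signin",  # base used as a prefix
    "https://www.amazon.com@support.example/",        # base hidden in userinfo
    "https://amazon-com.example/help",                # lookalike label
    "http://www.amazon.com/",                         # not HTTPS
]

def classify(links):
    """Map each link to True (host is under amazon.com) or False."""
    return {link: is_amazon_link(link) for link in links}

if __name__ == "__main__":
    for link, ok in classify(SAMPLE_LINKS).items():
        print(("OK      " if ok else "SUSPECT ") + link)
```

A passing result only says the link points at an Amazon host; it says nothing about the rest of the message.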

Gift card scams
Gift card fraud is another perennial problem that you can encounter. The con artists may utilize different strategies to dupe their victims; however, the ultimate goal remains the same – trick them into purchasing and sending Amazon gift cards. Popular tactics usually include evoking a sense of urgency or pressure in order to make victims act quickly rather than give deep thought to the contents of the message or phone call.

Victims may receive unsolicited email messages or phone calls about a pressing issue involving their social security numbers or benefits and to resolve it they’ll have to pay a penalty using gift cards. Alternatively, victims may be told that a family member is in trouble and needs financial help. There are multiple scenarios at play where fraudsters can also impersonate Amazon itself, claim to be someone from the management of the victim’s employer, you name it.

However, fortunately, most of these scams can be uncovered quite easily if you keep a cool head. Government officials will never ask you to pay a fine or penalty with a gift card, so you can be 100% sure that if you get such a request it’s a scam. As for the rest of the scenarios, to verify the claims you just need to call your family member to see if they’re in trouble or the person from your company that requested the gift cards. And of course, it goes without saying that you should contact all of the aforementioned people or institutions through the verified official channels.

Payment scams
Payment scams come in many shapes and sizes, and while the form may differ, in the end, the scammers behind them are after only one thing – the contents of your bank account. There are multiple ways that this can occur. One tactic that is often utilized is trying to convince you to pay outside Amazon’s secure platform. The crooks will try to lure you in various ways, for example by offering a discounted price; however, if you relent, the most probable outcome is that you’ll both lose your money and won’t get the product.

Additionally, you won’t be able to lodge a complaint with Amazon since you paid the fraudulent charges outside the confines of their platform. Other flavors of payment scams to watch out for include paying to claim a prize that you’ve supposedly won or paying a seller whose identity you can’t verify; also avoid offers that seem too good to be true or that you find suspicious.

The obvious advice, in this case, is to stick to Amazon’s platform for all orders and payments. Even the company itself warns against sending money outside the confines of its platform: “Don’t send money (by cash, wire transfer, Western Union, PayPal, MoneyGram, or other means, including by Amazon Payments) to a seller who claims that Amazon or Amazon Payments will guarantee the transaction, refund your funds if you’re not satisfied with the purchase, or hold your funds in escrow.”

Dodgy phone calls
Sometimes scammers will resort to more “analog” means to try and hoodwink their victims – fake support calls. The content of the calls might vary; however, they often sound like a pre-recorded message impersonating Amazon claiming it has registered something wrong with your account, something that would pique your interest – a fishy purchase, lost package, etc.

According to a warning issued by the United States Federal Trade Commission, the message will then either inform you to press 1 to speak to a customer support agent or give you a number to call back. If you engage in conversation, the scammers will most likely try to wheedle sensitive data out of you like your personal information or your payment data.

The most sensible thing to do, before going into full-blown panic mode, is to check if there is anything suspicious going on by contacting Amazon through the direct channels listed on the support section of their website. The company does acknowledge that in some cases it may make outbound calls but it will never ask customers to reveal any sensitive personal information in order to verify their identity.

In summary
When it comes to online shopping and its related activities the saying “trust but verify” remains as true as ever. To sum it up, most of the scams can be avoided if you remain vigilant, curious, and keep your wits about you. If you receive any unsolicited emails be extra careful to verify their provenance and never divulge personal sensitive information to anyone claiming to be a “customer support representative or agent”.

Create a Ring of Security Around Your Home

With an app and a couple of gadgets, technology can provide peace of mind in the toughest of times – whether you’re at home or away, says Mohammad Meraj Hoda, vice president of Business Development – Middle East & Africa at Ring

Over the last year, we have learned that there’s no such thing as a predictable routine. Even as UAE authorities do their utmost to prevent the spread of the coronavirus, once-mundane everyday schedules can easily be disrupted by abrupt school closures, sudden quarantines or even an endless procession of deliveries of all kinds. At times when it can all get a bit too much, an extra layer of security can offer peace of mind.

But when you can’t bring in new household help with visa and travel restrictions, technology can do your bidding instead. Indeed, technology is now so far advanced that with a couple of installs and a few quick tweaks, you can protect your home inside and out. With a video doorbell, indoor cameras around the house, and an app, you can create a ring of security around your home within a few minutes.

When you choose a single brand of products, such as Ring, the appliances can easily work together, and best of all, everything can be monitored from your smartphone – even if you happen to be elsewhere physically. As UAE residents have become more alert to visitors and the risks accompanying them, convenience and safety are more important than ever. This is where Ring’s bouquet of products can help.

Video Doorbells Help Everyone
Since they were first created in 2013, video doorbells have proved their worth repeatedly in many different situations around the world. From a bear trying to open a car door to meteors flying through the skies, they have captured a number of untoward and unwanted visitors around the world. Products such as the Ring Video Doorbell 3 are activated by motion around your front door and begin recording events within their line of sight. Because Ring video doorbells connect to the internet via your home Wi-Fi system, this video feed can be set to be livestreamed straight to your phone, or you can access it later.

Even if you are at home, there is no need to go to the door. You can see who your visitors are from your smartphone. With the Ring Video Doorbell 3, you simply tap on the alert to check who’s at the door and even communicate with them. Even if you are at home, you can safely keep your distance from visitors, and if necessary, ask them to leave packages at your door.

Indoor Cameras Offer Peace of Mind
Meanwhile, for family-focused people who are away in the office or at an event outside the home (perhaps even in another emirate!), an indoor camera provides the assurance that no untoward incidents have taken place at home. Perhaps you want to chat with those who are at home, verify if your teenage kids are getting to their homework, or if your cat has been playing up while you’re away. A quick check is easy with a compact indoor camera such as Ring’s new Indoor Cam, which slots unobtrusively into small spaces around the home.

This clever new device makes it easy to speak with older family members or see if school children have reached home. Between the indoor cameras and the outdoor doorbell camera, you can easily keep an eye on every corner of your home from anywhere. In addition, with Ring’s Protect Plan, it’s easy to add an extra layer of security to your home.

Although life has become more challenging on so many fronts, technology can help ease the stresses of living through these strange times. A little planning and a few moments’ work can go a long way to securing peace of mind for everyone at home.

One in Six People Use Pet’s Name as Password, Says ESET

Written by Amer Owaida, Security Writer at ESET
