10 ways to keep your internet identity safe from hackers
We’re high up in the Gherkin in the City of London and Garry Sidaway, director of security strategy at Integralis, a firm which advises government agencies, pharmaceutical and financial services multinationals, is giving my computer a security MOT. “You don’t have anti-virus software, I see,” he says, a trace of mockery in his voice. “That’s your first mistake.”
According to Sidaway, while most of us are much more aware of the risks now (“My mum shreds her documents even if she doesn’t know why,” he says), we should all be raising the bar. He thinks we Britons are an overly trusting lot. Sitting ducks for an armada of hackers, who are every bit as focused on stealing our data as we are relaxed about storing it. “The criminal gangs know exactly which kind of data they want and where it is likely to be,” he explains. “Conversely we’re not sure what they’re after.”
So what are they after, I ask? “We are seeing a wide variety of attacks – everything from opportunists trying to extract passwords through phishing [emails which purport to be from legitimate sources and attempt to get us to click on an infected link] to highly organised crime units targeting businesses and government systems in an effort to steal intellectual property and information related to critical infrastructure.”
The government estimates that the total cost of cybercrime in the UK is £27bn a year. The majority (£21bn) is committed against businesses, which face high levels of intellectual property theft and industrial espionage.
Enabled by the sharing culture on social media – and with ever more sophisticated malicious software known as malware at their disposal – cybercriminals have become far more adept at crafting attacks and targeting individuals and organisations. Phishing emails purporting to be from friends, often reflecting our interests – perhaps gleaned from social media sites – or from trusted organisations such as your bank or HM Revenue & Customs encourage us to click on infected links or attachments containing malware. (A recent example of the latter was malware disguised as a security warning from Microsoft’s digital crimes unit.) “We have a level of trust in certain organisations and criminals exploit that trust,” says Sidaway.
Typically, these so-called “man-in-the-middle” attacks install colourfully named Trojans (pieces of malware, essentially) such as Zeus, SpyEye or Citadel on computers, which have the effect of compromising, for example, online banking transactions. “Everything you then do on your compromised laptop is subverted through a hacking site which means when you [communicate] with your bank, you are going through a man in the middle. Initially, man-in-the-middle attacks were passwords used in authentication – the criminal would wait until you had finished to start using the credentials they’d just gathered. This is why banks brought in one-time passwords or codes,” he says.
“But more recent malware will perform a man-in-the-middle attack to obtain the user’s session (a session is created after a user logs in successfully and the browser and the bank’s website use this to continue the interaction) and fake the logout requests. Once the user thinks they’ve logged out, the attacker can make payments using the existing session without the victim seeing any changes to their balance until the next time they log on. This is partly why banks have rolled out card readers to help prevent payments to new payees.” He adds: “It’s a constant game of cat and mouse.”
TWENTY COMMANDMENTS: THE DOS AND DON’TS OF ONLINE SAFETY
1. Never click on a link you did not expect to receive
The golden rule. The main way criminals infect PCs with malware is by luring users to click on a link or open an attachment. “Sometimes phishing emails contain obvious spelling mistakes and poor grammar and are easy to spot,” says Sidaway of Integralis. “However, targeted attacks and well-executed mass mailings can be almost indistinguishable [from genuine emails].” Social media has helped criminals profile individuals, allowing them to be much more easily targeted, he adds. “They can see what you’re interested in or what you [post] about and send you crafted messages, inviting you to click on something. Don’t.”
2. Use different passwords on different sites
With individuals typically having anything up to 100 online accounts, the tendency has become to share one or two passwords across accounts or use very simple ones, such as loved ones’ names, first pets or favourite sports teams. Indeed, research by Ofcom last month revealed that over half of UK adults (55%) use the same passwords for most, if not all, websites they visit, while one in four (26%) use birthdays or names as passwords. Any word found in the dictionary is easily crackable. Instead, says Sian John, online security consultant at Symantec, have one memorable phrase or a line from a favourite song or poem. For example: “The Observer is a Sunday newspaper” becomes “toiasn”. Add numerals and a special character thus: “T0!asn”. Now for every site you log on to, add the first and last letter of that site to the start and end of the phrase, so the password for Amazon would be “AT0!asnn”. At first glance, unguessable. But for you, still memorable.
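As an added illustration (not part of the original article), the recipe above written out as a small Python script. The steps follow Sian John’s description; the letter-substitution table (o becomes 0, i becomes !) is an assumption generalised from the article’s single example, and the short word list used for the dictionary check is constructed here.

```python
# Added example, not from the article: the phrase-based password recipe
# from point 2, plus a simple "is this a dictionary word?" check.

import string

# Assumption: the article turns "toiasn" into "T0!asn", i.e. the first
# letter is capitalised, 'o' becomes the numeral 0 and 'i' becomes '!'.
# This table generalises that one example to other phrases.
SUBSTITUTIONS = {"o": "0", "i": "!"}

# Constructed sample word list standing in for a real dictionary.
COMMON_WORDS = {"password", "football", "arsenal", "princess", "sunshine"}


def phrase_to_acronym(phrase: str) -> str:
    """First letter of each word, lower-cased: 'The Observer is a Sunday newspaper' -> 'toiasn'."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    return "".join(w[0] for w in words if w).lower()


def strengthen(acronym: str) -> str:
    """Capitalise the first letter and apply the substitutions: 'toiasn' -> 'T0!asn'."""
    if not acronym:
        raise ValueError("phrase produced no letters")
    first = acronym[0].upper()
    rest = "".join(SUBSTITUTIONS.get(c, c) for c in acronym[1:])
    return first + rest


def derive_password(phrase: str, site: str) -> str:
    """Wrap the strengthened acronym in the site's first and last letter: Amazon -> 'AT0!asnn'."""
    site = site.strip()
    if len(site) < 2:
        raise ValueError("site name must have at least two letters")
    return site[0] + strengthen(phrase_to_acronym(phrase)) + site[-1]


def looks_weak(password: str, words=COMMON_WORDS) -> bool:
    """Flag the two weaknesses the article names: a plain dictionary word, or digits only (a birthday)."""
    return password.lower() in words or password.isdigit()


if __name__ == "__main__":
    phrase = "The Observer is a Sunday newspaper"
    for site in ("Amazon", "eBay", "Facebook"):
        print(site, "->", derive_password(phrase, site))
    print("weak:", looks_weak("football"), looks_weak("19850314"), looks_weak(derive_password(phrase, "Amazon")))
```

The point of the per-site letters is visible in the output: the three sites get three different passwords from one memorised phrase, so a password leaked from one site does not match the others.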
3. Never reuse your main email password
A hacker who has cracked your main email password has the keys to your [virtual] kingdom. Passwords from the other sites you visit can be reset via your main email account. A criminal can trawl through your emails and find a treasure trove of personal data: from banking to passport details, including your date of birth, all of which enables ID fraud. Identity theft is estimated to cost the UK almost £2bn a year.
4. Use anti-virus software
German security institute AV-Test found that in 2010 there were 49m new strains of malware, meaning that anti-virus software manufacturers are engaged in a constant game of “whack-a-mole”. Sometimes their reaction times are slow – US security firm Imperva tested 40 anti-virus packages and found that the initial detection rate of a new virus was only 5%. Much like flu viruses and vaccine design, it takes the software designers a while to catch up with the hackers. Last year AV-Test published the results of a 22-month study of 27 different anti-virus suites, and the top-scoring packages were Bitdefender, Kaspersky and F-Secure. Meanwhile, security expert Brian Krebs published the results of a study of 42 packages which showed on average a 25% detection rate of malware – so they are not the entire answer, just a useful part of it.
5. If in doubt, block
Just say no to social media invitations (such as Facebook-friend or LinkedIn connection requests) from people you don’t know. It’s the cyber equivalent of inviting the twitchy guy who looks at you at the bus stop into your home.
6. Think before you tweet and how you share information
Again, the principal risk is ID fraud. Trawling for personal details is the modern-day equivalent of “dumpster-diving”, in which strong-stomached thieves would trawl through bins searching for personal documents, says Symantec’s John. “Many of the same people who have learned to shred documents like bank statements will happily post the same information on social media. Once that information is out there, you don’t necessarily have control of how other people use it.” She suggests a basic rule: “If you aren’t willing to stand at Hyde Park Corner and say it, don’t put it on social media.”
7. If you have a “wipe your phone” feature, you should set it up
Features such as Find My iPhone, Android Lost or BlackBerry Protect allow you to remotely erase all your personal data, should your device be lost or stolen. “Absolutely, set it up,” advises Derek Halliday of mobile security specialist Lookout. “In the case where your phone is gone for good, having a wipe feature can protect your information from falling into the wrong hands. Even if you didn’t have the foresight to sign up, many wipe-your-phone features can be implemented after the fact.”
8. Only shop online on secure sites
Before entering your card details, always ensure that the locked padlock or unbroken key symbol is showing in your browser, cautions industry advisory body Financial Fraud Action UK. Additionally, the beginning of the online retailer’s internet address will change from “http” to “https” to indicate a connection is secure. Be wary of sites that change back to http once you’ve logged on.
9. Don’t assume banks will pay you back
Banks must refund a customer if he or she has been the victim of fraud, unless they can prove that the customer has acted “fraudulently” or been “grossly negligent”. Yet as with any case of fraud, the matter is always determined on an individual basis. “Anecdotally, a customer who has been a victim of a phishing scam by unwittingly providing a fraudster with their account details and passwords only to be later defrauded could be refunded,” explains Michelle Whiteman, spokesperson for the Payments Council, an industry body. “However, were they to fall victim to the same fraud in the future, after their bank had educated them about how to stay safe, it is possible a subsequent refund won’t be so straightforward. Under payment services regulations, the onus is on the payment-service provider to prove that the customer was negligent, not vice versa. Credit card protection is provided under the Consumer Credit Act and offers similar protection.”
10. Ignore pop-ups
Pop-ups can contain malicious software which can trick a user into verifying something. “[But if and when you do], a download will be performed in the background, which will install malware,” says Sidaway. “This is known as a drive-by download. Always ignore pop-ups offering things like site surveys on e-commerce sites, as they are sometimes where the malcode is.”