The security and privacy of your electronic personal information and documents lies almost entirely in how you manage your passwords and devices. In this blog, I dispel the myths and explain how to secure your electronic records by adopting five simple behaviours. But first, how does hacking occur?
How ‘hacking’ actually happens
Hacking is not easy – today’s mobile phones, cloud services and home computers have more than enough protection to deter hackers. Major government departments get hacked because one country or another throw huge resources at the task. But for individuals, ‘Hacking’ of personal accounts almost always works this way: the hacker sends out thousands of random emails prompting people to log in to a very common website – such as facebook. The email is a notification of some kind, with a link for you to log in. They use common services because that is more likely to be effective – because people are not going to log in to an account that they don’t have. The first burst of emails drawing people in is not even targeted at any particular country – it is just a random selection of characters to make up an email address, such as ‘Ann@gmail.com, Anne@gmail.com, Annie@gmail.com, Ann54@gmail.com etc. (Apologies to those who actually own these emails). The target receives the email, sees a notification that there is something for them at facebook, clicks on the link, and they arrive at a facebook page, but need to log-in. They enter their email address and password, and then something goes wrong, they get a strange error, they then enter Facebook in their browser or use a Facebook app, and everything is back to normal, they are in their Facebook account. The person forgets all about the momentary glitch. However in that moment, they have actually clicked on a fake facebook page, and entered their email and password into fields that are collected by the hacker. The page looks like facebook, but has a slightly different or hidden URL. The user lands at an error page, and tries another method, that takes them to their facebook account in the usual way. In that brief moment, they have given away their password.
From here, the hacker might do a few different things. They have access to the user’s facebook, so they might use that to farm for more targets – this is where people find rogue messages sent from their facebook account to friends. They usually find out, because a friend messages them saying ‘hey, I think you have been hacked’. These messages might be farming for more passwords, or they may use the ‘trust’ of a message between facebook users to lure people to click on a link that induces malware on someone’s computer that might give the hacker access, or ability to lock up that computer for ransom (ransomware). This is harder to do for mobile phone users, as mobile phones do not load software from a click on a link on the Internet.
Alternatively, the hacker might use the email and password combination that they have to access a more valuable account – their first choice will be your email – and that is pretty easy, because your email address usually also reveals your email host. If a hacker gets into your email, they can wreak all kinds of havoc – this is a very serious situation indeed. Firstly, they can see your emails, and learn what accounts you have. They can try using the email and password combination that they have for you, and enter those into a bank account to access your account. Even if they don’t have the password for that bank account, if they can access your email, they may well be able to initiate a password reset on the account, which works via your email, which they have access to. Hence, if you ever get a message that one of your passwords is being reset – ‘is that you?’ – and it isn’t – you can be confident that someone is working on hacking you. Increasingly, such accounts also require a code sent to you by text message – this second or third form of verification improves your online safety significantly, so you should switch on this ‘two factor’ or ‘three factor’ authentication whenever possible. So how do you protect yourself from these kinds of online attacks?
From this we learn safety measure number one: use a different password for everything – particularly email and bank accounts.
Don’t give your passwords away
Most hacking occurs because the user in-advertently gave away their password – by being phished. Safety measure number one is: be alert to these bogus messages. Even if they occasionally get you, you need to change the password for that one account as quickly as possible – because having followed rule number one, you haven’t compromised any of your other passwords, have you? Interestingly, these hacks are more focussed on getting big numbers of passwords than actually breaking into your other accounts – at least in the short term – you can see this, because the most common thing the hacker does is post even more invites to their phishing trap to your friends.
Using Safe Passwords
The second rule is: use a complex password that is not easy to guess, and a different password for as many accounts as possible. Passwords need to be a nonsensical jumble of upper and lowercase characters, numbers, and some special characters such as punctuation. Everyone knows that, but it is hard to remember all those passwords. The safest thing to do is to memorise all those completely random passwords – it’s good for your mental health. Alternatively, use a password manager. There are many 3rd party password managers, but you may want to look for one that works across both a mobile or cell phone and a computer. Google’s browser Chrome has a version built in – as do Samsung phones – wherein it offers to memorise your passwords in the browser. The Chrome one offers the benefit that it will work across mobile devices and a computer if you are using Chrome as your browser. However, if you can’t access a site, you will have to ask for your password to be reset – which is usually done through your email – more about that issue late. Another choice is a password ‘system’ known only to you, such as combination of characters and numbers that differ for each account in a pattern that is very obscure, but one you know – this is not as secure as random passwords. Alternatively, you could record your random passwords somewhere very secure. Again, not recommended, but you could use a password protected Excel file, and keep that in a synchronised app such as your email or Evernote. For Google and Chrome users, within your Google account is a ‘Privacy Checkup’ (which may also give you notifications on an Android phone). This will display a list of online accounts that you have which may have compromised security. For instance, if your passwords are stored in Google Chrome and a Google Partner has been breached, it will list which of your accounts have compromised passwords – and it is vital that you change the passwords for all of these accounts immediately. Finally, never, ever keep your passwords on paper, if you have a little black book of passwords at home, burn it to a cinder now!
Is the device you are using secure?
Another way that people access passwords is by accessing your device. For example, a computer terminal at an airport or hotel may have something dodgy going on, such as malware that picks up your passwords. Malware can find it’s way on to personal computers as well, usually by opening unsafe links or installing unsafe software. Generally, sensible attention to warnings, and a current and secure operating system will resist this. A third-party virus checker can also help. Malware and viruses also target mobile phone / cell phone operating systems, so be attentive to keeping those up to date.
As a rule, portable devices comprise a significant security risk – so information and documents should only be saved on these if the device as a high level of security, such as password protection or requires a finger-print for access. Portable devices can be lost or stolen, so they certainly should never be the only place that important items are kept. Ideally, computers should only be used to access data, with the data itself stored more securely, either on a server or usb device at home that is physically protected by being locked away, or in the cloud. Portable USB drives should be kept locked away and used for temporary access only, as they are insufficiently reliable as your main digital storage facility.
Two (or more) Factor Authentication
Being required to authenticate certain account creations or logins by receiving an email or text message can be irritating, but this two-factor authentication adds considerably to your information security – provided you have used different passwords for different accounts. However, if you have used the same password for your email and for an online account, this protection can be easily compromised, so once again, it comes down to good password practice.
Biometrics – question marks remain
Fingerprints and face recognition are being increasingly used to protect devices – the main advantage of which is that these are fast and easy to use, and don’t require you to remember a password. But the jury is out on how secure these are – there is an argument that anything physical is also unchangeable, and potentially can be copied. If someone duplicates your fingerprint, you can’t change it like you can a password. At the extreme of biometric identifiers is your DNA – but how secure is that? All someone needs is a strand of your hair. Random passwords may be more secure.
What about Cloud Storage – is that safe?
Is your content safe from hacking in the cloud? One argument supporting this is that cloud service providers are far better equipped to have the latest security systems. However. there are also some risks. For instance, users of Gdrive have a single password for all Google services. If this is compromised, the outcome could be tragic – so it is vital to have a complex password and to keep that secured.
Another consideration regarding storing files in the cloud is privacy. If you are a Gmail user, gmail scans the text in all your emails, and uses this for targeting advertising. It seems that Google also uses this to prioritise items that come up in a Google search – a much debated and subtle influence on both your product choices, but possibly also your perspective on other matters such as news and politics. Attached pdf documents are also scanned, as are most documents stored in Google Drive, so you can search for any words that appear in an attached email. If your photos are in Google cloud (or backed up that way from an Android photo), you have the handy facility of being able to search for a photo using a word that describes the content of the photo. If you took a photo of a receipt and keep that in Google photos, you may be able to search for it using the store name that is in the image. If you took a photo of a donkey, and that is saved as image5392134.jpg, you can find it in Google Photos with the search term ‘donkey’. How else that information is used is open to your imagination. If you have location services switched on, Google or Apple know where you are and where you have been at every moment. The bottom line is, secure the important things like your passwords and access to confidential or financial information, and chill about the rest, scream out loud ‘I’ve got nothing to hide!’.
And the third consideration is continuity of service. Unless you are a paying customer of Google, such as by paying for a premium service or extra data storage, Google makes no promises at all about continuity of service or access for you. For paying customers, there is some loose and ambiguous reference to continuity of service, but nothing specific. Hence it is recommended you have a secure local copy of all the files that you keep in the cloud. Finally, no email or cloud service is infinite – so once you go down that track, you may need to pay for extra capacity, use more than one account, or archive old content to a local backup.
Data Breaches
Hackers are far more interested in gaining access to tens of thousands of emails and passwords than they are in hacking individuals. For this reason, their efforts go into accessing major organisations that have huge memberships, and then reselling that information – often on the ‘dark web’. The best way to protect from these is the ensure that you use unique passwords for every online account and change your password as soon as you hear of a data breach. If you can access a breached account quickly, and change your password right away, you are likely to be a step ahead of the hackers, and no harm will be done. In Australia, businesses and organisations are legally required to tell members of a breach or suspected breach, under the Notifiable Data Breach legislation. This is managed by the Office of The Australian Information Commissioner. In practice, the NDB law is filled with loopholes, such as excepting international organisations and state government departments. They do not disclose any information about breaches and if you alert them to a breach, they advise you that their inquiries are confidential – meaning that they might find out that you were the victim of a breach, but unless the business or organisation where the breach occurred informs you, you are no better off. There have been plenty of breaches reported in the media in Australia that have not complied with the NDB. However, there is a website that claims to track breaches, and at which you can search to see if your email address has been found in breached data ‘;-- have I been pwned?
More about Privacy in Australia
The issue of the privacy of your information is different to that of security but overlaps it because privacy also covers how an organisation protects your information from being mis-used, which can happen irrespective of a hack – whether that be a breach by one of their own staff, or the businesses only way of using your information. In Australia there is both legislation (The Privacy Act) and regulations (The Australian Privacy Principles) to protect the privacy of your information stored with a business or organisation. Small businesses are exempt from these, but large organisations need to protect your personal information. They are required to provide you with information (usually on their website) as to who to contact regarding privacy concerns. They are obliged to be able to tell you what personal information they hold about you, and to amend that or delete that at your request, unless they have a need to keep it for the purpose of providing you with a service. There are special restrictions on sensitive information such as health, financial or information relating to beliefs – requiring them to only collect and store such information as necessary, and to inform you of your privacy rights with regards to this information. There are similar regulations in Europe, the General Data Protection Regulations – in fact the GDPR is stricter and more extensive, so you will often see big companies promoting that they comply with those. Most American privacy legislation is state based, so it varies, with California having privacy laws comparable to Australia and Europe. For this reason, many people take an interest in where their data is stored. International databases stored in Europe offer the benefit of GDPR protection. Amazon Web Services sometimes offer you the ability to choose where your data is stored and it is stated that it is compliant with the GDPR as do Google and Facebook. The key point is, look for confirmation of compliance with The Australian Privacy Act and the Australian Privacy Principles, or the GDPR for International data storage.
If you are interested to know what Facebook knows about you, in Facebook, go to your Settings & Privacy, click on Settings, then Your Facebook Information, and then select Off-Facebook Activity. You will be emailed when it is ready, and it can be accessed as a download from a Facebook notification.
So what is best practice?
All-up, the rules are simple:
1. Don’t log in to sites using the links provided in an email – unless you are very confident of the legitimacy of the message and link;
2. Use different passwords for each account – particularly email and banking accounts;
3. Use complex passwords that are unpredictable – and don’t write these down – use a password manager if necessary;
4. Don’t access your accounts from public devices such as Internet cafes or terminals in an airport;
5. Keep your personal electronic records somewhere secure – so if that is locally on PC or USB drive, that needs to be kept secure and backed up. If that USB drive is not kept in a safe or secured some other way, you would be better-off keeping that information on a cloud server.