In the past couple of months, I have spoken with several clients who have experienced serious security breaches. One client lost $15,000 when it was transferred from her checking account to someone else’s account. Another person’s AOL email account was hacked by a stranger. The hacker sent messages from the compromised account to the victim’s financial advisor and attorney requesting that they cut checks and mail them to an address in Ohio. Several other friends, family and clients reported that their email accounts were hacked and they had spammed everyone in their address book. While the missing money is still being investigated by the bank and law enforcement authorities, the other infractions were enabled by users’ lack of attention to basic security precautions. The owner of the AOL account admitted that he had used the same simple password for close to a decade, acknowledged the error of his ways, but was dumbfounded that someone had actually hacked their way in and attempted to steal from him. These are not stories I read about on the internet. They are friends, family and clients right here in my community.
I encounter simple passwords on a daily basis. Passwords like password123 or kenspassword are only a minor speed bump for a determined hacker who wants access to sensitive information. I discussed creating complex passwords in a blog entry last year and encourage you to read it.
So how do hackers obtain passwords and access accounts? While some passwords are easily guessed, others are hacked using “brute force” methods – software that repeatedly guesses passwords until an account is unlocked. Still others are found written down on a sticky note and “hidden” on your computer monitor or desk for the world (and cleaning people) to see.
Sure, there are the “typical” ways that passwords are obtained by unauthorized users. But how safe are you when accessing your accounts on public networks, such as free wi-fi in coffee shops and bookstores? There are a variety of free tools available on the internet that allow snoopers to monitor wireless channels, watching what their neighbors are viewing and collecting passwords, account names and a whole host of other useful information. As illustrated in this recent PC World article, it’s easier than ever for even a novice to gather very damaging information over public wi-fi.
So how do you defend against these criminals? Here are a few pointers:
- Never log into your accounts on public wi-fi unless the website is SECURE**. This includes all email accounts, online banking, Amazon, or any other service that might store your credit card numbers. Be especially careful about logging into your email account over public wi-fi, since your email account can be used to reset passwords for other accounts. This also applies to MS Outlook. If Outlook is not set up to use a secure connection, then your password is being transmitted in clear text, meaning that the kid in the corner of the coffee shop can get access to your email account. (Yes, even if you don’t have to enter a password to get your Outlook email, one is being sent to your mail server behind the scenes.)
- Make sure that your connection stays encrypted for the entire session, not just when you log in. Various websites and email services allow you to tweak this setting. For example, Gmail includes a Browser Connection option, “Always use https”.
- If you have access to a VPN at work, log in to that before surfing the web on a public network.
- BYOD (bring your own device). If you are frequently on the go and need access to the internet, pick up a portable hot spot. I just got one from Verizon for $0 upfront and $20/month. This way, I always have access to the internet and can connect up to 10 devices.
- When in doubt, just wait until you get back home or to the office to conduct your banking, check email or buy that latest book from Amazon.
As a side note, I NEVER conduct financial transactions on someone else’s internet connection (coffee shops, hotels, or cousin Tommy’s house). I also NEVER check my email on someone else’s computer. You never know what malware or keylogger is lurking on someone else’s machine.
** How do you tell if a website is SECURE? The address (URL) begins with https://. If it is http:// (without the “s”), then you might as well stand up in the middle of the coffee shop and announce your login credentials. A SECURE connection (https://) indicates that a lot is going on behind the scenes. Your browser has verified that the website is who it says it is (yes, this is really Bank of America, not Vladimir’s fake banking site). It also indicates that anything you transmit across the internet, such as passwords, user names, and credit card numbers, is encrypted, or scrambled. Thus, even if Poindexter intercepts the information, it is worthless to him.
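To make the "encrypted for the entire session" advice concrete, here is an added example (not part of the original post) that audits a recorded browsing session for the points where it leaves https. The host name, cookie values and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: one login session on a hypothetical site.
# Each entry is (request URL, response headers with lower-case names).
SESSION = [
    ("https://mail.example.com/login",
     {"set-cookie": ["sid=abc123; Path=/; HttpOnly"]}),
    ("https://mail.example.com/inbox",
     {"set-cookie": ["prefs=compact; Path=/; Secure"]}),
    ("http://mail.example.com/inbox/message/42", {}),
]

def cookie_is_secure(set_cookie):
    """True if a Set-Cookie value carries the Secure attribute."""
    attributes = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return "secure" in attributes

def audit_session(session):
    """List the places where a session leaves the encrypted channel."""
    findings = []
    hosts, hsts_hosts = set(), set()
    for url, headers in session:
        parts = urlsplit(url)
        hosts.add(parts.hostname)
        if parts.scheme != "https":
            findings.append(f"{url}: sent in clear text")
            continue
        # HSTS only counts when it is delivered over https.
        if "strict-transport-security" in headers:
            hsts_hosts.add(parts.hostname)
        for cookie in headers.get("set-cookie", []):
            if not cookie_is_secure(cookie):
                name = cookie.split("=", 1)[0].strip()
                findings.append(f"{url}: cookie '{name}' lacks Secure")
    for host in sorted(hosts - hsts_hosts):
        findings.append(f"{host}: no HSTS header, http fallback possible")
    return findings

if __name__ == "__main__":
    for finding in audit_session(SESSION):
        print(finding)
```

A login cookie without the Secure attribute is sent again on any later http:// request to the same site, which is how a session that started encrypted can still be read on shared wi-fi.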
Just one more thing: If you are using wireless at home and have not set up security on the connection, then everyone on your street can enjoy a free ride on your high speed connection. Not only that, but your data is subject to the same snooping vulnerabilities described above. Your wireless router should be set up with WPA or WPA2 security at a minimum. Wireless router manufacturers have made it easier than ever to complete your initial setup, so it’s worth taking the time to do it right or call someone who can help you.
So take a few minutes to assess your online habits and IT security, whether you’re surfing from the office, from home or on public wireless. If all of this is just too much to digest, give us a call and we can help you navigate these dangerous waters before you surf.
Stay safe out there!