10 Ways To Reduce Hack Risk – Part 2
Posted by Tamara Hogan Apr 2 2012, 12:01 am in CHASE ME, hack attack, tamara hogan, TEMPT ME
This post is Part Two of Friday’s post, “Ten Ways to Reduce Your Hack Risk Part 1.” Part One focused on passwords, click risk, and protecting your computer from viruses, malware and other digital gremlins. Today, the rest of the list…
6. Open online accounts only as needed. Everyplace we do business online, we leave personal data behind. The more places we leave our data, the more places there are for it to be stolen from. How many of us received an email from Zappos.com recently, informing us that their customer database had been hacked? How many of us received a similar email from TJ Maxx a couple of years ago, notifying customers that their credit card numbers may have been compromised? Every online account you create is potential hacking vector. To reduce your risk, only create accounts as needed. Consider shopping as a guest, especially if you don’t think you’ll be a repeat customer. Don’t store your credit card number with your account if you don’t have to. Provide the absolute minimum amount of data the form or website requires. Delete accounts you no longer need or use.
To further mitigate your risk, consider using one credit card for online shopping, and another for your real-world activity. That way, if the credit card you use for online shopping is compromised and you have to cancel your account, you’re not dead in the water credit card-wise.
7. Use extreme care accessing the internet over public wi-fi. Public wi-fi, a staple of convenience at coffee shops, airports and hotels, isn’t necessarily as secure as you might think. It’s a fairly straightforward matter for an unscrupulous person to compromise a legit wi-fi network, or to create a new, fake wi-fi hotspot, (video, 5:00) which people then unwittingly use. For those who use tablets or smart phones…have you ever thought about how many unknown wi-fi networks you connect to on a daily basis? We simply have no way of knowing how secure these networks are. Carefully assess convenience vs. risk here. Just because we CAN pay our mortgage while we’re at the coffee shop doesn’t necessarily mean it’s necessarily safe or smart to do so. You greatly reduce your risk by issuing such transactions from places where you have more control more over the network – like, at your house.
I consider any work I do over public wi-fi to be insecure. I don’t access financial accounts, key in a credit card number, and try not to key in passwords unless I’m accessing the internet through a VPN tunnel, which creates a virtual private network and encrypts your data. If you need to access critical accounts from public wi-fi, seriously consider using VPN software. It provides a lot of protection for very little cost.
8. Cloud security is a field in its infancy. Use care. Technically, there’s nothing magical or supernaturally safe about “the cloud.” While it’s very convenient to be able to store and access your data from anywhere you can log on to the internet, the cloud is still a server farm in some company’s basement, with access controlled by programs, policies, processes and people – some of which can be circumvented or breached. While some cloud-based services encrypt your data as a matter of course, this is not necessarily a widespread practice. Also remember that, depending on your method of access, you might be retrieving your cloud-stored data using a potentially insecure wi-fi network, which increases your risk.
9. About mobile devices and tablets… If you’ve been keeping up with the news, you’ve heard the accusations that Rupert Murdoch’s News Corp. hacked the cell phones and voice mail of British politicians, celebrities, crime victims, and members of the royal family. First line of defense for our mobile digital devices? Physical control. Put some thought into what a thief might be able to do with your mobile device and its apps should you lose your smartphone, or if your iPad is stolen. Ensure your mobile devices and your voice mail are password protected to the fullest possible extent.
Viruses and malware can be downloaded to smart phones and tablets, too. Many of the same protection packages we use for desktops, laptops and netbooks are available in tablet and smart phone versions. Pay a visit to your friendly neighborhood App Store. Load up.
The most recent volume of 2600: The Hackers Quarterly was all abuzz about QR code hacks—you know, those odd-looking black and white squares you swipe your smart phone across, taking you…where? QR codes take you a website, and unless you can translate pixel, you can’t know if you’re being taken to a malicious one until it’s too late and your device is compromised. Again, check your friendly App Store for QR code scanners if you’re concerned about this risk. Being I have an extremely low tolerance for being marketed to, this isn’t a risk I’ll personally incur, but YMMV.
10. Social media – there are several of layers of potential risk to watch out for when using social media tools:
Information you knowingly share with other users, subject to your privacy settings: You might be surprised at how many people use some variation of a pet’s or child’s name as their password. Guess what one of the most common subjects people talk about on social media is? Kids and pets. Some of the information hackers use to crack passwords or phish you is unwittingly supplied by users themselves. One way to reduce this risk is to be a lot less specific about what you share on social media. Don’t mention family members’ names, upcoming vacations, your child’s activity schedule, or other absences from home. One current phishing scam targets grandparents who unwittingly reveal their grandchildrens’ names on Facebook. Pretty soon grandma or grandpa gets a panicky, static-filled phone call from someone claiming to be their grandchild, in desperate need of funds because they’ve been mugged, robbed or need bail money, FAST. Grandma or grandpa, perhaps hard of hearing, doesn’t want to admit to not recognizing their own grandchild’s voice, and sends the scammer money via Western Union or other wire transfer serivce. As older users migrate to social media tools in increasing numbers, this scam is on the rise.
Information you may unknowingly share with other users: Pictures taken with phones that have onboard GPS or location capabilities sometimes have that information embedded in the picture’s digital file structure—and it’s a fairly simple matter for others to retrieve it if they want to. In addition, there’s a new generation of ambient social media tools and apps that uses your phone’s onboard GPS capabilities to broadcast your current location to other users of the tool who share similar interests, which I personally find creepy as hell. It probably surprises no one to learn that I keep my smart phone’s location tracking, GPS and wireless capabilities turned off until I explicitly need them.
Information that the company who developed the social media tool collects, stores and uses, now and into the future: With Facebook’s recent IPO filing, and Google’s change in how they manage their user privacy settings, people are becoming more aware of how companies collect, manage, store, and use our personal data. How are our activities tracked while we’re using their services? How will they use that data? Do they sell it to marketers? To data aggregators? Is personally identifiable information removed or not? What do their Privacy Policies and their Terms and Conditions or Terms of Service say they can do with our data? (You know, those tiny-print, endlessly scrolling documents o’ 6 point legalese that most of us don’t bother to read before blithely clicking the “I Accept” button?) For how long?
Just what are we agreeing to with that one tiny click?
RTFM, dudes. Read the Terms of Service, read Privacy Policies, read the user guides that come with the products you buy. Though the federal government isn’t quite as asleep at the wheel on this issue now as they were even six months ago, the manner in which companies collect and use customer information is still largely unregulated. In the absence of any law, we have to protect our own interests. As always, knowledge is power.
Companies don’t provide free coupons or programs or games out of the goodness of their hearts. We pay for these things with personal data. Every time we click on “Like”, click on a coupon, follow an ad, go to a website, issue a search, or register for a grocery store discount card with an email address, it’s tracked, aggregated, and cross-referenced (Facebook Is Using You). Chances are good that if you’re not paying to use a product or service, YOU are the product being sold. Personal data is the coin of exchange.
Some – most – companies are scrupulous about how they use the data they collect, but despite any public relations message you might hear about how much a company “cares about your privacy,” it’s prudent to take these messages with a massive grain of salt. No database is 100% safe 100% of the time. Companies can and do get hacked. Some companies build their security infrastructure on the cheap. Companies release programs with known and unknown bugs, every single day, and despite people’s best intentions, some of those bugs can create security gaps large enough to drive a semi trailer through. Some companies’ day-to-day practices don’t conform with their stated policies. Some hackers seek employment at these very companies, exploiting vulnerabilities from the inside while their buddies do the same from the outside.
Most people don’t have the skills or motivation to hack you—but unquestionably, there are some who do, and for the most part, it’s nothing personal. Hackers are increasingly organized, hosting their own conferences and gatherings, publishing their own magazines, and learning from each other in dedicated online communities. Some hackers seek bragging rights, others intellectual challenge, some want publicity, some have a political point to make or axe to grind, and still others are in it strictly for the money. There’s an active black market for stolen passwords, credit cards, and social security numbers.
Yes, one person’s prudent is another person’s paranoid, but believe me when I say that people who have been hacked, stalked, been victims of crimes, or had their identities stolen take it very personally indeed. These individuals, of necessity, have a very different relationship with personal data than people who haven’t had these experiences.
Whatever your level of risk or concern, I hope this post provided you with some new information you can use to manage your risks more effectively.
Questions? Comments? Fire away! What are you concerned about? What actions have you taken to reduce your digital risk? Are there areas you think you need to punch up?
The second book in Tammy’s Underbelly Chronicles series, CHASE ME, releases June 5, 2012 and is available for pre-order now! Follow Tammy on Twitter at @tamarahogan1, and visit her relaunched website, www.tamarahogan.com.
Amazon | B&N |