Hackers are a major pain in the side of industry and private consumers. While that may be true, the term “cyberattack” is used increasingly loosely in the same way that getting “hacked” also appears to apply to leaving your Facebook account logged in.
Real cyberattacks consist of a concerted effort to breach a target’s defenses. They occur almost daily, mostly aimed at businesses with private information to steal, such as credit card numbers, billing addresses or Social Security numbers. Of course, some hackers do perform more petty attacks aimed at individuals often ill-equipped to deal with a hack.
The question on everyone’s mind: what can we do about it? How can we protect ourselves from getting hacked? We all read the usual tips around the internet about using strong passwords or downloading an anti-virus program or app to keep our computer safe. But is that enough? What else can we do?
As it turns out, quite a bit.
Embrace Next Level Password Protection
Creating a strong password is a tip we see with every new account we set up. Along with a slew of other suggestions, such as not sharing your password or updating it every few months, we’re told that’s enough.
But there’s a better way. As many companies have discovered, your password strength is irrelevant if it’s stolen by malware or accidentally handed over on a phishing website. Even strings of over 30 characters long are no match for a simple keylogger, which records the keystrokes a user makes and uploads them to the thief.
What much of the industry has decided on as a solution is the use of two-factor authentication. Through the use of smartphones and authenticators (small devices that generate a random code at each login), we can require an additional unique password at each login that expires shortly after being created.
Using this method for any accounts that allow it will keep cyberattacks from infiltrating your accounts because even if your computer becomes compromised or your password is stolen, the hacker can’t log in without your temporarily generated password.
Obviously this comes with one caveat: if your second device is physically stolen, then it becomes possible to access your account. Also, some services offer the opportunity to “remember” your device so that you aren’t asked for the second password each time. Convenient as this is, it’s a bad idea; avoid it if possible.
WiFi is good; WiFi is life. For some of us, this mantra holds true to an absurd degree. Limited data plans, poor coverage and devices without a plan make the daily use of publicly accessible WiFi highly desirable.
Access is so coveted that many businesses plan their advertising around the idea that they can pull customers in just with the promise of free WiFi access. It may not even matter what the business sells; so long as you can get your internet fix, who cares?
But public WiFi is one of the easiest places to experience a small-scale cyberattack. Hackers are aware of people’s needs and love to set up shop at a café, outside a hotel or anywhere else where free WiFi is available. All they need to do is wait for innocent victims to connect before they initiate their scheme.
Since anyone can connect, there’s no form of security; all a hacker needs to do is run a “sniffer” program to search for devices using the network. They can then send bad data into the victim’s device and gain access to or even control the victim’s machine. From there, it’s just a few steps to stealing a password or accessing the person’s accounts.
So where are we going with this? Despite the danger, the problem is fixed easily by using a Virtual Private Network (VPN). A VPN is a paid service that allows you to connect just about any internet-enabled gadget to a remote server. Doing so creates a secure tunnel protected by encryption between you and the rest of the net.
This prevents data injection or theft; encrypted data is no good to the hacker, and injection also won’t work because their data won’t match the encryption you’re using. If you’re interested, Secure Thoughts has a guide on VPNs for WiFi hotspots; it’s a worthwhile investment if you utilize free access.
Note that some devices may require you to set up a VPN on a router rather than the device because they may not have any interface options.
Prevent Intrusions at Home and Work
Firewalls are an afterthought for most of us, a type of security that comes preinstalled on our router or something we hire the tech guy to set up and then forget about. But other than a VPN, a firewall is really the only thing keeping most intruders out.
A good firewall utilizes both hardware and software to screen for intruders. While the above solution helps protect your IP address, a firewall will protect the actual ports of entry into your device or devices.
Firewalls can also be configured to behave differently depending on the type of traffic they’re dealing with. They can be set up to drop traffic when things get too active (such as during a DDoS attack on servers) or be designed to allow traffic to enter selectively, as with home firewalls (so programs you run can communicate but not programs run without your permission).
One other thing to take note of is the ability to monitor traffic actively. This is perfect if you’re running a network with more than just your device and want to know if any suspicious attempts are being made to breach your defenses.
Mobile Devices: Avoid Third-Party Apps
Malware is a top vector for cyberattacks; it allows the hacker to cause trouble from inside and get access to servers or devices he or she wouldn’t otherwise be able to penetrate. The trick is getting the victim to acquire said malware.
If you’re running an anti-virus app, you might expect everything to run fine. Even if you download a bad file, you can just get rid of it with the app, right?
Surprisingly enough, one place people end up getting malware and being totally oblivious to its nature is through third-party apps. These apps run just like anything you might get from the Google Play Store or the Apple App Store; the problem is the lack of vetting.
Apps from outside the controlled environments aren’t subject to screening for malware and may even bypass detection when installed on your devices. Plus, a little-known fact about mobile devices is that apps function very differently than on traditional PCs; most anti-malware apps can’t actually interfere with other apps that are already running, making removal much harder.
The solution is quite simple: don’t use apps that don’t come from official sources. You run the risk of losing everything, and it just isn’t worth it. Most official apps are free or extraordinarily cheap anyway, and it hardly seems worth losing your device or worse just to save $4.99.
Learn to Identify Fake Sites and Emails
Phishing—we’ve all heard of it. We know the basics of how hackers create real-looking emails or websites to fool us. But you must understand these criminals are doing this as a full-time job. Just being aware of their scams isn’t enough to avoid them.
For instance, what exactly tells you that a website isn’t what it seems to be? Not everyone is familiar with the rules of URLs or even email addresses. It’s actually fairly simple, but it can be easy to get confused. For instance:
- https://google.com/ is the official website for Google
- https://mail.google.com/ is the page for Gmail, but it’s still part of Google’s site
- http://google.mail.com/ is NOT part of Google’s website
- http://google.com.net/ is NOT part of Google’s website
Key elements to pay attention to are what comes after the final dot but before the slash symbol. Each period separates different subsections of the main website, so in the above example of http://google.mail.com/, the actual website is mail.com while the subpage is google (still a part of mail.com).
In the example http://google.com.net/ the actual website is com.net/, but such a page could easily confuse visitors not looking closely enough. Other common tricks include making websites with common misspellings of popular sites, such as faecbook.com (Note: Please don’t tempt fate by trying to visit that page; we can’t verify its safety!)
Email attacks like to utilize similar tricks. Most websites will send emails either from their official website (for instance, @walmart.com) or from a subdomain (@receipts.bankofamerica.com). Unlike website URLs, email address naming conventions are much less consistent.
In some cases, email clients don’t even display the sender’s full address. It may just show up as a name. Cross-reference addresses with emails you’ve already seen to help verify whether an email is coming from a legitimate source or not.
Even if the source does appear legitimate, don’t send any pertinent information over email unless you’re beyond certain the recipient needs that information. Companies never request your login details over email; a good rule of thumb is that all such requests are a hazard to avoid.
One of the sneakier inventions we’ve seen cybercriminals utilize on pages is fake search results. Designed to look like helpful recommendations on a page, these images lure users into clicking links because they assume they’ll be visiting one of the hyperlinks on the search.
In reality, they’re just another attempt to bring you somewhere you don’t want to be. They might even be snuck into a page’s ads so that their positioning looks perfectly normal without the owner knowing.
If you encounter strange search suggestions, ask yourself why. In general, if you don’t get recommendations from Google or pages you’re very familiar with, stay away from them.
No matter what tips we offer, hackers are always thinking of new and creative ways to worm their way into our accounts and devices. What works today may not work tomorrow, so being alert to the latest threats is just as important as knowing how to handle today’s problems.
Stay current, keep up with security blogs, and listen for news about major breaches.
About the Author: Faith MacAnas is a cybersecurity expert and internet technology enthusiast. As a blogger, she writes on numerous topics relating to online security, with a focus on how to protect businesses and private users from the latest risks.