It’s 2021. Our personal and work lives depend on the Internet every day. It’s time to protect our online accounts and personal identity.
Cybercrime is a rapidly growing threat to society. We depend on the Internet and online accounts in the digital era – whether Instagram, Internet banking, or important accounts that power a business (e.g. WordPress, Square, MYOB, Gmail, etc.).
According to Cybint and My TechDecisions:
- There is a hacker attack every 39 seconds
- 21 per cent of online users are a victim of account hacking
- 11 per cent have been a victim of data theft (e.g. financial and social security numbers)
- 300 per cent increase in reported cybercrimes since COVID-19, according to the FBI
- 43 per cent of cyber attacks target small businesses
Password managers
Password managers like LastPass and 1Password are essentially vaults for storing all account passwords and notes. Importantly, they can create a unique, complex password for each online account to keep you secure – and for free.
According to Business Insider, experts believe passwords should be changed regularly, at least once every three months, or, as long as you have a strong and difficult-to-crack password, only when there is a security breach.
So, when it is time to change, password managers relieve the biggest hassle – figuring out what the password should be, then remembering it (often insecurely). Security.org gives a good indication of how secure your current passwords are.
Password managers are protected by 256-bit encryption, so they’re drastically safer than keeping precious passwords inside a notes app.
All you need to create and remember is a long, secure password to gain access to your entire password manager vault. This should be a password made up from the first letters of a sentence, with a mix of sentence and block caps, plus numbers and punctuation marks.
Conversely, using passwords that clearly spell out a word (e.g. Editor) and easy-to-guess numbers (e.g. 365) – especially in organisations – is simply reckless and irresponsible.
Two-factor authentication (2FA)
2FA, or multi-factor authentication, is an additional step to verify that you are the owner of an online account when signing in. It is an extra layer of protection that significantly decreases the risk of unknown actors gaining access to your accounts and systems.
While not bulletproof, 2FA apps like Google Authenticator and the superior Authy generate one-time access codes that you need to enter when signing in – in addition to your password. When turned on, the 2FA step is required when online services recognise that you’re signing in from an unfamiliar device or web browser.
Other forms of 2FA are also available, including a push notification on your smartphone, emailing a code, or texting a code. The latter two are less secure as cybercriminals may already have access to your emails or have ported your phone number to their own devices. However, if some online accounts give you no choice, having some form of 2FA activated is always better than nothing.
According to a study by Google with researchers from New York University and the University of California, using authenticator code apps prevents 99 per cent of bulk attacks and 90 per cent of targeted attacks.
However, if you’re more conscious of your personal and work online security, using a physical security key from Yubico is recommended. It’s a USB stick that is proven to prevent 100 per cent of attacks. Instead of entering a code, the security key must be plugged into the device trying to sign in – via USB-C, Lightning, or tapped using NFC – to verify that you’re the owner of the account.
Virtual private networks (VPN)
Free public Wi-Fi networks have allowed easy access to the Internet beyond homes and offices. However, they are highly vulnerable to cybercriminals spying on your online activity and personal data without you knowing it. Whether at a cafe or in a hotel room, VPNs encrypt your Internet traffic by routing it through a tunnel to the VPN provider’s servers.
When activated, your traffic will appear to come from that server, masking your identity, activity and location from the Internet service provider (ISP) and any would-be cybercriminal. VPNs allow you to freely use the Internet, log into your private accounts, and more without a third party being able to see what you’re doing.
However, be aware that free VPNs cannot be trusted. ExpressVPN, NordVPN, and Surfshark – among plenty of others – are good options, and while you need to pay a small subscription fee, it could potentially be life-saving when travelling outside. At home, VPNs are also used for accessing content like video streaming shows from other regions.
The rule of thumb is to not connect to public Wi-Fi networks in the first place (whenever possible).
Scams, spams and more
Email, SMS, phone call, and website scams are alarmingly on the rise – often purporting to be from real companies. If you receive a communication claiming that your account has been hacked or that you owe money, you should investigate from official sources first. Check your accounts, and contact your bank or social security provider.
If you believe an email or SMS is suspicious, threatening or unusual, do not click on any link. They are likely phishing attacks. Clicking may also expose you to viruses or ransomware on your computer or smartphone.
Here are a few further tips to stay safe in the digital era:
- Add a recovery email and phone number for online accounts (where possible)
- Immediately change your password if you notice unusual activity or receive a suspicious message about your online account (generate a secure password from a password manager)
- Regularly check the trusted devices and login activity on all accounts to make sure no one else has access (including your password manager)
- Don’t use real answers to security questions; keep them varied (remember them in password managers)
- Do not post any words or images online that contain sensitive personal information (e.g. financial details, flight ticket, etc.)
- Consider having multiple emails to sign up for different online accounts; if one is compromised, not all accounts will be vulnerable
- Don’t click on any advertisements on websites; they may be malicious (web search for the product yourself)
- Delete all emails that you consider ‘spam’ (often filtered in spam or junk inboxes)
- Keep your device software up-to-date with the latest security patches
- Install anti-virus software (for businesses and organisations)
- Use a sticky note or dedicated product to cover your computer’s webcam
- Make sure your home broadband router has a secure, hard-to-guess password
The Australian Cyber Security Centre (ACSC) provides further information on how to stay safe online for individuals, businesses, and governments.
