Around 11 a.m. on New Year’s Eve day, a Facebook friend in India sent an urgent message: My website had been hacked. Sure enough, when I went to my site and right-clicked my mouse to view the “source code” (the gibberish that shows what’s going on behind the scenes), I discovered that in addition to being a journalist and social media teacher, I was now also a purveyor of erectile dysfunction products.
As his night ticked down toward midnight, a man I know through techie forums and whose expertise I respect spent half an hour guiding me through the many steps of a website cleanse.
The irony wasn’t lost on me. Though a putative Internet maven, I fell into the clutches of a cyber-criminal who was clever enough to use my website to earn himself some money. Yet not once did I think, “How could this have happened to me?” Precisely because I am technologically savvy, I know that no one’s data is completely safe on the Internet.
The Myth of the Strong Password
The new realities of Internet security are hitting our generation especially hard. After all, we were the ones who pioneered computer use — something today’s cool-kid Web 3.0 culture tends to forget. Our confidence in the medium is understandable.
Since the early days of ecommerce, vendors have gone to great lengths to assure us that our personal information is safe. At first we relied on just any old password, but recently we’ve been waking up to the importance of stronger passwords. Many sites now give instant feedback as to how “strong” our password is. Then, of course, there are all those security questions.
When we do hear about a breach, it’s often one that’s impacted a corporation or the result of a “naïve” person who’s done something foolish. Most of us feel pretty confident that it would never happen to us.
Invasion of the Identity Snatchers
The world of cyber-security underwent a game-change last summer, when not one but two top tech writers were spectacularly hacked. Mat Honan, a writer for Wired, was cyber-attacked by a 19-year-old who wanted his highly coveted three-letter Twitter handle @Mat.
To get it, the kid (who goes by “Phobia”) and a friend wiped out Honan’s entire digital life — in about an hour. It started with a call to the Apple Help Desk, and Phobia was able to give just enough data to convince the agent that he was Honan. That one password gave him the keys to the castle.
As Honan described in Wired, “First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
Honan also thought he had lost every picture he had of his one-year-old daughter, since he hadn’t been backing up his hard drive. Ultimately he was able to recover some of his passwords (from his cloud backup, Dropbox, on his wife’s laptop) and then his data. But it was an expensive lesson: He wound up spending $1,690 for the entire recovery.
Something similar happened to New York Times tech writer David Pogue a month later. His hackers were able to reset Pogue’s Apple password by answering security questions online. The model of Pogue’s first car? His current car? Where he was when the new millennium began? The answers to the first two questions were found on a Google search (Pogue has written about his cars). As for Y2K? They made a good guess. Where are most people on New Year’s Eve? A party. Once into his account, the hackers wreaked havoc with his address book and locked Pogue out of his kitchen iMac.
Internet Security 101
So if some of the world’s savviest tech folks can get hacked, anyone can. Recently the servers at computer-genius incubator M.I.T., whose “T” stands for technology, were hacked and shut down. And yet there are steps we can all take to lessen the likelihood that some evil sleazeball (or bored 10th-grader) will crack our codes and steal everything from our photos to our cash to our identities.
To improve online safety, both online companies and users need to step up their vigilance. (See below on what companies could be doing.) As for us, here are seven things we can do — today — to better protect ourselves and keep hackers’ paws off our personal life.
1. Create strong passwords. It’s still your best defense, though good passwords are most effective in the context of a larger strategy (see below). They should be at least 10 characters long, use a mix of upper- and lower-case letters, numbers and symbols — and you should never use the same password for more than one website.
You can also use an automated password manager, which generates baffling strings of characters, all controlled by one strong password that you create. Because you will need to remember this password, as well as any other complicated passwords, you should devise a system that’s intuitive for you (but not obvious).
Don’t use your name or initials, even if you substitute 3 for E or 1 for i. Write down the passwords and keep them in a safe place, like a locked drawer or, if you need them while away from home, your wallet. Should you lose your wallet, immediately change your passwords, something you should do every few months anyway.
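The rules in tip No. 1 (at least 10 characters, mixed case, digits, symbols, nothing built from your name even with 3-for-E style substitutions) are easy to turn into a checker, and the random generator is what a password manager does behind the scenes. The code below is an added example written for this article, not a tool the article recommends; the list of substitutions it undoes and the 16-character default length are assumptions.

```python
# Added example (not from the article): a checker for the article's password
# rules and a password-manager-style random generator.
import re
import secrets
import string

MIN_LENGTH = 10  # the article's "at least 10" rule

# Substitutions the article says do not disguise a name (3 for E, 1 for i),
# extended with a few others of the same kind (assumed list).
LEET_MAP = str.maketrans({"3": "e", "1": "i", "0": "o", "@": "a", "$": "s",
                          "5": "s", "4": "a", "7": "t", "!": "i"})


def normalize(text: str) -> str:
    """Lower-case the text and undo digit/symbol-for-letter substitutions."""
    return text.lower().translate(LEET_MAP)


def check_password(password: str, personal_names=()) -> list:
    """Return a list of rule violations; an empty list means the password passes.

    personal_names: names or initials the password must not be built from.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    norm = normalize(password)
    for name in personal_names:
        n = normalize(name)
        # the name is matched after undoing substitutions, so M4ry still counts as Mary
        if len(n) >= 2 and n in norm:
            problems.append(f"contains personal name or initials: {name}")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password, drawing from
    the operating system's cryptographic random source as a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print(check_password("M4ry-Smith-2013", ["Mary", "Smith"]))
    print(generate_password())
```

The generator uses the `secrets` module rather than `random` because the latter is predictable and unsuitable for anything that must resist guessing; the checker is deliberately strict about names because, as the article notes, swapping a digit for a letter fools no one who already knows your name.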
2. Rethink answers to security questions. Between Facebook, LinkedIn, whitepages.com, classmates.com and ancestry.com, a lot of your personal data is out there. Hackers use these sites to get past your security questions. Stay one step ahead by outsmarting them. Your hometown? Pick a place that’s meaningful to you, like where you got engaged. Or use something unrelated, like the name of your favorite old TV show.
3. Opt for double-verification when available. Google has pioneered this. To access Gmail and other Google accounts on any device for the first time, users need their own password plus a one-time password that Google sends to the cell phone number on record. Yes, this system could be cracked, especially if you’ve lost your phone, but it’s a step in the right direction. (See below for more information.)
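What makes that second step worth something is not just that a code is sent to your phone, but how the service handles it: the code is random, kept only as a salted hash, expires quickly, works once, and cannot be guessed by trying every combination. The class below is an added illustration of that server side written for this article; it is not Google’s code, and the five-minute lifetime, six-digit length and five-attempt limit are assumed values.

```python
# Added example (not Google's code): the service side of a second-step
# one-time code like the one the article describes, with the properties
# that make it safe: random code, hashed at rest, short lifetime, single
# use, limited guesses, constant-time comparison.
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6            # assumed code length
LIFETIME_SECONDS = 300     # assumed lifetime; real services choose their own
MAX_ATTEMPTS = 5           # assumed guess limit before the code is discarded


class OneTimeCodeStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user -> (salt, code_hash, expires_at, attempts_left)

    def issue(self, user: str) -> str:
        """Create a fresh code for user and return it so the SMS gateway can send it.
        Only a salted hash is stored, so a copy of the store does not reveal codes."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = (salt, self._hash(salt, code),
                               self._now() + LIFETIME_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]        # expired: the user must request a new code
            return False
        if hmac.compare_digest(self._hash(salt, submitted), code_hash):
            del self._pending[user]        # single use: the same code never works twice
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]        # too many wrong guesses: discard the code
        else:
            self._pending[user] = (salt, code_hash, expires_at, attempts_left)
        return False

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("sent by SMS:", code)
    print("first try:", store.verify("alice", code))    # True
    print("replay:", store.verify("alice", code))       # False, single use
```

The guess limit is what turns a six-digit code from a million possibilities into five, and the hash-at-rest detail is why a leaked database of pending codes is not the same as a leaked set of codes.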
4. Set up a dedicated password-recovery email. Some sites request a second email address where they can send a new password should you lose yours. Create an address just for this purpose. Do not use your name or initials — hackers know that people tend to use some variation of their name for email addresses.
5. Protect your Wi-Fi with a password. An unsecured network is like an unlocked house. But a secure Wi-Fi network is like a firewall around your personal data. Should a hacker get into it, he can use your Wi-Fi to control your computer and send spam, break into your bank account or even steal important password information from sites you visit. So follow the rules in No. 1 and create a strong password known to just you and your chosen users.
When using any public Wi-Fi — from Starbucks to your hotel — always log out of accounts when you’re done. Another level of security is something called a VPN (virtual private network), which will make your information even more secure from criminals. Lifehacker.com offers more information and easy-to-follow directions for choosing a VPN.
6. Don’t click on unfamiliar links. We all get them — from unsuspecting friends whose accounts have been compromised. Most of us know to never click on them, but spammers are getting more clever. A good rule of thumb: If a “friend” sends a link with no personal note, you can be sure it’s bogus. Clicking on it will turn your email into a spamming machine by getting into your address book and sending the link to people you know. At their worst, these links can crash your hard drive. What to do? Just delete, and never be tempted to click. And when you do get one, contact the sender, who’ll need to change his password.
7. Always back up your data. To avoid losing your photos, documents, music and programs (to a hacker or a crash), get an external hard drive, ideally one that automatically backs up your data every day or at least weekly. You can also store your files in the “cloud,” through options like Dropbox, Apple’s iCloud or Rackspace.
Cloud computing or cloud storage is great — but what if you don’t have access to the Web, or experience a service interruption? This is where “redundancy,” or multiple backup systems, comes into play. If you have a lot of important or irreplaceable data, you might even consider keeping an external drive in a safe deposit box (away from fire or theft) and refreshing it every month or so.
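A second copy only counts as redundancy if it actually matches the first, and a drive that sat in a box for months can silently lose a file. The script below, an added example written for this article and not a tool it recommends, builds a hash manifest of one backup and checks a second copy against it; the folder names and the constructed sample files in `demo()` are stand-ins for real drives.

```python
# Added example (not from the article): build a SHA-256 manifest of a backup
# and verify a second copy against it, so redundancy is checked, not assumed.
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large files
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def verify_copy(manifest: dict, copy_root) -> dict:
    """Compare a backup copy against the manifest.
    Returns {relative_path: 'missing' | 'changed' | 'extra'} for every file
    that is not an exact match; an empty dict means the copy is complete."""
    found = build_manifest(copy_root)
    issues = {}
    for rel, digest in manifest.items():
        if rel not in found:
            issues[rel] = "missing"
        elif found[rel] != digest:
            issues[rel] = "changed"
    for rel in found:
        if rel not in manifest:
            issues[rel] = "extra"
    return issues


def demo():
    """Constructed demonstration: a primary backup, a faithful copy, and a copy
    with one corrupted file and one lost file. Returns (good_issues, bad_issues)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        files = {                                   # constructed sample data
            "photos/kid.jpg": b"\xff\xd8constructed-jpeg-bytes",
            "docs/taxes.txt": b"constructed 2012 return",
            "notes.md": b"# constructed backup test",
        }
        for name in ("primary", "good_copy", "bad_copy"):
            for rel, data in files.items():
                p = tmp / name / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # damage the second copy: one file silently corrupted, one lost
        (tmp / "bad_copy" / "photos" / "kid.jpg").write_bytes(b"\x00" * 8)
        (tmp / "bad_copy" / "docs" / "taxes.txt").unlink()
        manifest = build_manifest(tmp / "primary")
        return (verify_copy(manifest, tmp / "good_copy"),
                verify_copy(manifest, tmp / "bad_copy"))


if __name__ == "__main__":
    good, bad = demo()
    print("good copy issues:", good)   # {}
    print("bad copy issues:", bad)     # corrupted and missing files listed
```

Run it against real folders by calling `build_manifest` on the drive you trust, saving the result, and calling `verify_copy` on the other copy; a manifest written when the backup is made also lets you notice later whether the original has changed since.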
Currently, the onus of online security falls mainly on the user/customer. Companies encourage us to trust them with our information, yet many incidents where our data is lost or compromised occur because companies’ security procedures are so easy to outsmart.
One solution is for consumers to insist on a two- or even three-step verification process. For instance, if you’re trying to change your password on your credit card account, to confirm you’re you, companies should ask you about recent purchases, something a hacker isn’t likely to know. Mat Honan suggests that if a company doesn’t provide protection, you just stop using it and find another with better security.
Changing banks or your favorite online stores isn’t easy. Still, a phone call or email to the websites you use most, inquiring about their security procedures, alerts them that consumers are aware of the issues. When you encounter a new ecommerce site that requires only a simple password, either don’t let them store it or find a vendor who does ask for a 10-character password and provides questions for you to answer as well.
If you’re thinking, “I don’t need to do this because no one would want my data,” think again. Your personal identity is priceless, and you don’t want someone stealing it. As the criminals say, “It’s not personal; it’s business.”