A client of ours recently reported their email account was hacked. Without going into any specific details of this, here are some words of advice:
Wifi Networks
When using free wifi networks, there is often no encryption between you and the network. That means you can only rely on end-to-end encryption, such as when you open a banking website or app. Any traffic to a website that is HTTP-only is sent in the clear.
Shockingly, email passwords may also be sent in the clear. If you are using POP or IMAP without SSL, your password travels as plain text, where anyone on the network can read it or pluck it out of the air. SSL is the best way to combat this, together with an awareness of how insecure open wifi networks are.
MITM Attack
This type of hack uses a rogue wifi point that appears to be genuine. Its sole purpose is to capture passwords and details as you log in to email and websites. It can be difficult to spot, but it never requires a password to join, which makes it very easy to gain access.
Phishing Attack
Phishing is the act of spoofing an email so that it looks like it’s from Microsoft, PayPal, your bank or another service provider, and including a link to ‘reset your account’ or similar. When you click the link, you are taken to a website which looks like the genuine one, but isn’t. As soon as you type your password, you get a message ‘oops, your password is incorrect’ and you think ‘silly me, try again’. Of course, you’ve now confirmed at least 1 if not 2 of your passwords to a hacker.
The best way to avoid this is to check the links in the email, by hovering over them to see exactly where they will take you – BEFORE you click.
You can check your awareness of phishing websites by taking this quiz: https://www.opendns.com/phishing-quiz/
Brute Force and Dictionary attacks
Hackers might try to guess your password. Well, they’ll use a computer to do it, increasing attempts from several per minute to several thousand per second, starting with a, b, c… then aa, ab, ac… so in this case a longer password helps a lot. To increase their speed, they may start with words from the dictionary rather than random character sequences, so it’s important either to alter words or to combine several, e.g. DogBikeField1984. You can check your password strength at https://howsecureismypassword.net/ to see how long it would take an attacker to guess it.
Password recycling
This is the practice of using the same password on several websites. It’s pretty unlikely your bank will get hacked. It’s much more likely your local cycling club website will get hacked, but if you’ve used the same email address and password in both places, guess what? Hackers now have your banking password.
The best advice is to use random passwords as much as possible, and to use a password manager like www.lastpass.com to store your passwords for you. Just don’t forget the master password!
2FA / MFA
2-factor authentication (2FA) or multi-factor authentication (MFA) makes hacking a lot harder. It is based on the premise that you need more than just 1 thing to access an account, typically 2 of the 3 categories: ‘something you know’ (e.g. a password or your mother’s maiden name), ‘something you have’ (e.g. a token or card) and ‘something you are’ (e.g. biometrics such as a fingerprint or an iris scan).
Think about using a cash point: cash points have been 2FA for years, since you must ‘have’ a card and ‘know’ the PIN. A number of websites now use or allow 2FA with mobile-phone apps that generate a one-time code, unique to you and linked to your login. Apple and iTunes is probably the best-known example, although Google accounts also let you use 2FA.
Old Kit
Make sure old hardware is disposed of correctly. Regardless of any Data Protection / GDPR requirements, the convenient ‘remember my password’ feature of your browser stores passwords in an easily readable format. Make sure the device is securely wiped before you give it away or throw it out.
Eset Endpoint Security
Our favourite security software includes antivirus, anti-malware and a firewall, to help protect you against compromised computers, whether on your own network or on a public wifi network. We strongly suggest you protect yourself, on both PC and Mac.