You might have recently gotten a call from someone who claimed that your bank account has been compromised. If you hung up on the person, good for you. Scam cases have continued to rise over the years, making up 27 per cent of crime cases in Singapore last year.
This Safer Internet Day, HackerOne, the leading authority in hacker-powered security, shares tips from hackers on how to keep yourself safe.
How to manage your passwords
Newbie HackerOne hacker, Katie Paxton-Fear aka InsiderPHD, shares her practical approach for managing passwords, which, as she reminds us, can be a huge mental load to remember and generate:
“I use a password manager (LastPass) to store my passwords—it also generates them for me, which saves me coming up with new ones. I know it sounds super insecure but for some passwords I write down a hint—it’s better to have something written down physically than stored digitally anywhere other than a password manager. Obviously I keep these written password hints in a safe location, always on my person, and keep good physical security measures—not writing what the hint is for or taking pictures of the hint.
Multi-factor authentication can also help add another layer of security so, if a password is compromised, the account does not also become compromised. You have program-specific authentications such as Blizzard Authenticator, but there are also authenticators that can be set up for multiple programs, such as Microsoft Authenticator.
My final piece of advice is to use an algorithm, incorporating the name of a website or service into a password. I used to use this method but now I simply keep all unique passwords in my password manager.”
British hacker, Tom Hudson a.k.a Tomnomnom, follows up with his top tips:
- Use a password manager
- Have a different password for every account – preferably long ones auto-generated by your password manager
- Enable Two Factor Authentication where possible – with a preference for non-SMS based methods where available (e.g. Authy/Google Authenticator)
- Use the ‘notify me’ service on haveibeenpwned.com to help identify when your account details might be compromised
The tech you might want to avoid
Privacy conscious German hacker, Julien Ahrens a.k.a Mr. Tuxracer, says “I personally avoid any app or website that has had major breaches in the past. For example, certain social media sites because they have had breaches or data privacy issues, and more than once.
I also avoid nearly anything related to “IoT”. Everything is connected to the internet today, even your crazy, pink, fluffy toaster, but most of the vendors have no real interest (or budget) for security, only selling their new product. I’ve found an RCE in every IoT product that I have had a look at in the past, and I don’t want to have this in my home.”
Pragmatist Katie adds, “I know a lot of people avoid certain technology but I rely on a spidey sense of cyber danger; I look for red flags, similar to spotting a phishing website: if it seems dodgy, you should trust your instincts. When I do use sites that I suspect don’t take security seriously, I opt to use services like Paypal where I know security is a priority, instead of letting a website save my payment details. As for mobile apps, I keep on top of any apps that use sensitive information, like my location or health information, and if I think they don’t need that information, I simply delete the app from my phone. The only technology I avoid using for anything day-to-day is my hacking tablet! It’s purposefully completely unsafe for bug hunting!”
How to secure your smart devices
Hackers prefer to eschew IoT as a notorious security weak spot, but British hacker, James Kettle a.k.a albinowax, advises that anyone who wants to sleep safe in the knowledge they’ve secured their smart fridge, doorbell or TV should follow these rules for smart devices:
- Smart devices are most exposed to attack if attackers end up on your Wi-Fi/LAN, so I lock down my Wi-Fi by using a strong, non-default password
- Use wired connections instead of Wi-Fi where possible
- Isolate smart devices on a different VLAN, however, this is not very easy and may require a fancy router
How to avoid getting scammed on a day-to-day basis
American hacker, Jesse a.k.a Random Deduction, advises:
- Don’t follow links in emails. Instead, go to the site directly.
- If you receive a call/text from a bank or any organisation, tell them you will call them back. Use the number on the back of your card or from the company’s website, not one the potential hacker gave you, to reach out to the organisation directly.
Lisa Jiggetts a.k.a cyberjin adds “things that make me the slightest bit suspicious raise red flags, like weird calls, texts and emails. It’s getting harder these days because the bad guys are really good. I fell for one earlier this year; they spoofed one of my banks’ phone numbers for an old account that I don’t use but, a couple of minutes into the call, alarm bells started ringing. They had already changed my address on my account and I didn’t have 2FA set up at the time, so I knew that my login credentials were compromised and that’s how they initially got in.”
The tech hackers use to stay secure
Indian hacker, Sandeep Singh a.k.a GeekBoy, recommends the Telegram messaging app, which offers multiple features for security and privacy.
Lisa Jiggetts says she tries to keep social media posts minimal, without divulging too much personal info that could be used for a potential attack. “I always check the privacy settings to make sure a new setting wasn’t “snuck in” after an update, and that the settings are set at the most restrictive option. On my phone, I keep Bluetooth, Wi-Fi and GPS turned off unless I’m using it. I always use a VPN whether on my phone or laptop. All of my accounts are set to use 2FA and I regularly change my passwords and use a password manager.”
Swedish hacker, Fredrik Alexandersson a.k.a Stok, says that he always struggles with remembering passwords, so some kind of password manager is a must. “If it’s Lastpass, 1Password or any other solution, it doesn’t really matter as long as you use it in combination with two-factor authentication. Preferably one that uses any kind of “push” technology so you just have to approve your login on your phone. I’m also a big advocate of using VPN services that care about their customers’ privacy, just like mullvad.net. So always make sure you read up on the privacy agreement of your VPN (virtual private network) provider so you don’t end up signing a user agreement with a man-in-the-middle-attack-like service.”
Jesse adds “whenever possible, enable multi-factor authentication on your accounts. Using a mobile app like Authy or Duo to obtain an authentication code that allows you to log in after you supply your password will stop a huge portion of attacks on the average person.”