2015-06-03

[This is Part 2 of 3 in an ongoing series addressing security measures and precautions that help prevent domain and data theft. You can read the previous article here]

In the last article we covered the hazards of unsecured connections and how to avoid letting your domains and other data slip through your fingers while browsing sensitive areas. This time we’ll go over some of the simplest, but boldest, attacks and the best ways to prevent them.

Phishing, Guessing, Plain Bold Social Engineering Attacks and How to Prevent Them

Phishing – Don’t always believe you received an email from a colleague, admin, or relative, as email spoofing (falsified header info) is easily accomplished. Thieves will portray themselves as a trusted party like your registrar account rep, a relative, your dog, etc. to acquire any sort of sensitive information from you: access permissions, transfer requests, database editing requests, passwords, usernames, middle names, PayPal requests, credit card details, mother’s maiden name, and pretty much any information used for default “forgot password” questions. Avoid these schemes and set up a security net that will have thieves guessing for weeks.

Don’t Share Your Information – This is the easiest way of thwarting attacks. People are often fast and loose with sharing their login credentials with people they may know or those appearing to be someone in a position of power. You should never put yourself in a circumstance where you have to email, text, write, or tell someone your password. There’s never a reason to give your login info to a company employee requesting it. An employee in the correct power structure of an organization will already have access to your account without your password.

Share Access Instead of Passwords – There are countless times when you need someone on your team, family, etc. to access accounts for you. In this event, rather than sharing the same account or straight up sending them your password, invite them to create their own account and share access with them. You can usually set security measures to prevent them from accessing sensitive areas or to control how they log in, which limits the threat.

Share by Other Means – In the domain industry we’re often relegated to communicating with individuals over virtual mediums across vast distances. I never recommend sharing login credentials with another person, but if you absolutely must share a password with someone, you can stifle basic attacks by using the following:

Create a Cipher – Create a set method for shifting the characters around in your password that only you and the receiver know. E.g. Password becomes WORDSApS
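The example above is a fixed transposition: the characters of the password are reordered by a position map that only sender and receiver know, and every letter has its case flipped. The Python below is an added illustration, not code from the article; the permutation EXAMPLE_PERM is constructed here so that it reproduces the article’s “Password” → “WORDSApS”, and both sides must hold the same permutation to get the original back. It hides the password from a casual glance at a message, which is all the article claims for it; anyone who sees both a scrambled and an unscrambled value can recover the map, so it is no substitute for a password manager’s encrypted share.

```python
# Shared secret, agreed out of band: a permutation of positions 0..n-1.
# Constructed for this example; it reproduces "Password" -> "WORDSApS".
# output[i] = password[EXAMPLE_PERM[i]], then the case of every letter is flipped.
EXAMPLE_PERM = [4, 5, 6, 7, 2, 1, 0, 3]


def _check_perm(perm, length):
    """Reject keys that are not a permutation of exactly the positions 0..length-1."""
    if sorted(perm) != list(range(length)):
        raise ValueError(
            f"key must be a permutation of 0..{length - 1}, got {perm}")


def scramble(password, perm):
    """Reorder characters by `perm`, then flip the case of every letter."""
    _check_perm(perm, len(password))
    return "".join(password[i] for i in perm).swapcase()


def unscramble(scrambled, perm):
    """Inverse of scramble: undo the case flip, then put each character back."""
    _check_perm(perm, len(scrambled))
    plain = scrambled.swapcase()
    out = [""] * len(plain)
    for out_pos, src_pos in enumerate(perm):
        out[src_pos] = plain[out_pos]
    return "".join(out)


def round_trips(password, perm):
    """True when unscramble(scramble(password)) gives the password back."""
    return unscramble(scramble(password, perm), perm) == password


if __name__ == "__main__":
    print(scramble("Password", EXAMPLE_PERM))    # WORDSApS
    print(unscramble("WORDSApS", EXAMPLE_PERM))  # Password
```

The `_check_perm` guard matters in practice: a key of the wrong length, or one that repeats a position, would silently drop characters, and the receiver would end up locked out rather than alerted.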

Steganography Programs – This trick conceals information in plain sight within another message, video, or picture. There’s several programs out there that will disguise your password for you as a meme or video. Just make sure to use a reputable one and still use a cipher.

Self-Destructing Mediums – If you have to do this on a regular basis, try combining tactics. Use a cipher, a steganography program, and send them over a secure medium like Cyber Dust where messages are automatically destroyed 30 seconds after they’re read. This is the most “Mission Impossible” style way of sending your info.

Password Sharing Programs – There are several secure password managers out there and most of them allow you to share encrypted passwords with another user. Note that Google Chrome’s password storing function does not count as a safe means for safeguarding your login credentials.

In Person or Over the Phone – This is the most secure way of transmitting sensitive data. If the person isn’t geographically located near you, try calling them up over the phone and telling them.

Share Username Separately – Always share your username with the receiver via a different medium. It takes two pieces of information for someone to access your account. Splitting these up makes it twice as difficult for criminals.

Call Public Company Numbers – If you’ve received a call, voicemail, email, or text warning you of fraudulent activities with one of your accounts, don’t promptly respond. Take an extra precaution by calling the organization’s publicly listed customer service number and explaining that you’ve been contacted. They’ll usually have a record of it and can patch you through to the department trying to reach you. This way you’re not responding to a criminal that’s posing as one of your account reps. You’d be surprised at how often this happens, and how often it’s done by automated calling systems.

Guessing – One of the easiest ways a criminal can penetrate your accounts is simply guessing your password and security questions.

Strength – Make your passwords as long as possible (or at least 8 characters in length) and include letters, numbers, and special characters. Password managers and several free online locations can automatically generate new ones for you; just be sure they’re trustworthy.

Worst Passwords – Don’t use the following: relatives’ names, birthdays, cars, “1234,” “password,” superheroes, sports, “salt,” “qwerty,” or anything else easily found online or guessed.
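If you would rather not trust an online generator, the two rules above (length plus character variety, and nothing from the easily guessed list) are small enough to apply locally. The Python below is an added example and not the article’s code: it draws from the operating system’s cryptographic random source via the standard `secrets` module, and the WORST set is constructed here from the article’s own list plus a couple of obvious variants; a real checker would use a breached-password list instead.

```python
import secrets
import string

# Known-bad values, constructed from the article's list (a real deployment
# would check against a breach corpus rather than a handful of strings).
WORST = {"1234", "12345", "password", "qwerty", "salt", "letmein"}

# Letters, digits and special characters, as the article asks for.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_acceptable(password):
    """The article's rules: at least 8 characters, letters + digits + specials,
    and not a known-bad value even with digits or punctuation tacked on the end
    (so "Password123!" is rejected along with "password")."""
    if len(password) < 8:
        return False
    base = password.lower().rstrip(string.digits + string.punctuation)
    if base in WORST:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_letter and has_digit and has_special


def generate_password(length=20):
    """Random password from the OS CSPRNG (secrets, not random), resampled
    until it satisfies is_acceptable so every character class is present."""
    if length < 8:
        raise ValueError("the article's floor is 8 characters; use a longer length")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    for sample in ("password", "Password123!", "qwerty", "xK9#vQ2m"):
        print(sample, "->", "ok" if is_acceptable(sample) else "rejected")
```

The `rstrip` step is what makes the bad-word check worth having: the most common way people “fix” a rejected password is to append a digit or an exclamation mark, which changes nothing about how guessable it is.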

Physical Location – Writing your most sensitive information on paper is the best way to safeguard it, but thieves don’t have to guess your password if it’s on a sticky-note on your monitor or sitting in a drawer next to your computer labeled “logins.”

Variety – Don’t use the same passwords for everything. Plenty of sites still haven’t patched past flaws such as the OpenSSL Heartbleed bug, have broken authentication, injection flaws, and other basic security misconfiguration problems, or even leave themselves open to attack with easy-to-guess passwords or less than honest employees. Once a thief has your email and password, they’re going to try it everywhere else that’s connected to you.

Two-Step Verification – Sometimes called multi-factor authentication, enabling this wherever possible will eliminate the threat of using your password against you. If your registrar doesn’t have this, consider transferring your domains before someone else does.

Random and Various Security Answers – Use fake information for alternate security questions. Get creative and think up cars, pets, and people who don’t exist as answers.

Social Engineering – Were you afraid when you thought someone could guess your password? Most of the time they don’t actually need it. A true hacker only requires a handful of information: your email address, name, physical address, phone number, and the last 4 digits of your credit card number (you know, the one that’s printed on all your bills in the mail, the grocery receipts you throw away, and the slip the 16-year-old delivery boy checks when you order Chinese food or pizza). Credit card numbers aside, everything else can be found online in minutes. A 19-year-old hacker only needed a Wired senior staff writer’s email and physical address to start the infiltration process on his Amazon, Apple, Twitter, and Google accounts. The former owner of the Twitter handle @N had it taken over by simple social engineering tactics. Don’t just react to intrusions and hacking attempts when they occur; be proactively safe.

Various Emails – Just as you have separate keys for your car and home, your username and account emails should vary. Try not to have any overlap in the following types of accounts: domains and other digital assets, financial, social, services & e-commerce, backup email recovery (this one is essential), and random. Six different emails can be laborious at the very start, but it’s worth the effort. If you want to cut out the hassle and be extra safe, try using email masking services, like Blur, that will generate random ones and store them for you.

Gmail Recovery Email – People usually gloss over this one, but it’s essential that you create one and don’t link it to anything else. Ever.

Hacked Email – Once someone gains access to your email, they’ll also have access to anything connected to it and contained in it.

Custom Email Addresses – Don’t use custom email addresses for sensitive data unless your domain is at a secure registrar immune to common social engineering attacks. If you still decide to use them, set TTL times to take as long as possible and turn notifications on.

Delete Old Messages – Destroy old emails that may have your password or other sensitive data.

Forwarding and Login Activity – Occasionally check if your email is forwarding to another account and monitor past logged in devices and location information. The truly clever crooks will never let you know they’ve gained access to your account.

Special Account Notes – For important accounts, call their customer service center and ask them to place a note on your account stating not to give out information or reset your password under any circumstances. Some of the most important sites include your main registrars, Amazon, and Apple. All of these companies take a plethora of security precautions to keep your information safe, but it never hurts to add extra security for that stray employee that’s tired or about to quit. For registrars, try to request that they wait an extra allotment of days before initiating transfers.

Notifications – How often are you alerted, if at all, when you transfer a domain, make a large transaction, or change your password? If you have to guess, check that all your important accounts communicate important updates to you.

Credit Cards – Using credit cards is unavoidable in our daily lives. The only way around their security risks is masking the number and changing it every couple of years.

PayPal is a good third-party payment processor, but changing your credit card number is the best method. Ultimately we’re trying to protect our domains and assets, not our credit card numbers. Credit card payments are easily reversed (unless you’re using a debit card, which is the worst idea known to man) while stolen domains are not.

Stolen Computer or Phone – Forget about hackers Googling your public information or using your phone’s accelerometer to read the vibrations in your keyboard strokes. Did you just leave your laptop alone at a crowded Starbucks to use the restroom?

Remote Wiping – Almost all devices have a system in place for remote wiping; you just have to set it up. Some devices even have an option to wipe themselves after a predefined number of failed unlock attempts.

Secure Mobile Device Data – Always encrypt and password protect sensitive data. Locking your phone might be a bit laborious in the long run, so at least lock the areas on your phone with access to sensitive information. The Google Authenticator app isn’t any good for two-step verification if someone can easily access it.

Whether you’re a high-profile executive or a fast food worker, we’re all at risk in these scenarios. Even those with less publicity or insignificant assets are future potential victims. Intelligent criminals buy, sell, and trade your information to be used at a later date. Small amounts of sensitive information being leaked now could affect your future security. Furthermore, leaving yourself open to easy attacks only encourages miscreants to continue their delinquent conduct. Don’t feed black market activities. Think long-term and have a strategy.

Stay tuned for Part III of this series next week where I will address incognito malicious applications.
