When it comes to cyber crime, we assume that most security breaches are carried out by highly technical hackers, breaking carefully crafted defences until they get to our info. But actually there are lots of ways attackers could grab your password info, and even the most vigilant can be caught out – your password alone just isn’t secure enough.
From phishing scams to dodgy free Wi-Fi connections, it’s surprisingly easy to inadvertently give away your data, but what can you do to protect yourself, and how can you add an extra level of security if you are a service provider or website owner?
There are a few different ways of giving up your password – here are three of the most common:
1. Phishing scams – These are emails, often pretending to be from a trusted source like your boss or bank, that contain a link asking you to log into your account or provide password details. These emails contain enough of your data to make them look genuine, so it’s important to be extra careful before you click – make sure you recognise the sender and hover your mouse over the link itself to see whether the URL looks legit.
2. Using free Wi-Fi hotspots – We recently talked about the information you’re giving away when you use Wi-Fi hotspots, and how they’re often not particularly secure, maybe even giving other people using the hotspot an opportunity to tap into your info. If what you’re doing can wait, do it when you get home; if it can’t, steer clear of any sites using sensitive info.
3. Non-Secure Websites – If you do need to use a site that has a login – and this applies whether it’s a hotspot or not – make sure the URL in the address bar has ‘HTTPS’ at the start with a closed padlock icon, and preferably has the company name displayed in green too; without HTTPS the info you’re sending won’t be encrypted and any old loon could read it.
If you reuse passwords across multiple accounts and services – which, if we’re all being honest, most of us do – it means, if one of your accounts is compromised, someone could potentially get into the other accounts that use it too.
So, as a user, what can you do to proactively protect yourself against things like this; and if you’re in charge of a website, how can you help protect your users from unauthorised access to their data?
There are several ways of doing this, but two-factor authentication (2FA) is now widely believed to be one of the best ways of adding a second level of security to your accounts. 2FA will ask you to provide your password as well as another method of identification; this could be a code sent to your mobile phone or something you have on you like a USB key – in a not-so-distant future, it would even make sense to use something like our fingerprints!
One of the drawbacks of SMS-based 2FA is that it can take a while to come through if you’re out of signal or abroad. The Google Authenticator app is a type of 2FA that gets around this by working through the app that you have on your phone. By scanning a QR code on your account into your phone, your app and your account become linked. The app then continuously generates codes that expire after a short period of time and, as it’s constantly happening, you can get a code even if you’re not connected to the internet.
When you log into your account you then enter the code that’s displayed on your app at that time. The account checks it’s the right one for that timeframe and matches up with your app, granting you access.
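The generate-and-check cycle described above, as an added example (not code from UKFast or Google): it follows the TOTP standard (RFC 6238) that Google Authenticator implements. The function names, the one-step drift allowance and the replay check via last_used are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds each code is valid for (RFC 6238 default)
DIGITS = 6     # code length shown by authenticator apps

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, at: float) -> str:
    """Code the app shows at Unix time `at`; needs a clock, not a network."""
    return hotp(key, int(at) // STEP)

def verify(key: bytes, submitted: str, at: float, last_used: int = -1, drift: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.

    drift:     steps accepted either side of 'now' to tolerate clock skew.
    last_used: counter of the last accepted code, so a code seen once
               (for example by a phishing page) cannot be replayed.
    """
    now = int(at) // STEP
    matched = None
    for counter in range(max(0, now - drift), now + drift + 1):
        expected = hotp(key, counter).encode()
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(expected, submitted.encode()) and counter > last_used:
            matched = counter
    return matched

if __name__ == "__main__":
    # Constructed demo: the shared secret from the RFC 6238 test vectors.
    # A real secret is random and is what the QR code carries to the app.
    key = b"12345678901234567890"
    now = time.time()
    code = totp(key, now)
    step = verify(key, code, now)
    print(code, "accepted at step", step)
    print("replayed:", verify(key, code, now, last_used=step))
```

The server should store the returned counter per user and pass it back as last_used on the next login, so each code works only once.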
You should consider enabling 2FA for as many of your accounts as possible, such as blogs or Facebook – you can check which of your accounts offer 2FA. It might seem like a bit of a faff but it’s worth the time.
If you run a website or have a login on your site, it’s probably a good idea to consider building this feature into your service.
Two-factor authentication is available for all MyUKFast users and the Google Authenticator option is live too. To enable it, go to MyUKFast > My Account > Security and select the 2FA method you wish to use.