NEWS - HMS TECH TRAINING AND SUPPORT


HMS TRAINING AND SUPPORT
REGULAR IT TIPS AND NEWS - MARCH 2024

This information is a general guide about how to stay secure. There may be some detail missing, or you may have had a poor experience with the apps or security methods suggested below; if so, please do let me know. If you need a “security overhaul” of your online accounts, email or device setup, please contact me.
SECURITY SPECIAL
Over the last couple of months, some people have experienced a worrying number of security warnings and problems regarding logins and passwords.  A couple have had their accounts hacked.   I believe this could be due to the largest ever leak, or breach, earlier this year of data from multiple sources, consisting of billions of user IDs and passwords.  All these account credentials are now available on the dark web for purchase and can be used to try to log in to the accounts listed.
The question is, if we assume that hackers/criminals/scammers have access to our email address details (commonly used as usernames) and some passwords, what can we do to protect ourselves from them?
FIRST STEP
Check whether your email address (username) and password are on a publicly available list by:
1.      Going to the password settings on your device either in Settings, Passwords on your phone or tablet, or in your browser (Edge, Safari, Chrome, Firefox etc) on your computer, and checking the security recommendations.  As an example of how to do this (I don’t have room here to describe every option in detail, so please contact me if you need help) on your iPhone:
a.      Tap Settings
b.     Tap Passwords and enter the security information to view passwords
c.      Tap Security Recommendations
d.     Take note of the security recommendations provided
Urgent action needs to be taken when it says, “This password has appeared in a data leak”. I recommend changing the password as soon as possible (again, if you need help please contact me). Alternatively, or if you don’t save passwords on your device or in your browser, there is another way to check if you’re on the leaked lists. Visit Have I Been Pwned (“Check if your email has been compromised in a data breach”) and type your email address into the space provided. If it is listed, then go to the passwords section of the site to check whether your passwords have also been compromised. To find out more about HaveIBeenPwned and those who created this useful site (and why you can trust them), read their FAQs (Have I Been Pwned: FAQs). They help governments and are recommended by security experts such as Malwarebytes.
2.      When creating a new password:
a.      Avoid using personal information as part of a password
b.     Always include a combination of letters, numbers and symbols using at least 16 characters
c.      Don’t use the same password for multiple accounts.  This risks a cybercriminal being able to access more than one account from only one data breach.
d.     Avoid using a single word found in a dictionary.  Using three words joined together is a good tip.
e.      Randomise letters, numbers and symbols rather than using a logical sequence.
f.      If you store your passwords online, ensure the password manager used is encrypted and that you can access the account using a secure backup method (i.e. changing the account credentials online using two-factor authentication) even if you lose your master password.
SECOND STEP
Ensure you have two-factor authentication (2FA) set on any account that allows it, especially accounts that you use for email and any account that holds financial information or stores your card details. These can include Microsoft, Google, Apple, BT, Sky, Yahoo, banks and retailers. There may be more; each person has different accounts. This means that no one can log into your account/s without first typing in a code or using a verification method via your phone, authentication app or email account.
THIRD STEP
When paying for something online, set up and use a digital wallet such as Apple Pay or PayPal. It’s more secure than entering your card details on a website, and it also removes the need to save your card details in your web browser (Edge, Safari, Chrome, Firefox etc) for ease of use. Of the two payment systems, Apple Pay is more secure as it uses encryption linked to biometric authentication (Face ID or Touch ID) to protect your payment information – the card details are not visible online at any time during the transaction. Using PayPal can be a little clunky as you must move away from the store’s checkout to the PayPal site to complete the transaction, but again, providing your PayPal login is remembered by your device and secured using biometric authentication (Face ID or Touch ID), all information processed is secure. There’s the added benefit that PayPal is accepted at a larger number of checkouts and PayPal monitors transactions to help prevent identity theft, fraud and phishing.
WHAT ELSE CAN I DO TO STAY SAFE ONLINE?
In the past I have written about other security recommendations and actions to take when online.  The internet as a whole and public wifi connections are easily compromised if you know how and have intent to steal, defraud or collect data for nefarious purposes.  So, what can you do to stay safe?
AVOID USING LINKS IN EMAILS
Phishing emails are rife. If you receive an email purporting to be from a bank, retailer, delivery service, utility company, online service provider or even a friend you’re not expecting to hear from, treat it with the utmost suspicion. Do not click on any links in emails you do not trust implicitly. Instead, use your browser (Edge, Safari, Chrome, Firefox etc) and go to the website of the organisation concerned to log in or look for the information suggested in the email. Contact the individual you’ve heard from using a different method, i.e. text, WhatsApp or phone, to check if they sent the email. If fear is used as a prompt to action, or any sort of urgency to act is suggested by the email, be even more suspicious – fear is used as a tool by scammers to persuade you to act without taking time to think through the message content or check its veracity.
CHECK THE SECURITY OF THE WEBSITE YOU’RE VISITING
If you need to make a purchase online without using an online wallet, or are entering personal information, look for the padlock to the left of the web address in the address bar at the top of the window.
AVOID USING UNSECURED, PUBLIC WIFI WHEN OUT AND ABOUT OR TRAVELLING
Have you ever been tempted to join the free wifi at an airport, a hotel, café or public space where it’s offered? In the past we thought nothing of it, except perhaps to enjoy the convenience. Nowadays, however, we must assume that someone is sitting on their computer looking for devices that join the wifi. Using specialist software, they can potentially access your device’s data or monitor the data being sent from that device to the internet access point. To avoid this risk:
1.      Do not join wifi networks that do not have a password and show without a padlock next to them in the available wifi list on your device.
2.      Do not join wifi networks that have a shared or publicised password, even if the padlock shows.  If everyone knows the password, it’s not secure.
3.      Do use your phone’s personal hotspot if you know you have plenty of data available via your mobile provider.  Check if there’s a limit on how much you can use cheaply when abroad.
4.      Do use a VPN if you have to join an insecure wifi network and there’s no alternative. If you use a VPN, use a paid-for, recognised and trustworthy one, such as Nord VPN. I have explained and discussed the use of VPNs in previous newsletters. For a good explanation of what a VPN is and how to install one on your device, see “What is a VPN and how does it work?” on MoneySuperMarket.com, whose information I trust, or please do contact me for help.
KNOW HOW TO WIPE YOUR DEVICE REMOTELY IF YOU LOSE IT
Most devices, even some Windows PCs, now come with the ability to wipe them of data remotely if they are lost or stolen.  This means that, if your device gets into the hands of a criminal, you can delete all your personal data from it before they stand a chance of getting to it.
AVOIDING SCAMS AND INCREASING DEVICE SECURITY
DO NOT ENTER YOUR PASSCODE INTO YOUR PHONE WHEN USING IT TO PAY IN A STORE
If you’re in a public place and are paying using your phone, use biometric authentication (Face ID or Touch ID) in preference to entering your passcode. If someone can see your passcode being entered over your shoulder, there’s more of an incentive to try to steal it. Ditto entering PIN codes for a card – tap and pay is far more secure.
SCAMS BY PHONE OR AT YOUR DOOR
Many scams are still enacted by fraudsters via your phone (predominantly landlines where the numbers are publicly available) or on your doorstep.  I have promoted the BBC’s Scam Interceptors programme before and it’s still a great resource of info to help keep you scam-aware and safe.  Here’s a link to their website:  BBC One - Scam Interceptors
I hope this is of interest and I will publish it as a permanent reference on my website for future use.
Enjoy the Spring weather
Cathryn

Disclaimer:  Copyright HMS Training 2024.  Facts and prices published in this newsletter are time sensitive and may go out of date.  The content is based on my personal research and opinion.

HMS PC Training and Support
10 Hawkwood Rise - Great Bookham - Leatherhead - Surrey - KT23 4JP
UK
+44 (0)1372 459434
+44 (0)795 228 7655