Blog

Online Security Basics for Normal People

I had to have the talk with my parents the other day. Not that talk. The security talk.

Like most people they do most of their banking online and I was strongly recommending they do everything possible to secure their accounts.

It seems hard for a day to go by without news of a new cyberattack on a company and how it costs them millions. In most cases, those attacks could have been prevented with a few simple steps.

Yes, setting up additional security can be a pain and yes, sometimes it will slow down your login procedure.

But ask yourself, would you rather spend an extra thirty seconds to log in or deal with discovering your retirement account is empty?

Okay… How?

Most of the services, accounts, apps. etc. that you use today have what’s called multi-factor authentication (sometimes referred to as two step authentication). This simply means that when you log into your account, a secondary step of some sort is required to authenticate the login procedure. Sometimes this can be a text message. Other times it could be an app on your phone that generates a pin, or it could even be a USB stick (really secure!).

Does MFA really work?

In short, according to Microsoft and Google it works.

Microsoft states “One simple action you can take to prevent 99.9 percent of attacks on your accounts”.

Google for their part have stated:

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”

That last part, 66% for targeted attacks means that should you be unlucky enough for somebody to want to actively get into your accounts you’re more vulnerable. However, there also ways to minimize this. The most common vulnerability I’m aware of is phishing. Phishing is when someone sends you an email that looks just like an official email and asks you to do something like reset your password. When you do, they have your password.

One way to prevent this is to never click on email links. Maybe a little unrealistic. You can also check the sender’s email address and make sure it looks like:

[email protected]

Sometimes, thanks to email marketing, these emails might look like

email+marketing@marketing.safe-domain.com

That’s okay. As long as what precedes .com is “safe-domain.com”.

NOT email+marketing@marketing.similar-to-safe-domain.com

NOT email@safe-domain.other-domain.com

The latter two are some sort of attacks.

If you’re ever in doubt, just trigger a password reset for the account in question on your own from the actual website and reset your password or just use Google to go into the account.

How severe is this problem?

Alexander Weinert is the Director of Identity Security at Microsoft stated that among cloud users, only 11% use multi-factor authentication!

This gentleman also reported that over 1.2 million Microsoft Enterprise accounts get compromised each month!

IBM and the Ponemon Institute’s 2020 Cost of Data Breach Report stated that the average data breach cost $3.86 million in 2020.

How to set up MFA on your accounts

The process for setting up MFA on your accounts varies by account. The steps are different for Google, Microsoft, your bank, my bank etc.

Having said that, after logging into your account, look for account settings, security settings, multi-factor authentication, two step authentication or terms in that spirit. At worst, you can contact their support team. They should be eager to help you prevent their company name from appearing on the next “company got hacked!” news story.

If you’re given a choice, choose to use an authentication app on your phone instead of text messages. Text messages are not that secure but having text message MFA is exponentially better than nothing at all!

When you set up MFA most accounts will give you backup codes or some other means of authentication. Ask yourself, what happens if you lose your phone and can’t get into your bank. So you should always have a second method to get in whenever possible. Also, never lose your phone.

Which accounts should you secure?

Any account that offers MFA!

But in terms of priority, ask yourself “if somebody logged into my ___ account how much damage could they do?” and go in that order.

One often forgotten aspect of this is the email account associated with your bank etc. That email is the master key. The first thing you should do is secure any (all) email accounts with access to your sensitive accounts by following the steps above.

Don’t forget to secure your phone!

In most cases, your phone is the multi-factor in multi-factor authentication. So be sure to set a pin on your phone.

Whether you use text messages or an app on your phone to generate a pin, if somebody gets a hold of your phone you’re in trouble.

It shocks me to learn when people don’t have a pin on their phones! In most cases, if I have your phone, chances are, I can get into your bank accounts thanks to apps, email etc.

So set a pin! And not just a 4 digit pin. A 4 digit pin has a mere 10,000 combinations. Using a 6 digit pin will bring this number to 999,999 combinations.

It costs you 2 seconds to enter an additional 2 digits each time you unlock your phone to go from 10,000 to nearly a million combinations!

Next steps

1. Set a 6 digit pin on your phone(s)
2. Set up MFA on your email accounts (Google “setup MFA Gmail” or “setup MFA Microsoft”)
3. Next time you log into your Facebook account, bank account etc., ask yourself “do I have MFA set up on this?”
4. If not set it up!

Final words

Yes, setting up additional security isn’t fun. Yes, taking an extra 10-30 seconds to log into each account isn’t wonderful. But think, everytime you log into an account and mentally sigh at having to take extra steps to log in, let it serve as a reminder that your accounts are 99% more secure and that you’re more secure than nearly 90% of all Microsoft Enterprise users!

Thoughts, questions, need help? Contact me.