Tonight I read an article on Internet security pitched at ordinary Internet users. The premise is that most people have a bank account, an email account, a couple of social networking accounts, an investment account, and so on. Defense usually concerns loss of account credentials (username and password) and general safety when buying products online. I'm not excited about the articles I've read so far because I think they miss tactics that would help avoid incidents. Here are a few ideas that I'd consider 'Extra Credit', but which make life a lot harder for attackers:
Use a different strong password for every account. Just do it. Painfully hard, but a lot less is lost if one credential is taken while the others stay intact. Federated login (logging into TripIt with the Facebook button, for instance) can reduce the number of times a password needs to be typed. This is fine as long as the federation makes sense, that is, as long as the 'master' account is used at least as safely as the account it unlocks. (For example, using a social network login to access your bank account: you might have no problem typing the social network password into your phone, but be hard pressed to store the password that controls your bank accounts, transfers and bill pay on a phone.) Feel free to write these passwords down and keep them in a wallet, or use password management software such as 1Password. Be wary of services like LastPass, which will happily let you recover all the passwords through email. Consider this article on writing secure passwords, or trust a password management tool to do it for you.
Consider enhanced login services. Some services offer two-factor or text-to-your-phone codes to help prove that you're actually who you say you are, beyond a username and password. Others are as simple as asking personal questions when you log in from an unknown computer. The former is better: it usually requires an attacker to operate in 'real time', and it raises the difficulty considerably, because the combination of username, password and code is valid for a much shorter time than a username and password alone without a second factor.
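To make the "valid for a much shorter time" point concrete, here is an added example (not code from the original post) of how a time-based one-time code works on the server side. It goes beyond the text-message codes the post mentions: it implements the standard TOTP scheme (RFC 6238, built on HOTP from RFC 4226) that authenticator apps use, and shows a login check that requires both the password and a code that is only accepted within a one-step window on either side of the current 30-second slot. The user record, salt, password and secret are all constructed for the example; the test secret is the one from the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time slot."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept a code only for the current slot and `window` slots on either side.

    The window tolerates clock skew; anything older is rejected, which is what
    limits how long a captured username/password/code triple stays useful.
    """
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, len(code)), code):
            return True
    return False


def check_login(username: str, password: str, code: str,
                at_time: int, users: dict) -> bool:
    """Both factors must pass: salted PBKDF2 password hash and a fresh TOTP code."""
    rec = users.get(username)
    if rec is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    pw_ok = hmac.compare_digest(derived, rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], code, at_time)
    return pw_ok and otp_ok


# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed user store for the example; a real service would keep this in a database.
_SALT = b"constructed-salt-not-real"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": RFC_SECRET,
    }
}


if __name__ == "__main__":
    now = 1000  # constructed timestamp so the run is deterministic
    code = totp(RFC_SECRET, now)
    print("fresh code accepted:", check_login("alice", "correct horse", code, now, USERS))
    print("same code 90 s later:", check_login("alice", "correct horse", code, now + 90, USERS))
```

The `window` of one step means a code is accepted for roughly 90 seconds in total, after which an attacker who captured it has nothing usable; compare that with a stolen password, which works until it is changed.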
Use a secure Internet browser. Not all browsers are maintained equally well. Take a look at Pwn2Own, a contest at the CanSecWest conference that pits major browsers and devices against researchers, with prizes for those who break a given system. Firefox and Chrome did well this year (2011). Both of these browsers also pay independent researchers bounties for turning in serious bugs.
Buy online from major retailers, or use a payment service with smaller retailers you trust. Lots of major retailers preemptively match prices online, and some larger Internet-only resellers can be trusted to handle credit cards correctly. However, that cool custom-made gadget may only be available from a smaller retailer that you trust to ship the new toy, but whose online store you don't necessarily trust to keep your credit card information safe. No worries: most of these companies realize this and offer payment via PayPal, Amazon and Google Checkout (and others, but I don't know them all offhand, and those are the ones I can easily trust). Some of these payment systems offer buyer guarantees based on seller reputation. Amazon even fulfills some of the products from these smaller firms, so they arrive faster too.
Things you should already be doing, usually covered in articles like this: antivirus, even on a Mac (no, I'm serious this time); automatic updates; watching for odd activity on accounts and taking action when you notice it; not trusting emails from anyone claiming to want personal or financial information; and, when your computer suddenly acts weird, getting someone to check it out.
And for God's sake, stop installing video codecs.