We’re spending more time online these days — shopping, video calling friends and family, streaming movies or maybe searching for the best-ever butter tart recipe. And then there are your computer-connected smart devices, like your TV, phone, watch, speakers, virtual assistant…. That’s a bushelful of potential security concerns.
If only you had your personal cyber expert on call to answer your questions. You don’t, so we asked one for you: Daniel Tobok, CEO of Cytelligence in Toronto. The internationally recognized cybersecurity and digital forensics expert talked to Renaissance about staying safe online.
Who wants your information and why?
“Most people still think it’s some guy in a basement trying to break in,” says Tobok. “It’s [actually] all automated, with the power to do millions of computations per day.”
While there are some lone wolf cyber criminals, it’s usually organized groups that routinely try attacks. (This is separate from foreign countries that engage in cyber warfare, like Russia and China, for the purposes of espionage or stealing intellectual property.) Hackers look for personal information (your name, date of birth, address, phone number, social insurance number, health-card number, logins, etc.) and financial details (bank, credit card and payment information).
What can they do with it?
Cyber criminals can:
- Apply for loans or credit cards under your name, make purchases or create counterfeit cards
- Sell your information to entities on the dark web, or underground websites that are only accessible via specialized browsers — these entities will then try to spam or scam you, or engage in identity fraud
- Encrypt all your data and then demand a ransom to return it to you
Think about how you safeguard what belongs to you
You may have the sturdiest locks, alarms for your car and home, and a safe for your jewelry. But you may not be protecting one of the most valuable things you own — your personal information.
Start with passwords. Are yours foolproof? It’s hard to create a highly-secure-yet-easy-to-remember password, so many people fall back on familiar terms, including family names, pet names, birthdays or anniversaries. That’s like hiding your spare house keys under the doormat: pretty obvious.
As Tobok points out, it doesn’t take bad actors much effort to get on your social media and discover the names of your kids, or find out that your cat is called Fluffy. And consider this: The United Kingdom’s National Cyber Security Centre analyzed passwords of accounts that were breached globally. Among the top 10 were 12345, 123456, 1234567, 12345678 and 123456789 — you get the idea. Others on the list: 111111, password and abc123. “Weak passwords account for about 38 per cent of all attacks into private information,” says Tobok.
The solution is to use a combination of words. Or think of a phrase that means something to you (a song or movie title, for example) and use only the initials so the result isn’t a common word. Use upper and lowercase letters, and add a numeral or symbol, like an exclamation point.
Bots — software applications that run automated tasks over and over — can try thousands of combinations per second, using every word in the dictionary and pretty much every name. And while you can’t make your code impossible to crack, you can make it harder. And that counts.
“Threat actors budget how much time they want to spend trying to hack; maybe 10 minutes per account,” says Tobok. “Having symbols, numbers, capitals and all those variations makes it a lot more difficult for the system to read it. What makes something secure is how long it will take [to discover it].”
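The arithmetic behind this advice can be sketched in a few lines. This is an added example, not part of the article or of Tobok's comments; it assumes a bot making 5,000 guesses per second, uses the 10-minute budget quoted above, and its function names are illustrative.

```python
import string

# The breached-password examples the article quotes (a small, constructed set).
COMMON = {"12345", "123456", "1234567", "12345678", "123456789",
          "111111", "password", "abc123"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

GUESSES_PER_SECOND = 5_000   # assumption: "thousands of combinations per second"
BUDGET_SECONDS = 10 * 60     # the 10-minutes-per-account budget quoted above


def alphabet_size(password):
    """Number of characters a brute-force bot has to cycle through."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Spaces, accented letters, etc. count once per distinct character.
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def seconds_to_exhaust(password, personal_words=()):
    """Upper bound on guessing time; 0.0 means a word list gets there first."""
    lowered = password.lower()
    if lowered in COMMON:
        return 0.0
    # Simplification: a pet or family name anywhere in the password is
    # treated as found immediately by a targeted word list.
    if any(w and w.lower() in lowered for w in personal_words):
        return 0.0
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND


def survives_budget(password, personal_words=()):
    """True if exhaustive guessing would outlast the attacker's time budget."""
    return seconds_to_exhaust(password, personal_words) > BUDGET_SECONDS


if __name__ == "__main__":
    # Constructed samples; "Ttls,hIwwya!9" is initials of a song line plus extras.
    for pw in ("123456", "Fluffy2020", "abcd", "Ttls,hIwwya!9"):
        secs = seconds_to_exhaust(pw, personal_words=("Fluffy",))
        print(f"{pw!r}: {secs:.3g} s, survives 10 min: {secs > BUDGET_SECONDS}")
```

The figure is an upper bound: a bot that tries dictionary words and names first will find an ordinary word far sooner than the exhaustive count suggests.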
Trying to remember a whole lot of passwords is difficult to impossible, so many people use the same passwords (or a core one with minor variations) across multiple devices and accounts. Don’t. The problem is obvious: If a hacker gets your password and it’s your one and only, they have access to everything connected to you. That’s another reason not to employ the same passwords used by people close to you, such as a spouse or child.
Keep track of what goes with what
So you’ve mixed it up with your passwords. That’s great. Now, with all the ones you accumulate, how on earth will you remember them? One solution: a password manager. This virtual vault stores all your passwords and usernames; it might be part of your operating system or a downloaded app.
You can also store your passwords in the Notes app on your phone or, if you prefer a low-tech solution, on a piece of paper. “Paper is more secure than electronic,” says Tobok. Just don’t carry that piece of paper in your wallet. Tobok adds that you can also store that master list on your computer in a PDF, which is tough to decrypt.
Go for extra layers of security
Protecting your passwords is a biggie, but it’s not the only cyber consideration. Another security safeguard you can add is multifactor authentication. Think of it as an extra layer of security, like having to present two pieces of ID. It means you have to use more than one way to log in to or access something, such as your pass code and a fingerprint on your smartphone.
Tobok calls multifactor authentication a critical security step. Not using this safeguard increases your chances of a problem by about 90 per cent, he says. Any time you’re presented with the choice of multifactor authentication on a site or device, take it.
Beware of public Wi-Fi
Say you’re running errands and realize that your Visa bill is due. You pop into the coffee shop on the corner, order a latte and use the café’s public Wi-Fi to log on to your bank account, make some transfers and pay your balance. One less chore to do when you get home, right?
Bad idea, says Tobok. Don’t use public Wi-Fi to do online banking or anything else confidential, because chances are that business offering you free Wi-Fi isn’t using the strongest security measures.
If you want to save your data and use public Wi-Fi to stream sports or play a YouTube clip, go for it. But recognize that other things you do online can be easily compromised. Tobok adds that you might encounter nefarious Wi-Fi options that look legit but aren’t — the name may be almost identical to a safe option and look official, but it’s designed by fraudsters to swipe your information.
Is antivirus software worth it?
You’d think antivirus software was a must, right? Well, yes and no, says Tobok. These tools are designed to scan for malware signatures and keep malicious software off your system, but many threat actors use non-signature viruses so they can slip through.
Tobok says popular antivirus software programs, such as Kaspersky and McAfee, do their jobs. And that can help when surfing fishy websites or clicking on pop-ups. But don’t get a false sense of security. Antivirus software is better than nothing, but it won’t protect you 100 per cent.
Shush, not in front of Alexa
You’re talking to a friend about a trip to Vancouver, or that 85-inch HDTV on your wish list. Then the next time you’re online, you see an ad for a Vancouver hotel or a door-crasher special on that TV. Coincidence?
While algorithms can predict what we’re interested in, Tobok says it’s not nuts to assume that our smartphones are listening to us. Can someone eavesdrop on you through your iPhone? Should you turn your devices off when you’re having sensitive face-to-face conversations? “I believe so,” says Tobok.
Does the same advice go for tech like Amazon Alexa, Amazon Echo and Google Assistant? These tools respond to our requests and, through machine learning, start to understand our habits, says Tobok. Unlike a vacuum you turn on and off when the carpets need a cleaning, these devices are on 24-7. “Your privacy and preferences are exposed,” he says.
You may think you have nothing to hide, but how would you feel if someone went through your trash and found receipts for medication you bought or a personal note you wrote? “If you think that’s OK, then Alexa on,” says Tobok. “But I think that’s a little too close for comfort.”
Still not convinced? Last year, Forbes reported that university researchers from Tokyo and Michigan discovered they could hack into virtual assistants by aiming a laser at them, even from long distances. The light essentially mimics a voice and makes the assistants carry out commands.
Here’s the thing: The research was backed by the Defense Advanced Research Projects Agency (DARPA) in the United States, better known as the Pentagon’s research arm. So is Big Brother watching? Probably. Just because you’re paranoid doesn’t mean someone isn’t out to get you.
Gone phishing
Cyber criminals like to keep you dangling with a strategy called phishing in order to get at your personal or financial information. Don’t bite on that hook. Here’s what you need to know about phishing and its variants.
- Phishing: Any effort to steal your information by casting a wide net. Phishing messages can be emails, text messages, social media direct messages or phone calls. The messages seem above board, but the entities behind them aren’t.
- Smishing: A phishing attempt through SMS (a.k.a. text message).
- Spear phishing: Targeted phishing, in which the message looks like it is coming from a source you know. One common one: The sender asks you to do a favour and buy some gift cards for them.
- Whaling: A phishing attempt against someone in a senior position, like a business executive or a government official.
- Spoofing: Using a fake website to get you to reveal your personal information. It may look legit, but it’s bogus.
There’s no foolproof way to stop phishing attempts, which means you have to be extra-careful to avoid getting scammed. First, whenever you’re asked to provide your information, double-check if you have any suspicions. For instance, your financial institution would never ask you to share account details via an email. So if you get that kind of request, call your bank.
Next, don’t click on links or open attachments if you’re not confident of the sender. Take a close look at the name on an email or website. It can look right, but be a bit off: Maybe there’s a slight difference in the spelling, the URL or the address domain.
Last, don’t respond to threatening messages, such as those that claim to be from Canada Revenue Agency or another governmental organization, or to too-good-to-be-true offers, such as those promising you a free trip.
Phishing is getting more sophisticated, so you need to ramp up your radar too. When in doubt, delete.
7 ways to be cyber-safe on the road
When you travel, you take all sorts of precautions to protect your money and valuables. But what about protecting your information? The Government of Canada shares these tips to stay secure when you go on holiday.
- Before you leave, back up the files on the device(s) you’re taking to the cloud or another device.
- Be wary when using public Wi-Fi at hotels, airports and coffee shops. These are highly unsecure networks available to everyone. At the very least, avoid transmitting any information you wouldn’t want intercepted or disclosed.
- Practise the same caution if using shared or public computers. They can have keyloggers, which are applications or devices that capture any information you enter.
- Be careful when allowing apps or users to access your devices via Bluetooth. As the government warns, “Some devices allow for automatic connection, meaning that other Bluetooth networks can connect to your device without authorization.” You may want to disable your Bluetooth networking while you’re away.
- Don’t charge your phone on computers or devices connected to hotel docking stations, or on anything else that’s outside your control.
- Have the software, hardware and storage media you need so you don’t have to purchase it while away.
- Your device may have an option that will delete your data if a password is entered incorrectly a certain number of times. Consider enabling it — that way, if your device is misplaced or stolen, your losses may be limited.
For the complete list, go to travel.gc.ca/travelling/health-safety/cyber-safe.
Getting rid of old tech
- Transfer files to your new computer or the cloud, or save them to an external storage device.
- Sign out of online accounts from the device you’re discarding, and un-pair your computer from Bluetooth devices (such as your mouse, keyboard or monitor).
- Sending files to the digital trash bin isn’t enough. Erase your hard drive and reset it to factory settings, which makes your data inaccessible.
- To make sure nobody can get at data on your memory card or SIM card, be thorough with your disposal. Shred, crush, mangle or otherwise destroy it.