A few months back I had another chat to Today Tonight, a national prime time current affairs program I’ve previously appeared on in relation to call centre scammers taking over unsuspecting victim’s PCs. This time it was about the security of internet banking which gave me a chance to collate some good practices, many of which didn’t go to air but I kept hold of with the intention of sharing in the context of the video.
Firstly, for background, here’s the story that went to air:
The victims covered in the story obviously succumbed to different scams of varying sophistication but most of the time, some very simple practices will protect you from online criminals.
Here’s my top tips broken into a few different categories. I’ll keep them brief with the expectation that some people may need a little help on the more technical items, but at least they’re a starting point to have a discussion with a technology savvy friend.
Protecting your PC
- Always run antivirus software on your PC. If you don’t have it or are reluctant to spend cash on it, Microsoft’s Security Essentials is both free and excellent.
- Always make sure your antivirus is up to date. New viruses are continuously being identified and antivirus manufacturers regularly push out updates to protect you from the new nasties. Make sure you PC is automatically taking these.
- Ensure Windows update is running and automatically taking any critical updates. All software contains security risks of varying degrees, it’s just a matter of whether they’ve been discovered yet or not. When risks are discovered in software such as Windows, fixes are quickly produced and updates deployed; make sure you’re automatically taking them.
- Also ensure software such as Flash and Adobe reader (for PDFs) are automatically updating. It’s not just the operating system you need to maintain, a whole host of other software on your PC needs regular updates and provides the potential to “self heal” by automatically taking these.
- Uninstall Java. I wrote about this in more detail last week so refer to that post but in short, uninstall it and if you really need it for a particular site, consider running it in a separate browser just for that specific purpose and disabling it in your primary browser.
Safer online banking
- Use a unique, strong password. This means not one you’ve used before, not one with the kids names in it and not one that doesn’t contain a mix of lowercase, uppercase, numbers and punctuation. Make it as long and as random as possible.
- Use a password manager like 1Password. I’ve written about this in detail before, but if you’re trying to remember your passwords, you’re doing it wrong! Strong, unique passwords are not memorable across all your online accounts.
- Where available, use 2 factor authentication. Your password is one factor – it’s “something you know”. A second factor is commonly “something you have” which is usually either a key-fob or your mobile phone (validated by sending you an SMS). If your bank supports it, use it.
- Use a credit enquiry alert service. Companies like Veda in Australia will let you know every time there’s a credit enquiry against your name which is a great early warning system if someone is attempting to steal your identity. It’s only $60 here and a similar price in other countries for comparable services – do it!
- Don’t ever do your banking from someone else’s PC. This includes friends (you never know how sloppy their security practices are) and definitely not from a public terminal such as an internet cafe. When you have no idea what’s happening in the machine, expect that it can monitor everything you do.
- Use a mobile banking app. The iPhone in particular has proven extremely resilient to malware and most major banks have a dedicated app for the device. I disparaged Android in the video as compared to its Apple counterpart, it has a rather sordid malware history. Mind you, that’s not any different to getting malware on your PC, they both offer the freedom to install untrusted software (and require more due diligence) which is where they differ to iOS.
- Make sure your mobile PIN is different to your banking app PIN. If you do use a mobile app, many of them offer the convenience of a simple PIN rather than relying on a complex password (there are other security mitigations as a result of this). Don’t use the same PIN you use to unlock your phone to then access your banking app.
Avoiding social engineering
- Expect online criminals to target you using social engineering practices. Many times attacks are successful because the attacker has simply asked for the information they want. Often this will be by phishing emails asking you to login to a malicious site but it may also come through social media.
- Never follow links to your online bank. Always type the address of the bank into your browser or follow a bookmark. Many phishing scams are very well orchestrated and whether the link is in an email, on a website or even SMS’d to you, never trust it. Have a look at my recent story on a Facebook data mining scam to see how well these attacks can be put together.
- 83% of successful social engineering attacks are coming via phone or in person. We’ve come to expect phishing attempts via email but in Verizon’s 2012 data breach report they actually found 46% of attacks coming by phone and another 37% occurring in-person. We’re not naturally as suspicious of these channels, but we should be.
- Never provide personal details over the phone to someone who calls you. Even if they know what you assume to be private information about you, always get a number to call them back on and ensure the number features on the bank’s website or simply call the bank and ask for the department that contacted you. Real banks don’t mind.
- Never, ever, allow remote control of your PC by anyone you don’t know and trust. I’ve written about (and captured on video) a series of attempts by scammers to gain access to my PC by calling me and purporting to be from Microsoft. This does not happen – never allow it.
- Remember that attacks are often chained by compromising multiple accounts. Be conscious of any anomalies you see in any of your accounts, even those you may consider to be unrelated to your banking activities. Last year we saw technology journalist Mat Honan have a series of separate accounts hacked and ultimately his hardware wiped when attackers gained access to his Apple account.
- Protect your home network from both known and unknown parties. Always ensure wireless networks are protected with WPA2 encryption and a strong password. Don’t grant access to friends or family unless it’s really required – you don’t know what risks their devices may unnecessarily introduce to your private network without their knowledge.
- Don’t forget about security in the offline world. Practices such as “dumpster diving” where an attacker looks for sensitive information thrown into the trash are often the gateway to online attacks. Always securely dispose of printed material such as bank statements or any other pieces of information you would not wish to be made publicly available.