Right now, more than ever, you need to secure all your online accounts. It’s long past time to embrace two-factor authentication, stop reusing passwords, and make your online presence hacker-resistant. Because sooner or later, the brewing cyberwar will come for you.
While it’s true that hacking and compromising personal accounts has been a scourge of the internet for years, if not decades, what we’re starting to see dwarfs the threats we’ve lived through so far. Putting politics aside, the ongoing events in Russia and Ukraine have become the catalyst for mass cyberattacks. And the response from other countries will likely only exacerbate that fact.
Companies Already Seeing Mass Hacks
Retaliation Hacks Are a Foregone Conclusion
Protect Yourself Now, Before It's Too Late
Start Using a Password Manager Now
Enable Two-Factor Authentication Everywhere Possible
Hardware Security Keys Are an Option To Consider
Limit Your Information Whenever Possible
View Every Phone Call, Email, and Link With Skepticism
In the past year, companies have already felt the brunt of the brewing cyberwar. And don’t think that won’t affect you personally. The FBI says that ransomware hit 649 critical infrastructure organizations in 2021 alone. That list includes energy companies, transportation companies, and banks. The place you store your money may not be immune to a virus that can encrypt all the information about your finances.
2022 isn’t off to a better start either. In the past few weeks, major companies like Microsoft, Samsung, Nvidia, and Okta have fallen victim to intrusions. While that last company may not be a household name, that doesn’t mean it isn’t important. Thousands of businesses rely on Okta to verify user access to internal systems. Think of it as a doorman for essential employees trying to access company assets. And suddenly, hackers had access to potentially everything the “doorman” did.
While Okta says only a few hundred companies may have been caught up in the hack, it’s not naming names. FedEx, T-Mobile, Peloton, Cloudflare, and more depend on Okta to help secure systems. And while Microsoft quickly disclosed when it was breached, Okta was much slower to acknowledge that anything happened at all, let alone the details behind the hack. Sadly, this isn’t the first and probably won’t be the last time a company slowly releases information about a breach that could directly affect you.
While there isn’t much you can do to prevent a company from getting hacked, those breaches can affect you, and your actions can mitigate the consequences. And you can learn from how companies fall prey to hackers. In the case of Microsoft, Samsung, Nvidia, and Okta, the same set of hackers went after the companies and used similar methods each time, methods that will work just as well on individual accounts. And yes, your personal accounts are at risk.
Current world events will only make the problem worse. In response to Russia’s actions in Ukraine, several countries (including the U.S.) imposed sanctions. Corporations like Netflix, Pizza Hut, Apple, IKEA, Master Card, Xbox Live, Spotify, and more, have suspended service in Russia. Some of those suspensions prevent product sales, while others discontinue services that may have already been paid for in advance (like a year of Netflix).
Already, the White House is warning companies to expect retaliatory hacking and issued a checklist to shore up defenses. But it isn’t just state-sponsored groups we have to worry about, nor are the only targets likely to be corporations. Individuals turn to hacking as a form of activism (hacktivism) with greater frequency every day. Angry individuals caught up in the crossfire and deprived of paid services like Xbox Live, or Netflix may decide to lash out in anger.
And even when emotions aren’t running high, individuals turn to hacktivism to “right wrongs” or make a profit. Several teenagers were recently arrested and accused of being the group behind the breaches at Microsoft, Samsung, and Okta. The charges insinuate some of the accused made millions of dollars through previous attacks against corporations. The Anonymous group claims to hack individuals, groups, and companies to “right wrongs” and “fight injustice” (not to mention entertainment). After years of dormancy, the decentralized group has returned with a focus on events in Russia and Ukraine.
Ransomware is already a huge problem and infects individuals as often as it does corporations, hospitals, and police departments. Generally speaking, ransomware has been a “drive-by” attack, hitting whatever and whoever it can at random. It’s not unlikely that we’ll see more targeted attacks in the future, designed to cause damage. This isn’t even a matter of if, so much as when.
And virus and ransomware creators aren’t limited to any particular country. The teenagers accused of masterminding the Microsoft and Okta attack reside in Great Britain. Regardless of where the creators live, everyone from every country can be a victim thanks to the internet.
We can learn many lessons from what companies like Microsoft and Okta are dealing with right now. For one, it’s a lot harder to recover from ransomware or hack than it is to prevent one. The last thing you want is to find all your files stolen or encrypted or to find out your reused password let someone charge your bank to buy stuff on Amazon or steal your funds. Prevention is a worthwhile effort every time.
So don’t wait; you should give every account you have a unique complex password, preferably with a password manager. Follow that with enabling two-factor authentication (2FA) wherever you can. Consider a hardware key as part of that two-factor system. Limit what information you provide to online services so it can’t be stolen. And view every link and email with skepticism.
At Review Geek and our sister site How-To Geek, we have long advocated using Password Managers. Far too many people still use the same password for every online account that calls for one. Worse yet, those passwords continue to be terrible and predictable. In 2021 the most common passwords were:
And when people aren’t using those obvious passwords, they often rely on “keyboard walking” patterns that aren’t complex at all. Such passwords are standard fare in cracking efforts and usually lead to compromised accounts in short order. Using easy-to-crack passwords for all your accounts makes it incredibly easy to break into all your records.
In many cases, hackers don’t even have to put any effort into breaking your password. They already have your email address and password combo, thanks to a breach at one of many companies. If you think that doesn’t apply to you, just put your email address into the HaveIBeenPwned site, and you’ll probably find out you’re wrong.
Hackers use that reuse to their advantage in an attack called credential stuffing. They take your stolen credentials from Facebook and try them at Spotify, Amazon, etc. If they get lucky, they can make purchases or change login details to take over your account. Credential stuffing likely led to the breaches at Microsoft and NVIDIA, and it can happen to you.
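From the defender’s side, credential stuffing has a recognizable shape in login logs: one source address trying many different usernames in a short span, where a forgotten password looks like one user failing repeatedly. The following is an added example, not code from Review Geek or from any of the companies named above; the log format and the addresses are constructed for the demonstration, and the five-accounts-in-five-minutes threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): 198.51.100.7 walks through
# six different accounts in a few seconds (credential stuffing, one hit on dave);
# 203.0.113.9 is a single user mistyping their own password twice.
SAMPLE_LOG = """\
2022-03-25T10:00:01Z login FAIL user=alice@example.test ip=198.51.100.7
2022-03-25T10:00:02Z login FAIL user=bob@example.test ip=198.51.100.7
2022-03-25T10:00:02Z login FAIL user=carol@example.test ip=198.51.100.7
2022-03-25T10:00:03Z login OK   user=dave@example.test ip=198.51.100.7
2022-03-25T10:00:04Z login FAIL user=erin@example.test ip=198.51.100.7
2022-03-25T10:00:05Z login FAIL user=frank@example.test ip=198.51.100.7
2022-03-25T10:00:10Z login FAIL user=grace@example.test ip=203.0.113.9
2022-03-25T10:00:15Z login FAIL user=grace@example.test ip=203.0.113.9
2022-03-25T10:00:20Z login OK   user=grace@example.test ip=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(line):
    """Parse one constructed log line into (timestamp, result, user, ip), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set_of_usernames} for every source that attempted at least
    `min_users` distinct accounts inside any `window`-long span. Successful
    logins count too: a stuffing run that lands a hit is the one to act on."""
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    events.sort()
    by_ip = defaultdict(list)
    for ts, _result, user, ip in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over this source's attempts, sorted by time
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[ip] = {u for _, u in attempts}  # every account it touched
                break
    return flagged


def accounts_to_reset(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: the attacker
    now holds a working password, so force a reset and enrol 2FA."""
    hits = set()
    for line in log_text.splitlines():
        e = parse(line)
        if e and e[1] == "OK" and e[3] in flagged:
            hits.add(e[2])
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", sources)
    print("reset these accounts:", accounts_to_reset(SAMPLE_LOG, sources))
```

The threshold is deliberately on distinct usernames rather than raw failure count, so ordinary users who fumble their own password are not swept up; in production the window and count would be tuned against the site's normal traffic.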
Instead, you need to give every account a unique complex password. And while that would be hard to remember, a Password Manager will do that work for you. You only need to remember one master password that unlocks the manager, and then it will fill in the details for you when you visit a site. That makes it MORE convenient than trying to memorize a password or write it down somewhere and then type it in yourself.
You can choose from plenty of Password Managers, and some offer free tiers, though we think paying for a Password Manager can be worth it. Just remember, setting a Password Manager does little good if you don’t change all your previous reused passwords and use the manager to generate unique complex passwords going forward.
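The two halves of that advice, finding the passwords you reuse and replacing each with a long random one, are exactly what a password manager does behind the scenes. The following is an added example of both steps, not code from Review Geek or from any password manager product; the vault entries are constructed, and the 20-character default length is an assumption.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed vault export (not real credentials): two sites share one password.
VAULT = [
    {"site": "mail.example.test", "password": "Summer2021!"},
    {"site": "shop.example.test", "password": "Summer2021!"},
    {"site": "bank.example.test", "password": "x9#Lq2vB!tR7wM4z"},
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def find_reused(entries):
    """Map each password that appears on more than one site to those sites."""
    sites_by_pw = defaultdict(list)
    for e in entries:
        sites_by_pw[e["password"]].append(e["site"])
    return {pw: sites for pw, sites in sites_by_pw.items() if len(sites) > 1}


def generate_password(length=20):
    """Draw from the OS CSPRNG (secrets, never random) and re-draw until the
    result contains a lowercase letter, an uppercase letter, a digit and a
    symbol, so it passes the usual site complexity rules."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of guessing entropy for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def rotate_reused(entries):
    """Return a copy of the vault where every reused password is replaced by a
    fresh unique one; unique passwords are left untouched."""
    reused = find_reused(entries)
    return [
        dict(e, password=generate_password()) if e["password"] in reused else dict(e)
        for e in entries
    ]


if __name__ == "__main__":
    for pw, sites in find_reused(VAULT).items():
        print(f"reused on {len(sites)} sites: {sites}")
    print(f"a {20}-char password from this alphabet has ~{entropy_bits(20):.0f} bits")
    for e in rotate_reused(VAULT):
        print(e["site"], "->", e["password"])
```

A 20-character password drawn uniformly from 94 symbols carries roughly 131 bits of entropy, far beyond what any offline cracking effort can exhaust, which is why the manager's generator, not your memory, should be choosing every password.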
If step one to securing your accounts is to give all of them unique complex passwords, step two is turning on two-factor authentication (sometimes referred to as two-step authentication or multi-factor authentication) wherever possible.
Typically when you want to access an online service like your bank or Spotify, you provide a username (often in the form of your email) and a password. If you happen to have both, you get access. If a hacker happens to have both, they get in, thanks to credential stuffing or social engineering.
Two-factor authentication seeks to stop the latter case by asking you to provide a second proof of identity. That proof will come through a device you own and keep on your person, like your phone. After you input your password, the service will prompt you for a single-use generated code. You can have the code emailed to you, sent through an SMS (text message), or generated in an app. Of the three, the first two are “better than nothing” but not secure.
Hackers can break into your email to swipe the code, for instance. Or they can convince your phone company to swap your SIM number for one they control, effectively intercepting your text messages. If you use an app, such as Microsoft Authenticator, Google Authenticator, or Authy to provide your code, physically having your phone becomes a barrier to hacking. In theory, it’d take both stealing your password and your phone (and any password for it) to break into your account.
Unfortunately, the choice may not be yours. Some services don’t support two-factor authentication at all, while others will only allow email or SMS options and don’t support app authenticators. But wherever you can, you should turn on two-factor authentication and, if possible, pair it with an app. And in some cases, you may even consider using a hardware security key.
If you like the idea of two-factor authentication with a hardware component but don’t want to use your phone as the hardware, you could consider a security key. With a security key, you still get the two-factor benefit of needing both a password and a proof of identity, but you don’t have to worry about inputting a generated code.
Instead, you’ll insert the key, and it will handle all of the rest. When that works, it’s often more seamless and can be more convenient than single-use codes. But you may find fewer services that support hardware keys, and getting them to work with your phone or tablet requires spending more on an NFC, Bluetooth, or USB-C version.
Some Operating Systems, like Windows, will even let you unlock your device with a key. And if set up correctly, you could even bypass entering a password at all. As soon as you remove the key and lock the device, it becomes harder to break into the machine.
Hardware security keys can be an excellent option for securing your accounts, but given that more services support code-based two-factor authentication, that may be the better, more convenient way to go. Security is always a balance of weighing protection against convenience. The more you lock down an account, the less convenient it is to use. The more convenient you make it to access an account, the less secure it is.
Every time you sign up for an account online, it asks for a ton of personal data. You might get asked for a real name, address, social security number, email, mother’s maiden name, credit card number, or blood type (that last one is a joke, but just barely).
Sometimes that data is necessary. For instance, Amazon can’t ship you the latest widget you ordered without an address. But does the weather service that frustratingly required an account to see granular data really need a social security number? Absolutely not, and if the request is entirely unreasonable and unavoidable, you should go somewhere else.
Because the more data a company has about you, the more hackers will gain when they inevitably breach its servers. They’ll get names, email addresses, passwords, and more. And your only hope is that the company did a good job segregating the critical stuff and properly encrypting it. But all too often, companies have admitted to storing passwords with bad encryption, or worse, in plain text. Don’t trust companies to do the right thing.
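The right way for a service to store passwords is not to encrypt them at all (an encryption key on the same server is just one more thing to steal) but to store a salted, deliberately slow hash, so a breached database still costs the attacker a separate brute-force effort per user. The following is an added example contrasting the two practices described above, not code from Review Geek or from any of the companies named; the user rows are constructed, and the 600,000-iteration count is an assumption in line with current guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster


def store_plaintext(password: str) -> str:
    """The worst case the article describes: a breach hands out passwords directly."""
    return password


def store_unsalted_md5(password: str) -> str:
    """The 'bad encryption' case: fast and unsalted, so every user sharing a
    password gets the same digest and precomputed tables crack it instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record is self-describing so the work
    factor can be raised later without invalidating existing accounts."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed users who happen to share a password.
    alice_pw = bob_pw = "Summer2021!"
    print("plaintext    :", store_plaintext(alice_pw))
    print("unsalted md5 :", store_unsalted_md5(alice_pw), "(same for bob:",
          store_unsalted_md5(alice_pw) == store_unsalted_md5(bob_pw), ")")
    a, b = hash_password(alice_pw), hash_password(bob_pw)
    print("salted pbkdf2:", a)
    print("bob differs  :", a != b)
    print("login ok     :", verify_password("Summer2021!", a))
    print("wrong pw     :", verify_password("Summer2022!", a))
```

Two details carry the security: the per-user random salt makes identical passwords produce unrelated records, and the iteration count makes each guess expensive, so a leaked table cannot be cracked wholesale the way a plaintext or MD5 dump can.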
And just because you need to provide data for a one-time use doesn’t mean you have to agree to save it in the company’s servers. When it’s time to pay for something at Amazon, Best Buy, or the local pizza joint, the company will likely offer to store your credit card number for future purchases.
But think about the risk: you save yourself a small amount of hassle and time by avoiding digging out your card and punching your numbers. However, the next time that service gets hacked, the data dump may include your (hopefully encrypted) credit card number. Instead, if you choose not to save your card number to the site, it won’t be in the data trove, and you’re better off.
The less of your data you provide, the less that can be stolen. And the fewer sites you give your information to, the fewer places it can be stolen from. You may not be able to avoid it altogether, but the more you limit the data you willingly give up, the better off you are in the long run.
Sometimes the oldest advice remains the truest. Social engineering continues to be one of the most prolific methods to break into accounts, likely in part because it requires no coding knowledge. If a bad actor can trick you into providing your password, they don’t have to worry about infecting your computer or creating ransomware.
Unfortunately, spam calls are still a problem, even with recent efforts to curtail them. And that includes terrible people pretending to be police, large companies, or even family members to trick you into giving data or spending money. No company will ever call you and ask for a security code or confirmation of a password. Nor will Microsoft or Apple contact you out of the blue to help with your computer. Companies will let you come to them; they won’t contact you. The best option is to assume a scam and hang up.
The same goes for emails and links, even if they seem to come from a friend. One of the first things a hacker will do after compromising an email is to message everyone in the contact list in the hopes of compromising more accounts. If you haven’t heard from a friend through email in forever (or ever!), and the vocabulary and spelling don’t match their typical style, assume it’s a scam. Call them and confirm. Don’t click any links; just trash the email.
Unfortunately, you can follow all of this advice and still get caught up with a virus, ransomware, or a hack. There’s only so much you can do, and if a company you trusted fails to secure its servers, you’re out of luck. But the more protected you are, the better. You’ll need to weigh security versus convenience, but at the very least, you should use a password manager and two-factor authentication wherever possible.
Because at this point, it’s not a matter of if someone will try to break into one of your accounts, but when. And locking the doors after the thieves are already inside your home is too late to help.