Today, we would like to present 10 tips that will increase your online security. This is the first article in this series, where we will explain in detail what good practices are online, how to avoid being scammed, and how to maximize your security. The mentioned practices are the result of the work and verification of many experts, not a marketing department like many of these unclear articles on the Internet. Concrete advice and knowledge, completely for free! We encourage you to send the article to your technical and non-technical friends!
1. Use a password manager.
A password manager is a program that is used to generate and store passwords for all your accounts online. To use it, you need to analyze your needs and threats and then decide whether, for example, you choose one that stores your passwords in the cloud or locally on your computer. It is also worth considering whether the solution you choose can be installed on different systems, such as an application on Android and a desktop application on Windows. How does a password manager increase your security? It allows you to generate unique, complex, and random passwords for each of your accounts separately. This makes even if your password is leaked and cracked due to your mistake or the service you use, the rest of your accounts/passwords are safe.
2. Don't change your passwords regularly unless you know the password has leaked.
People are often advised to change passwords frequently as a security measure. However, too frequent password changes can make them less secure because people may be more inclined to use simple or easy-to-guess passwords if they know they will have to change them often. This is particularly important for administrators who manage a large number of users in an organization. It is generally recommended to use strong and unique passwords and only change them when you have reason to suspect they may have been compromised (e.g., data leak). Unnecessarily changing passwords or imposing such a password policy can actually increase the risk to your accounts.
3. Enable two-factor authentication where possible.
Two-factor authentication (also known as 2FA) is an additional layer of security that requires not only a password but also an additional form of verification, such as a code sent by SMS, an authorization code from an application, or a fingerprint. This makes it more difficult to gain access to your account, even if someone knows your password.
Many websites and online services now offer two-factor authentication as an option. Generally, it is worth enabling 2FA where possible, especially for accounts with a high level of confidentiality, such as email, banking, and social media.
4. Consider purchasing a U2F hardware key, which is the most secure form of two-factor authentication.
An U2F hardware key is a small device that can be connected to a computer or mobile device and used as an additional authentication factor. It generates a unique cryptographic key that is used to authenticate your login attempt, making it much more secure than other forms of two-factor authentication that rely on codes sent via SMS or email. If you are particularly concerned about the security of your online accounts, it is worth considering purchasing an U2F hardware key to use as an additional layer of protection. U2F hardware keys are considered the safest form of two-factor authentication because they are resistant to phishing attacks and other forms of online hacking.
5. The second factor in the form of an SMS or code from an authentication app (such as Google Authenticator) does not protect you from phishing.
If you come across a fake page of your bank prepared by a fraudster (e.g., nBank.com instead of mBank.com), after entering your password, the page will likely ask you for the second factor (SMS code). You, thinking that it is the real page, will provide the second factor, and then you will lose access to your account. Good practices to avoid this include carefully checking the domain you are entering or saving it as a bookmark. The best defense against such an attack is to use a U2F key as the second factor, which checks if the domain is correct for the user. If not, the second factor is never provided on a fake page.
6. When using online banking, it is worth choosing one that supports U2F. It is also worth using the bank's application on your phone instead of SMS authentication.
As far as we know, in Poland ING bank supports hardware keys in online banking, for which they deserve great recognition. For other banks, it seems like a good choice to use the bank through the application on your phone. Authenticating transactions from the application is safer than via SMS, but in our opinion, hardware keys are still the best choice.
7. The phone number that calls you or the sender of an SMS message can be faked. Due to the fact that telephone protocols are outdated, there are online services that offer impersonating another number.
This causes the victim's phone to display the calling contact, for example, "mom" or the name of your bank. Here, caution can protect you, not giving out your data. Under no circumstances succumb to intimidation, blackmail, and do not provide your sensitive data. If someone asks you to install remote computer management software, such as AnyDesk, do not do it. If, however, you suspect that it may be an important call, for example, from your bank, disconnect and call from the bank's application or by going to the website of the relevant service. Note! Searching for a service in Google is also not entirely safe because ads are displayed in the top sections of the search engine, which can lead to fake pages.
8. Each of us may be vulnerable to a SIM swap attack. Be aware that the processes of issuing a duplicate SIM card may be imperfect and expose you to the risk of losing your account, for example, in a bank.
The SIM swap attack involves asking a consultant from your mobile network to transfer your number to a new starter. If the process is flawed and does not require the fraudster to go through multi-stage verification, it may happen that your phone number is simply assigned to someone else. In that case, if there are appropriate password recovery methods, such as in the bank's application, and the attacker knows certain information about the victim, they may steal their money. It is also important to remember that if you fall victim to this attack, your phone will lose access to mobile internet and the ability to make calls. In that case, use the nearest possible phone and call your bank's helpline to report being a victim of such an attack. Alternatively, you can launch your bank's application over Wi-Fi and seek help there.
9. Using widely advertised VPNs reduces your privacy.
Most VPN providers will keep logs of your internet activity, including browsing history, IP address, and even the websites you visit. This means that they can potentially share this information with third parties such as advertisers or government agencies, compromising your privacy. Additionally, since you have to pay for a VPN, this information is correlated with your personal data or credit card number. When using the internet, such information is harder or not available to service providers if you use public Wi-Fi. VPNs can increase your security in certain cases, such as when using an unencrypted service. In the case of using a web browser, this information about encryption is provided to us by the green padlock symbol.
10. Using public Wi-Fi networks is generally safe.
Despite many Internet media outlets claiming that it is necessary to use a VPN to be safe, it is not true. Most modern applications use HTTPS and free or paid certificates, as well as the HSTS header, which make your connection through an untrusted channel secure. There are some threats, but they are not as significant as VPN advertisements claim. If you want to read more about this, we recommend an article by an in-house IT specialist on this topic. We also recommend an article by Informatyk Zakladowy on this topic:
https://informatykzakladowy.pl/czy-korzystanie-z-publicznego-wi-fi-jest-bezpieczne/
