How Twitter (Almost) Ruined My Rep

By Ian Blake on 11 September 2015 12:18:36 BST


So it turns out I’m an expert on dietary fads, slimming tablets, erectile dysfunction pills and just about a thousand other niche shady industries. Well, at least according to my Twitter profile, I am. Suffice it to say I am not a guru on all things to all people - I’m just a victim of password theft. But it got me thinking about data security.

We live in an ‘always on’ constantly connected world where we are what we say we are on social media channels. If somebody sinister gets hold of your passwords, the damage they can do personally or professionally is startling.

Character restrictions don’t lessen the impact. These days we can communicate in emojis alone, so 140 characters is more than enough to leave a trail of destruction.

It could have been much worse. It could have been a malicious ‘phishing’ breach where thieves steal more than just identity - but also siphon off personal or business bank accounts or install ransomware and blackmail victims, who must pay out to regain access to their business critical files.

Such incidents are more common than you think. One of my contacts recently told me of an incident at his work, where email passwords were cracked and thieves impersonated a CEO to instruct a CFO to transfer significant funds out of the business account.

What made it all the more unsettling was that the password crack clearly happened some time in the past and the thieves were calculated, studious and patient, eavesdropping over typical interactions between the two senior executives and waiting for the opportune time to strike.

Using the right tone, writing style, mannerisms and abbreviations as the CEO they then emailed the CFO at just the right time, with just the right message, for just the right amount, so as to pass under the radar and avoid suspicion. They had clearly done their homework.

That they were caught in just the nick of time owed more to accident than to design. If they hadn’t been caught, no doubt the ruse would have continued unabated, again and again, until the breach was rumbled.

In view of this, I did a bit of research to uncover best practice in digital security. Most of the advice is obvious, however for many (myself included) it’s obvious only in retrospect. My advice is to be proactive and nip this in the bud, now.

  • First off, ensure your computer and operating systems are up to date with the most recent patches, upgrades and anti-virus software.

  • Always be on the lookout for suspicious links, and always make sure you're actually on an authentic and verified website before you enter login information. By that I mean, beware of typo-squatting or cybersquatting. Typo-squatting (also known as URL hijacking) is a form of cybersquatting that targets users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a malicious cybersquatter.

  • Beware of short URLs. Before you click on shortened URLs, find out where they lead by pasting them into a URL lengthening service, such as URL Expanders for Internet Explorer and URL Expanders for Firefox.

  • If possible, always use two-factor authentication. After all, the more doors you lock behind you, the better.

  • The most obvious quick fix of all right now is to change your passwords and make them stronger and guess-proof.
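To make the typo-squatting point above concrete, here is an added example (my own illustration, not code from the original post) that flags a URL whose domain is a near-miss of a site you actually log in to, so you can check before typing a password. The trusted-domain list and the look-alike character map are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the sites this user actually logs in to
# (an assumption for the example; the post itself names only Twitter).
TRUSTED_DOMAINS = {"twitter.com", "paypal.com", "facebook.com"}

# Digits that imitate letters at a glance (assumed map, e.g. "paypa1").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname (naive: no public-suffix list)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().strip(".")
    return ".".join(host.split(".")[-2:])


def normalise(domain: str) -> str:
    """Collapse common look-alike spellings before comparing."""
    return domain.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def check_url(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a URL."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    candidate = normalise(domain)
    best = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(candidate, normalise(t)))
    if levenshtein(candidate, normalise(best)) <= max_distance:
        return f"lookalike of {best}"
    return "unknown"


if __name__ == "__main__":
    for sample in ["https://twitter.com/login", "http://twiter.com", "paypa1.com"]:
        print(sample, "->", check_url(sample))
```

A "lookalike" verdict means the address is one or two keystrokes away from a site you trust, which is exactly the situation in which to stop and re-read the URL bar.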

I’ve linked Twitter’s two-factor authentication feature below. Follow the link, the advice and learn from my mistake.

Safe surfing everybody.

https://blog.twitter.com/2013/getting-started-with-login-verification