Blog: Consumer Advice
Locking down your cyber life in lockdown
Today the NCSC refreshed their advice for online shoppers, so I thought it’d be handy to review and advise on other aspects of consumer security hygiene.
More than ever, we’re reliant on technology, so now that we’re in various stages of lockdown it’s a great time to have a look at your home and personal security.
How about tackling one simple task per night or one per week?
I regularly deliver cyber security awareness training and it surprises me how people are nervous about doing the most basic of tasks such as changing their home router admin or wireless password – because they just don’t know how to get started!
This could be the perfect time for everyone to do their own Home Security Review – and here’s how.
Review your risks
The most common attacks usually involve phishing via email, social media or telephone. These attacks rely on users divulging information or passwords. Check out the examples from Age UK.
People who re-use passwords across accounts are also at risk of those compromised passwords simply being sprayed around other accounts in the hope of a hit. In a survey by NCSC, less than half of the individuals involved always used a strong, separate password for their main email account.
Then there are risks presented by third parties you trust with your data. For example, Ticketmaster, Boots UK and Tesco have all been compromised in some way – resulting in their users having their credentials potentially exposed. It’s important to be aware of these events so you can take actions to protect, detect and recover accordingly.
At home, it’s about protecting your family, yourself and your data from malicious individuals who may want to steal it or use you to compromise others. The easiest way to protect everything is to look at critical areas such as your router (the door), your passwords (the keys into your cyber life) and the maintenance of the devices that hold them (e.g. your phone).
Your wireless router. An open door?
This provides the cyber door into your home, your devices, your accounts and even your children.
Whichever internet service provider you are with, you will have been supplied with a router with a password printed on it. If you read the installation instructions (who actually does that?) you’ll have noticed that the ISP strongly recommends that you change the wireless password and likely also the router admin password.
Why is this a problem? The wireless passwords supplied on your router usually aren’t strong enough to resist hacking attempts. By making them longer and more complex, you make it unfeasible to crack the password.
Check Google and look at how you change these passwords for your specific router. For example:
“How do I change the wireless password on my XXX router”
It’s a bit of a faff to then enter the new wireless password on your wireless devices, but you only have to do it once.
Your Wi-Fi router also has an administration password. This is almost always ‘admin’ or ‘password’ or something way too simple.
Whilst you’re changing your wireless password, change the admin password too.
To change your router’s password:
- Enter your router’s IP address into your selected web browser.
- Log in with the default username and password (usually printed on the bottom of your router).
- Go to settings.
- Select Change Router Password or a similar option.
- Enter the new password.
- Save the new settings.
You are far more secure than when you started and have already made it more difficult for the attackers to compromise your home router without really, really trying.
Your passwords and PIN codes are extremely important; you should treat them as very private secrets.
Passwords are keys to locks (just online). If somebody stole your house keys, you’d get your locks changed ASAP.
It’s no different online, except you won’t always know if your keys have been stolen.
If you give your password to someone, or it’s easily guessable, or they get it via other means, they could read all of your personal correspondence, potentially hijack your email account and send correspondence to others pretending to be you, or simply access all of your accounts. They could even change the passwords and lock you out of your own accounts.
So what can you do?
Use a password manager. They can create strong passwords for many applications and they are stored inside the manager.
If that’s not your thing (and it really should be), make sure you identify your critical accounts and take extra care when protecting them. Use stronger passwords and set two factor authentication.
- Main Email Account/GoogleID/AppleID – this is what you use to prove you’re you – it’s critical
- Banking – ££££ – It’s where the money is
- Social Media – just because this is where lots of dodgy people are lurking and we openly give information away
Most people have a primary email account that will be contacted to verify your identity and allow you to change your password for things like Amazon, Facebook or eBay.
Please protect this with a stronger password and 2FA. In the event of any other accounts being compromised, this one should still be secure, enabling you to get your cyber life back.
Two Factor Authentication or Two-Step Verification
Both provide an added layer of protection; however, Two Factor Authentication, also known as 2FA, is deemed to be more secure.
Authentication can be provided via three different factors – something you are, have, or know.
Two step verification in its simplest form requires a username, password and something like a passcode to be entered at the login page. This method of authentication only requires something you know.
Two step authentication will require a username and password, but then will also require a fingerprint or passcode from a pre-registered device. This requires something you know as well as proof it’s you or that you have access to the authorised device (something you have).
If you only do one thing, set up 2FA on your primary accounts.
Additional information could be found here.
Let’s be honest most people manage their lives from their phone. It provides direct access to your accounts and secrets! So let’s secure it!
Depending on the age of the device, a 4-digit PIN can be cracked in seconds. Look to increase this to 8 digits. Try not to use your date of birth or other obvious numerical values that could be guessed.
It’s not just the physical device you need to secure; please make sure you have a password set with your mobile phone provider too. Many attackers still use telephone phishing attacks and may simply call organisations up pretending to be you. Imagine losing control of your phone completely and being unable to get it back! SIM swap attacks are very simple but can also be easily prevented.
Now that all of the above has been done, it’s critical to maintain it.
Make sure you set an alert or check in regularly with www.haveibeenpwned.com.
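Besides breach alerts, the same site runs a Pwned Passwords range lookup that lets you test a password without sending it: only the first five characters of its SHA-1 hash leave your machine and the match is done locally. The code below is an added example, not from the original post; it runs offline against a constructed response, and the function names and counts are illustrative.

```python
import hashlib

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def query_prefix(password: str) -> str:
    """The only value sent to the service: 5 of the 40 hex characters."""
    return sha1_upper(password)[:5]

def breach_count(password: str, range_response: str) -> int:
    """Match the other 35 characters locally against 'SUFFIX:COUNT' lines."""
    suffix = sha1_upper(password)[5:]
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_response(known_breached: str, count: int) -> str:
    """Build a sample response offline (constructed data, not real counts)."""
    hit = f"{sha1_upper(known_breached)[5:]}:{count}"
    return "\r\n".join(["0" * 35 + ":2", hit, "F" * 35 + ":7"])

if __name__ == "__main__":
    # A live check would fetch https://api.pwnedpasswords.com/range/<prefix>;
    # here the response body is constructed so the example runs offline.
    sample = constructed_response("password1", 1234)
    for pw in ("password1", "long unique passphrase from a manager"):
        print(query_prefix(pw), "->", breach_count(pw, sample), "sightings")
```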
Apply patches as and when they’re provided. Vendors release these to fix vulnerabilities that have been found. It’s not just about emojis – it’s about security.
Set notifications on applications so you are notified when other users log in. Netflix is a great example of this as it’s often shared with friends and family. It’s not ideal though.
- Don’t rush the above. Make a cuppa, sit down with your laptop, your phone, a pen and a piece of paper.
- Take the time to think about your accounts, new passwords and codes, then get on and do it.
- Take your time and don’t get frustrated if you get stuck. Reach out to a friend, colleague or forum; there are thousands of people out there to help.
- You could create one of those fun challenges for your kids or your partner to complete for them to get access to the new codes afterwards 😉
- Take security seriously but you can make it fun and engaging too.