This weekend a friend of mine was caught by yet another Facebook social engineering security event. It was a run of the mill phishing attack, and his credentials were compromised and scores of messages were sent out. The messages were simple “It’s you in this video?” with a fake link to Youtube (see image).
This is the type of security related stuff that happens every day, so why am I writing about it? Simply because it happens all the bleeping time. We in the security field sometimes take for granted that people do not know as much as we do, or have access to tools and solutions we use like oxygen.
Most people use social media without much thought, assuming that the site is protecting them. While somewhat true, we all have a responsibility to protect ourselves (and our friends) from these attacks. Always remember this, it is your responsibility to keep yourself secure and protected on the interwebs. The first step is protecting your identity.
None of Us is as Insecure as All of Us
These scams and security attacks all have something in common. Most humans are lazy, busy or otherwise inattentive to their surroundings. Our social media accounts are a safe place, and when we feel safe we let our guards down. Why the hell would someone want to hack my account, I’m not that important after all. Here’s the reality though, they don’t want to hack your social media account, its a means to an end. The majority of people use the same information for all their logins, their email address (firstname.lastname@example.org for example) and because they don’t want to have to remember lots of passwords the reuse them across numerous websites and apps. This is a gold mine for the scammers.
The bad guys put up a legitimate looking Facebook login page with a URL that ‘looks’ legit or not (see the image above) and entice you to go to it and enter your credentials. They collect hundreds of thousands of such user accounts. The bad guys use that data to attack legitimate websites like your other social media accounts, email account and your bank accounts and do what is called a password stuffing attack. This is basically trying all of these stolen credentials trying to get a good login. Right about now you are probably thinking its time to change some of your passwords I hope.
How Do I Manage All of this Security Nonsense Then?
This is where it gets a bit annoying and painful … at first. You need to create a strong random password that is different for every damn account you have. Go read that again, I’ll wait.
Ok, you’re back good. Lets think about it, we have hundreds of user names and passwords, how the hell can we do this and still remember them all? The answer is you can’t. This is where we let the computer or smart phone do the work for us. There are dozens of good, secure and fast password managers out there. I use two for work and personal accounts, LastPass and 1Password. (I am not affiliated with either, I just like them). They both do very similar things, and the important ones are:
- Create strong random passwords for each site or app
- Notify you if you use the same password on different sites
- Notify you if a site has been breached
- Remind you to enable Multi-Factor Authentication (we’ll get into that security subject later… )
- Autofill your credentials so you don’t have to type all those annoying special characters
- Encrypt the data using a password only you know as the key
- Sync across multiple devices and platforms
All of these functions help you to keep your passwords, random, strong, secure and easy to use. Security must be simple and user friendly or users won’t do it, simple as that. Once you pick a tool to use, you now have to start visiting all your sites and change the password and save it in the password manager. Start with your financial accounts, email, and social media accounts. Let the tool create a random password, make it long and complex. I suggest at least 15 characters and 5 special characters and numbers. Don’t worry about it being hard to remember or type, you won’t have to do either! Now that you have your critical accounts done, start hitting all the others you can think of. The whole process may take a couple days, but the more you do the stronger your security is.
Enabling Multi Factor Authentication for Bonus Security Points!
Multi-Factor Authentication (MFA for short) is simply providing another proof of your identity during the login process. Most websites and apps have the option to enable MFA on your account, and some now are starting to require it. This is especially true in the financial sector to protect your bank or investment accounts.
There are dozens of ways to implement MFA, but the most common are sending a code via text message that you need to enter as part of logging in, using an phone application that generates a code, or allows you to ‘authorize’ the login by clicking a button, and some will use the phone itself to ask if you are trying to log in.
These extra steps protect your accounts even if your password is stolen. Using this type of security, if your account is stole or breached, the bad guy cant login or change your password without having the extra step of authentication. I strongly recommend enabling this whenever it is available! Also, for the love of <insert favorite deity name here> have a strong PIN/Password on your phone in case its lost. As your phone is your digital life, protect it. We lock our homes, our cars, and anything else that is critical to us – don’t forget your phone!
Security is a Verb, Not a Noun
These are all simple things you can do to protect yourself, your accounts, and ultimately your money from the simplest of security attacks by keeping your credentials protected. Changing passwords regularly – even if you don’t have to is a good practice to get into and these tools make it simple. You should also practice safe clicking – look at the URLs links will take you to. Before clicking anything hover your mouse over the link and see if it is a real website or a fraud. If you’re not sure, reach out to the sender via a different manner and ask them. The account data you save will be your own.