One of the first questions customers often ask me is, "What simple steps can I take to improve my online identity security posture?"
Keeping your account information secure is the vital first step to good security hygiene. Below are some easy steps that can help keep your accounts safe. Much of the advice applies to both employees in an organization as well as to individuals’ personal online security.
Secure your accounts
- Enable two-factor authentication (2FA) on every account that supports it.
- Use an authenticator app or hardware token that generates one-time codes on the device itself as your second factor, not SMS. SMS codes travel through the phone network and can be intercepted or redirected by a SIM-swap or port-out attack; a code generated on your device never leaves it.
- Use a unique, complex password for each account. Password reuse lets one leaked credential be replayed against every other service you use (credential stuffing), turning a single breach into significant damage or loss.
- Use an offline password manager to store, and ideally generate, your passwords. KeePass is a good example.
- Many services issue one-time backup codes for account recovery when you enable 2FA. Print these and store them offline in case you lose your device.
Avoid being phished
- Never click links from unknown sources, and treat unexpected links from known sources with the same suspicion.
- Never use a search engine to find a service's website (bank, utility, etc.). Most search engines sell advertising, and attackers buy sponsored results that place a look-alike site above the real one so that you enter your credentials into a fake page.
- Type the URL into your browser yourself, or use a bookmark you created by typing it. Before entering anything, check that the address bar shows exactly the hostname you expect.
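The checks a careful reader performs on a link before clicking can be written down. The following is an added example (not from the original post) that inspects a URL the way you would inspect the address bar: is it HTTPS, does it hide a `user@` prefix, does the hostname contain non-ASCII look-alike letters once punycode is decoded, and does it exactly match one of your own bookmarks or merely contain a bookmarked name as a decoy? The bookmark hostnames and the sample links are constructed for the example; `xn--pple-43d.com` is the punycode form of `apple.com` with a Cyrillic first letter.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the reader's own bookmarks: exact hostnames typed in by hand.
BOOKMARKED_HOSTS = ("www.firstbank-example.com", "webmail.provider-example.net")


def decode_host(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so look-alike letters
    become visible. A plain ASCII hostname comes back unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # not a valid IDNA name; leave it and let the other checks flag it


def check_link(url: str, bookmarks=BOOKMARKED_HOSTS) -> list:
    """Return the reasons a link should NOT be trusted.
    An empty list means the link points exactly at one of your bookmarks over HTTPS."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # lower-cased, user@ and :port stripped
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username is not None:
        # https://www.firstbank-example.com@203.0.113.5/ really goes to 203.0.113.5
        reasons.append("URL carries a user@ prefix that hides the real host")
    shown = decode_host(host)
    if not shown.isascii():
        reasons.append(f"host contains non-ASCII characters: {shown!r}")
    if host not in bookmarks:
        reasons.append(f"host {host!r} is not one of your bookmarks")
        for b in bookmarks:
            core = b.split(".")[-2]      # e.g. 'firstbank-example' from 'www.firstbank-example.com'
            if core in shown:
                reasons.append(f"host imitates bookmark {b!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links: one genuine bookmark, four common phishing shapes.
    for link in (
        "https://www.firstbank-example.com/login",
        "http://www.firstbank-example.com/",
        "https://www.firstbank-example.com.secure-login.net/",
        "https://xn--pple-43d.com/",
        "https://www.firstbank-example.com@203.0.113.5/",
    ):
        print(link, "->", check_link(link) or "OK")
```

Note that the decoy `www.firstbank-example.com.secure-login.net` passes every character-level test; only the exact-match comparison against your own bookmarks catches it, which is the reason the advice above says to use bookmarks rather than to eyeball the address.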
Take steps to secure your phone
- Ask your phone provider about their security options.
- If possible, disable account changes made over the phone, and ask for a port-out lock so your number cannot be moved to another SIM or carrier without your authorization.
- Some phone companies will allow you to set a password/PIN on your account that must be provided before making changes online, over the phone, or in person. If you have this option, use it.
- Avoid installing unknown software on your phone, or apps from outside the sanctioned store for your brand of device. Unknown software may include malicious software created to steal your information.
Online email and storage services
- Disable password recovery via SMS.
- For maximum security, disable all automated password recovery options, but only once you have printed backup codes; otherwise a single lost device locks you out for good.
- One-time recovery codes are fine, but keep them printed and offline.
- Make sure your email and online storage accounts do NOT hold sensitive extras such as passwords, social security numbers, credit card details, or password databases. Whoever gets into the account gets all of it.
- Cryptocurrency has become a hot topic, as well as a volatile financial market. Apple Pay and Google Pay (formerly Android Pay) are wallets for conventional payment cards rather than cryptocurrency, but the same principle applies: securing the wallet is paramount to protecting whatever it holds.
- Hardware wallets are the best option, but some have been shown to be susceptible to man-in-the-middle attacks, in which malware on the computer the wallet is plugged into tampers with the transaction the wallet is asked to sign. A hardware wallet is a physical device, similar to a USB drive; always confirm the destination address on the wallet's own screen, not only on the computer.
- Hardware wallets are excellent offline devices, but they are not immune to compromise if they fall into the wrong hands, so safeguard the device physically. An encrypted HDD or USB drive kept safely offline is also a viable option.
- Always keep an offline copy of your wallet's recovery seed (ideally a laminated copy in a safe deposit box or a fireproof safe). Keep the PIN separate from the seed, and never store either online, on your computer, or on your mobile device.
- Do not keep more cryptocurrency than you are willing to lose on an exchange, in an online wallet, or in a wallet app on your phone or in your browser. These are far more likely to be compromised than an offline device.
Other online services
- Use different email addresses for different services where possible. This limits an attacker who controls one mailbox to the accounts registered to it and blunts automated "forgot my password" abuse.
- Configure two-factor authentication on every account that offers it.
- Make note of which services offer only SMS as a 2FA method, and assume those accounts can be compromised despite your best efforts, since the code can be intercepted or redirected.
- Make note of which services do not let you change your account email address. This is critical if you registered with an address you do not personally control, such as a corporate account that disappears when you leave.
In the event of a hack
- If you can still log in, change the password, sign out all other sessions, and review the recovery settings (email, phone, app passwords); if the service offers it, lock or disable the account. The service should send an account-change notification or verification email, which also tells you whether notifications are still reaching you.
- Contact the service's customer support and give them as much detail as you can about the incident.
- If anything of value (money, property, etc.) was stolen, file a report with the FBI's Internet Crime Complaint Center (IC3) as quickly as possible; they have the resources to coordinate and investigate. The service owner can generally provide login history for your account on request, which is useful evidence for that report.