Hackers are constantly seeking new, unsuspecting victims, and identity theft grows more common as the number of consumers who fall prey to their schemes rises daily.
Breaching the data of the IRS, health insurance companies and retailers is no longer surprising. Preventing these cyber criminals from stealing even more personal data can be easily accomplished if consumers are pro-active.
The following ten recommendations can help consumers combat hackers and keep them from infiltrating their laptops, networks and social media accounts.
The easiest way to avoid being hacked is to configure your computers and mobile devices to install software updates automatically, said Lenny Zeltser, vice president of products at Minerva, an Israeli-based provider of endpoint security solutions. Hackers can penetrate your defenses by taking advantage of the bugs in your software, allowing them to install malware when you view an email attachment or interact with an otherwise innocuous website.
"As software vendors learn of such vulnerabilities, they release updates to patch the problem sometimes every month or sometimes more sporadically," he said. "Check the settings of your system to ensure that they allow such updates to be installed once they become available and check the settings of the individual applications, because some of them have individual settings for enabling this functionality. With your operating system and programs configured to update themselves, you will exercise preventative hygiene to strengthen your anti-hacker defenses."
The most pro-active method to prevent a hack from occurring is by utilizing two-factor authentication. The process involves using your password and another step, such as a text message PIN that is sent to your smartphone, said Dan Lohrmann, chief security officer at Security Mentor, a Pacific Grove, Calif.-based provider of security awareness training.
"The best part of this process is that it is offered for free from most online companies, but sadly less than 10% of users take advantage of this service," he said. While Facebook calls it login approvals, Google and Microsoft call it two-step verification and Twitter names the process login verification. The process takes a few minutes to set up.
"Two-factor authentication is the best thing you can do to protect your accounts online," Lohrmann said. "Even if your password is stolen or compromised in a breach, the hackers will not be able to access your account. Besides your social media and email accounts, ask your bank and insurance companies if two-factor authentication is available."
Hackers will use every single available method to break into your system. One of the most common methods is to exploit known holes in commonly used software.
Similar to operating systems, most vendors provide patches for their applications, but they may not be provided automatically, said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company. "It's important that you check with the software makers regularly to see if there are any fixes available for the programs you use," he said. "If you don't need a particular program, it's best to simply uninstall it. This takes a potential avenue of attack away from a hacker and is one less thing you have to remember to patch."
Emails remain a common strategy for attackers to trick a user into clicking on a link or downloading a file that allows them to get access to the user's personal information, install ransomware or malware or even take control of the system entirely, said Wenzler. Phishing emails of this nature are crafted to look like legitimate messages and can mimic a national company or brand. When you pay closer attention, there are obvious clues that the email is not genuine.
"Look for misspellings, poor grammar usage, incorrect fonts, mismatched names or unusual domain names for either the link in the message or in the sender's email address," he said. "Never click on these links or download any files, and when in doubt, contact the company directly to verify if they did, in fact, send that message."
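Two of the clues listed above, an unusual sender domain and a link whose visible text names a different site than its target, can be checked mechanically. The sketch below is an added example, not part of the original article; the trusted domain, the 0.85 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
import email.utils
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"examplebank.com"}  # assumption: domains you really do business with

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def base(host):  # lower-case and drop a leading "www."
    return re.sub(r"^www\.", "", host.lower())

def lookalike(domain):  # near-miss of a trusted domain, e.g. one swapped character
    return domain not in TRUSTED and any(
        SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in TRUSTED)

def phishing_clues(raw_email):
    msg, clues = email.message_from_string(raw_email), []
    sender = base(email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    if lookalike(sender):
        clues.append(f"sender domain {sender} imitates a trusted domain")
    links = Links()
    links.feed(msg.get_payload())
    for href, text in links.found:
        host = base(urlparse(href).hostname or "")
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        # Flag links whose visible text names one site but whose target is another.
        if shown and not ("." + host).endswith("." + base(shown.group(0))):
            clues.append(f"link text shows {base(shown.group(0))} but points to {host}")
    return clues

SAMPLE = (  # constructed message for illustration, not a real phishing email
    "From: Example Bank <alerts@examp1ebank.com>\nContent-Type: text/html\n\n"
    '<p>Sign in at <a href="http://login.secure-update.example.net/verify">'
    "www.examplebank.com</a> today.</p>\n"
)
print(phishing_clues(SAMPLE))
```

A message that passes both checks can still be malicious, so the advice to contact the company directly when in doubt still applies.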
This commonly discussed tactic works because a cyber criminal can load malicious software on a handful of USB thumb drives and drop them on the ground near an employee entrance or other office entry point, said Wenzler. An unsuspecting user could pick one up and plug it into their computer out of sheer curiosity.
"The trouble is that as soon as it's plugged in, the malware is immediately installed and the attacker can then gain access to the system," he said. "It's never a good idea to plug in a USB flash drive or any other USB device that comes from anywhere you're not sure about."
While more applications and services are being moved to the cloud for faster speed and agility, security and privacy are still major challenges. Instead of applying static controls and logging into every activity in a massive database, security teams should enlist the help of machine learning to detect deviation from normal, baselined behaviors that are known to be good, said Isabelle Dumont, vice president at Lacework, a Mountain View, Calif.-based provider of cloud security solutions.
"Cyberattacks will always generate unusual behaviors," she said. "Baselining behaviors gives security teams an immediate and more accurate, precise and systematic way to detect malicious activity."
The increasing level of consumer technology creates unprecedented conveniences, but simultaneously introduces serious threats to data security, said Stephen Maloney, executive vice president at Acuant, a Los Angeles-based provider of intelligent data capture and authentication solutions. Consumers need to embrace biometrics in order to protect their accounts.
Fingerprint and facial recognition methods are becoming more commonplace and integrated with a number of popular apps. "Apple helped break down initial consumer apprehensions related to the use of fingerprints while Facebook and Instagram continue to popularize selfies as part of the cultural norm," he said. "Both have the potential to make a real impact on security."
This extra step should become part of the norm and not be seen as an extra step. Biometrics can be paired with multi-factor authentication such as passwords to increase the level of authentication.
Many consumers and organizations still rely heavily on passwords, which are often the only security control protecting their systems and sensitive information, said Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions. Educating employees and consumers that they need to be accountable for developing a strong, easy-to-remember password is critical.
"Passwords should be long with some complexity added," he said. "For most, joining several words and numbers together to make something unique and random works well replacing one or two characters with a $p3ci@l one." Or simply use a password manager that is either free or only requires a nominal cost.
"As the world moves into the cloud, less and less of your data is stored on your computer," said Marcin Kleczynski, CEO of Malwarebytes, a Santa Clara, Calif.-based malware prevention company. "Use long and random passwords for services where your data may be stored. Don't reuse your passwords and use a password manager instead."
Many users have expensive mobile data packages, increasing the odds that they are constantly looking for free public Wi-Fi access to get connected online. Be wary of using public Wi-Fi access points at airports or restaurants and avoid them as much as possible. To avoid those prying eyes, use a virtual private network (VPN) that will ensure your traffic is encrypted and not easily readable by potential hackers.
"Always assume that someone on that network is watching everything you do and accessing your personal data," said Carson.
Examine your emails and social media accounts closely, because more and more often it is a hacker making a seemingly reasonable request. It is not probable that your company contracted out your human resources or healthcare support. Employees don't need to fill in their ID and password on "their website" just to help them, said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions. The same goes with your secure banking website, which did not let its SSL certificate expire.
Too many consumers find themselves on spoof websites, which often mimic the authentic website and have a very similar URL.
"You are not on the real site and no, you shouldn't download anything," he said. "Let's take the Russian proverb of 'doveryai, no proveryai' ('trust, but verify') and apply it, with a little modification to the world we currently live in." Just because the email appears to be from the government or an authoritative voice with perfect grammar and English does not mean a hacker did not craft it.
"Let's be real," Roberts said. "The FBI's director general is never going to send you a letter explaining how you have to trust the people you are speaking with. The Nigerian explorer who stumbled upon your long lost great uncle's skeletal remains and the accompanying chest of gold in the middle of the jungle, isn't going to call you asking for 50% and can you pay shipping. No, the lonely pen pal dating site friend you recently met who is on active duty orders in Afghanistan doesn't need you to send him money just so he can send you gifts. No, you are not the one millionth visitor to the website and therefore don't need to click the link."
Authenticating emails or websites by simply typing in the address can prevent identity theft and the loss of money. "If people actually took an extra 30 to 60 seconds to verify some of these exploits then the bad guys would likely not be sitting in a multi-billion dollar industry," he said.