
10 Actually Effective Ways to Protect Yourself from Being Hacked

January 5, 2016

Security is always a trade-off with usability. The only completely secure computer is one turned off, in a safe, in the ground, guarded by barbed-wire and armed personnel. Unfortunately this hypothetical computer is also completely useless.

Computer security may be an entire highly-specialized field, but there are a few very effective ways to protect your devices and data.

Avoid Phishing Attacks:

  • Assume Your Business Associates Have Been Hacked
    Businesses without proper systems in place lose their credentials frequently. If you get an email or another message from a business associate asking you to send money via wire transfer or Western Union, most likely their email account has been hacked and someone else is sending email from it. Never send money via wire transfer or Western Union.
  • Check the Sender Email Address, Not Just the Sender Name
    Make sure you check the sender's email address, and not just the sender's name. It's easy to create a fake email account on a free service like yahoo.com or gmail.com and send mail under your boss's name.
  • Don't Click Links in Email or Advertisements
    The standard security mantra is to never click a link in an email, even if it is from someone you know or a company you do business with. Email is trivially easy to forge. Always type the website address into your web browser manually and log in from there instead of clicking a link in an email or an advertisement, as these links can send you to a forged website that will capture your login information.
  • If You Have to Click a Link in Email or Attachments, Don't Sign into Websites:
    Even if you've received an email with a link from someone you trust, their account may have been hacked. Thus, if someone has shared a document with you, do not click a link in an email and then sign into your Google, Microsoft, Apple, Facebook etc. account from the linked website. Instead, ensure you're already signed into your Google, Microsoft, Apple, Dropbox etc. account in your browser, and then click the link to confirm the web page shows you as already signed in. Here are some examples of fraudulent phishing emails looking to collect your Google/Gmail or Microsoft/Outlook usernames and passwords, which send you to legitimate-looking fake Google or Microsoft websites in order to harvest your login name and password:

    THESE EXAMPLES ARE ALL FAKE WEBSITES – DO NOT SIGN INTO THESE WEBSITES – Instead, open a new browser tab, type in the URL/domain for the site by hand, and sign into the official website. Then, if you click the email link a second time and it still asks you to sign in, you *know* the login page is fake, because you're already signed into that site in that browser. I.e. type in the URL manually, e.g. https://drive.google.com or https://gmail.com or https://outlook.office365.com or https://onedrive.com

The key takeaways for avoiding phishing attacks are thus:

  1. Don’t assume emails or other messages from contacts are legitimate; many email accounts are hacked every day by phishing attacks. The first thing a hacker will do is send legitimate-looking phishing messages from that person’s actual account to everyone on that person’s contact list. Because the hacker has this user’s contact list, they’ll personalize the message, saying “Hey <your name>, this is critically important you do this NOW”, asking you to click a link to reactivate your account or some service you use or open a file they’ve “shared” with you.
  2. If someone shares a file/link with you, don’t sign into the website when clicking the shared file link. Instead, make sure you’re already signed into your Google/Microsoft/Dropbox account in your browser *before* clicking on the link. Once you’ve signed into the real account in a separate tab, if clicking on the link doesn’t open the file for you, you know it’s fraudulent and you should email the sender letting them know their account may have been hacked.
  • Double-Check the URL Domain Name and the Security Certificate of Websites You Visit. When signing into a site from a link in a message, always check that the domain name matches the site you expect to be logging into, and that the security certificate name matches. Checking the security certificate of the websites you log into is very important, as the certificate verifies that you're visiting a website owned by the company you think you are. Most browsers have a padlock icon next to the address bar at the top of the browser that you can click on for more information about the website and its security certificate.
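The two checks above (sender address versus display name, and link host versus the domain you expect) can be written down precisely. The following Python is an added example, not code from the original post; the trusted mail domain `example-corp.com` and the sample message are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the real mail domain(s) your colleagues send from.
TRUSTED_MAIL_DOMAINS = {"example-corp.com"}


def sender_domain(from_header):
    """Return (display name, address domain) from a From: header.
    The display name is free text the sender controls; the domain is
    the part worth checking."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def host_belongs_to(url, expected_domain):
    """True only if the link's host is expected_domain or a subdomain of it.
    A plain string-suffix test would accept 'drive.google.com.evil.example',
    so the match is made on whole DNS labels (exact, or '.' + domain)."""
    host = (urlparse(url).hostname or "").lower()
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def assess(from_header, url, expected_domain, trusted=TRUSTED_MAIL_DOMAINS):
    """Return the list of red flags found; an empty list means these basic
    checks passed, which is not proof that the message is genuine."""
    flags = []
    name, domain = sender_domain(from_header)
    if domain not in trusted:
        flags.append(f"display name '{name}' but address domain '{domain}' is not trusted")
    if urlparse(url).scheme != "https":
        flags.append("link is not https")
    if not host_belongs_to(url, expected_domain):
        flags.append(f"link host '{urlparse(url).hostname}' is not under {expected_domain}")
    return flags


if __name__ == "__main__":
    # Constructed sample: a look-alike sender and a look-alike Drive link.
    sample_from = '"Jane Boss" <janeboss.ceo@gmail.com>'
    sample_link = "https://drive.google.com.login-verify.example/shared/doc"
    for flag in assess(sample_from, sample_link, "google.com"):
        print("FLAG:", flag)
```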

Use Complex Passwords


Your passwords could almost certainly be stronger. Modern desktop password crackers can run at 500 million guesses a second, and a hacker can rent an Amazon cloud cracking array that runs billions of guesses a second for only a few dollars. To see how long it would take a massive cracking array to break your password, check out Steve Gibson's excellent Password Haystacks website.
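To see the arithmetic behind those guess rates, here is an added Python example (not from the original post or from the Haystacks site) that sizes the search space a brute-force attacker must exhaust and divides it by a guess rate. The 500 million/s figure is the post's; the 100 billion/s cloud figure and the sample passwords are assumptions.

```python
import string

# Guess rates to compare: the 500 million/s desktop figure from the post and an
# assumed 100 billion/s for a rented cloud cracking array (the post says "billions").
RATES = {"desktop cracker": 5e8, "rented cloud array": 1e11}


def alphabet_size(password):
    """Size of the smallest conventional alphabet that covers every character used
    (a brute-force attacker must assume at least this alphabet)."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))


def search_space(password):
    """Number of candidates an exhaustive search over every string of length 1..L
    from the same alphabet must try: the 'haystack' the password hides in."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole haystack at the given rate."""
    return search_space(password) / guesses_per_second


def human_time(seconds):
    """Readable duration; this is an order-of-magnitude tool, not a forecast."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed samples: a common word, a "complex" variant, and a long padded phrase.
    for pw in ("password", "P@ssw0rd", "correct.horse.battery.staple.99"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, haystack={search_space(pw):.3e}")
        for label, rate in RATES.items():
            print(f"    {label}: {human_time(seconds_to_exhaust(pw, rate))}")
```

Note that this models exhaustive search only; a dictionary attack finds "password" or "P@ssw0rd" far faster than the haystack number suggests, which is why length and unpredictability both matter.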

Use Made-Up Security Question Answers

Most spouses (and many companies that track your online footsteps through the ads that websites display) will know the answers to your "security questions", such as your aunt's birthday (probably publicly available on Facebook) or your favorite vacation spot (search history), etc. The best defense for this is using password management software such as LastPass to make up completely random answers to these questions. LastPass is free for Mac/Windows and works with the Internet Explorer, Google Chrome, and Mozilla Firefox browsers.

Use a Password Management Application such as LastPass

LastPass stores all your passwords and other sensitive information behind a single strong master password. It generates extremely complex, unique passwords for each website (so that someone who breaks into one account does not gain access to any others) and enters them for you automatically, so you don't even have to remember them. LastPass is also available on iOS, Android, Windows Phone and BlackBerry for a subscription fee of $12/year. We store all of our passwords and sensitive information in LastPass, and LastPass has been audited by third parties we trust to verify that the information encrypted in LastPass is not available even to LastPass: your vault is encrypted on your local computer with your master password, so LastPass cannot read your information or give it back to you if you forget that password. (The master password is the password you use to unlock your LastPass vault after you log in to your computer.)


Use Two-Factor Authentication

Two-factor authentication is important for banking and other sensitive accounts. "Two-factor" means any requirement to use a second method, besides just your password, to sign in from a new device or a different location. Whether it's typing in a code from an SMS message, clicking a verification email, pressing a button after answering a phone call, clicking a button in an authenticator app, or typing in a rotating random number from a key fob, this is a very effective extra layer of account security, because even if a hacker obtains your username and password, they won't be able to log in without your other device. Most banks, as well as Microsoft, Google and Facebook, support two-factor authentication in some form.

Another feature some websites support is image-verification. Image-verification is helpful to avoid these social-engineering (“phishing”) hacking attempts by showing you an image chosen ahead of time by you, so that you know the site is not a site pretending to be the real one. Verizon Wireless and many banks offer this feature, showing you the verification image on the page after you enter your correct password (where you have to enter your 2nd-factor login or PIN code).

Install and Keep an Active Subscription to a Reputable Anti-Virus Program

This applies to Macintosh computers and Android cell phones, too. For a good comparison of Anti-Virus products check out av-comparatives.org

Keep Adobe and Oracle Products Up-To-Date

More than 50% of viruses exploit old versions of Adobe Flash Player, Adobe PDF Reader, or Oracle Java to get into a system. Nearly 10% of Macintosh computers worldwide were infected at the same time during a single Oracle Java virus outbreak.

Encrypt your Physical Devices

Unless your devices are encrypted and protected by strong passwords themselves, anyone who has physical access to them (and knows what they are doing) is going to be able to break in. Apple iOS 9 and newer has whole-device encryption enabled by default, and if you set a 4-digit passcode it will be strongly encrypted. Windows 10 Professional (a free upgrade from Windows 7 Pro) has built-in whole-device encryption called BitLocker, which can be enabled to encrypt everything on the computer and thus requires you to enter the decryption password whenever the computer is turned on. This whole-device encryption is extremely effective at securing physical devices from unauthorized access, and also extremely effective at preventing you from accessing your own device if you forget the password (there is no back door if you forget the password!) or if the disk gets corrupted. Thus having good, secure, tested backups is even more critical with encrypted devices.

Lock Down Physical Accounts

Preventing access to other accounts such as utilities and cell phone carrier accounts is actually much more difficult, because the security these companies have is often wholly inadequate. If you think you're being maliciously targeted, often your only option is informing companies of the possibility of attempted unauthorized access and manually changing passwords and security codes. Verizon Wireless is one of a few exceptions in this area, as Verizon now requires unique account passwords with image verification. If you know your Verizon security image, this extra step can greatly reduce the chance you'll accidentally enter your credentials into a fraudulent website and fall victim to one of these so-called information-harvesting "phishing attacks" (so called because they are "fishing" for your personal information).

Implement a Credit-Freeze

Putting a preemptive credit-freeze in place might sound overly cautious, but it’s also very effective. Though unfreezing can take some time or require a fee, you probably don’t apply for credit all that often. Plus, a freeze is usually cheaper and more secure than using a “credit-monitoring” service.

Keep a Backup Encrypted Off-Site

Okay, so this is #11. Keeping backups isn't going to keep you from getting hacked, but it will keep you from losing everything to ransomware. Remember, if Fortune 500 companies can get hacked, so can you. Keep an off-site backup of your data using an automatic service such as Carbonite or Mozy, and test it periodically to make sure it's working. If you use a password management app like LastPass, print out your account recovery codes and store them in a safe place.

 
