HOW NOT TO GET HACKED
This post discusses the different steps you can and should take to better protect yourself and your digital / virtual assets, in short, how not to get hacked. I also think I have a rather simple solution to this problem, one that can be implemented immediately.
Yesterday I posted about how Naoki Hiroshima had to hand over his rather valuable Twitter account name @N in order to gain access to his GoDaddy account and email ID. His case is not isolated: Mat Honan of Wired was targeted last year. I would like to present a possible solution to this.
I am starting this thread to bounce around some ideas on how we can better protect ourselves against such hacks and what IT companies can do to make the hacker's job more difficult.
Two Factor Authentication - For account-related changes
Since we have already started using two factor authentication for logging into sites (if you haven't, you should start right away), why not require the same before allowing any account-specific change, whether it is made online or through the support staff?
If a hacker gains access to my account by cracking my password, he will still need the six-digit code generated by my Google Authenticator app, or the code sent to me via SMS, before he can edit my password, email, date of birth, credit card number or any other account-specific information.
Or the hacker might gain access to my account by impersonating me to the support staff. In that case too, the support staff should ask for the six-digit code sent to my registered mobile number as an additional check, alongside my name, address and the last four digits of my credit card number, all of which can be obtained with little trouble, as we saw in the cases above.
The hacker can get at my accounts by talking the support staff into changing the passwords over the phone, but he still needs my cell phone to enter the code. The support staff will ask for the code that was just sent to the account holder's cell phone, and without it nothing can be changed and no information will be divulged. The moment I receive an email telling me that a change is being initiated, or an SMS asking me to enter a code I did not request, I will know I am being targeted and can take action immediately. So the hacker cannot even change my password or have a new one issued (not even a temporary one) without identifying himself as the true owner using the six-digit code.
Many people have yet to enable two factor authentication. For them we can do two things. First, spread the word and urge them to use it by sending emails and educating them; this is a job for the companies that offer two-step authentication. Second, even if they are not using two factor authentication, a system should be put in place where they must verify themselves by entering or speaking the six-digit code that was sent to their registered mobile number. The idea is simple: the code is generated on the spot, and the hacker will not have access to it.
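To make the proposal concrete, here is an added example (my own code, not part of the original post or of any company's real system) of the gate described above: a sensitive account change, whether requested on the web or read out over the phone to a support agent, is applied only if the caller presents a fresh second factor. The TOTP/HOTP arithmetic follows RFC 6238 / RFC 4226 as implemented by Google Authenticator; the `Account` record, the five-minute SMS validity and the audit trail `sent_to_owner` are constructed assumptions for the demonstration. The secret `12345678901234567890` is the published RFC test secret, so the expected codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30          # TOTP time step in seconds (Google Authenticator default)
DIGITS = 6
SMS_TTL = 300      # a texted code stays valid for five minutes (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // STEP)


def match_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1):
    """Return the time counter whose code equals `submitted`, or None.

    Tolerates one step of clock skew either way and compares in constant time."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    base = unix_time // STEP
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


class Account:
    """Constructed toy record: email on file, shared TOTP secret, pending SMS code, audit trail."""

    def __init__(self, email: str, totp_secret: bytes):
        self.email = email
        self.totp_secret = totp_secret
        self.sms_challenge = None     # (code, expires_at) for users without an authenticator app
        self.used_counters = set()    # each TOTP window may be consumed once (replay protection)
        self.sent_to_owner = []       # every message the real owner would see on their phone / email


def issue_sms_code(account: Account, unix_time: int) -> str:
    """Text a fresh single-use code to the registered number; the owner sees it whether or not they asked."""
    code = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
    account.sms_challenge = (code, unix_time + SMS_TTL)
    account.sent_to_owner.append(f"SMS {unix_time}: your code is {code}; if you did not request this, you are being targeted")
    return code


def second_factor_ok(account: Account, submitted: str, unix_time: int) -> bool:
    """Accept either a valid, not-yet-used TOTP window or the outstanding, unexpired SMS code."""
    counter = match_totp(account.totp_secret, submitted, unix_time)
    if counter is not None and counter not in account.used_counters:
        account.used_counters.add(counter)
        return True
    if account.sms_challenge:
        code, expires_at = account.sms_challenge
        if unix_time <= expires_at and hmac.compare_digest(code, submitted):
            account.sms_challenge = None     # single use
            return True
    return False


def change_email(account: Account, new_email: str, submitted: str, unix_time: int, channel: str = "web") -> bool:
    """Apply a sensitive account change only behind the second factor.

    `channel` is "web" or "phone" (support staff keying in the code the caller reads out);
    the gate is identical on both paths, which is the point of the proposal."""
    account.sent_to_owner.append(f"{channel} {unix_time}: change of email to {new_email} requested")
    if not second_factor_ok(account, submitted, unix_time):
        account.sent_to_owner.append(f"{channel} {unix_time}: change REFUSED, bad, reused or expired code")
        return False
    account.email = new_email
    return True


if __name__ == "__main__":
    acct = Account("owner@example.com", b"12345678901234567890")   # RFC 6238 test secret
    print(change_email(acct, "someone@example.com", "123456", 59, "phone"))        # False: guessed code
    print(change_email(acct, "owner2@example.com", totp(acct.totp_secret, 59), 59))  # True: real token
    for line in acct.sent_to_owner:
        print(line)
```

Two details matter in practice: a used time window is remembered so the same code cannot be replayed a few seconds later, and every challenge, including a refused one, is written to the owner's channel, which is exactly the "I will know I am being targeted" signal the post relies on.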
So what happens if I lose my phone? To start with, most smartphones have a remote "wipe your phone" feature that can be triggered from the online app that both Android and iOS support. I can also deactivate the SIM card by calling customer support. Google Authenticator also supports a backup phone.
So what do you think? Can this work in a way that will stop hackers, or at the very least make their job more difficult? I think it will work really well. I am trying to get some input from others by sharing this post with them. If any of you have contacts, please spread the word and let's try to make this happen. The sooner it happens, the better.
What we learned from the Naoki Hiroshima case (please add to the list by commenting below):
· Always use two factor authentication wherever possible. Here is a general list of services. I will try to find more and create an "always updated" list for the new resource section I am about to launch.
· Don't use a custom @yourdomainname address for services such as ecommerce sites, social networking sites and others; use Gmail, Yahoo or another provider instead (if your domain is taken over, so is every account that resets its password to that address). Don't use a Google Apps email address to log into websites. You can still use the nicer custom-domain email for messaging.
· Use a longer TTL for the MX record, just in case (a changed MX record then takes longer to propagate, which buys you time if the domain is hijacked).
· Always use WHOIS protection for all domains that you own. It costs a little but is well worth it.
· Don't let PayPal release any details about your credit cards, including the last four digits, over the phone. According to the hacker in the Hiroshima case, you can do this by calling PayPal and asking them to add a note to your account saying that no details should be released by phone. See if you can do the same with other companies too, such as Amazon, Apple etc.
· Save the phone numbers and email IDs of the support staff for all the services you use. Surprisingly, many people don't have them on their phones when they need them. They are easy to find on each site, but that takes a few minutes, which can mean the difference between losing your precious accounts / data and protecting them.
· If possible, don't let companies like GoDaddy or PayPal, or any company for that matter, keep your credit card information on file. It is a bit of a hassle to enter your details every time you make a purchase, but it also safeguards your purchases.
· Don't use the same webhost for all your sites. Don't put all your eggs in one basket: if one is compromised, at least you still have the others. Please read this story.
· Always back up your websites, smartphone etc. at regular intervals. Sites being hacked is increasingly common.
· Never use the same password for everything. Use a different password for each email ID at the very least, and make it strong.
· Restrict access to your social networking profiles so that people who are not your friends cannot see them.
· Always use private browsing or Incognito mode when using publicly accessible computers.
· Don't use the same email prefix for all your mail IDs, like firstsecond@gmail.com, firstsecond@yahoo.com and so on. Vary your email ID names.
· Use different recovery addresses for each ID.
· Don't give every third-party app or service under the sun access to your accounts. Do an annual review and remove those you no longer use. Why? Because they are targets, and if their site is compromised, your data is compromised. In 2011 the PSN network was hacked and the details were used for fraudulent charges and whatnot. The same could be used to compromise your virtual assets.
Source : http://nipun-frendshipspot.blogspot.com/