We use the Internet for everything. We pay our bills, manage our bank accounts, do our weekly shop, buy furniture, place bets, share private photos and send messages to our loved ones, all online. Preying on this, more and more hackers are targeting our accounts for criminal purposes. As someone who works with online security, I’m asked all the time how to stay safe, so here’s my quick start guide to how to stay safe on the Internet.
First of all, a common misconception is that these people are sitting at a computer, individually targeting you. They’re not. The processes are automated and repeated over thousands of accounts for maximum profit.
One of the most common “hacks” occurs when a website’s database is compromised and hackers gain access to a list of the users’ email addresses and passwords, together. Most modern websites hash the passwords, so they can’t be reversed, but some, especially older websites, literally have your email and password side by side in a table. If hackers get this, they can log in as you on that website and do what they want.
Sounds bad, right? OK, now imagine that you use the same email/password combo on an online store, such as Amazon. The hackers could go to the store, log in as you, change your password so you can’t get in, then purchase a load of expensive stuff on your card, delivered to them.
Imagine this is the same for your bank, your PayPal, your Amazon, eBay, Gmail, Facebook. The possible consequences are painful to think about.
Now imagine someone has your Google Photos, your iCloud, your personal and private photos, videos and messages. Feel a little invaded yet?
Step 1 – Install a Password Management Tool
The first problem is remembering all your passwords. It’s too hard. So you share the same password across multiple websites. This is incredibly dangerous. If one site is compromised, they all are. But it is too hard to remember them, right?
Sign up for a password management tool, such as LastPass. LastPass has extensions for Chrome, Edge, Firefox and Safari, so install one on your favourite browser. You can also download apps for iPhones, iPads and Android devices.
Then, when you create a new account on a website or app, it’ll prompt you to save the username/password combo to your “vault”. Now you can have different passwords for every account and not have to worry about remembering them. See the LastPass help for more.
Step 2 – Change All Your Passwords
Now you have your password management tool, you have no excuse for not having different passwords. This is a tedious but important job. Go to Google, Amazon, eBay, Facebook, Twitter, Evernote… wherever you have a username and password, and change the password to something new, storing it in LastPass as you go.
Focus on the critical ones first: any with your card details on, private info etc. Gradually they’ll all be updated, and even if one of them is compromised, the others are still safe.
Step 3 – Set Up Multi-Factor Authentication
Most of the more secure websites, again Google, Amazon, eBay, PayPal and so on, all support an extra security step called Multi-Factor Authentication, sometimes known as 2FA (two-factor authentication) or simply MFA.
You’ll commonly see this in the same area of the website that allows you to change your password. “Enable 2FA” or “Enable MFA” for example.
MFA adds an extra step, once you log in, that proves you are who you say you are.
Sometimes this involves adding your mobile number to the account, and every time you log in, the site will send you a text message with a short code. Enter this code to continue. That way, if a hacker has your email/password but not your actual mobile phone, they can’t get any further.
Some sites use a virtual authenticator app, such as the Microsoft Authenticator app. It’s free to install on iOS/Android. You install it on a mobile phone and, when you set up MFA on an account, the site will ask you to scan a QR code, which links the app to that account. From this point, whenever you log in, the site will ask you for a 6-digit code, which you find in the app on your phone. Without the phone, you can’t log in: a great addition to your arsenal when trying to stay safe on the Internet.
See https://www.microsoft.com/en-us/account/authenticator for more.
Step 4 – Scan the Dark Web
When usernames/passwords are compromised, they are commonly shared or sold on the dark web for others to use for criminal purposes.
Many services allow you to scan the dark web for your email address and any passwords that are found alongside it. When an account turns up, you can simply reset your password on that service and keep your accounts secure.
I use ClearScore for monitoring my credit score. Weirdly, they also provide a service called “Protect” which does exactly this and sends regular alerts. See https://help.clearscore.com/hc/en-us/articles/360011626720-What-is-ClearScore-Protect-
There are other services, including https://haveibeenpwned.com/ which can provide you with instant results. Try it now…
Quick Tips to Stay Safe on the Internet
- Never repeat a password on a different website or app
- Do not write down passwords, in Evernote, sticky notes etc.
- Sharing passwords is also a big no.
- When an account is compromised, change the password to something new and check whether anything malicious happened: orders placed that shouldn’t have been, for example. Don’t just close the account.
- Your phone is more important than anything here. Make sure you have a secure PIN / password / code, not just swipe to unlock.
- Chances are, if your Facebook starts sending weird messages, it’s not your username/password but an “app” that you have granted access to your Facebook details. Go through the apps that you have granted access to and delete / remove any you don’t use. See Facebook Settings and the Stay safe on Facebook guide.
- If your Instagram gets compromised, just change your password and log out any devices currently logged in, via the Instagram website. Don’t delete the account and start again: you’ll lose all your photos, followers, comments, likes etc.
- Twitter hacked? Change your password, then check any connected apps here: https://twitter.com/settings/account