Disclaimer: None of the content contained herein is intended to constitute advice of any kind, and is for general informational purposes only.
Any time we’re in possession of sensitive information, including but not limited to credit card numbers, bank account information, social security numbers, and any sort of personal information that someone would not want shared, it is imperative not to physically write that information down. It’s easy to say that we’ll remember to shred it, but it’s been proven that memory is not inherently reliable, no matter a person’s age. So don’t write it down.
Physical records can be misplaced and pose liability.
Digital records, likewise, must be secured. Never send sensitive information over text message or email, and never post it in a note-taking app or some other recording medium. These are easily compromised. Only secure applications designed for the intake of such information, such as invoicing apps (e.g. Housecall Pro), finance apps (e.g. Quickbooks), and password managers, should be used. And even then, such apps must come from reliable sources to be secure.
Furthermore, it’s imperative to keep a passcode on any device that will be housing sensitive information. If a device does not have a passcode or password in place, little effort is needed to retrieve the information if the device is stolen. iPhones are automatically secured with encryption when a passcode is set. On Android, encryption often needs to be turned on manually in the device’s settings. Encryption is what keeps a device’s data from being easily retrieved if the device is stolen.
Passwords are the first barrier to entry, and the first ‘attack vector’ for would-be attackers. Best practices have evolved over the years. Ever seen a password strength indicator? You’re trying to make a password for a website, and it keeps saying it isn’t strong enough? Those often use a standard that doesn’t guarantee a strong password, only a slightly more complex one. The creator of that system has come to regret it.
In fact, greater complexity does not equal greater strength. Adding special characters, numbers, and capital and/or lower case letters does not in itself guarantee significant additional safety. The tools employed by attackers can breach such passwords. Now, randomization is key.
Randomization takes human choice out of the equation. This means that even typing ‘random’ numbers, letters, and symbols on a keyboard is not sufficient: by making a selection, randomness is lost. Therefore, password generators, such as those available with password managers, are employed to generate strong, truly random passwords.
In the absence of a randomized password generator with numbers and characters, a randomized word generator may also prove effective. A password like ‘denial contrary encourage’ may not make sense, but it’s at the very least more memorable than ‘fIY@v4T9Tp$0.’
Also be aware that randomized generators freely available online may log passwords, and accordingly render their security effectively useless.
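A local generator in the spirit of the advice above, as an added example and not code from the original article: it draws words and characters from the operating system’s cryptographic random source rather than from a human at a keyboard, and puts numbers on the article’s two examples, including the caveat that a three-word passphrase from a large list is weaker than the twelve-character example and how many words close the gap. The sample wordlist is constructed; the 7776-word figure is the size of the EFF long wordlist, assumed here as a realistic list size.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo. A real generator uses a large published
# list such as the EFF long list (7776 words); list size sets the strength per word.
SAMPLE_WORDS = [
    "denial", "contrary", "encourage", "harbor", "violin", "glacier",
    "pencil", "orbit", "saddle", "tundra", "walnut", "beacon",
    "cactus", "meadow", "lantern", "quartz",
]
EFF_LONG_LIST_SIZE = 7776
# 52 letters + 10 digits + 32 punctuation marks = 94 symbols per position
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Strength of a uniformly random secret: positions * log2(alphabet size)."""
    return positions * math.log2(choices_per_position)


def words_for_bits(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list, count: int) -> str:
    """Pick words with the OS CSPRNG, so no human choice enters the selection."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Character password from the same CSPRNG over the printable alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_article_examples() -> dict:
    """Entropy of a 3-word passphrase (EFF-sized list) vs a 12-character password."""
    three_words = entropy_bits(EFF_LONG_LIST_SIZE, 3)   # 'denial contrary encourage'
    twelve_chars = entropy_bits(len(PRINTABLE), 12)     # 'fIY@v4T9Tp$0'
    return {
        "three_words_bits": round(three_words, 1),
        "twelve_chars_bits": round(twelve_chars, 1),
        # words needed before the passphrase matches the 12-character password
        "words_to_match": words_for_bits(EFF_LONG_LIST_SIZE, twelve_chars),
    }


if __name__ == "__main__":
    print(compare_article_examples())
    print(generate_passphrase(SAMPLE_WORDS, 7))
    print(generate_password(12))
```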
Hackers & Data Breach
There is a difference between hackers and what are colloquially referred to as ‘script kiddies.’
Hackers are skilled and come in many forms. They may be white hat, black hat, or gray hat.
A white hat hacker works for the good of others, helping to find vulnerabilities before an attacker.
A black hat hacker has a malicious purpose, whether that’s disrupting normal operations, retrieving and exploiting personal data, or any other criminal objective.
A gray hat hacker is an in between, often with good intentions, but operating with morally questionable, even unlawful, practices in order to accomplish their goals.
Hackers can develop their own tools in order to breach a target.
A script kiddie, by contrast, is not skilled enough to develop their own tools and relies on those created by hackers. Many tools are readily available and make expert hacking unnecessary in some cases, such as circumventing weak passwords.
Data breaches may be conducted by either a hacker or a script kiddie, especially if an organization’s passwords don’t follow proper standards. Often, however, companies with large cyber security budgets like big banking institutions or big technology companies have dedicated teams and advanced security infrastructure to keep attackers at bay. It’s the users with poor passwords that are readily accessible. Think back to celebrity data breaches, where photos were stolen from iCloud. It’s not necessarily that Apple’s iCloud was insecure, but that the celebrity’s password protecting that iCloud account was insufficient.
One of the core differences between an HTTP connection and an HTTPS connection is the security protocol. An HTTP connection may be intercepted and read by an attacker, or otherwise exploited. This is why it is inadvisable to submit any sensitive information, such as financial information or personal details, over an HTTP connection. An HTTP connection may also be vulnerable to a man-in-the-middle attack, where the destination website is swapped for an attacker’s website that will collect sensitive information.
HTTP and HTTPS are seen in your browser’s (e.g. Internet Explorer/Edge, Chrome, Firefox, Safari) address bar. HTTPS may sometimes be indicated by a lock icon or a green ‘secure’ indicator to the left of the web address. This is because HTTPS is delivered over an encrypted, or ‘secure,’ connection. However, an address being HTTPS does not in and of itself make a site secure or legitimate.
Phishing entails obtaining sensitive information through human contact, rather than hacking or employing scripts. Phishing attempts may be conducted over phone call, text message, email, social media, or some other form of contact. Often, phishers will impersonate a trusted person, organization, or website in order to get the target to reveal information. These methods can be incredibly clever. Others may seem more obvious, such as posing as the IRS and demanding payment with gift cards.
Many phishers will use web addresses and emails that look similar, but aren’t the real thing. For instance, firstname.lastname@example.org isn’t the real address from our organization. There’s a ‘1’ instead of the ‘I.’ But it is one that an attacker could use, and it may go unnoticed. This same strategy may be employed with websites, such as contingencynedia.org in place of the real address. There’s an ‘n’ where the ‘m’ should be! The website may be designed to look and function nearly identically to the real thing.
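A defender-side check for the lookalike addresses described above, as an added example that is not from the original article: it folds visually confusable characters (the article’s ‘1’ for ‘I’ and ‘n’ for ‘m’, plus the common ‘rn’ for ‘m’ and ‘vv’ for ‘w’) into one skeleton, adds an edit-distance check for single-character typos, and compares sender domains against a trusted list. The trusted domain example.org and the sample From: headers are constructed for the demo.

```python
import re

# Constructed trusted domain for the demo; a deployment would load the
# organization's real domains here.
TRUSTED_DOMAINS = {"example.org"}
# Confusables: the article's '1' for 'I'/'l' and 'n' for 'm', plus two other
# well-known ones ('rn' for 'm', 'vv' for 'w'); each folds to one canonical form.
CONFUSABLE = {"rn": "m", "vv": "w", "1": "l", "i": "l", "0": "o", "n": "m"}


def skeleton(domain: str) -> str:
    """Fold visually confusable characters; longer patterns are folded first."""
    s = domain.lower()
    for src in sorted(CONFUSABLE, key=len, reverse=True):
        s = s.replace(src, CONFUSABLE[src])
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one-character typos the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str:
    """'trusted' on exact match, 'lookalike' if it folds onto or is one edit from one."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(d) == skeleton(trusted) or levenshtein(d, trusted) <= 1:
            return "lookalike"
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


# Constructed From: header values for the demo
SAMPLE_HEADERS = [
    "Accounts <billing@example.org>",
    "Accounts <billing@exanple.org>",   # 'n' where the 'm' should be
    "Accounts <bi11ing@Examp1e.org>",   # '1' in place of 'l'
    "Accounts <billing@exarnple.org>",  # 'rn' read as 'm'
]


def scan(headers):
    return [(sender_domain(h), classify(sender_domain(h))) for h in headers]
```

Running `scan(SAMPLE_HEADERS)` flags the last three headers as lookalikes while the first is trusted.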
Phishers may also employ ‘spoofing,’ or falsifying information such as a phone number, email address, or location when contacting targets. Spoofed information may appear without any apparent errors.
On top of that, phishing may be employed alongside an account breach, where the phisher has obtained access to a family member or friend’s account (e.g. email, social media, cell phone carrier), and sends out messages sharing something ‘funny’ or ‘urgent’ that will steal information.
It requires a lot of due diligence to keep a phishing attempt from becoming a successful one, including not trusting every source that claims to have authority, and not clicking on links in messages or on websites without due care. Even using an HTTPS connection and strong passwords won’t prevent a phishing attack.