With the introduction of General Data Protection Regulation (GDPR), keeping your data safe and secure has become massively important to businesses. Failure to look after data means companies can now be fined significant sums when they are found to be negligent.
Companies that are serious about data protection will be categorising information and applying encryption at various stages, making sure they follow Payment Card Industry best practices if they are a commerce shop. As an engineer working on product, it’s important to try to think like an attacker and limit what they would be able to do in case they managed to compromise a system. In security jargon, you are attempting to minimise the attack vectors and reduce the attack surface.
You can apply this same mentality to the data you manage day-to-day and help keep your details safe. This post shows some of the things you can do to reduce the chances of your data ending up in hackers’ hands. If you have friends or family who sometimes need a bit of help with technology, you can make sure they’re following some of the guidance here. It may seem obvious to you, but it isn’t to everyone.
Modern day hackers
Who are the people performing system hacks? Why do they always wear a hood and a mask, sitting around in gloomy rooms with the Matrix on their screens?
A computer hacker is any skilled computer expert that uses their technical knowledge to overcome a problem. While “hacker” can refer to any skilled computer programmer, the term has become associated in popular culture with a “security hacker”, someone who, with their technical knowledge, uses bugs or exploits to break into computer systems.
The fact is, cyber crime is big business and hackers are now using sophisticated techniques that require deep understanding both of computer networking and how systems are built. Hackers are often organised, skilled engineers and have significant resources to attempt hacks. They often rent cloud computing power to run their attacks — it can be a full time job.
In the end, many attacks are attempted for profit. This could be from compromising and reselling information, attempting to purchase goods fraudulently, spending e-vouchers for goods or blackmailing the company that has been hacked. There are also hacks that are purely damaging and malicious in nature (e.g. the Sony Pictures attack) or mischievous/exploratory, but the hackers we all need to defend against are organised and methodical, motivated by profit, who want to exploit your information and are prepared to invest time, effort and money to achieve this. These are commonly referred to as Black Hat Hackers — for this article I’ll just refer to them as hackers.
What is a data breach?
You may hear about data breaches in the news, but what does it mean? From TechTarget…
A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion
In other words, an attacker has managed to extract data, such as emails and passwords, address information, payment card data or any other sensitive information held about you from a company. This can take many shapes and forms, and really does depend on who the attacker is and the level of access they have to systems.
Consider a hacker working from a remote location who manages to gain access to the main databases of a company and take a copy of their data. Even worse, the data is held in plain text, unencrypted, so they can now immediately start using it. That’s a bad state of affairs.
Another example might be a disgruntled employee who has access to data and decides to copy and sell it. That’s another bad state to be in: they have insider knowledge of how systems work and how to gain access to useful information.
The final example (and one that concerns us for this article) is an attacker who doesn’t have access to any of the main systems and tries to go in through the front door. Using brute force or credential stuffing attacks, they try to gain access to the main parts of a site by using the login pages, then extract data held in profile pages or other parts of the site. They do this using automated tools that can try many different combinations of credentials per second.
This type of attack is very common and is one that most companies providing a login page will have to defend against.
These are all different types of attacks from different threat actors — there’s not much you can do about the first two, which are the responsibility of the company, but you can certainly help protect yourself against the third.
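The credential stuffing and brute force attacks described above leave different shapes in a site’s login log: a stuffing run touches many distinct accounts from one source with roughly one guess each (the leaked password for that email), while a brute force run hammers one account with many guesses. The following Python is an added example, not code from the original post, showing how a defender can separate the two from a login log. The log format (timestamp, source IP, account, result), the sample lines and the detection thresholds are all constructed for the example and are assumptions to tune to real traffic.

```python
"""Telling credential stuffing from brute force in a login log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed sample log: "<ISO timestamp> <source IP> <account> <OK|FAIL>".
# Invented for this example; the addresses come from documentation ranges.
SAMPLE_LOG = """\
2020-07-20T08:00:01 203.0.113.5 alice@example.com FAIL
2020-07-20T08:00:02 203.0.113.5 bob@example.com FAIL
2020-07-20T08:00:02 203.0.113.5 carol@example.com FAIL
2020-07-20T08:00:03 203.0.113.5 dave@example.com OK
2020-07-20T08:00:03 203.0.113.5 erin@example.com FAIL
2020-07-20T08:00:04 203.0.113.5 frank@example.com FAIL
2020-07-20T08:01:10 198.51.100.7 alice@example.com FAIL
2020-07-20T08:01:11 198.51.100.7 alice@example.com FAIL
2020-07-20T08:01:12 198.51.100.7 alice@example.com FAIL
2020-07-20T08:01:13 198.51.100.7 alice@example.com FAIL
2020-07-20T08:01:14 198.51.100.7 alice@example.com FAIL
2020-07-20T08:05:00 192.0.2.9 alice@example.com OK
"""

Event = Tuple[datetime, str, str, str]


def parse(log_text: str) -> List[Event]:
    """Turn the constructed log format into (time, source, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def _max_distinct_in_window(evs: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct accounts one source touched inside any span of `window`."""
    evs = sorted(evs)
    counts: Counter = Counter()
    best = start = 0
    for ts, value in evs:
        counts[value] += 1
        while ts - evs[start][0] > window:  # slide the window start forward
            old = evs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def _max_count_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events: List[Event], window: timedelta = timedelta(minutes=1),
           min_accounts: int = 5, min_failures: int = 5) -> Tuple[Set[str], Set[str]]:
    """Return (stuffing_sources, bruteforced_accounts).

    Credential stuffing: one source tries at least `min_accounts` *different* accounts
    within `window`, typically one leaked password each, so per-account failure counts
    stay low and only the breadth of accounts gives it away.
    Brute force: one account collects at least `min_failures` failed attempts in `window`.
    The thresholds are assumptions to tune per site.
    """
    by_source = defaultdict(list)
    failures = defaultdict(list)
    for ts, ip, account, result in events:
        by_source[ip].append((ts, account))
        if result == "FAIL":
            failures[account].append(ts)
    stuffing = {ip for ip, evs in by_source.items()
                if _max_distinct_in_window(evs, window) >= min_accounts}
    brute = {acct for acct, times in failures.items()
             if _max_count_in_window(times, window) >= min_failures}
    return stuffing, brute


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))  # ({'203.0.113.5'}, {'alice@example.com'})
```

In the constructed data the stuffing source is only caught by the breadth of accounts it touches, since every account sees a single attempt; the one success it gets (dave) is exactly the reused-password case the rest of the post is about, and a unique password per site would have turned it into one more failure.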
Passwords and authentication
Most websites will expect you to sign in at some point, and that is usually an email and password combination. This is probably the most common attack vector that malicious hackers will try and exploit, so it’s important to understand what the risk is here.
Imagine there’s a website that hasn’t been paying close attention to its security and has allowed a set of emails and passwords to be breached. That’s bad news for that website but also for the users who have been breached, as one of the things an attacker will do is run a set of credentials from one breach against other common sites like Amazon, Facebook etc.
People have the habit of using the same email and password on multiple sites, so if one is breached they’re all breached. Even if the attacker didn’t manage to access a working password from the first breach, they may try brute forcing against a mail address by attempting many combinations of common passwords. There are a set of frequently used passwords that appear in data breaches, and attackers will go after these first when they have a set of emails to work against — with a large set of data, there’s a decent chance they will figure out passwords on a percentage of the credentials.
People use common passwords and the same set of credentials because it’s easier for them to remember — they always know what their login is regardless of the site they’re on. But what’s easier for you is easier for an attacker. Thankfully, this is where a password manager comes into play.
A password manager looks after your email and password combinations and lets you generate passwords that are sufficiently strong and random to cause problems for an attacker. I don’t know any of my passwords, as they are impossible to remember; I can only use a password manager to access sites.
- Always use a different password for every website you use. Never reuse the same email/password combination.
- Use a password that is generated for you by a password manager
- Use a password manager on your home, work and mobile devices, and synchronise your password database between all the devices. No matter where you were when you created the password, you’ll have access to it on any device.
There are a number of free and paid-for services for password management — if you’re a bit tech savvy then you can get up and running with the free versions, but paid versions are easier to start using and take care of the data synchronisation between devices. They’re not expensive in the grand scheme of things and the protection they offer is well worth the outlay.
If we all use a password manager, we make credential attacks much harder.
Multi-Factor Authentication (MFA)
MFA is an option on a number of sites — whenever someone attempts to log on using an email/password combination, a notification is sent to the registered mobile device and you then enter some details sent to the device or otherwise respond to the notification. Hackers attempting to brute force accounts by using credential combinations won’t have the device, so they are missing a part of the data needed to log on.
MFA can be thought of as something you know (your password), something you have (a mobile device, for a device code) and/or something you are (biometrics, scanned into your device at challenge time).
If a site supports MFA, you should consider switching it on — it doesn’t impact your daily usage once you are logged in to a site, and closes down brute force attacks against your credentials on that particular site.
Using a password manager will help manage the attack vector against one part of your data, but your email address is the other commonly used piece of information that you input and share in many places, which will be stored in tens or hundreds of company databases around the world. Hopefully, those companies are applying best-practices, encrypting data and making it difficult for an attacker to harvest plain-text details, but it’s not always the case — search for ‘data breaches’ and you’ll see how many times large extracts make the news.
You probably have an email that you use for most things, but a good practice is to have a few addresses and to use them for different purposes. You reduce an attack vector by not using the same email everywhere — you’ve increased the complexity from the point of view of the attacker.
A site that collects information from data breaches is haveibeenpwned, which lets you check your email against known compromises. It’s worth checking your mail address every now and then, and changing passwords if your email is confirmed to have appeared in a breach.
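The email lookup described above needs an account with the service, but haveibeenpwned also offers a Pwned Passwords range API that lets you check whether a password appears in breach dumps without sending the password, or even its full hash, to anyone: you hash the password with SHA-1, send only the first five hex characters, and receive every known hash suffix in that range to compare locally (k-anonymity). The following Python is an added example, not code from the original post or from the haveibeenpwned project. The range response embedded below is constructed for the example (the suffix of SHA-1("password") is included so the lookup finds it, and the breach counts are invented); `live_fetch` shows the real call for readers who want to run it against the service.

```python
"""Breach check for a password with k-anonymity: only a 5-character hash prefix leaves the machine."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body returned by https://api.pwnedpasswords.com/range/5BAA6
# Each line is "<35-char SHA-1 suffix>:<number of breaches it appeared in>". Counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A3C9B93F3F0682250B6CF8331B7EE68ABC:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Map each suffix in a range response to its breach count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breaches the password appeared in (0 = not found).
    `fetch_range` only ever receives the 5-character prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, answering only for the prefix the constructed sample covers."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real call to the Pwned Passwords range API (needs network access)."""
    import urllib.request
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(breach_count("password", offline_fetch))  # 3861493 with the constructed sample
```

The point of the prefix split is that the service learns nothing usable about the password: the five characters you send match roughly one in a million hashes, so it cannot tell which of the hundreds of suffixes it returned you were interested in. A count above zero is a signal to change that password everywhere it is used, which is the same action the post recommends when an email shows up in a breach.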
I recommend signing up to a secure email service (search for ‘secure email provider’) and using that for your more sensitive purposes. There are free offerings that come with some limitations, such as number of mails sent per day or amount of storage in your inbox, but it’s more than adequate for general usage. Personally, I use ProtonMail, which has both a great free offering and well designed interfaces.
- Use a different email address for secure banking, purchasing/e-commerce and social media.
- Use an encrypted mail service for your more secure operations like banking or government sites, and only use it for this purpose. Keep this inbox free from clutter; don’t sign up to mailing lists using this address.
- Check your email address against known breaches. Change your password if it’s confirmed to have been breached.
- Use a temporary mail service (just search for ‘temp mail’, there are lots of free ones) for temporary access where you’re not sure about the site.
The last point is an interesting one, not something I’d recommend everyone does, but it does have its place. Maybe you want one-time access to a bit of information, but the site is forcing you to register. Perhaps you’re in a different country and want to access a Wi-Fi network, but joining the network requires you to use a mail address. These are good opportunities for a temporary email account, which lets you receive emails to a totally random mail address that you don’t actually own. This is handy if the site forces you to validate your email by clicking on a link — you’ll be able to do this as the email is received in the browser.
Sites hate you using temporary mails, and there’s more and more validation going on that rejects them, but they can be a good option in certain scenarios because they reduce the attack surface: your real email is being shared less often, so it’s being stored in fewer databases.
Never use a temp mail for anything other than one-time access that you consider absolutely throwaway. It’s an insecure mail address, and anything you can see, others can see as well. Treat it accordingly.
If emails, passwords and other personal information are valuable to a hacker, obtaining your payment card details is a massive win for them.
When you enter your card details into a site to buy something, you’re trusting that company to do the right thing and store your data safely. Sites that handle payment cards should adhere to the Payment Card Industry Data Security Standard, and companies are audited to ensure they are PCI compliant. That makes sure that well-known companies that make e-commerce their business stick to a standard, and reduces the risk of card fraud. However, it doesn’t stop a hacker setting up a spoof site, with the primary goal of capturing card details from unsuspecting victims.
You should regularly check your bank transactions and look for anything out of the ordinary. If your card is cloned or used fraudulently, you are covered under the Payment Services Regulations and the Consumer Credit Act, but it’s your job to be vigilant and report activity to your bank as soon as possible. With a debit card, money has left your account and it’s then your job to be reimbursed, whereas with a credit card you aren’t going to be paying the bill for a period, so it’s the bank’s money rather than yours that has been initially exploited. (You are jointly liable with the bank under the Consumer Credit Act, but better the bank has to prove you are negligent and force you to pay than you trying to get your money back from the bank.)
More details on what to do if you think you have fallen victim to card fraud can be found here.
- Be careful when shopping on new sites. Are they well known and reputable?
- Make sure the site you’re on is using HTTPS and the certificate is valid. Any site that takes payment details must use HTTPS. Don’t enter card details into a site otherwise. Guidance on checking a site’s connection can be found for Chrome here.
- Consider using a credit card rather than a debit card for online purchases. Put the emphasis on the bank rather than losing money from your current account.
Even if a site is using HTTPS, this doesn’t guarantee everything is above board, but it’s certainly a basic check you can perform. Hackers are nothing if not persistent and can invest time to set up sites that are very convincing at first glance; it’s only when you dig a little deeper that you start to notice the flaws.
This all takes me nicely onto…
One of the attacks that cyber criminals will attempt is a pure numbers game, the carpet-bombing approach. Imagine that an attacker has a set of email addresses they’ve harvested, and they have 100 million emails in that database. If the attacker sends a phishing mail to all addresses, they only have to be successful in 0.01% of attacks and they will have 10,000 people they are attacking. They count on that small percentage where people aren’t as security conscious, or perhaps are more trusting in nature. It helps to be cynical by default, until you’re absolutely sure the communication is OK.
- Be highly suspicious of unsolicited mails
- Don’t click on links or download anything you didn’t ask for
- If something seems too good to be true, it probably is. If someone you’ve never heard of wants to give you a gift or you’ve won a prize in a competition you didn’t enter, then alarm bells should be ringing
- If someone is asking you to give them money, on the promise of more money being sent back to you — let’s face it, that’s not going to happen — it’s very likely a variation of the Advance Fee Scam. Don’t send money to random people, Bitcoin addresses, or any other money transfer service unless you are 100% certain that everything is above board.
- Sites will never ask you to ‘validate your account details’ by entering data. If you’ve followed a link and it’s wanting you to input your password, bank account details, or anything else — don’t!
On point 4, be conscious whenever you are giving your information away. Did you initiate the conversation, or was it unsolicited? What information are they asking for, and why would they need it? Is the website known and trusted? If it’s the first time you’re using a site to buy something, perform a search to see if there have been any reports of bad activity.
Your information is precious and this is what hackers are after, don’t give it away easily.
An example of this, in July 2020, is the Twitter hack which allowed accounts to be compromised and used to send tweets asking for money to be sent to a Bitcoin address, promising that double would be returned. Out of the millions of people who could possibly have seen the tweets, at least 375 did send money, totalling $120,000. That’s all it takes — a combination of large numbers and an Advance Fee Scam.
Be careful of downloads
Hackers will always try and get you to download or run something — they can hide executable code in a number of different formats.
Once code is running on your device, it opens up a whole range of opportunities for a hacker, so avoiding this is really important to keep your details safe.
- Keep your anti-virus definitions up to date.
- Always scan your downloads for malware.
- If you weren’t expecting to run a program, don’t.
- Don’t run any code if you’re not 100% sure it’s trustworthy.
The difference between App and Browser experience on mobile
Ever been browsing a site when you see a popup like ‘this experience is much better in our app, get it from the app store’? Companies prefer you to use their applications, as this gives them much more information about you and how you interact with them. A browser is an untrusted application and by default it has limited access to your phone’s functionality. An application can do much more — it can access your contacts, GPS information and hardware like the microphone or camera. Apps have to ask to be able to do this, but once granted permissions they can fundamentally do much more on your phone than a browser can. They are running code directly on your device.
Some apps provided by large companies have dedicated teams of engineers, checking each others work and constantly improving the applications, fixing bugs and closing out exploits whenever they’re identified. Other apps have a much smaller pool of resources to maintain an app and may not fix issues in a timely manner.
Apps can be exploited remotely and there have been many reported cases where this has happened. One of the more recent examples of this was a WhatsApp exploit that allowed a remote attacker to access controls on the device by simply making a call that didn’t even need to be answered. This exploit has since been shut down, but it goes to show that the more apps you have running code on your phone, the greater your attack surface.
An app will also be generating telemetry about how you are using and interacting with the app. When the app is running, it will be sending packets of data ‘home’ to the app developer’s servers. This is usually harmless and helps the developers make the app better and fix bugs, but it’s another area where unscrupulous individuals could harvest information from your phone.
- Only install applications you trust, from reputable companies/developers. Read reviews before installing.
- Don’t install too many apps; use the browser experience until you’re sure you want the app version.
- Don’t grant an app too many permissions, if you’re not sure why it would need a permission, be suspicious.
Watch out for Apps on social media
Cambridge Analytica has been much in the news and is the subject of a Netflix documentary, The Great Hack. By encouraging a relatively small number of people to fill in a survey, they were able to harvest information from millions of their friends.
Facebook and other social media providers use the concept of a Graph, which builds up connections between you, the things you like, your friends, the things they like, and so on. This builds up a spider’s web of connections across socio-economic groups, allowing an understanding of people with similar interests, political views etc. This is a very powerful tool and is how Facebook sell advertising — you can see how this would be a goldmine for companies who want to target their ads at particular groups of people.
Facebook provides a Graph API, which allows app developers to interact with a user’s connections, often to provide features that make an app useful, but it also made it a target for data harvesting. At the time of writing, Facebook have announced that they will be focusing on privacy in 2019/2020 and will be shutting down some of the exploits that were used as part of the Cambridge Analytica data mining, but it’s important to understand that not all apps are run and maintained by Facebook themselves — it’s easy to create and submit an app to Facebook, and thousands of developers have. In the past, these apps have been gathering data about you, and possibly your friends, and storing that information in databases not operated by Facebook for various purposes.
Ever seen one of your friends suddenly posting strange content, linking to shops with really high discounts? Or perhaps received a message from them in IM, asking you to visit a link or ‘check out this video of you’? They’ve probably clicked into an app, granted too many permissions and allowed it to perform operations on their behalf, using the Facebook APIs.
If you’ve made it this far, you know not to click those links, right? That high discount shop with 90% off for the next 2 hours seems a bit too good to be true.
- Watch out for ‘games’, ‘surveys’ or other spurious apps on Facebook; if it’s not something you really need, it’s probably best to ignore it.
- Check your privacy settings in your social media account pages. Make sure you’re not sharing everything with everyone.
- Don’t give away too much personal information in your profile.
- Watch out for what permissions apps request.
- Keep an eye on what applications you are signed into. Revoke access to apps you no longer use. Check the Apps and Websites tab in your account settings to see what applications are using Facebook tokens, keep this up to date and relevant.
Be Careful on public Wi-Fi
You’re on your way to work and the train you’re on has a Wi-Fi connection — you connect and start browsing. Definitely don’t choose this moment to do banking or submit sensitive data.
Keep your public Wi-Fi usage basic — reading news or articles, videos or other media — try and avoid submitting data and be aware that you know nothing about the network you’ve connected to. Is it secure and maintained? Have you definitely connected to a legitimate network?
Wi-Fi networks by their very nature are publicly accessible and can be prone to attacks. A well known vector against Wi-Fi spots is a Man in the Middle attack, where an attacker can sit between your device and the site you are connecting to. As far as you’re concerned, you’ve connected to a site and everything looks secure, but in fact you could be leaking sensitive information to someone eavesdropping on your traffic.
Some networks are very well set up and less prone to this kind of attack, whilst others may have been set up by someone with limited experience, who hasn’t considered all the attack vectors — but that’s the point. You don’t know enough about the network you’ve connected to, so be cynical, don’t trust and limit the amount of data you put through the network. Keep your sensitive operations limited to networks you know and trust.
As a recap, follow these and you’ll make a hacker’s job harder and reduce the chances of your data being involved in a breach.
- Don’t use the same email and password combination on more than one site. Please don’t do this, you’ll thank me.
- Use a password manager and let the password manager generate strong passwords.
- Use different mail addresses for different purposes, two at a minimum (‘private/sensitive’ for banking and commerce, ‘public’ for social media and general usage).
- Don’t trust unsolicited mails or other communications. Random mail from someone asking you to click a link? Delete! Random message in IM asking you to download something? Delete!
- Be careful when entering card details for purchases. Check sites on first use, and consider using a credit rather than a debit card.
- Don’t download anything you didn’t expect, don’t run downloads before scanning them for malware.
- Don’t grant applications too many permissions. Be wary of social media apps that want permissions, or want to collect data from you.
- Restrict your activities on public Wi-Fi.
- Don’t install too many apps on mobile, use the web browser until you fully trust a site and want a slicker experience from an app.
- Never give your information out when you didn’t initiate the process. If someone is asking you to ‘validate your information’ or ‘confirm your details’, don’t!
If you use your common sense, you can avoid a lot of the pitfalls that allow hackers to easily access information. Be cynical and ask yourself, could this be an exploit, have I performed some basic checks, is this definitely a reputable company? By making it as hard as possible, we make the investment hackers have to put into their attempts more costly and time consuming, with less reward.
If all else fails, you can unplug all your devices, close the curtains and buy a tin foil hat. It helps you sleep at night.
I’m Dylan Morley, one of the Principal Software Engineers at ASOS. I primarily work on the back-end commerce APIs that enable our shopping experience — All views are my own.