Here Are Some Of The Best (And Worst) Ways To Protect Yourself Online
In some ways, online is like the wild west of days gone by. It’s an exciting place to visit, but you place yourself at risk every time you go there. Taking steps to keep yourself safe online should be as automatic as fastening your seat belt when you get into a car, but many people take only rudimentary safety precautions. It’s foolish, but it’s had the beneficial side effect that attention has focused on building security measures that are simple to use and fairly non-intrusive. Google evaluated six security measures to see how they fared against three common security threats.
Google detects and blocks hundreds of thousands of attempts to hijack user accounts every day. The threats come from phishing attacks and bots armed with user passwords that were obtained from corporate security breaches.
Phishing attacks are as common as dirt because they’re easy to carry out and surprisingly effective. Phishing generally involves sending an email that invites the recipient to click on a link that leads to a harmless-looking but malicious website. The website can launch an immediate threat like a ransomware attack, or surreptitiously inject code that steals passwords in order to break into the recipient’s accounts.
Most phishing attacks are sent in bulk to tens or hundreds of thousands of users. They’re usually fairly easy to spot and it’s surprising that so many continue to fall for them. Spear phishing is more insidious and harder to detect. Spear phishing targets individual users. The email often appears to come from a government office, someone the user knows or a trusted source like Google or Amazon. The image at the head of this section shows several examples of man-in-the-middle targeted spear phishing attacks that try to elicit user information by mimicking Google.
Bots are programs that run autonomously. They can make things easier by automating repetitive tasks, but they can also be used for malicious purposes. For example, bots can sit quietly in a user’s system until a network of them is simultaneously activated to launch a denial-of-service attack. Bots can also be a more direct threat by stealing passwords, account and credit card numbers, and other information that needs to be kept secure.
Google evaluated the effectiveness of three device-based security measures and three knowledge-based measures it uses to protect users’ accounts. The device-based measures were a prompt sent directly to the user’s device, an SMS message sent to the user’s phone, and a security key attached to the device. The knowledge-based measures were sending a message to a secure secondary email address, calling a phone number the user has identified as trusted, and comparing the current and most recent sign-in locations. The graphs at the top of this section show how each of these security measures fared against bulk and targeted phishing attacks and automated bots.
As you can see, the device-based security measures were far more effective than the knowledge-based measures. Security keys were rock solid, providing 100% protection against all three threats.
Google’s on-device prompt system came in second with 100% security against automated bots, 99% success against bulk phishing and 90% success against targeted phishing. The old standby SMS two-factor authentication was strong against automated bots and bulk phishing but was only 76% effective against targeted phishing.
The knowledge-based security measures didn’t do nearly as well. A message sent to a secure secondary email address was the best of the lot but it was also the only security measure that didn’t provide 100% protection against automated bots. The other two are better than nothing but not by much.
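Why a security key holds up against targeted phishing where an SMS code does not, as an added illustration that is not part of the original article or of Google’s study: the key signs the site origin the browser actually shows, so a code relayed through a lookalike site fails verification. The two origins and the HMAC stand-in for the key’s real asymmetric signature are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed example, not Google's code. The key's signature is modelled with
# HMAC over a per-credential secret (a stand-in for the real asymmetric
# signature); the origin check is the point being demonstrated.
REAL_ORIGIN = "https://accounts.example.com"     # hypothetical genuine site
PHISH_ORIGIN = "https://accounts-example.com"    # hypothetical lookalike site


def sms_login(site_code: str, code_typed: str) -> bool:
    """Knowledge-based check: the site only compares the code it sent."""
    return hmac.compare_digest(site_code, code_typed)


def relay_sms_phish(site_code: str) -> bool:
    # A lookalike site asks the victim for the code and forwards it verbatim.
    # Nothing ties the code to where it was typed, so the real site accepts it.
    return sms_login(site_code, site_code)


def key_sign(cred_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the challenge together with the origin the
    browser reports, i.e. the site the user is actually looking at."""
    return hmac.new(cred_secret, challenge + origin.encode(), hashlib.sha256).digest()


def key_login(cred_secret: bytes, challenge: bytes, origin_signed: str, sig: bytes) -> bool:
    """Relying party verifies the signature AND that the signed origin is its own."""
    if origin_signed != REAL_ORIGIN:
        return False
    expected = key_sign(cred_secret, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, sig)


def genuine_key_login(cred_secret: bytes) -> bool:
    challenge = os.urandom(32)
    sig = key_sign(cred_secret, challenge, REAL_ORIGIN)
    return key_login(cred_secret, challenge, REAL_ORIGIN, sig)


def relay_key_phish(cred_secret: bytes) -> bool:
    # The lookalike site relays the real challenge, but the browser signs it
    # with the lookalike's origin. Presenting that honestly fails the origin
    # check; relabelling it as the real origin fails the signature check.
    challenge = os.urandom(32)
    sig = key_sign(cred_secret, challenge, PHISH_ORIGIN)
    honest = key_login(cred_secret, challenge, PHISH_ORIGIN, sig)
    relabelled = key_login(cred_secret, challenge, REAL_ORIGIN, sig)
    return honest or relabelled
```

The relayed SMS code is accepted while both relayed security-key attempts are rejected, which is the gap between 76% and 100% in the targeted-phishing column.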
What can you do to increase your online safety?
The data tell the story. If you want premier security, attach a security key to your device. Google sells a Titan Security Key that protects Google, Facebook, Twitter, Dropbox, GitHub, Salesforce and other accounts along with the Android and Chrome operating systems.
If you have a compatible Android phone, you can set it up to receive on-device security prompts from Google. If you don’t have an Android phone or don’t want to receive the on-device prompts, set up some form of two-factor authentication for your important accounts.
There’s another simple thing you can do that makes accounts much more difficult to hijack or hack. Use unique passwords that are hard to guess for all your accounts. Everybody knows this but a lot of people don’t do it. For example, the National Cyber Security Centre in the UK analyzed passwords found in public databases of breached accounts and discovered that 23 million people used “123456” as their password. It’s a pretty safe bet that most of these people used it for more than one account as well.
People often don’t use unique passwords because they think it will be difficult or impossible to remember different passwords for all their accounts. It doesn’t have to be. Here’s a system for creating unique passwords that are easy to remember and hard to guess.
Many people ignore online security until it’s too late and they discover just how damaging identity theft or a hijacked account can be. Don’t be one of those people. Take some basic security precautions to protect yourself while you’re online. Do it now while you’re thinking about it.