On Tuesday, Chief Technology Officer Oskar Stal reported in a blog post that hackers had been detected using one user’s account data, which prompted a mass recommendation that users reset their passwords and update their Android Spotify applications to the latest version. At the time, iOS and Windows users were not going to be affected by the notification, and I don’t have details on whether those who only connected through Facebook authentication are affected. Cyberattacks are more and more frequent, and I am a Spotify user myself, so here are some things to note that help minimize your risk when you hold accounts with companies that get attacked and your credentials could be compromised.
Gone are the days when you could trust a username and password as your only protection. Security questions and answers are just too easily thwarted, with 90% of the information needed being gatherable from social media profiles and other online searches about you. So as an ordinary consumer you should assume that on any given day at least one of your online profiles will be hacked and compromised.
Take that into consideration for everything: if you knew your Facebook account was going to be hacked into tomorrow, what would you do differently? Let’s say you can’t stop it, it will happen, so what would you do to minimize the damage?
Use Unique Passwords
First and foremost: NEVER use the same password on multiple websites. You must use unique and completely unrelated passwords on all sites and profiles, regardless of how inconvenient it is. You would never want a Netflix account compromise to also hand the hacker the password to your bank account. You can use an automated password generator, or you can simply use a scheme you develop yourself, but you must make sure your passwords are not pure dictionary words and do not use any information related to your identity (no birthdays, pets’ names, kids’ names, etc.). Passwords should be an entire phrase that is compressed and consolidated into a password with mixed case, special characters and numbers thrown in.
For example, Marry the Ogre becomes M@rr3D0GR3.
However, this only reduces your risk from a brute force attack or from someone trying to guess their way into your account. It will not stop an attacker if the source accounts themselves are compromised and the stored credentials stolen, hence the next recommendation.
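As an added illustration (my own example code, not anything from Spotify or the post), here is a small Python checker that applies the rules above to a candidate password: it flags a whole dictionary word, identity tokens, a missing character class, and reuse across a per-site vault, and includes a CSPRNG generator for the "automated password generator" option. The word list, identity tokens and vault are constructed sample data.

```python
import secrets
import string

# Constructed sample data (not from the post): a tiny stand-in dictionary and the
# identity facts the post says to keep out of passwords (pet, birth year, child).
DICTIONARY = {"marry", "ogre", "password", "spotify", "netflix", "dragon"}
PERSONAL_INFO = {"rex", "1984", "emma"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def is_dictionary_word(password):
    """True when the whole password is just a dictionary word (case-insensitive)."""
    return password.lower() in DICTIONARY

def contains_personal_info(password):
    """True when any known identity token appears inside the password."""
    low = password.lower()
    return any(token in low for token in PERSONAL_INFO)

def has_mixed_classes(password):
    """True when lower, upper, digit and special characters are all present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)

def reused_elsewhere(password, site, vault):
    """Other sites in the vault already using this exact password."""
    return sorted(s for s, p in vault.items() if s != site and p == password)

def check_password(password, site, vault):
    """Return the post's rules the password breaks for this site (empty list = OK)."""
    problems = []
    if is_dictionary_word(password):
        problems.append("dictionary word")
    if contains_personal_info(password):
        problems.append("personal info")
    if not has_mixed_classes(password):
        problems.append("missing character class")
    reuse = reused_elsewhere(password, site, vault)
    if reuse:
        problems.append("reused on: " + ", ".join(reuse))
    return problems

def generate_password(length=16):
    """Fresh random password from the OS CSPRNG, retried until all classes appear."""
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_mixed_classes(candidate):
            return candidate
```

Running `check_password("M@rr3D0GR3", "spotify", {"netflix": "M@rr3D0GR3", "bank": "M@rr3D0GR3"})` shows the post's own example passes the character-class rule yet still fails on reuse, which is the point of the next section.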
Avoid Keeping Card on File
Hackers will have all the information the provider has, and may have what they need to get past a forgotten-password service or other change-password mechanism. So you simply have to give up a little convenience here: when you purchase items, don’t opt to save your credit card on file, and delete your stored credit card profiles for anything that is not an automated monthly billing subscription, where possible. For those that are monthly billing subscriptions, it is always better to use a credit card instead of your bank check card or debit card. It is easier to dispute charges, and if a hacker steals your information and runs up charges, that is devastating, but not as devastating as them directly draining thousands out of your bank account because you used a check card instead of a credit card.
Change Passwords Frequently
Change passwords routinely. Most often, databases are compromised months before anyone finds out: a breach may be announced in July for data that was stolen in May, so if you are changing your passwords every 2 or 3 months there is a chance the breach only captured a password that is no longer valid.
Opt for the Highest Security Features
Many online companies offer SMS-based additional authentication but merely require you to enable it; by opting in to two-factor authentication mechanisms you are minimizing the chance that a password compromise alone will grant the hacker access to your account. For instance, if you use the Facebook security feature that requires an additional passcode and notifies you when an authentication attempt comes in from an unauthorized device, you will have better protection. Microsoft will send an email to confirm an access code for certain Live access if they don’t recognize the device, which adds a level of authentication to help prevent full account access from just a password compromise as well. You will often have to look in your account settings if you have been with an application for a long time: they may offer new users the advanced authentication features at setup, but they may not go back and remind existing accounts to enable them. Also, if you did set it up previously, make sure the phone and email on file are accurate! When you opened your Facebook account back in 2005, were you using the same email and phone number that it is tied to now? If not, then you need to update it.
Enable Alerts Where Possible
Online banking is huge here: always enable online alerts and set low thresholds. You may be annoyed at getting an email every time a $1 transaction posts, but the day you get an email about a transaction you didn’t make is the day you will be glad you had your alerts set up. Set reasonable alerts and make sure they are working by testing them if you are using customized rules.
Beware Orphaned Applications
How many services have you signed up for over the years that you may never log into again? They hold orphaned profile information and passwords. This is also why you must never re-use passwords and must use a unique password every time: a service you haven’t used in a long time could be compromised, yet the info stored there could compromise your other accounts.
Assume your account will be compromised at some point, so make sure you think about what you are doing to minimize the damage if and when it is.