The internet is often described in ways that make us think of it as another world or place. Cyberspace, virtual reality, ‘the web’ and that when we ‘go online’ we’re in a state of travel. Really though, the internet is just another way of connecting with information and other people, albeit the most immersive and creative way ever invented, but it’s very much part of the fabric of this world, not another. Those names and faces that we see online are real people, some of them good and some of them bad and both are often inclined to alter their identity.
Since bad news sells, particularly if you get all your information from the papers, you might think that the internet is awash with bad people doing bad things and therefore the internet itself is bad. Fortunately most people realise that plenty of good can, and is, done as a result of the internet and try to take a more balanced approach.
Protection Beats Cure
That said, it’s important to be wary. Like real-world crimes, the risk of the bad things that can happen is much reduced if you take basic protective measures online. A professional car thief can usually bypass any level of security yes, but the far more common opportunist will simply check every car until he or she finds one that has been left unlocked.
Online it’s exactly the same, except the bad guys can scan millions of accounts or connected computers over very short periods of time looking for those without adequate security and many people do not know how to secure their computers and accounts in the way that keeping the car locked is now common sense. Worse, many don’t notice when they have been compromised!
So, the purpose of this post is to advise you how to ensure that the home computer is protected and then how to ensure each of the most popular web services that you use is also as safe as possible from the bad guys.
Secure Your Computer Before Going Online
Antivirus companies have their work cut out these days. Once upon a time an antivirus scanner just downloaded a list of the known computer viruses and once or twice a day and checked to see if any were present on the computer. A connection to the internet opens up the potential for creative bad guys to try all manner of exploits to get at important information on your computer, or perhaps even take control of it. Computer viruses don’t set out to break our computers anymore, they hunt for bank details, passwords, remote controls for use in an attack elsewhere - stuff we’d never notice whilst using that same computer to look at Facebook and check our finances.
So what can we do? Well, the good news is you don’t have to pay a lot for a good antivirus product. In fact, you can give your computer excellent protection without spending a penny!
Most of the main vendors have a free product (for personal use), providing basic protection and then levels of product above and beyond for a modest sum. For example Avast comes highly recommended and the basic version includes virus and spyware protection in the form of a traditional scanner. By spending a bit more you get identity management tools, warnings about dodgy websites before you happen to click on them and SPAM blockers to keep the noise down in your inbox.
If you’re a generally confident user, or know how to recover from viruses yourself then trying out the free ones is a good place to start and possibly stay. Other leading products include AVG Antivirus and Microsoft Security Essentials. Moving up to the Pro versions of these products, spending between £25 and £30 would be advisable for novice users, particularly those that expect to pay for PC support when things do go wrong.
Installing a good antivirus product, particularly for Windows computers is the best way to secure yourself when you go online. We’re about to talk about how to make sure your web services are now kept safe, but most good practise is for nothing if the machine you’re accessing them with has been compromised.
Securing Gmail and Your Other Google Services
Google dominates the web and for good reason. It found a way to give away largely excellent services to millions of online users and make a lot of money out of it. Some of the more cynical commentators say that Google is not a tech company, it’s an advertising agency. Whatever they are, I know that when I need a map, I look at Google Maps, my email is Gmail and I’m writing this in Google Drive, as it’s a decent word processor that I can access from any of my devices.
A large amount of the information I keep within my Google account is quite important. In fact, I can also log into several other web-based services using my Google credentials, so it’s starting to become a key part of my online identity. Certainly it’s the one I’d be most concerned about (after my bank details) were the password to fall into the hands of the villains.
So how to keep it safe? Well, first is that password. I often read advice that suggests you should have a different password for each any every account. I personally believe this is a security flaw, because people who attempt this either get fed up with managing it all and replace with a single, easy to remember (and therefore guess) one, or start to write them all down somewhere (usually a post-it on the computer monitor, or worse a text document on the computer) and achieve no real security at all!
I try to fall somewhere between a single password and having too many, but I make sure that the really important sites do not overlap. Don’t make your email one the same as your bank one for example. If someone cracks your email, within minutes they’ll likely know your bank and in a few more seconds they’re into that too. Perhaps a few sites that don’t mean disaster though could share and leave you able to manage a smaller amount of passwords in your head.
Most people know not to make the password a word that could be easily guessed, but if you can, don’t make it a word at all. Have a simple code where a symbol always replaces a letter, not zero for an ‘o’, but perhaps a comma replaces the first and second vowel, so that on the screen it’s not an actual word that you’ve typed. Even a basic one will foil the common ‘dictionary attack’ where viruses use long lists of words are used to try and break in by hacking programs.
Always Use HTTPS
I try to stick to my site’s strapline of ‘Enjoy technology without having to learn a new language’ and I'm not about to drone on about how HTTPS works, but know this, it’s the most secure way to send data over the internet and with Google, you can enable this easily.
From Gmail, click on the Settings cog at the top right of your email list
Under General look for Browser Connection and select Always use HTTPS
Scroll down to the bottom of the window and press the Save Changes button
One word of warning; if you use a lot of devices to check your mail, it’s possible that one won’t like this type of connection. If you see a device stop connecting to your email, you may decide to switch it back off again. If everything is looking good though, it’s well worth leaving this on.
So you’ve got a clean computer, a strong password and a secured internet connection to Google. It all sounds pretty protected now, but there is one last, very simple step that you can take to really feel confident that only you ever see your account and that’s two-step verification.
Basically, you register your mobile phone with Google and whenever you connect to your account from a new computer, Google will text you a unique code that must be entered alongside your password. That computer can then be registered as ‘safe’, so you don’t have to do this every time or, left open (say on shared computers) so that whomever is logging in not only has to have your password, they also have to have your phone. Ingenious, relatively convenient and very secure.
Here’s a link to Google’s support page to learn more and assist with the setup:
Whilst setup is easy, this is a relatively new feature and some devices and apps don’t support it. If you use an unsupported app or device, Google will alert you and give you steps for setting up a special password for those devices. Equally, when you can’t get at an SMS for the code whilst using a new device (perhaps when travelling) this could get annoying. If you’re prepared though, it is possible to print out a list of ten codes from Google to use in these situations.
As you can see, 2-step is a bit more effort, but the reward is an account you KNOW is secured.
Yahoo help us demonstrate the importance of protecting your accounts by showing that they allow you to sign in with your Google or Facebook account. We’d better look at Facebook next.
HTTPS (SSL) - JP breaks his Jargon Promise
Once in, Yahoo has made sure it’s kept up with the competition and SSL is available by pressing the settings cog at the top right of the screen and then choose Mail Options.
The last option is ‘Turn on SSL’ which is a simple checkbox and then press the orange Save button back at the top. This will give you that all important secured connection. That and a good password gives you a solid chance of never succuming to the hackers (so long as you don’t ever, ever ever ever give your password to anyone under any circumstances).
The Sign-In Seal
Don’t go worrying that Yahoo have gone and invented some awful ‘Disney-style’ character who will pop up and annoy you about security whilst making bad jokes about fish. The sign-in seal is a neat idea where you can either upload an image of your choice, or come up with a text phrase that is your ‘seal’. Then, on any Yahoo site that you visit from that computer, the seal will be displayed and you know that you’re on a genuine Yahoo site, for example when you click on a link. It won’t protect you on public computers, but it’s worth setting up on each of your home machines.
Like Google, Yahoo will let you use a code sent over text message to your mobile phone act as a second stage password when logging in. Each computer you use regularly can be trusted, new ones need a code. Like Google, this can be trickier to manage when you don’t have your phone with you, but if you’re really keen to know for sure that only you are accessing your account, this is worth the effort.
Facebook for many people IS their online identity. Not only is there an awful lot of information about you in your account (which FB the company are getting ever more inventive at monetising) there are direct links to all your friends. This all adds up to mean there is a lot of potential for loss and embarrassment should your account details fall into the wrong hands.
Fortunately Facebook have done plenty to ensure that you have every opportunity to protect yourself.
Good design standards means that, like the above, it’s the cog button that gets you into settings and then Account Settings. The first thing you’ll see is when you last changed your password. It’s generally considered good practice to change regularly and, for all my research, I’ve learned that I’ve reset my Facebook password precisely, er, no times...
After the password has been reset, you can elect to have all your devices currently logged into Facebook to be kicked out, ready for you to return with the new password, or let them stay logged in. Having just practised what I’m preaching, I’ve elected to log-out all devices and I’ll go round and do them again, just in case. 10 mins later, Facebook have emailed me to inform me of the password change. Excellent service Facebook!
On the left, you’ll notice a link to Security settings
Click on this and all the additional security tools available are listed in the one place.
Secure browsing switches on the HTTPS/SSL browser connection, which means information flowing between your computer and the Facebook server is private and really should be in the ON position.
Login approvals is a tool which, like the two-factor authentication employed by Yahoo and Google means you can register your computers with Facebook and then, any time an attempt is made to access your Facebook by another computer, a security code sent over mobile text message is needed.
If you use your Facebook account to access other services, for example Spotify or Yahoo, then you’ll also need to setup App Passwords, which, rather than having codes come to the phone, you set them up via the browser and approve each app, one by one. Facebook seem to have gone the furthest to make this an easy process, so I recommend giving it a try. Then you can use your Facebook account to sign into other services with confidence.
Twitter is another interesting beast. Less of a service and more of a digital expression of who you are and what you’re thinking. It’s also a service that you can open up to myriad other services. For example, I can tweet directly from my smartphone news-reading app so that I can share interesting stories direct to Twitter and even my iPad has a direct connection so I can tweet without having to visit the site.
All of these services ask you for permission to access, but Twitter make it easy for you to check the list of services with these rights approved and you can revoke any that you don’t recognise, or perhaps that you don’t use any more.
Again, the settings cog is there (I’d never noticed before writing this, all the sites seemed to have agreed on the settings cog!) and you can click on Settings and then Apps to review this list.
I had written a short comment here on Twitter not having a two-stage authentication, but this week that changed and you can now check ‘Require a verification code when I sign in’. You’ll need to register your phone, which involves sending a text message to Twitter, which may cost if you don’t have free messages left in your account, but there is no premium attached.
Once activated, take the time to set permissions for what Twitter will do with your mobile number. I’ve turned it all off, but if you don’t have a smartphone, it may be nice to get text alerts when something happens on Twitter.
You can now switch on the two-factor authentication and generate a password for the other services that you’ve signed up to using your Twitter account.
Shut That Door
So there it is. With each of these major services, it’s possible to leave the door open by giving every account the same simple password, or ramp it right up to Fort Knox like security with regular password changes, an HTTPS/SSL connection and two-factor authentication along with a good antivirus product on your computer. All of these should be considered must-haves at a time when one of the big growth markets is online fraud. Take these steps and you should find the bad guys move on to an easier target and, sadly, whilst there is chocolate, there will be plenty of those: http://news.bbc.co.uk/1/hi/technology/3639679.stm