10 tips on how to protect your personal data online
Published on May 23, 2014 7:00 PM
Visiting a website and putting in personal details is not quite as simple and straight forward as it used to be, with cyber-criminals on the prowl to hack into website databases to steal personal particulars.
On Wednesday, eBay said that its corporate network was hacked and hackers made away with customer details such as their names, encrypted passwords, e-mail addresses, home addresses, and phone numbers. Cyber-security experts said such information, while not financial in nature, could be useful for crooks to send spam e-mails, fill-up bogus applications and more.
What can consumers do to protect their personal data when they are surfing online? The Straits Times speaks to cyber-security experts for some handy tips.
1. Avoid easy-to-guess passwords
One of the cardinal sins when it comes to cyber-security is to use a weak password that is short and made up of words found in the dictionary.
Using passwords that are easy to guess are a no go, too, because it makes it that much easier for cyber-crooks to use software to figure out what consumers' passwords.
Notorious examples to avoid at all cost include: password, 123456, 111111, 123123 abc123, Admin and iloveyou.
These are among the 25 most popular passwords from 2013 compiled by security and productivity software firm SplashData.
2. Get "wacky" with passwords
Cyber-security experts advise using a complex password to secure online accounts.
To make a password strong, Sophos senior security adviser Paul Ducklin suggested using one made up of 12 to 14 characters. It should comprise letters in upper and lower case, numbers and "wacky characters", which could include symbols like %, $, ^, +, - and *.
Ms Macky Cruz, the security focus lead at Trend Micro, said consumers could string a few words from a phrase they can remember easily as a password, and then replace some characters with symbols and use letters in upper and lower case.
Passwords should also be changed on a regular basis, said Mr Eugene Teo, Symantec Singapore's senior manager for security response.
Another good practice is to use a two-factor log-in if it is available, said Mr Teo. This could involve a password and a one-time password generated by a security token.
3. One password for one account
Another bad habit among consumers is to reuse the same password for multiple accounts, said Ms Cruz.
This is problematic because a hacker can use one password to log into a variety of online accounts and pose as the victim. Things get worse if the crook accesses an online account linked to payment methods, as this means he is one step closer to stealing money from the victim.
People who have trouble remembering different passwords for different accounts might want to try out password managers, experts advised. These can use one strong password to manage several online accounts.
4. Revealing your pet's name online may be risky
Perhaps more worrisome is that with access to different online accounts, a hacker can start creating a profile of the victim. The hacker's job is made infinitely easier if a victim publicly shares personal details online such as on social networking sites.
With that information, a crook could use it to guess security questions - such as asking for pet's names a user unwittingly disclosed in a Facebook post - to online accounts to reset a consumer's password.
Users who use personal information as passwords - like their birth dates or pet's names - should be wary of revealing such details online for obvious reasons.
Crooks could also use a consumer's data to craft very targeted e-mails to trick the victim to give-up more personal information.
For instance, the hacker could pose as a Facebook friend and send an e-mail to gush about seeing the victim's selfie on Instagram with a celebrity at a fan meet. The hacker might then urge the victim to check out a link to his own photos from the event.
When the victim clicks the link, he could be sent to a malicious website that automatically downloads malware onto the user's computer. This malware could then start sending the hacker a lot of sensitive information about the user, such as log-in details when he visits a banking website.
5. Information you should avoid sharing
Consumers should avoid storing or sharing credit card information on retail, commerce, or social networking websites, said Mr Teo.
They should also not provide more information than necessary when signing up for an online account. If the information that the website has requested does not make sense, then it probably is.
When posting online, such as on a public forum or mailing list, do not share personal details, he added, because information shared online can remain in cyberspace indefinitely.
6. How to figure out if an e-mail is bogus
Looking at an e-mail sender's name is not a good gauge of whether the mail is bogus because it can look like the real deal.
More telling is the sender's e-mail address. If it looks really strange and unrecognisable, chances are it is not legitimate. Any links and attachments in the e-mail should not be opened as well.
Also, if the message in the e-mail seems very terse and uncharacteristic of a friend, the e-mail is likely to be a fake one.
7. What you should do with bogus e-mail
Such e-mails should not be replied to as well as it can be a signal to hackers that a user's e-mail address is actively checked, so they might send over more spam e-mails.
Organisations typically do not ask for consumers' log-in details, personal details or financial information in e-mails. Hackers do, however.
So, if such e-mails arrive seemingly from a bank or a retailer, they should be deleted. Consumers who are unsure should call up the organisations to check, although dialling numbers in the questionable e-mails should be avoided.
Other tell-tale signs include bad grammar and spelling mistakes in the e-mail message, urgent sounding e-mails, and e-mails from organisations users have no prior relationship with.
8. How to tell if websites and links are legitimate
By hovering the mouse cursor over a web link without clicking it, it is possible to see its Web address. If the address comprises a string of numbers, it is likely a bogus link.
Fake sites and links sometimes have addresses that do not tally with the content or organisation stated in the e-mail. They may also contain spelling mistakes of the organisation's name.
Legitimate sites that are secure also tend to have "https" in their Web addresses instead of just "http".
Many Web browsers can also tell users if a website is legitimate. Typically, if a green padlock appears beside the Web address bar, it means the website has been verified to be run by legitimate organisations and is a secure website.
Mr Teo said some security software can also help verify if a site is a secure or malicious one, as well as determine if websites called up in search engine results are safe to visit.
9. What to do when a website is hacked
If, like in eBay's case, a consumer learns that a website he has an account with has been hacked and personal data could have been stolen, he should change his passwords as soon as possible.
The password should be complex and also not be the same one used for other online accounts.
Ms Cruz advised affected consumers to keep a close watch on their online activities and look out for any strange transactions online or in their bank accounts and credit card statements.
10. Closing an account may not mean end of story
After a data theft incident, some concerned users might close their accounts to limit the risks from hackers taking over their digital lives.
However, it does not necessarily mean the information associated with the compromised account is safe. The data could still be stored somewhere.
Mr Teo said one consideration for users is whether their information on a website is encrypted from one end to another, and stored securely.
Users will have to do their due diligence to check that a website they want to sign up with is trustworthy. They could check out website policies and look at the site's past history to determine if past data breaches or security issues have been reported before, said Mr Teo.