When it comes to online security, I can safely say this is something I have been quite lax with. I’m sure many of you are in the same boat. But after reading a few different articles lately about what information is actually out there on the internet, I decided to change my stance somewhat. I’m starting to look a little closer at what I can do to try and protect myself as much as possible.

The Problem With Online Information

The problem we have is that once something is put onto the internet, it’s VERY difficult to remove it. Although the website that originally had the information my not exist anymore, there is a good chance that services such as Google Cached Pages have archived this information so it will continue to be available for years to come. For some data, page caching is great! For your personal data, not so great.

“My Password Is Strong, I’m Happy”

Lets assume we have a lot of personal information available on the internet. “So what?” you may ask. I used to ask the same question. No one knows my passwords, my Pin numbers or have access to my email account so what can they do?

We use passwords to access pretty much our online accounts, ranging from Facebook to online shopping to online banking. I can probably guarantee you that most of you re-use the same password across many of these websites. It’s got to the point where you have so many accounts it would be almost impossible not to. Whilst this is by no means ideal and very insecure, especially if one of the sites you frequent is compromised by hackers, it might just be secure enough for most of us as a good password isn’t easy to hack. However, regardless of the strength of your password, a major the security weakness is the processes that are put in place to check that you are who you say you are when you have ‘forgotten’ your password.

There are many good, secure password managers available that you can use to avoid using the same password over and over. LastPass and KeePass are a couple of good examples.

You’ll Never Forget Your First Pet

The type of checks I am referring to are the ‘Secret answers’ to generic security questions that we often have to fill in when we are signing up for online accounts. For example:

• What is the name of your first pet?
• What was your first car?
• What was the name of your first school?
• What year were you born in?

I’m sure you all recognise these questions. It’s the continued reliance by many websites on these types of questions that is the weakest link to our online security. Knowing the answers to these ‘simple’ questions will usually get you access to your online account. Someone else knowing the answers to these questions will get them access to your online account.

Social Engineering

Online security has come on leaps and bounds in the last 5 years. There have been a lot of new technologies introduced to help keep our personal information secure and for the most part they seem to be doing a good job of it. One of the most popular ways to add another layer of security when online is the use of Two-Factor Authentication. If you use a small device that generates numbers to access your online bank accounts, you are already using two-factor authentication. You don’t always need to have a physical device for Two-Factor Authentication, your smartphone can also work in a similar way. Checkout Google 2-step Verification as a good example.

Regardless of technology advances the biggest problem we have around online security,  is You. And the main issue both we and our employers face is Social Engineering.

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

Putting It All Together

Armed with your personal data found publicly on the internet an attacker can often easily answer many of those simple ‘Security’ questions without even speaking to you. Many answers can be found via peoples Facebook profiles. I recently posted a simple article with tips on Increasing your Facebook Privacy that will help reduce the amount of personal data members of the pubic can view from your Facebook profile.

If there isn’t specific information available online that an attacker might need, it can be quite easy for them to Social Engineer a conversation with you to find out the extra information. Quite often these conversation will not take place in person as we are taught from a young age ‘not to talk to strangers’. However, do we follow this advice online? How many of us have had conversations on a Facebook group page with a complete stranger? I would imagine, most of us. This is when it becomes easy for someone who we don’t even know to engage us in a conversation about something as mundane as their dog. As the conversation progesses at some point they may ask if you’ve had pets – before you know it they know the name of your first pet. It’s that easy. Such an innocent conversation about dogs can give them enough information to access one of your online accounts. And many of use wouldn’t even notice what we’d even told them.

So How Can We Protect Ourselves?

To project ourselves, we should lie on our security questions, DO NOT USE REAL ANSWERS. It’s as simple as that and it’s a system I have been using for some time now. Make up a pet’s name that you will only use for online accounts. Websites do not know the name of your first pet. They will not know if you’re lying. Brittany Spears could have been the name of your first pet, the website is not to know that and quite frankly doesn’t care. It’s just a simple word match process.

Do this for every question, even your date of birth. Personally I use something like 01/01/91 as it’s easy to remember, but feel free to chose your own date. Your first car, put in your favourite car that you’ll never be able to afford. That way if someone was to have access to your Facebook photos and find out what your first car was from some old photos, they would always get that security question.

NOTE: For some online account such as bank accounts, the security questions such as ‘date of birth’ will need to actually be your official DOB as it’s legally part of the Banks process.

It’s a simple concept, but one that could help you be just that little bit more secure as more and more of ours life goes online.