
Many Ways Your Account Can Be Hacked and What to Do About It

Many ways, many protections.

There are many ways accounts can be compromised. There are also many simple ways you can protect yourself.
A giant fishing hook labeled “Login Here” dangles in front of a surprised user character sitting at a desk, with warning icons and blinking red alerts on their screen. Behind the screen, a sneaky figure smirks.
(Image: ChatGPT)

Not a day goes by that we don’t hear about some kind of account compromise or attack. Sometimes it makes the news; sometimes it’s just a friend who mentions account loss in passing. And, of course, if you’re the tech person in your circle of friends, it’s often someone coming to you for help.

Account hacks matter because they lead to things like financial loss, identity theft, and more. And, of course, you lose access to everything that was in the account at the time.

The good news is that there are steps you can take. The even better news is that there’s a good chance you’re already taking many of them.


TL;DR:

Account hacks and what to do about 'em

Bad guys try many tricks to steal your accounts: fake messages, cracking passwords, sneaky software, and more. But you can stay safe by using strong, different passwords, turning on two-factor login, and keeping things up to date. Most of all, be smart, skeptical, and pay attention.

How they get into your accounts

While they’re not targeting you specifically (you’re not that interesting, after all), they do target anyone and everyone. While not limited to this list, these are the most common approaches to account theft.

Phishing

Phishing might be the most common attack vector right now.

You might get an email, text, or even a phone call pretending to be from a person or organization you trust. They send you to a webpage that looks like the real and expected site, into which you need to sign in. Unfortunately, it’s not real at all, and you’ve just handed over your credentials to a hacker.

Social engineering

This is similar to phishing but with a different target. Social engineering is when hackers use psychological influence to get people to do something (like give them a password) or divulge confidential information.

The attacker contacts an organization where you have an account and pretends to be you. If they have enough information about you, or the organization’s security standards are more lax than they should be, or perhaps the customer service rep is just having a bad day, they can convince them to reset your password. This, then, locks you out and lets the attacker in.

SIM swapping

SIM swaps are typically social engineering attacks targeted at gaining access to your mobile phone number.

By convincing the mobile provider’s customer service representative they are you, a hacker can have your mobile number assigned away from your device and to theirs. This gives them access to things like 2FA codes and other recovery methods associated with the number. They use this to “recover” access to your account and set a new password.

Malware and keyloggers

Malicious software, and specifically keyloggers, can harvest sensitive information from your computer.

They arrive like any malware (through malicious downloads or attachments) and set up shop on your computer. Then, as you type account information into a website, the malware records the keystrokes and sends them on to the attacker, who can then use the information to attempt to log in to your account.

Chain of account compromise

This approach allows one compromised account to act as a gateway to compromise additional accounts.

One approach is if you’ve used “login with Google” or similar mechanisms. If your Google account is compromised, then the attacker has access to all the accounts for which you’ve used Google to sign in. Similarly, if your email account is compromised, then the attacker can use access to that account to compromise other accounts where that email address was used as a user ID or as a recovery email.

Bad password hygiene

Weak and reused passwords are a common attack vector.

Obviously, easy-to-guess passwords are, well, easy to guess, and passwords are easier to guess than you might believe. More critically, though, reused passwords — using the same password for multiple different accounts — are one of the most common forms of password-based account theft today. If the password is exposed anywhere, it’s exposed everywhere.

Data breaches

I list this last because it’s rare, though not completely unheard of, that a data breach will result in account compromise.

More pragmatically, the information stolen in a data breach can be used for identity theft or to enable many of the social-engineering-based attacks listed above.

Lock it down

With all those approaches to getting in, we need several tactics to lock down and protect our digital world. Hopefully, you’re already doing most of these.

Use a password manager

Using a password manager is more than just a convenience: it enables you to use complex passwords you could never memorize yourself, and use a different password on every site you visit. There are many other conveniences, of course, but enabling those two aspects of password hygiene is by far the most important reason to use a password manager.
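The two habits described above (a different password on every site, and a password you could never memorize) and the “exposed anywhere, exposed everywhere” problem from the password hygiene section can be shown concretely. The following is an added example, not code from the article or from any password manager: it generates a random password the way a manager does, finds passwords reused across a small vault, and checks that vault against a breach list using only a hash prefix so the password itself is never sent anywhere. The vault, the breach list, and the character set are constructed for the example.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Character set a password manager might draw from (an assumption; managers vary).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), as a password manager would produce.
    Loops until every character class is present so sites with composition rules accept it."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        has_lower = any(c.islower() for c in pw)
        has_upper = any(c.isupper() for c in pw)
        has_digit = any(c.isdigit() for c in pw)
        has_symbol = any(not c.isalnum() for c in pw)
        if has_lower and has_upper and has_digit and has_symbol:
            return pw


def find_reused(vault: dict) -> dict:
    """Map every password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def sha1_prefix_and_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of a password into its 5-character prefix and the remainder."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix: str, breach_hashes: set) -> set:
    """Stand-in for a range query against a breach corpus: given only a hash prefix,
    return the suffixes of every breached hash that shares it. The caller compares
    locally, so the full password (and even its full hash) is never disclosed."""
    return {h[5:] for h in breach_hashes if h.startswith(prefix)}


def breached_sites(vault: dict, breach_hashes: set) -> list:
    """Sites whose password appears in the breach corpus."""
    hits = []
    for site, pw in vault.items():
        prefix, suffix = sha1_prefix_and_suffix(pw)
        if suffix in lookup_range(prefix, breach_hashes):
            hits.append(site)
    return sorted(hits)


# Constructed sample data: a vault that reuses one password, and a tiny "breach corpus"
# built from made-up leaked passwords (real breach services publish hashes, not plaintext).
SAMPLE_VAULT = {
    "mail.example": "Summer2024!",
    "bank.example": "Summer2024!",
    "shop.example": "Summer2024!",
    "forum.example": "q7#Vt9$mLp2@Rz8wXn4!",
}
BREACH_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "Summer2024!")
}

if __name__ == "__main__":
    print("reused:", find_reused(SAMPLE_VAULT))
    print("found in breach corpus:", breached_sites(SAMPLE_VAULT, BREACH_HASHES))
    print("replacement:", generate_password())
```

Running it reports the three sites sharing “Summer2024!”, shows that the same three sites are the ones whose password is in the breach list (one exposure, three compromised accounts), and prints a fresh random replacement. The prefix-only lookup is the design point: a reuse check can be done against a breach corpus without revealing the password to whoever holds that corpus.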

Two-factor authentication

The next most important thing you can do is to enable two-factor authentication (2FA) on every account that supports it. Even if someone knows your password, they’ll still not be able to get in. 2FA need not be a burden, as it’s only required the first time you sign into a site on a new device or browser. The fear of losing your second factor is also overstated, as you’ll establish recovery information when you set it up.

Set up and maintain recovery information

If your account does get compromised, you’ll want to get back in as soon as possible. That’s where your recovery information — additional phone numbers, email addresses, and codes — comes into play. Your ability to access, respond, or provide recovery information is that additional layer of proof that you are the rightful account holder and should be let back in. Without it, a compromised account can be lost forever.

Beware the unexpected

Whenever you get a message or phone call from someone or someplace you don’t recognize or didn’t expect, always be extra skeptical. Double-check that the sender is legitimate (confirming things like email addresses used or even contacting the “real” person via another channel) and that any links involved go exactly where you would expect for the situation.
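The two checks above (is the sender really who it claims to be, and does the link really go where you expect) can be made mechanical. The following is an added example, not code from the article: it parses a link and decides whether its host is the expected domain or a subdomain of it, and it reads the actual address out of a From: header rather than the display name. The expected domain, the sample links, and the sample headers are constructed; even a matching sender domain is not proof the message is genuine, which is why the article recommends confirming through another channel.

```python
from email.utils import parseaddr
from typing import Optional, Tuple
from urllib.parse import urlsplit


def host_belongs_to(host: Optional[str], expected_domain: str) -> bool:
    """True only if host IS expected_domain or a subdomain of it (match on a label boundary,
    so 'expected.com.something.else' does not pass)."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected_domain: str) -> Tuple[bool, str]:
    """Decide whether a link really goes to the domain you expect, with a reason."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % parts.scheme
    # .hostname strips any 'something@' prefix and any port, which a plain substring
    # search for the expected name in the URL would not.
    host = parts.hostname
    if not host_belongs_to(host, expected_domain):
        return False, "host %r is not %s or a subdomain of it" % (host, expected_domain)
    return True, "host %r is under %s" % (host, expected_domain)


def sender_domain_matches(from_header: str, expected_domain: str) -> bool:
    """Check the address part of a From: header, not the display name. Headers can be
    forged, so a match is a necessary check, not a sufficient one."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return False
    return host_belongs_to(address.rsplit("@", 1)[1], expected_domain)


# Constructed samples: the domain you expect, and links/headers as they might appear in a message.
EXPECTED = "example-bank.com"
SAMPLE_LINKS = [
    "https://login.example-bank.com/session?id=42",
    "https://example-bank.com.verify-login.example/session",
    "https://example-bank.com@verify-login.example/session",
    "http://example-bank.com/session",
]
SAMPLE_FROM_HEADERS = [
    "Example Bank <alerts@example-bank.com>",
    "Example Bank Security <mailbox@verify-login.example>",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_link(link, EXPECTED)
        print("OK  " if ok else "STOP", link, "->", why)
    for header in SAMPLE_FROM_HEADERS:
        print("sender matches" if sender_domain_matches(header, EXPECTED) else "sender differs", "|", header)
```

Only the first link passes. The second and third contain the expected name but are hosted elsewhere, and the fourth is not HTTPS. For the headers, only the address inside the angle brackets counts; a friendly display name is not evidence of anything.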

Update, update, and update again

I know, I know, we keep hearing about machines and devices having problems after an update. (Remember, news is news because it’s uncommon.) I’ve even said that you can keep using Windows 10 safely after updates stop. But staying up-to-date remains an important part of your overall strategy, and you’re safer if you do than if you don’t. (Just take a backup before major updates, just in case.)

Review your accounts periodically

If an online account offers it (most do not), check where the service thinks you’ve signed in from in recent weeks or months. The location won’t be terribly accurate (mine is dozens of miles off), but if it lists you as having signed in from a different country that you’ve never been to, it’s time to take action and secure your account. Similarly, check your credit card accounts periodically to ensure all the charges listed are charges you recognize.
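The review described above (ignore city-level noise, act on a country you have never been to) can be run over an activity export rather than eyeballed. The following is an added example, not code from the article or from any provider’s activity page: the pipe-separated export format, the sample sign-ins, and the set of countries the account holder has actually visited are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set


@dataclass(frozen=True)
class SignIn:
    when: datetime
    country: str  # two-letter country code as the provider reports it
    city: str     # provider's geolocation guess; often dozens of miles off
    device: str


def parse_activity(export: str) -> List[SignIn]:
    """Parse constructed export lines of the form: timestamp | country | city | device."""
    events = []
    for line in export.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, country, city, device = (field.strip() for field in line.split("|"))
        events.append(SignIn(datetime.fromisoformat(when), country.upper(), city, device))
    return events


def sign_ins_by_country(events: List[SignIn]) -> dict:
    """Quick overview for a periodic review: how many sign-ins came from each country."""
    return dict(Counter(e.country for e in events))


def unexpected_sign_ins(events: List[SignIn], places_i_have_been: Set[str]) -> List[SignIn]:
    """Report only sign-ins from a country the account holder has never been to.
    City mismatches are deliberately ignored because geolocation is imprecise."""
    home = {c.upper() for c in places_i_have_been}
    return [e for e in events if e.country not in home]


# Constructed sample of a "recent sign-in activity" export.
SAMPLE_EXPORT = """
# timestamp            | country | city        | device
2025-06-01T08:02:00    | US      | Woodinville | Windows PC
2025-06-01T08:05:00    | US      | Seattle     | Windows PC
2025-06-03T22:41:00    | US      | Bellevue    | iPhone
2025-06-04T03:17:00    | NG      | Lagos       | Android phone
2025-06-04T03:19:00    | NG      | Lagos       | Android phone
"""

if __name__ == "__main__":
    events = parse_activity(SAMPLE_EXPORT)
    print("sign-ins by country:", sign_ins_by_country(events))
    for e in unexpected_sign_ins(events, {"US"}):
        print("REVIEW:", e.when.isoformat(), e.country, e.city, e.device)
```

The Seattle and Bellevue entries are the “dozens of miles off” case and are left alone; the two Lagos entries from a device never seen before are the ones that warrant changing the password and checking recovery settings.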

Lock your mobile account

Setting an additional PIN or password with your mobile account helps prevent SIM swaps. This is separate from your online account sign-in password and would need to be provided before any account change (possibly with the exception of in-person changes with appropriate ID). For example, if you do get a new phone, it won’t be enough to sign into your account to move your number to it; you’ll need to talk to a customer service representative and provide this additional PIN.

Do this

It may feel like there’s a lot to be afraid of, but as long as you keep the possibilities in mind and prioritize security, a few simple habits can go a long way to keeping your accounts secure without being an excessive burden.



4 comments on “Many Ways Your Account Can Be Hacked and What to Do About It”

  1. Why is there a window on the left of the page that partially covers your article? And there's no way to close it.
  2. Great summary of the landscape of current risks and mitigations.

    I’m a bit surprised that your only mention of back-up was related to major updates. You normally highlight backups in general.
    • If you perform regular system image and daily incremental backups as Leo constantly harps on, you wouldn’t even have to think about backing up before an update. It would have backed up automatically the previous day and articles telling you to back up before an update would be unnecessary as you’d always be backed up.
