Before we start on what sounds like a boring topic, here’s a story that should help make it more interesting.
After work, Dan decides to indulge in a quiet cup of coffee in his favorite local shop with free Wifi. Opening his laptop, he notices a guy nearby hunched over working intently on a laptop. He must be a hardcore techie because his computer is covered with stickers and has a small antenna attached to it. The heavy metal band logo on his hoodie confirms Dan’s suspicions. A moment later, a beep from Dan’s phone reminds him that he has at least a dozen personal messages to read so he connects to the first network on the list “Free Coffee Shop WiFi.”
As he waits for the webpage to load, he thinks, “How strange, yesterday it was just called Coffee Shop WiFi, maybe they want people to know that it’s really free?” Soon he sees the familiar login page and signs into Gmail. It rejects his password. That’s also strange, he was so careful to type it correctly. He enters it again and it works. Annoyed now, he chalks it up to his new crazy complex password that he is using for his most valuable accounts. “Oh well, can’t be too safe these days.” Somebody at work suggested a password manager, but who has time for that nonsense. Besides, typing it once a month is no big deal.
You probably know where this story is going. Dan has just been hacked and his Gmail login and password stolen. As soon as he leaves, the hacker will change it to prevent Dan from getting back in and try to access his bank, social media, etc. Dan won’t get the warning emails because he can’t access his account anymore. The hacker has reported his phone lost and erased it remotely.
Hopefully, this story demonstrates the need for something security professionals call “layered security.” It’s actually not that hard to implement. Earlier parts of this series have already discussed parts of the technique such as confirming the website address in the browser, HTTPS security, strong/unique passwords, and using a password manager. In this case, a password manager would have prevented the hacker from stealing Dan’s password. How? Since it wouldn’t have entered the password because the hacker’s fake login screen wouldn’t have matched the website used when the password was stored. A password manager can also prevent a hacker from video recording Dan’s fingers typing his password. Oh, those clever hackers!
To wrap up this post, below is a summary of the layers of security involved in Dan’s sad story and the associated parts of this series of posts.
- Part 8 – The next post will explain why a Virtual Private Network (VPN) should always be used on public Wifi to avoid others eavesdropping. Remember, most of the time hackers are not looking to hack you personally, they are looking for easy targets.
- Part 3 – Never reuse passwords across sensitive accounts.
- Part 2 – Look for secure connections to websites (the padlock symbol = HTTPS) and logout when done.
- Part 4 – Use a password manager and secure it with a unique, very strong password. Below is a comic strip that explains how and why courtesy of XKCD.
- Part 10 – Use something called two factor authentication (2FA) to secure your most sensitive accounts. 2FA stops hackers by requiring “two factors” to login, typically something you know (such as a password) and something you have such as your cellphone (a code received as a text message).