“Hack-Proof” Your Life

I’m going to teach you to avoid 5 common security problems and to keep your email as secure as possible.

How do you prevent people from hacking your email?

Email contains access to nearly all of our online services, banks, shopping accounts, credit cards, utilities, and even health info is stored in our email or can be accessed via email. Let’s say that you use Google Chrome and store all of your website passwords in Chrome – if someone gets into your email, they can get into all of your saved passwords by signing into your Chrome account on their computer.

You know these prompts?

prevent-hackers-from-hacking-email

Let’s go over my 5 solutions to problems that make most email accounts easily-hackable.

Problem # 1 – “I have a really strong password… that I use everywhere.”

Almost everyone I know use the same password everywhere. But they say “oh, don’t worry… It’s a ‘good password'” or “I know I shouldn’t do this but…”

Newsflash: if you use the same password everywhere – it almost doesn’t matter how strong that password is – it is not a “good one” anymore.

It is very likely that you have used your password on a site that was compromised. Maybe you bought something at target.com or on Sony Playstation – two of the largest hacks in history. There are 100’s of other websites that are compromised daily which you probably use all the time and will hear about being hacked.

Solution #1 – Get a password manager.

If you are not using a password manager – get one today. I recommend LastPass (freemium), 1Password (30 day free trial), or Keepass (open-source). Password managers allow you to store and generate different passwords for each of your sites stored in an encrypted database – all you need to remember is your unique master password (or a fingerprint on biometric mobile devices). They will also warn you if you have over-used the same password.

Here is a great video that covers all 3 of the best password managers.

Problem #2 – “What is Two-Factor Authentication (2FA)?”

If you have no idea what Two-Factor Authentication (2FA) is, then you are probably not using it where you need to be. Right now, if someone is able to guess or learn your password, then they can login to your accounts, reset things, and lock you out of your own account potentially costing you time and money to recover.

Two-factor authentication is when a site requires you to use a separate device to login to it. Back in the 80’s and 90’s – 2FA devices looked like this:

two-factor-authentication-prevents-hackers

Starting in 2013, many major sites began to support sending a verification code to your phone when you sign into an account. You could get this verification code in the form of a text or email or have a special app such as Google Authenticator or Authy.

Solution #2 – Get 2FA Setup Everywhere.

This is probably one of the best things you can do for your online email or website security. Here is a site where you can search to see which of your accounts/sites are able to use 2FA. The results look like this:

2fa-search-gmail-security-hackers

Personally, I prefer software tokens over SMS, phones, or hardware tokens (these can incur charges).

You can easily Google search “how to setup 2FA on <insert name of site or service here>” – for instance, to enable Two-Factor Auth on Gmail, you would search: how to setup 2FA on Gmail.

Problem #3 – “I clicked something weird that my friend sent me. Was that wrong?”

Phishing is the most common way that people are tricked into giving up their email passwords. Phishing occurs when someone sends a fake email or link that asks you to send your password or sign in to a seemingly legit page to retrieve a document or message from someone you know.

Many, many times I have gotten a massive email from someone I know sending me a “document” that requires me to sign in to retrieve it.

If you sign into one of these pages, you will be handing them your password.

Below is an example of a really well designed phishing page that started circulating about 2 years ago. When I first saw this one, I thought “Wow, this is really convincing for people. There are so many options for me to sign in!”

phishing-site-example-email-security-password-stealing

What happens if you enter your email and password into one of these sites?

The first thing that happens when your email and password is entered into a phishing site is that a computer program will log into your email account rapidly send a link to all of your friends, family, and the 20000 other people in your contacts so that they can collect more emails and passwords.

Secondary attacks can include using the email address and (get ready) SAME PASSWORD for all of the most common sites or services – Apple, Amazon, Twitter, Facebook, GoDaddy… to see what else they can acquire.

Phishing attacks have become more and more sophisticated (and lucrative), but also  difficult to detect. If you educate yourself on some basics, you will be able to avoid them.

Solution #3 – Educate yourself and the people around you on phishing sites and emails

Below is an amazing video about phishing that everyone should watch. If everyone and their parents spent 5 minutes watching this video – the world would be a safer place. If you even watch this video one time, you will know more about how simple phishing works so that you will be able to protect yourself from phishing attacks.

tl;dr – If you are questioning a site’s legitimacy, DO NOT TYPE ANYTHING – everything you type may be captured even if you do not submit the data. If you are wondering if the site is legit – check the URL – you can even enter it into a URL security checking site.

Problem #4 – “I used a public or shared computer and now my email is sending lots of spam.”

This is more common than you would think. Email passwords can be captured by either hardware or software methods. Software includes programs called “malware” or “spyware” which are designed to sit on your computer undetected and wait to capture something juicy like an email password – then send that data to a remote database. Even still, attackers might hold on to that data for months before acting on it.

Computers can be infected with all kinds of programs to monitor every letter you press, every number that you type, and even things you say could be recorded by software. There are also hardware keyloggers which look like a keyboard or a USB port (see example below of a keygrabbing device below).

keygrabber-keylogger-email-password-security

The keygrabber/logger collects data into a text file. The more sophisticated ones send it to a remote server – an example of captured data might look like this:

email-password-security-grab-text-typed

As you can see, everything that has been typed by the user has been captured and recorded.

Solution #4 – Do not type your password into other computers.

Typing your personal info into someone else’s computer can be a very high-risk activity – especially for your email password. Don’t do it. Do not sign into your account on someone else’s computer. Especially if it is running Windows XP… or any version of Microsoft Windows or OS X – Dell, HP, Apple – it does not matter. Malware exists for every operating system (even Linux is not totally secure).

Don’t use public PCs or other people’s computers to check your email. Not even their work computers. Many corporate networks can be compromised for months and even years and never go discovered. Often, if there is ransomware or some other loudly announced infection – the actual penetration had occurred long before the incident is discovered.

Problem #5 – “Oops, I signed into a free WiFi signal at the airport…”

Networks that are encrypted using only digits (WEP) or networks that require no authentication password at all are particularly vulnerable to allowing other devices to read all of the traffic being transmitted.

Due to advances in software utilities and online guides, it has become relatively simple to acquire data from open network traffic by performing man-in-the-middle (MITM) attacks or poison DNS and force people to visit a fake site that appears legit and even has the correct URL.

Solution #5 – Avoid free WiFi with no encryption and always use HTTPS

Some password protected networks can also be unencrypted, so it’s not just the fact that a network has a password which matters.

For example, if you use http:// connections instead of https:// to access your email – an attacker can easily capture the username and password for your email. This also applies to your email client – if you use POP, IMAP, or SMTP unencrypted (no TLS or SSL) – then you could be vulnerable – especially from your phone.

Unencrypted WiFi is especially found in airports, cafes, or public parks will show up on your phone or computer.

Sometimes, attackers will setup rogue access points with familiar SSIDs (Netgear, Free_WiFi, Free Public WiFi) in busy areas to capture data from unsuspecting passerby whose phones will jump onto their network briefly.

If you must use public WiFi – then you will need to check that all of your connections use secure protocols. This is easier to determine than you might think.

 

https-vs-http-hacker-mitm-security-password-email

You just have to make sure that you see the green HTTPS symbol on each site that you share data on. There is a great browser extension called HTTPS Everywhere then it will enforce secure connections on every site that supports it. Download this free extension for your browsers.

If you use this extension and like it, or if you liked this article – please make a donation to support the Electronic Frontier Foundation (EFF) – the protectors of digital privacy and free expression on the internet.

Any questions? Comments?

We are here to support you! Feel free to reach out to us with any questions or leave a comment below!