Cyber crimes are always intangible. Certainly, you could be burgled or someone might pluck your bag from under the table in the pub. But this year a report by the National Crime Agency certified that the balance had tipped from offline crime towards online. Computer misuse and cyber-enabled fraud now account for 53 per cent of all UK crime.
It’s also an inevitable consequence of the smartphone’s centrality to our lives. We shop and bank on apps; we pay by brushing devices against readers. We share home and email addresses complacently and we surf for dates by synching Tinder with our social media profiles.
At the centre of all these activities are passwords. They are the multipurpose key but you struggle (or can’t be bothered) to come up with anything more inventive or secure than Mum’s name and birthday, which you use for everything because you know you’ll (probably) remember it.
This is no longer enough. Experts have called for us to up our game, while sites such as Instagram and Mastercard online banking are updating their password protocols, replacing secret phrases with selfies. So what else can you do to stay safe?
This week researchers reported that typing a password on your phone while connected to a public network can imprint signals onto radio waves that can in turn be read by hackers, and some criminals might create fake wi-fi hotspots to lure users. Loafing in a coffee shop using the wi-fi? You’re endangering your data.
Facebook is trying to help. At a conference this month the social network revealed that criminals are using dark-web marketplaces to sell passwords leaked during data breaches. Facebook is also buying them, in order, it says, to protect its users — though critics argue that this practice could help fund cyber-terrorism. The caution is timely: yesterday, it was found that Deliveroo customers had been the victims of a hack, using passwords that had been stolen in previous privacy breaches — a phenomenon experts call the “domino effect”.
The first thing you can do is change your passwords. “We’re asking people to have a number of passwords for everything that matters,” says Dr Bob Nowill, chairman of Cyber Security Challenge, an educational initiative for online safety. Controversially, he advocates writing them somewhere: “in a way that is protected — whether that’s by storing them in a safe or using password management software”.
You’ll need to generate something secure first. Nowill explains that passwords using combinations of words are “a known construct — so pretty much every one can be broken with brute force”. The key is to have passwords that are “distinct and complex” — and crucially not words. Instead, use a combination of random letters, symbols and numbers.
If you need inspiration use a password-generator site. Nowill says that security agency GCHQ and some software manufacturers recommend sites for password generation and management. For example, the Norton anti-virus software company has a site that will help you devise passwords that are difficult to break.
The industry is innovating too. On Instagram, selfies are the last word in basic, but as passwords they’re actually pretty sophisticated. Last month Mastercard announced the launch of Identity Check Mobile, which invites users to verify their identity using a selfie before using their credit card online. To increase your budget limit on Revolut — a global money app that provides a pre-paid debit card for fee-free international payments — you must take a selfie, which the app compares to your passport photo. Selfies are part of a wider biometrics trend. The new iPhone 7 has a very receptive touch sensor on its home key — leading to more accidental calls because you don’t realise you’re touching it. Luckily, it only works with the owner’s thumb. Apple has incorporated a touch bar and touch ID on its latest MacBook Pro models too.
Nowill is wary of biometrics (“overhyped”) but says that something like a thumbprint could be used as the second factor in two-factor authentication — which he champions. “Good sites send an authentication code to your mobile phone,” he says. “The chance of the hacker having access to both of those is limited.” Gmail does this if you want to change your password, and WhatsApp and the Halifax banking app send a code when you download their apps to new devices.
Other experts have advised those companies creating payment systems to reduce security risks by changing the keypad layout for every transaction, so that hackers will struggle to work out which keys have been pressed in which order. And emoji passwords have (obviously) been touted. It’s twee but pretty safe — the possible combinations of emoji are far, far larger than the possible unique combinations of numbers. Get it right: security’s only as good as your word.