Staying safe in cyberspace
A cybersecurity expert debunks the myth about password and PIN security but cautions against clicking on just about anything that’s available for free out there.
Rodney Lee has been in cybersecurity protection for about 20 years. Unlike others in the industry who advise people to change their password every three months to avoid hackers, he hasn’t changed his password for over a decade. His password is the same for all his email accounts.
He even uses a similar PIN for all his ATM, debit and credit cards.
It’s “nonsense” to create a different PIN for the bank cards, he says.
“How are you going to remember it all? For me, the more difficult your password, the more difficult it is to remember it and this makes it easier to breach.”
“It is easier to create one solid password that you remember. I’ve had the same password for 14 years and – touch wood – I’ve never been breached,” says Lee, who is the CEO of Dnex Technology Sdn Bhd, a business in IT services and energy.
For him, experts keep telling people to change their passwords because “that is the easy way out.”
“They are not the ones who have to remember it. And because you cannot remember it, you’d have to put it down in your phone or in a piece of paper in your wallet. You’ve made it easier for the password to be stolen,” he says.
So how does one create a strong password or PIN?
Lee suggests using information about yourself that is no longer linked to you. It could be the number plate of the first car you have driven or the hospital identification tag on the wrist when you or your child was born, he says.
“Or you could use statements that appeal to only you. For example, if your Chinese name is Kok (country) Long (dragon) and you are born in 1969, then your password could be ‘I am the country dragon of 1969’.”
“Or you could use personal aspirations and stuff that don’t appear in public like emotions; the non-tangible stuff.”
But isn’t it risky having one PIN for all your bank cards?
“Yes, it is dangerous. But then didn’t all those big firms (which have fallen victim to breaches, Internet fraud and ransomware) have multiple layers of security? Did that stop them from being hacked or compromised?”
“Some things are meant as a convenience. If you put in a little bit of ‘first-time effort’ and create a good password, then it really is convenient. However, if you have to stress yourself, is that convenient?”
“In the case of cloned cards, remember that there’s a two factor SMS TAG that ‘approves’ any purchase. Use that,” he says.
Lee points out that cyber threats are becoming more sophisticated, involving huge sums of money and breaches of people’s personal data. He cites the recent hack of Equifax Inc, which saw the names, birthdays, addresses, social security and driving licence numbers of about 140 million Americans – about half the US population – out in cyberspace.
Another case, he says, was a cyberattack in Singapore on an insurance company which compromised the personal data of 5,400 customers. A few months ago, an LA college paid US$28,000 (RM118,000) to regain access to its locked computer systems infected by ransomware.
Lee says people used to talk about a friend’s computer being infected “in those days” but “now we are talking about millions, not one or two anymore.”
“It’s like you are holding a balloon and the hackers are holding 200,000 needles. They start throwing needles at you and you have to withstand it. They only need to get lucky once. You need to be lucky every time.”
He says in the first eight months of the year, there was an average of 30 cyberthreat incidents each month. Last month, it spiked to 50. This, he says, had something to do with Malaysia inadvertently printing the flag of Indonesia upside down in its SEA Games souvenir booklet, which angered Indonesians and prompted hackers there to hit out.
“During the SEA Games, there were a lot of attacks on the banks here. The IP addresses were from Indonesia. We advised the banks not to worry. These guys are ‘script kiddies’ – the lowest level of hackers. They just want to show revenge. They had no malicious intent. So we told the banks not to react. They just have to stand strong until the typhoon goes away.”
As for personal data and emails, Lee offers some cybersecurity tips.
“When you travel, you can use the hotel’s free WiFi but just don’t use it for banking transactions. Nine out of 10 times, its WiFi is super weak. It takes only about five minutes for hackers to break in.”
He suggests using the mobile phone for banking transactions because that is more secure.
“Make sure you have anti-virus software for your phone. If you can’t afford one, there are free ones.”
He says people should log in and out of their email wherever they go.
“Don’t respond or click on emails from sources you don’t recognise. Don’t succumb to greed and lust because those are the elements that hackers base their tricks on. The free and fun stuff is where the bad stuff is also.” And there’s no such thing as a free lunch. “Pay for songs, pay for movies, don’t go downloading from torrent sites,” he says.
Lee also cautions against picking up calls from unfamiliar numbers. And stop forwarding WhatsApp messages without verification.
“Don’t think you are doing me a favour by forwarding me a free ticket on Malaysia Airlines, AirAsia or Malindo Air. Check first if it’s true. If someone sends you something for free, don’t believe it. Don’t be too quick to click on it. They (hackers) always wait for you to take the bait. Then you can’t blame anyone because you clicked willingly.”
Rampant: From January to August this year, there has been an average of 30 cyberthreat incidents a month.
Lee: ‘There is no need to change your password every three months. Just make sure you have a very strong one.’