One password to rule them all
If you add up all the web services you use each year, what does the total come to – 20? Fifty? That’s a lot of passwords to remember. If you are using the same password for each service, you are risking having numerous accounts accessed if a data breach of one exposes your username and password.
You can use the autofill function on web browsers such as Chrome and Firefox to enter your username and password automatically. But that won’t be as secure and convenient as using a password manager, which stores all your passwords in an encrypted “vault” and fills them in automatically when you log into the web services and mobile apps you use. It means that you have to remember only one master password – the one that unlocks the vault.
A wide range of password managers are available. Some are free, but generally limit you to one device and up to 50 passwords. A paid subscription will typically cost between $10 and $70 a year depending on features. Family plans for multiple users are common and ideally the password manager will work with all your devices, from iOS and Android smartphones and tablets to Windows and Mac computers.
IT manager Alison Moore recommends staff use LastPass (US$41.40 a year). It is a highly rated password manager that has broad device and browser compatibility.
As you begin to use a password manager, it is a good idea to check the integrity of existing passwords. Website haveibeenpwned.com searches a massive database of email addresses and passwords that were compromised in past data breaches and posted on the web, usually by hackers looking to sell them to cybercriminals.
If your email address has been “pwned”, it will list the service where the breach happened – LinkedIn and Last.fm came up for my email address. Change the passwords associated with the breached service immediately, using your password manager to generate a complex password to use. The basics to look for in a password manager include auto-filling of web forms and app login screens, two-factor authentication, password generator, keystroke encryption and multiple device support.
Remember, the master password for your digital vault should be strong but easy to remember. The password manager might offer you hints to guess it, but if you forget it there’s a good chance you won’t be able to access your vault and will have to reset all your passwords.
POPULAR PASSWORD MANAGERS
Dashlane, 1Password, LastPass, Keeper, Norton Password Manager, Trend Micro Password Manager.
The scam works with attackers sending an email informing you that they have used your webcam to record footage of you while you are visiting websites – often ones containing pornographic content. They then threaten to send the footage to all of your email contacts unless you pay up – often via a transfer in the anonymous bitcoin cryptocurrency.
“To make the threat seem real, the attacker includes a password that belongs to the recipient as ‘proof’ – in actual fact, the attacker will have found the details online in a data breach,” says Pope.
A hacker could hijack your webcam, but it is time-consuming and technically difficult to pull off. Tricking people into thinking there’s a recording of them in the hands of a scammer is much easier.
“These scams play on people’s emotions and use the fear of embarrassment to get people to pay,” says Pope.
As the Christmas shopping season ramps up, so too will the scams. Websites and emails are being crafted by scammers to look more professional and leverage off trusted brands, such as banks, airlines and phone companies. But the scam that comes into its own during the festive season is the courier-company phishing attack.
“The emails usually replicate the branding of a well-known courier company and pretend the recipient has a pending parcel delivery,” Pope says.
Scammers inform you they have recorded footage of you visiting certain websites – and threaten to pass it on.
PARCEL NIGHTMARE
The email asks the recipient to click a false link to accept delivery of the parcel. Sometimes they will be asked to enter their details, which could be used for identity theft or another attack. Often a payment will be required for the delivery to be made – for a non-existent parcel.
“It’s always exciting being notified you have a pending delivery, but we recommend a couple of checks,” says Pope. “If you’re not expecting a delivery, don’t click, and take simple precautions such as searching the courier company online and calling to check that the delivery notice is legitimate.”
CERT has received 5000 reports of cybercrime incidents this year, but those are the tip of the iceberg. The majority of attacks, successful or not, go unreported.
The most painful scams to read about are the ones that manipulate people the most. There’s the “Windows technician” calling pensioners and convincing them to transfer money to have their computer “fixed”. Then there’s the most pernicious scam of all – the romance scam. Last year, a Kiwi farmer known in the media as “Mark” told the embarrassing tale of how he lost $1.2 million after being sweet-talked by a woman who contacted him through Facebook.
“This woman, Connie, told me her parents had been killed in a car accident. I talked to her for about two or three months,” Mark told Newshub in February.
“Then she told me she had inherited some gold and needed money to pay fees to have it released by the American government, and I went along with it.” Mark lost the farm he had inherited from his parents as a result of the scam.
However, such cases are extreme and rare, says Pope. “This all sounds pretty scary, but there are things that people can do to keep themselves safe. Most of the measures we can all take to be safer online aren’t complex tech solutions, they’re little things such as making sure you use a different password on each account, or turning on two-factor authentication,” he says.
As we begin to be bombarded with Christmas and New Year sales adverts, Pope has another piece of advice for when you see the prices slashed on high-value products such as electronics, clothes or limited-edition sneakers.
“As the old adage goes, if it’s too good to be true, it probably is.”