Multi-Factor Authentication (MFA)
MFA - or Multi-Factor Authentication - just means having multiple security checks when logging in to something. Usually this means a password AND a one-time code, a fingerprint, a face scan, or one of many other methods of authentication to prove it's really you logging in.
TODO: Make absolutely certain you have MFA set up for ALL essential services such as finance and government, as well as anywhere that stores a lot of your personal data, like your email provider, Facebook, Instagram and LinkedIn.
Organisations and government services are increasingly mandating MFA. Anywhere you don't use MFA, you are one step away from having your money or identity stolen. It’s like locking the front door but leaving the back door wide open. All a criminal needs is your password, and given how many times passwords get leaked by tech companies, it’s likely you’re already vulnerable. MFA protects you even if your password has been leaked. You will be surprised at how little protection and support exists if you are a victim of ID theft - often you can’t get your money back. And just because you haven’t been caught up in a public breach that’s in the news (like Optus), you can’t assume your password is safe. IBM released a report that said most companies take 277 days to discover and report a breach. What that means is any major company could already have been breached and you wouldn’t know about it for almost a year, which is plenty of time for a hacker to make off with your money or data.
HOW TO SET UP MFA: If you opt for using a one-time passcode (OTP) authenticator app, I recommend Aegis or Raivo. For privacy reasons, I would avoid Google Authenticator, but if you're already using it that's still much better than not having a second factor, so don't panic.
Please also do not use your phone number as the second factor if you can help it. While it's not highly likely, phone numbers and messages can be tampered with, intercepted, and stolen; the phone network was never designed as an authentication mechanism. It’s also slower and less reliable than OTP authenticators, so save yourself the frustration and install one. Read more here and here in case you need more convincing on why relying on your phone number for authentication is not a secure solution.
Some more info here on where and how to set up MFA.
Password Manager
Keep it secret, keep it safe.
A password manager is a tool and/or service that can securely generate and store unique passwords and secret notes for you on an account-by-account basis. The take-away here is: when using a password manager you only need to remember one master password rather than a number of different ones.
TODO: You should be using one by now. If you are not already doing so, you're running an unnecessarily high risk to your identity and finances. (Unless you're using one-time pads, or writing down complex, unique passphrases in a physical notebook you keep on you or locked away at all times. Then carry on, I respect the hustle.)
This is an increasingly serious and urgent thing that you should be very concerned with doing something about. And, while password managers are ultimately a band-aid solution to a problem that is intrinsically insecure, passwords are unlikely to go away any time soon, so we need to make do as best we can. You will soon have the option to use passkeys for a lot of services instead, which is an improvement. But passkeys also come with their own issues, and are unlikely to be adopted ubiquitously in a short time. Most password managers will also provide passkey support, however, so it's worth getting set up with one regardless.
All of that being said, if you don't already have a password manager service, I recommend Bitwarden (if you're lazy like me), 1Password (similarly accessible, great UI), or KeePass (if you want more configurability and isolation, and don't mind the extra effort in managing it).
Integrating a password manager into your life might be annoying at first, but once you're up and running, it's one of the very few security solutions that benefits both security and convenience at the same time. Most managers have browser extensions and mobile apps, which make things nice and easy.
I will also add that if you're using LastPass, you should strongly consider moving to another service because they’ve been hacked multiple times.
What should I do if I've been pwned?! If you know your password or login/personal details have been leaked, play it safe and change that password ASAP. You can check here to see if and where your email address and phone number have been leaked or stolen.
More great info on using passwords/phrases here.
And more info here on password managers.
Keep Your Devices and Browsers Updated
This is self-explanatory - make sure you have auto-update enabled, and if you've disabled updating over mobile data, make sure you connect to WiFi often enough for updates to actually install.
It's likely none of you need to do anything here, but it's important to call this out anyway. Updating takes almost no time, and keeps you safe.
Don't ignore auto-updates on your browser or personal computer (even if they can be frustrating to wait on). Find time to make sure they're done ASAP.
Android Setup
iPhone/Apple Setup
Keep Your Devices and Browsers Neat
If you don't need an app or browser extension, remove it. Or just don't install it to begin with.
The more apps or services you have with access to your device in some way, the wider the attack surface of your device. Your phone's operating system (or desktop internet browser) might be relatively secure, but installing a vulnerable app or extension can create a backdoor that bypasses all that great security completely. Here's just one of the many examples of why this can be a huge problem.
Importantly, don't download extensions or apps that aren't verified or endorsed. Reviews are easy to fake, so if you're unsure, do a bit of research to see if it's legit.
Spend a little time reviewing the permissions the app/extension/plugin asks for when you do install something, even if it seems trustworthy. Many apps will try to gain access to much more than their purpose calls for. While this is not always done with malicious intent, it still creates that much larger an attack surface for your device.
UPDATE: Be especially critical of AI-powered extensions. They are the greatest security nightmare - kind of like leaving matches or a lighter with a toddler near your very dry barn.
Be Mindful of Device Manufacturer and OS Support Lifespans
It sucks, but device versions (e.g. Apple iPhone 12, Google Pixel 4 etc.) as well as operating system versions (e.g. Android 11, iOS 17 etc.) have an end-of-life date beyond which the manufacturer or developer no longer supports that version with security updates.
When buying a new phone (or laptop, or anything that requires regular updates) it is important to consider the support life. All vendors and developers should provide a timeframe for how long a particular device or operating system will be supported. This is important because it means getting timely security updates that patch vulnerabilities that might get exploited by malicious actors, leading to a compromise or leak of your sensitive accounts and data. It's worth adding this to the list of considerations when you're looking at buying a new phone - or updating an operating system - to know how long it will receive those important security updates.
Many device and system lifecycles are tracked here. If yours is not in there, a quick Google should help you find more information, ideally from the manufacturer/developer themselves.
Scams
I wish there was a silver bullet for this, but unfortunately it all comes down to educating yourself, and being vigilant (especially with untrusted channels).
Scams are getting more sophisticated every day, and with AI tools removing many of the tell-tale flaws that once made scams easier to spot, it's more important than ever that you are critical of any communication you receive that isn't obviously authentic and trusted.
Some useful rules of thumb in protecting yourself against scams:
- Never send money anywhere unless it's through legitimate channels, and to legitimate destinations. If someone says they want to send YOU money, be even more critical of this.
- Never give out your secret information - no legitimate service or entity should ever ask for your password or one-time passcode.
- Try to avoid ever sharing any personal information. Occasionally organisations and institutions like banks need to confirm your identity over the phone, in which case they should only need a DOB or address at most. Never give out information to someone who called you. You’re better off asking if you can call back, and then calling back on a number you found on an official website.
- Never share access to your devices.
- Never let emotional triggers drive how you react to a communication that's come out of the blue - scammers leverage empathy and panic to get you to make a rash decision. If you’re given a very short timeframe to react, or the message is related to criminal offences or unexpected debt, chances are good it’s fake.
What should I do if I've been scammed, or know someone who has?
[Taken from ABC News]
Here's what an ACCC spokesperson says to do after you have been scammed:
- Contact your bank or financial institution as soon as possible if you have lost money
- Contact the platform on which you were scammed and provide details about your experience
- Tell your friends and family about your experience for support and to help protect them from scams
- The ACCC also encourages you to make a report on the Scamwatch website, subscribe to their Scamwatch radar alerts and stay updated via Twitter.
- You can report fake websites as well as websites suspected of hosting or distributing malware to Google for review.
ID Support NSW makes it easier for people to access help if their NSW Government proof of identity credentials are stolen or fraudulently used.
This guide has a lot more useful information worth reading up on.
This one goes into financial protections more specifically.
Ransomware (but usually, just scamware)
More on this soon, but in the meantime read up on one case of scam/ransomware masquerading as legitimate software over here.
Be Wary of Websites and URLs
Especially online shopping sites. These can seem legitimate, with top Google search results and sophisticated-looking designs and URLs. See this story about ways to watch out for online shop scams.
Try to never open an http link (not https) unless you really trust where it comes from. HTTP links are unencrypted, which leaves you open to an attacker watching your browsing activity, along with any data you input to that site. Browsers generally warn about this these days, but it's good to be aware of it.
Example:
'http://legitlookingsite.com' = bad
'https://whatever.com' = better
Google Transparency Report can be useful to identify a dodgy-looking site.
Be careful with links you follow in general - you can usually see where something is going to take you by hovering your pointer over it and looking in the bottom left corner of your browser (or holding down on it on mobile).
More info here.
Public WiFi and Power
Don't use public charging ports. Use your own cable.
Never use public WiFi if you can help it, even in places that seem trustworthy, like airports. If you have to, at least try to confirm that the access point name is the correct one - it's very easy to spoof an access point name and capture traffic going through it.
General Advice
- Don't use an unlock pattern to access your phone. PINs and fingerprints are better, primarily because they're harder to observe/steal.
- Try not to leave your Bluetooth on when you're not using it. There are many ways it can be used to mess with your device, as well as track you without your consent.
- If you're anxious about online shopping and exposing your credit/debit card details to do so, you can look into temporary, virtual cards to compartmentalise your funds. These offer a lot of the same protections as your existing cards, but reduce the harm potential for your card details getting leaked. Check with your bank if they offer such a service/account - most large banks do these days. Otherwise, look into services like Revolut for this - I've used this service before myself and it was very convenient and fast, especially as a travel card.
- Implicit trust is part of human nature, but can be a dangerous thing.
More Resources