Information Security

 

Make my online accounts secure

Introduction

Good online services take the hassle out of the most mundane chores and make sharing things and connecting with others a pleasure. We expect easy and entertaining online experiences, and that's usually what we get. However, just because they look nice and are easy to use, you shouldn't take it on trust that all services you've signed up to are giving you the level of protection you need. And even if your services are red-hot on security, the safety of your online accounts is ultimately up to you. It's time to take matters into your own hands.

Audience:

Everyone

At a glance

  • Create a different, strong password for every account.
  • Use two-step login verification.
  • Change the default security settings to the level you need.

In detail

To gain access to your accounts, hackers mostly rely on: 

  • 'Keylogger' malware - malicious software that finds its way on to your computer and logs every keystroke you make.
  • Leaked passwords - as we keep hearing in the news, many online providers are not very good at keeping their clients' account details safe. If online criminals get hold of one of your passwords, they may use it to try to gain access to all your other accounts.
  • Phishing scams - typically a fraudulent email or social media post that tricks you into parting with your password.
  • Harvesting information from your public profile that could help them get past security questions and into your account.

The protection provided by online service providers is extremely variable, so you should make it your business to put in place the account security you need. Here’s how to stop the bad guys stealing your data and identity:

  • Create different and strong passwords for every account. Criminals can access whole databases of leaked or stolen passwords on the Internet. If yours is on one of them, they could use it to try to gain access to every account you have. If you have the same password for everything, you’re making it incredibly easy for them. Protecting your email password is most important of all, since this is usually linked to all your accounts and can be used to change other passwords and lock you out of your accounts.
  • Use two-step login verification to add an extra layer of security to your accounts. Each time you log in, the service will send a code to your phone, via an app or SMS, which you need to complete the process. This means no one can access your account without having your phone too.
  • Set up account recovery options, so that if you forget your password or lose your device, you have another means of getting into your account. We recommend setting up more than one recovery method, in case one fails (e.g. if you lose your phone). Google, for example, offers to help you recover your account via your phone, an alternative email address and security question, and pre-printed codes.
  • Set strong answers to security questions (the ones used to prove you are who you say you are if you forget your password). These are often incredibly weak – things like "Where were you born?" and "What high school did you go to?" - just the kind of information a standard social media profile makes widely available. Pick questions that can't be easily guessed from public information about you, or just make up some random answers (as long as you can remember them).
  • Check your account for unusual activity (for example, if someone has attempted to log in to your account from an unknown location). Many service providers have functionality to let you check for this (Dropbox, for example). Good providers may let you know by phone or email (but fraudsters may also imitate this tactic, so follow our phishing advice before responding).
  • Keep your computer and browser up-to-date and virus-free by installing the latest security updates and patches.
  • Only access your accounts from devices you trust (in other words, your own), and never log in to critical accounts such as online banking from public computers in libraries or Internet cafes. You simply don't know what nasty spyware could be lurking on them.

Even if you've comprehensively blocked the most determined hacker from gaining direct access to your accounts, you still need to be sensible about what you share and who with, whether that’s personal details on social media, or important files on document sharing websites.

  • Review the level of privacy and security on your accounts. Social media companies make money by allowing advertisers to target you with ads based on your information, and so most default privacy and security settings share your posts with everyone in your network. We recommend you don't allow anyone you don't know to connect with you or share more information than you are comfortable with (once it's out there, it's out there – even if you later delete something you regret posting, there's a good chance it will have already been reposted elsewhere). Criminals are able to aggregate and match up all kinds of scattered personal details and use them to target you with phishing.
  • Check the lists of apps that are authorised to access your accounts.
  • Be careful when sharing folders and files – check who is authorised and what permissions they have. Review and revise your security settings regularly.
  • Choose your document sharing solution based on the level of security it offers. It's worth spending a bit more on a service that gives you the protection you need - it may save you time, money and hassle later on.

You know you've been hacked when posts you didn't make start appearing on your social network page, or friends and colleagues start getting emails you didn't send. Here's what to do if you're unlucky enough to have had your account broken into:

  1. If you suspect hackers have got hold of your password through keylogging software installed on your PC, run a full system scan using antivirus software and remove any malware you find. It's essential to clean your computer before you change your password; otherwise they will quickly pick up your new password in the same way the next time you type it in.
  2. Sign into your account and change your password. If you have been locked out of your account, use the account recovery options outlined above or request a password reset.
  3. Revoke connections to any applications associated with your account that you don't recognise.
  4. Change the passwords of each of your trusted applications.
  5. Review your account settings and adjust them as appropriate (since some malware may have changed them in order to hide suspicious activity from you).
  6. If your University account has been hacked, report it.
