Windows Help & Advice – May 2019



Protect your online account


An extra layer of protection


You can practically eliminate the threat
from a brute-force attack, but you
can’t stop passwords being exposed as
part of a wider security breach due to
mistakes or weaknesses on the part of
the online service that is holding your
data. So, how do you take steps to
protect your account in the event of
such an attack?
The answer is 2FA, or two-factor
authentication. This introduces a
secondary requirement to the log-in
process: a six-digit code you need to
enter in addition to your password. The
code changes regularly, and can be
delivered via email, text message, or
authenticator app. Email is the least
secure – what if your account is
compromised? – while authenticator
app and text are preferable because
they require your phone, a separate
device outside the hacker’s control.
Text messages require a mobile
network – codes tend to change every
five to ten minutes – but authenticator
apps work offline and the codes
change every 30 seconds, which is
obviously more secure. Numerous
systems and apps exist, but we
recommend Authy (www.authy.com),
which can be used on more than one
device for convenience.
After installing and setting up the
app, log in to your online account, and
look for a setting to enable 2FA. If it’s
offered, choose the option to receive
codes by app or Google Authenticator
if it’s name-checked. You can either
type in the lengthy code manually, or
scan the uniquely generated QR code
into Authy using your phone’s camera.
Enter the six-digit code to verify
everything’s been set up correctly,
and you’re done. Just open the app –
which can be passcode-protected for
additional security in case the phone is
stolen – whenever you’re prompted to
enter a 2FA code to log in.
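
How an authenticator app turns the lengthy code behind the QR image into six-digit codes without a network connection, shown as an added example that is not part of the original article: it implements the standard TOTP algorithm (RFC 6238) used by Google Authenticator-compatible apps. The sample secret is constructed from the RFC's published test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret_b32: str) -> bytes:
    """Decode the 'lengthy code' a site shows beside its QR code (base32)."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that sites often strip
    return base64.b32decode(cleaned)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step that contains Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)  # same value for a whole 30 s window
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: bytes, submitted: str, at: float, drift_steps: int = 1) -> bool:
    """Service-side check: accept the current step plus/minus a little clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(key, at + delta * 30)
        ok |= hmac.compare_digest(expected, submitted)  # constant-time comparison
    return ok


# Constructed sample: base32 form of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    now = time.time()
    code = totp(key, now)
    print("code now:", code, "- valid for", 30 - int(now) % 30, "more seconds")
    print("accepted now:", verify(key, code, now))
    print("accepted five minutes later:", verify(key, code, now + 300))
```

Both the phone and the service derive the code from the shared secret and the clock alone, which is why the app works offline and why a code captured by an attacker stops being accepted shortly after its 30-second window closes.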

major sites have detailed recovery
procedures that enable you to answer
certain questions using personally
identifiable information. Facebook
enables you to nominate a trusted
friend to take back control of your
account. Again, make sure you’re on
the genuine website and not a spoof.
This process also relies on the fact
that the hacker hasn’t changed your
personal information to prevent you
from gaining access. You need to
consult your email provider’s support
pages for specific advice if you’re
unable to get in (search for hacked,
recovery, or password reset). Be
prepared to make contact by phone if
such an option is available.
Once you’ve regained control of the
account, log in to the associated email,
and check the inbox, sent, junk, and
trash to see if the hacker has left any
traces of what they’ve been up to –
including other accounts they’ve
targeted. You may even see spam or
infected messages have been sent to
your contacts – you’ll need to alert
them if this is the case.
If you think you’ve been the victim
of identity theft – typically revealed by
unusual transactions in your financial
records – visit one of the credit score
providers, such as Equifax (www.equifax.com)
or Experian (www.experian.com),
for the steps to follow;
usually ordering a copy of your credit
reports and filing an initial fraud alert.
Contact the police, too, and speak to
your credit card provider and bank.


Stay safe going forward
Once you’ve fixed your problems and
ensured your accounts are protected
by up-to-date passwords, you’re done,
right? Not quite. It’s time to take a more
proactive approach. First, don’t worry
about changing your passwords every
six months as conventional wisdom
dictates. Your passwords are no longer
easily guessed, and brute-force attacks
won’t reveal them anytime soon.
That said, it might be wise to change
the password at least once a year,
particularly on accounts where no 2FA
protection is available – reports like
Have I Been Pwned are based on old
data, so you can’t assume you’re safe
until your password manager alerts
you. We also suggest that you update
your master password more regularly
– every six months, say. Look for an
option to rotate your encryption key
at the same time.
Otherwise, follow the usual
good-practice tips: Enable two-factor
authentication (2FA) wherever you can;
keep a tight lid on your computer’s
security, following advice in previous
issues; remain vigilant against
scammers – most hacks are now
instigated through trickery; and
above all, don’t panic!


Check for breaches in a private or
incognito web browser window.
