Computer Shopper - UK (2020-03)


SECURITY


ISSUE 385 | COMPUTER SHOPPER | MARCH 2020


Each site and service has a different setup
routine to enable two-factor authentication,
so you’ll need to follow the information
provided to add this extra protection.
The service that you use defines the options
that are available. The best ones, such as
Google and Facebook, let you use an app on
your phone to generate your codes. The
Google Authenticator app is good, but if you
have LastPass, you can use its Authenticator
app to synchronise your codes securely to the
cloud. If you lose your phone, you can get a
new one and restore your code generators.
All sites that let you generate a code will
also give you several backup codes that you
should download and print out. You can use
these in an emergency should you lose your
phone and need to get access.
For even more security, look out for sites
that support the YubiKey or other USB security
key. These keys can be carried around with you
and plugged into a USB port. When a site or
service asks for a code, you can just use the
button on the YubiKey to send the data.
However, it’s worth having a backup option,
such as a code generator, just in case.
We use LastPass protected by both a long
and complicated password and a YubiKey:
only this combination will unlock our other
passwords. Make sure that you never divulge a
two-factor code to anyone to prevent
fraudulent access to your accounts.

WHAT TO DO IF YOU’RE HACKED


So what happens if you’re hacked, and how do
you know? For the latter, you may get an email
from the company telling you of a security
breach and that your details may be at risk.
You may be told that your password is secure.
However, in many cases, you don’t get
much information, bar some warning signs.
For example, we’ve had a few emails with
two-factor codes come in for an old VPN
account where the password had been
breached. This tells us that the password had
been compromised but that our two-factor system
had prevented further access. Look out for these
emails or warnings of suspicious activity, as they
hint that your password has been compromised.

When you get any warnings, direct or
otherwise, it’s wise to go to the account in
question, log in and create a new secure
password using a password manager. This will
protect you against further problems.
If you’ve used the same password on other
websites as well as the compromised account,
you’ll need to log in to these accounts too,
and then change the password for something
more secure. If you use a password manager,
it will warn you if you’ve stored weak or
repeated passwords for any websites.
Take these warnings seriously: you should
update and replace old, weak passwords
and those that you have used on multiple
occasions. This could prevent you from having
a bigger problem in the future.

DEALING WITH SCAM PHONE CALLS

Scam phone calls have been around for a long time now.
You know the one: you get a phone call from your ‘internet
provider’ or ‘Microsoft’ telling you that your computer has been
hacked. The aim of the call is usually to get you to install some
software on your computer that gives the hackers remote control
so they can start to steal data from you, or show you false
information on the screen to get you to pay for a virus clean-up.
We’ve probably all become more aware of this type of attack,
and the anti-malware software that we’ve tested later on usually
picks up the tools that are used. As a result, hackers have stepped
up a gear. We’ve seen first-hand how hackers can call using a fake
incoming caller ID. For example, you might see a number that
looks like your bank’s and answer it, and then you’re told that it’s
your bank’s anti-fraud team. The initial call, appearing to come
from the correct number, can easily throw you off, which is
what the criminals want. They then ask for data protection
information before they speak to you, which they can then
use themselves to break into your account. In this way, the
criminals aren’t even trying to trick you into doing anything
on your computer, focusing entirely on connecting to
your online account.
This kind of attack is far trickier to spot, particularly as
big institutions often will phone and ask for verification
information before they can start.
We’ve been saying for a long time that customers need to be able
to set up a telephone password that the caller has to use first.
That way, you can verify that who’s calling you is legitimate, and
then you can divulge your data protection questions in safety.
In the absence of this, there are a few things to look out for.
First, never give out any two-factor authentication codes over the
phone. For example, if the caller says that to verify your identity
you need to provide the code that has been texted to your phone,
what they mean is that they’ve triggered the code to be sent and
they’ll type it in to get access to your account.
Second, be very wary of any information that you’re being
asked for, such as customer information or the full answer to a
standard security question, as opposed to giving the sixth letter
of your telephone password, for example.
The best option in many cases, unless you’re specifically
waiting for a callback or telephone call at a set time, is
to hang up and then call back the company using the number
on their website or latest bill. That way, you can get through
safely. In our case with the fake caller ID from the bank, when
we called back and got through to the fraud team we
quickly found out that this was a scam that we’d avoided.

RIGHT: Two-factor authentication gives you an extra layer of protection

Be careful who you’re talking to on the phone