SECURITY GATEKEEPER
Authentication
Passwords. Achieve maximum complexity while retaining your ability to remember it by devising a ‘root’ password. It should contain a minimum of twelve characters made up of upper and lower case letters, numbers, symbols and a variable that corresponds to, for example, the first letter of the website to be signed into: Lock500$File would become Lowk500$File for ‘website.com’.
2-Factor Authentication. To further reduce the risk of unauthorized access to your accounts, simply enable this feature, if offered, and provide your cell number. At each subsequent sign-in, a text containing a one-time, temporary passcode will be sent to your phone. Enter it at the sign-in screen to proceed with accessing your account.
Additional methods. Biometrics, security keys, password managers and authentication apps all offer additional methods for protecting accounts and devices from unauthorized access. Time spent developing a general understanding of how they work and how to adopt them will significantly improve the security of personal information.
Hazards
Phishing Email. Its primary objective is to lure the recipient into clicking on a hyperlink, resulting in any of four outcomes: previous usernames and passwords captured from the browser cache, keystrokes captured going forward, redirection to a website featuring a genuine-looking but false account sign-in page, or ransomware that locks your hard drive ahead of an extortion attempt. These risks can be minimized by opening the email on a desktop computer, then carefully hovering the mouse pointer over each embedded hyperlink or hyperlinked button. If any of the revealed URLs don’t precisely match the actual organization’s domain, i.e. ‘website.com’, it is likely a hoax and should be deleted immediately.
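The hover-and-compare check above can be written down as a rule, so that it catches the common ways a link is dressed up to look like the real domain. This is an added example, not part of the handout; the sample links are constructed, and the rule treats subdomains of the organization’s domain (login.website.com) as genuine, which is slightly more permissive than the handout’s “precisely match”.

```python
from urllib.parse import urlsplit


def link_matches_org(url: str, org_domain: str) -> bool:
    """True only when the link's host is org_domain itself or a subdomain of it.

    Looks past the tricks a hover reveals: the real domain used merely as a
    prefix (website.com.verify.example), a 'user@' part before the real host,
    a port number, a trailing dot, mixed case, and non-web schemes.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # mailto:, javascript:, data: links never count as the site
    # .hostname drops userinfo and port and lowercases; None if there is no host
    host = (parts.hostname or "").rstrip(".")
    org = org_domain.rstrip(".").lower()
    return host == org or host.endswith("." + org)


def suspicious_links(urls, org_domain: str):
    """Return the links that do NOT belong to org_domain, in original order."""
    return [u for u in urls if not link_matches_org(u, org_domain)]


# Constructed sample links, as a mail client's hover might reveal them.
SAMPLE_LINKS = [
    "https://website.com/account/login",                  # genuine
    "https://login.website.com/",                         # genuine subdomain
    "https://website.com.account-verify.example/login",   # real domain only a prefix
    "https://website.com@198.51.100.7/",                  # real domain is just 'userinfo'
    "http://web-site.com/",                               # look-alike spelling
    "https://WEBSITE.COM:443/",                           # genuine, odd casing and port
]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS, "website.com"):
        print("does not match website.com:", link)
```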
Spear phishing. A ruse whereby the perpetrator has targeted a specific organization member with an email, ostensibly from a senior employee, instructing them to undertake an urgent financial task. New employees are prime targets and, once onboarded, should be told to report all similar requests to their manager.
Public Wi-Fi. Logging into accounts via public Wi-Fi should be avoided. When urgently required, a VPN session should first be activated on the device in order to encrypt the user’s Wi-Fi traffic so it cannot be captured by nearby eavesdroppers.
Finance
E-Transfers. The majority of funds misappropriated from e-Transfers are the result of a compromised email account. Do not send the question and answer to the recipient via the same address as the e-Transfer link. Also, be certain of the recipient’s email address or cell number, as a mistype for a Direct Deposit/Electronic Funds Transfer may send the payment to the wrong recipient.
Online purchases. Ensure that the vendor for purchases being considered has a demonstrated reputation and is not merely the lowest price. Also, secure websites have an authority-issued certificate that can be verified for authenticity. Click the padlock icon to the left of the URL, then (slightly varied between browser types) click ‘Connection is Secure’, follow ‘Certificate is valid’ and note the website beside ‘Issued To’; it should match the vendor’s website URL.
Cryptocurrency. A grasp of the transaction security process is crucial. Crypto keys can be stored at multiple locations within two storage types: 1. A custodial ‘hot wallet’ at either a crypto exchange, cloud storage, personal computer or mobile device; these are all online to the internet. 2. A non-custodial ‘cold wallet’, either a specific physical device similar to a USB flash drive, or a ‘paper wallet’, simply a physical paper copy of your keys. Additionally, should a wallet or device become unavailable, access to its cryptocurrency can be resumed if its owner possesses the generated ‘seed phrase’, a collection of 12 or 24 words.
Information in this handout is intended for general guidance only. Any reliance you place on the information in this handout is strictly at your own risk.
Steve Chapelle has been providing information privacy and security education to
Canadian professional, parent, student and retiree organizations since 2006. Prior to
that he spent over 20 years in information technology management, analysis and
customer service, primarily in the financial services sector. Experience has included
security, availability and disaster recovery planning. He is also an instructor and
developer at the Udemy online course platform, and the author of ‘No Deci