Online Banking Systems

Although online banking systems have been around for a while, they are still looked at with
suspicion by some Internet users – especially older folks. It’s understandable why: up until a
few years ago online banking systems were frequently targeted by hackers due to the
potential for theft. And too many financial institutions (and governments) didn’t take Internet
security seriously enough.
However, that has changed relatively recently. The following factors have all had a big
impact on online banking solutions, for the better:
• Fear of reputation damage from widespread data breaches;
• Newer government requirements;
• Greater focus on and investments in corporate security practices;
• Significant improvements in data security technologies.
That’s not to say that your financial institution will never be breached. As we discussed in the Social Engineering section, hackers are very clever and innovative, and it’s important to realize that this is a cat-and-mouse game. But today’s online banking systems are light years ahead of where they were several years ago. Information security is a booming business, and a lot of smart people have made it their focus to protect your data and assets.
So if you have been dismissive or afraid of online banking before, please give it a second look. Check out your bank, credit union, or building society’s online banking system. Read up about how they are trying to protect your information, and feel free to grill them on some of the topics that we’ve covered earlier in this book. Most modern online banking systems offer you convenient and immediate access to your financial assets, and allow you to perform a plethora of important actions, such as transferring money securely between accounts or systems, paying bills securely online (which avoids the risk of check/cheque fraud and the theft of bills from your mailbox), tracking your investments closely, and closely monitoring for potential account and card fraud.
Some questions you might want to ask them about their online banking system:
• Does their online banking system support multi-factor authentication? Their answer should be an emphatic ‘yes!’ and they should be happy to share the details with you.
• How do they encrypt their customers’ data ‘in transit’ – in other words, when it’s being sent over the Internet? As of right now, the answer here should be that they use HTTPS and TLS.
• Do they encrypt their customers’ data ‘at rest’ (in other words, when it’s sitting on their servers or in the cloud)? As of right now, the answer here should be that they use a strong encryption method like AES or RSA.
• What steps do they take if you tell them that your account might have been
hacked? They should encourage you to immediately contact them and be
prepared to be moved to a new account.
• Which government agency or regulatory body do they report data breaches to,
should they occur? This will depend on your country and the type of the financial
institution, but some quick research by you can verify this.
• Are they insured by a government agency or regulatory body (which means that
you can get any lost assets back in most cases)?
• Do they have a dedicated information security team that closely monitors their online banking system for possible issues? Their answer should be an emphatic ‘yes!’ and they should be happy to share the details with you, including that they perform regular ‘penetration tests’ to try to anticipate how a hacker might try to break into their systems.
Simplifying your Finances
If you have financial accounts with many different organizations, you might not realize it, but
you are increasing your exposure to fraud.
A lot of people have bank accounts, investment accounts, credit cards, and other financial
assets spread across an overwhelming number of institutions. And if you have trouble
tracking them, or if they require a lot of time to monitor their activity, that opens the door to
exploitation by hackers or other unsavory individuals.
It’s important to note that this risk isn’t isolated to online fraud. It is also a concern for more
traditional types of fraud, such as mail fraud, check/cheque fraud, or letter-based/fax-based
social engineering.
So a good practice is to limit your financial assets to just a few institutions. And also, make
use of your institution’s online banking systems – assuming they are secure and reliable!
The Internet of Things
If you’ve shopped around for appliances or other household devices recently, one thing you might have noticed is the growing trend of Internet-connected devices. Refrigerators, heating and air conditioning systems, home thermostats, printers, televisions… the list goes on. An increasing number of household items are being sold with built-in WiFi connectivity, which allows you to control them remotely via your smart phone. The broad term for this trend is the ‘Internet of Things’ (or ‘IoT’).
It’s wise to be cautious of connecting up IoT devices to your home network. As with many
other online privacy concerns, the benefits of convenience come at a cost of security. Sure,
being able to access your home security cameras via your phone is neat. But that also
means it’s possible for criminals to also hack into them and invade your privacy.
Taking common-sense precautions to limit these concerns helps a lot. But ultimately, the best defense is to not hook these devices up to your home network in the first place. Is being able to check on your fridge’s temperature really worth the risk of someone using that appliance as a gateway into compromising your entire home network?
Section Review
Action Items:

• Consider using multiple email accounts to isolate your Internet communications;
• Don’t be afraid to use your financial institution’s online banking system, but do your
research to make sure it is secure and well-kept;
• Try not to spread your financial assets across too many different institutions.
Other Terminology
Related to online security and privacy, you might see some of the following terms mentioned
in articles or television programs.
Don’t feel obligated to learn about the following terms, especially if you’re feeling
overwhelmed with the information presented thus far. But if you want to learn more, knowing
some of these terms might help you to better understand the Internet and online security.
Authentication is the general process that websites use to verify each user’s identity for areas of their website that contain sensitive or private information. Authentication usually involves providing credentials (most often in the form of a username and a password), but can sometimes also involve a PIN, or a temporary token that is sent to the user via a mobile phone text message.
The term bandwidth refers to your Internet data usage, either via your Internet Service
Provider (ISP) or your mobile provider. Most providers in the Western world have a cap on
how much bandwidth you can use within a given month.
Bloatware is a negative term for computer software that comes loaded with unwanted features or additional programs. It is relevant to the concept of online safety because bloatware can include features that quietly use your Internet bandwidth to send and/or receive data, sometimes without your knowledge or authorization.
Broadband is a general term used to describe a high-speed Internet connection. Broadband
for consumers usually involves a cable or DSL (Digital Subscriber Line) connection between
their home and their ISP (Internet Service Provider).
In terms of Internet usage, cookies are little chunks of data that are used by web browsers to
store information about your interactions with a given website. This sounds more ominous
than it really is.
Most cookies are harmless, and only store harmless preferences about how you use that website. However, they can also store web browser session information, and on some websites they can be exploited by hackers who want to sneak in and steal or manipulate your information. Logging out to end your session is usually a good precaution against such cookie-based attacks, though.
A CAPTCHA is a small test that some websites conduct to ascertain if you are human or not.
You’ve probably already encountered these online, especially when registering a new
account or recovering an existing account’s password. CAPTCHA stands for Completely
Automated Public Turing test to tell Computers and Humans Apart, and they come in a few
different varieties.
• An image with skewed or distorted text, followed by a text box into which you type in
what you can read in the image;
• An image broken up into a clickable grid, and a prompt for you to click on each
section of the image that contains a specific item (e.g. a sign, a car, or a shopfront);
• A simple checkbox that you need to manually click.
The idea behind CAPTCHAs is to require human intervention when filling in an online form,
and so prevent automated systems from quickly posting requests to a website.
The Cloud
The Cloud is a catchy phrase that basically refers to data that is stored on the wider Internet.
Data stored in the cloud is usually stored on powerful, well-maintained computers that are
housed in huge, secure buildings. Companies are increasingly storing their data in this
manner because it means they can focus on other efforts. Cloud-hosted data is usually no
less secure than data that is stored on a company’s premises.
A crypto-currency is a type of currency that has no physical (i.e. paper or coin)
representation, and that is not controlled by any central agencies, national governments, or
banks. An example of a crypto-currency that you might have heard of is Bitcoin.
Crypto-currency ‘coins’ are generated by computers completing complex mathematical
calculations. Their worth is based on market demand, which means their value can fluctuate
wildly and be prone to booms and busts. So it’s usually best to avoid investing or
exchanging money for crypto-currencies.
The Dark Net
Also sometimes (and contentiously) called the ‘Dark Web’, or confused with the ‘Deep Web’,
the Dark Net is a portion of the wider Internet that is hidden from regular users, and is only
used by very tech-savvy individuals (including more knowledgeable hackers).
It’s a place where stolen information, drugs, human trafficking, extreme forms of
pornography, and any number of other illegal activities are frequently sold for money (often
crypto-currencies), and is best avoided. Fortunately, it is also quite difficult to access for
most regular Internet users.
The Deep Web
The Deep Web refers to another portion of the wider Internet, but unlike the Dark Net, the
Deep Web does not usually have a scary or ominous subtext. The Deep Web includes
internal corporate networks and data. It is a portion of the Internet that is either inaccessible
or difficult for the general public to reach, because the data is locked up and requires some
form of authentication to access. The Deep Web and the Dark Net are often, and mistakenly,
confused for one another. But they are very different conceptually.
Encryption is the process of masking data so that it’s difficult for unauthorized people or
systems to be able to read it. Encrypted data will look like an unintelligible chunk of text, but
with the right settings it can be reversed back into its original ‘raw’ value. There are many
different forms of encryption, with the most popular overall standard being AES (which
stands for Advanced Encryption Standard).
Similar to encryption (and often mistaken for it), hashing is another way of protecting data. However, hashed data is very difficult to reverse back into its original raw form. A ‘hash’ is a one-way process whereby data is made into an unintelligible chunk of text and sent to a computer system. This value can then be compared to another hash that is stored in the system. If the two hashed values match then the sender can feel confident that the value they sent was correct. If they don’t match then the sender only knows that the value they sent across is wrong. But they don’t know what the correct value is.
Hashing is a very popular way to store passwords and other authentication data. At the time of writing this, the RIPEMD hashing method is one of the strongest out there. But the SHA512 method is still popular.
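As an added illustration of the one-way comparison described above (example code, not from this book): a password is hashed with SHA-512 (via PBKDF2, with a random salt), only the salt and digest are stored, and a later login attempt is checked by recomputing and comparing. The sample passphrase, salt size and iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2 round count: a constructed, illustrative value for this example.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    The digest is one-way: it can be recomputed from the same password and
    salt, but there is no setting that turns it back into the password.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hash the candidate with the stored salt and compare to the stored digest.

    compare_digest runs in constant time, so a mismatch reveals only 'wrong',
    not where the two values first differ.
    """
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, stored_digest)


def demo() -> dict:
    # Constructed sample: the "system" keeps only salt and digest, never the password.
    passphrase = "correct horse battery staple"
    salt, stored = hash_password(passphrase)
    return {
        "stored_len": len(stored),                                   # SHA-512 digest: 64 bytes
        "right": verify_password(passphrase, salt, stored),          # same value -> match
        "wrong": verify_password("correct horse battery stapel", salt, stored),  # typo -> no match
        # A different salt makes the same password hash to a different digest,
        # so two accounts with the same password never share a stored value.
        "differs_with_new_salt": hash_password(passphrase)[1] != stored,
    }


if __name__ == "__main__":
    print(demo())
```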
ISP stands for Internet Service Provider. An ISP is a company that provides Internet access
to either a consumer or a business over communication lines that the ISP owns and
Open Source
Open Source is an ideology that is commonly employed when writing computer software.
The idea behind ‘open source’ software is that the underlying code is available to anyone
and everyone. Open source computer code is readily accessible to the world to read or
customize for free, and open source software is free to use (though sometimes with
licensing restrictions).
The goal of the open source approach is to instill a level of transparency that makes it easier for people to collaborate and build better, more secure computer programs. Arguably the most popular form of open source software is the various Linux operating system variants.
In modern online terminology, responsiveness refers to a web site or web application that is designed to display nicely on any sized device. So while the website might look different on a desktop computer with a large monitor when compared to a smart phone, it will still be easy to read and interact with on both devices.
Streaming refers to a type of data transfer over the Internet that usually involves voice or
video. It can be one-way (e.g. watching a non-interactive video on YouTube or Netflix), or
two-way (e.g. video chatting in real-time with your friends or family via Skype or Zoom).
Streaming often uses a slightly different Internet protocol (UDP) that is more forgiving about
data loss than the protocol used for many other more precise Internet activities (TCP).
Usability is an increasingly common term on the Internet. And while it only has a passing
relevance to online security, it’s still very important to understand, especially for older
Internet users.
Usability refers to how usable a website or a mobile application is. It is a concept that is
designed to allow everyone to easily use that website or app, regardless of whether they
have mobility issues (e.g. users who have difficulty using a mouse or touchscreen) or if they
are visually-impaired (e.g. users who are color-blind, have poor vision, or who are legally
blind). Usability is addressed on modern websites via a number of methods. These include: use of easily-resizeable text, having the pages be easy-to-read regardless of the screen size, using proven complementary color palettes, and making them accessible via screen-reader technologies.
VPN stands for Virtual Private Network. It is a secured link between two specific computers
across the Internet. Access to the VPN requires specific credentials, so unauthorized users
cannot sneak in. The goal of a VPN is to allow for sensitive information to be transferred with
much less risk of it being intercepted by a third party.

Multiple Email Accounts

Having multiple email accounts is a popular strategy with Internet users today. If you have
just one email account through which you receive all your electronic communications, you
might understandably be thinking that juggling two or more would be way too much work.

But splitting your Internet communications over different accounts does have some very real

• You can cleanly separate your communications based on importance, usage, or some other broad metric;
• You can isolate your communications so that if one of your email addresses is hacked the hacker doesn’t get a big picture of all your contacts and online services you use;
• You can funnel any services that you expect will flood you with spam or sell your information into a different email inbox that you can largely forget, without the need to set up complex filtering rules;
• If one of your email addresses is hacked and you have to abandon that email address you can quickly switch to one of your other addresses (which is useful if your email address ends up on a sucker’s list);
• Perhaps surprisingly, two or more purpose-driven email accounts can in fact be easier to maintain than a single all-purpose account.

To summarize the above points: using a single email address for all communications is akin
to putting all your eggs in one basket.
One very popular strategy today is to use two email addresses: one for ‘junk’ mail, and one
for ‘important’ messages. Some people have several unique email accounts! One for friends
& family messages, one for social media networks, one for online services, etc.
How you decide which contact goes to which email address is up to you. But the multiple email account approach is a tried-and-tested approach that millions of users now use. And cheap or affordable web-based email services make it pretty easy to set up.

Shared Credentials and Privacy Concerns in Social Media

Social Media
Social media is a broad term that refers to applications and systems that allow you to
connect with other people and share news and photos.
Techie Term:
Social networks are websites that allow you to connect with many other users and share your opinions, news, and thoughts.
Examples of social media ‘networks’ include Facebook, Twitter, LinkedIn, and Instagram. But
there are many other social media solutions out there on the Internet. Even some newer
online payment systems like Venmo have a social media element built into them.
These social networks can be a great way for people to stay in touch with friends and family
who live far away. You can share updates, thoughts, jokes, photos, and even videos with
others in your ‘social network’.
But social media should be used with caution and awareness.
Loss of Control over Data
One caveat to social media usage that many forget or disregard is the nature of the
messages and media you are sharing. Critically, if you share something on social media you
immediately lose control over the dissemination of that information.
Once you’ve published a photo or update to your social network it is out there for good.
Those messages or photos or videos are “in the cloud” (see the Other Terminology section
for a definition of what the Cloud is) – i.e. they are permanently stored on a computer server
somewhere on the planet (or maybe on countless other people’s computers once they’ve
also viewed your shared image or message!), and you can’t get them back.
So be very careful when you share anything on social media. An off-the-cuff thought or
comment can come back to haunt you for many years to come, especially if the ‘court of
public opinion’ takes umbrage at something you did or said (or didn’t do or didn’t say!).
Privacy Settings
Another aspect of social media that is frequently overlooked, and often closely-related to
control over one’s data, is how each social network company is handling privacy. Social
networks ostensibly operate for free. But as a popular saying goes: ‘if you’re not paying for a
product then you are the product!’
In reality, social networks make their money through advertising. And when most users
freely provide a lot of personal information to these companies because of the features and
perceived benefits, it’s easy for them to use that information to create ‘targeted ads’ –
adverts that are designed to entice you the user to buy or view something based on your
personal preferences, thoughts, and feelings.
Closely tied to this allure of leveraging personal information, most social networking
companies deliberately design their product settings to have very lax privacy defaults when
new users sign up. That way they can more easily use your information or sell it to their
partners or corporate customers. In addition, some social networks make it very confusing
and difficult for their users to tighten up their privacy settings.
Shared Credentials and Privacy Concerns
The prospect of tracking users extends far beyond adverts. Many commercial technology
service providers have ready access to their user-base’s most private communications.
Have you ever sent a political rant to your best friend over email? Or a saucy text message to your significant other? Well, there’s a very good chance those messages have been scanned by the service provider to determine your personal opinions or preferences. And that data might have been sold on to other companies so they can target you with more relevant ads.
The same thing can even apply to shared credentials. Facebook, Google, and some other major social media and Internet companies often allow approved partners to use their services as a way of authenticating users. For example, if you’ve ever seen a smaller website allow you to ‘login via Facebook’, that website is using Facebook’s authentication system. They do this because it means one less thing they have to track, and also because it’s convenient to their users (who have one fewer password to remember). But this can also raise some possible security concerns:
• It can allow hackers to target these smaller websites as a backdoor into one of your
main social media accounts, as well as any other sites that also use those shared
• It can enable the big social media companies to access data you might not want them
to see, and further expand their profiling of you.
So a good rule of thumb is to avoid using shared credentials and create a unique password
for every website.
Social Media Recommendations
So if you do decide to use social media, here are some recommendations that will help
maintain your privacy and personal information:
• Share as little personal information as possible. Many social networks provide
‘prefer not to disclose’ options to questions like gender, marital status, hobbies,
employer, profession, etc. Whenever given that option, take it. Alternatively, if
they don’t offer such an option, enter bogus information. However, be aware that
if you enter a bogus name: a) you might be violating that social network’s terms
of use; and b) you make it very difficult for your friends or family to find your
profile or verify your identity on that social network.
• Do not upload or associate your profile with an actual photo of yourself. Instead,
leave your profile picture as a default silhouette image, or use a more generic
‘avatar’ (representative profile image) like a flower, a painting, some sports
equipment, or a building.
• As soon as you’ve signed up to a social network, seek out their privacy settings
in the options or tools on the platform’s menus. If you can’t find them yourself,
use Google or another popular search engine to find instructions on how to
tighten up your security settings on that social network.
• Learn the difference between a private message and a more public ‘post’. Private
messages are usually only shared between you and the explicit user(s) who you
are messaging. Posts are generally visible to either all your friends on that
network or to the entire world.
• Don’t post anything that you might regret others seeing in the future. This can be
a tough one to gauge. But when in doubt, leave it out.
• Don’t post anything that contains sensitive information. This includes photos. And
be mindful and respectful of other people in your photos, videos, or messages.
They might not want their information or appearance sent out to other people,
especially people who you know but they might not know.
• Be very selective about who you add or accept as friends on your social
networks. Don’t add strangers or people who are just casual acquaintances.
Don’t add people who are prone to inflammatory or embarrassing outbursts.
Don’t add people who annoy you. Don’t add people who are emotionally unstable
or immature.
• Refrain from making impulse posts or messages. A good tip to assist you here is
to first type your message into Notepad or some other text editor on your
computer. Revise it there, and then sit on it for a day or so. If you still want to post
it after that, then copy the text from Notepad and paste it into the social media
post or message box and submit it.
Section Review
Action Items:
• Only add people to your social network who you know and trust;
• Lock down your privacy settings on all social networks you use;
• Be very careful with what you post on social media.

Anti-Malware and Firewalls & Personal Computer Maintenance

Anti-virus software has been around for a long time, so many users are familiar with it by
now. Its goal is to spot digital viruses that can infect your computer, and block them. A close
sibling to anti-virus software is anti-malware software.
Think of both of these types of software as like antibodies living in your device, vigilantly
monitoring and combating foreign invaders to keep their environment healthy and running
Techie Term:
Anti-malware is a type of software that lives on your computer or mobile device, and guards
it against unwanted invaders that seek to compromise or exploit it.
Anti-Virus versus Anti-Malware
You might be asking: what’s the difference between a computer virus and malware?
Computer viruses can be considered a subset of malware.
• A virus is a piece of unwanted software that is designed to replicate and spread
to many computers, with the end goal being to corrupt or destroy as much data
on the infected computers as possible. Variations of computer viruses include
trojan horses (which appear to be legitimate programs but are not), and worms
(which spread rapidly across local networks, such as home networks, infecting
multiple devices).
• Malware is a piece of unwanted software that surreptitiously infects a computer and then does any number of different nefarious tasks, including: corrupting or destroying data (also known as ‘viruses’), gathering data and sending it over the Internet to hackers, forcing unwanted adverts onto the user (also known as ‘adware’), or holding programs or data hostage until a ransom has been paid to the malware’s authors (also known as ‘ransomware’).
Modern anti-virus software is actually anti-malware software. But because ‘anti-virus’ is
a more commonly-known and understood term, it is often used interchangeably with, or
preferred to, ‘anti-malware’. For accuracy however, we will refer to such software as
‘anti-malware’ from here on.
Choosing Anti-Malware Software
There are many decent anti-malware suites out there. And it’s a big business, so many of
these suites have nice ‘bells and whistles’ (such as web browser activity monitoring, email
activity monitoring, or claims to periodically search a centralized service that looks for your
information on the Dark Net). But understandably, they come at a price – both monetarily
and on the performance of your computer.
If you’re using the Microsoft Windows operating system (version 7 or above), believe it or
not, you have anti-malware software already! Windows Defender is a free default application
that handles a variety of tasks.
To check if you have Windows Defender installed, or to customize it or check on its settings,
click on your Start button in the bottom left corner, and then type in Windows Defender.
Some search results will appear, and if it’s installed the top option should be a clickable
option called Windows Defender Settings.
If you are using Windows 10 and want to see more details regarding Windows Defender,
click on the Open Windows Defender Security Center button. A new window should appear,
and clicking on the Virus & threat protection and the Firewall & network protection headings
on the side will show you a summary of your anti-malware and firewall health.
If you want to feel even more comfortable, you can install one of several free anti-malware
programs. These can work in conjunction with Windows Defender.
• One good option is Malwarebytes –
• Another good alternative is Spybot Search & Destroy –
Anti-malware isn’t just important for desktop computers – it’s also vital for your mobile devices like smartphones and tablets. So make sure you have it installed on those devices too! For mobile users, both Android and iOS have some excellent inexpensive or free anti-malware software.
• For Android, Lookout and Avast Mobile Security are good choices;
• For iOS, MobiShield and Lookout are both good choices.
A firewall is a security barrier that runs in the background on your computer, and monitors
the traffic coming from and going out to the Internet. Firewalls can run on personal
computers or on actual hardware that connects your computer to the Internet. And many
modern routers come with some form of built-in firewall.
Techie Term:
Firewalls are types of software that act as a barrier, protecting your computers and home
network against unwanted invaders.
Again, Windows Defender handles this by default. If you are running a lot of esoteric and
processor intensive programs, you might have to customize the Windows Defender ‘firewall’
settings. But most consumers never need to worry about this. And usually Windows
Defender alerts you if there’s something being blocked by its firewall.
Remember: if in doubt, lock it out! If your firewall software alerts you that another
program is asking for access to something on your computer, or trying to run on your
computer; and you don’t recognize it; play it safe and don’t grant that program access.
Section Review
Action Items:
• If using Windows, make sure Windows Defender is enabled on your computer;
• Optionally use a highly-rated free anti-malware program;
• Install anti-malware software on your mobile devices;
• Pay attention to alerts from your anti-malware or firewall software.
Personal Computer Maintenance
An aspect of online safety that is often ignored – especially when it comes to online security
– is regular maintenance of your personal computer. Like a garden, personal computers
require tending and upkeep. Otherwise they become messy, unsafe, and a haven for
unwanted elements.
Below is some useful information about computers, and some tips on how to keep your
personal computer in good repair. Incidentally, these same tips also apply to other ‘smart’
electronic devices like mobile phones, tablets, and laptop computers.
How a Computer Works
The term computer often refers to the physical machine and additional devices (mouse,
keyboard, monitor, etc.) that you interact with. These devices are also known collectively as
‘hardware’. However, there are also many layers of critical computer software that are
needed for the computer to work.
The cornerstone software for any computer is the ‘operating system’ (sometimes referred to
just as the ‘OS’). Every personal computer uses an operating system to allow users to
interact with it. Without an operating system the computer would just be a useless box that
purrs away on your desk. Microsoft Windows is an example of an operating system. Android
and iOS are also examples of operating systems.
Techie Term:
An operating system is the software that allows you to interact with the computer or device,
and acts as a kind of gate keeper for other software that performs specific tasks on the
In addition to providing an easy way to access the computer, the operating system hosts
other programs (web browsers, word processors, spreadsheet applications, games, etc.). So
the operating system does a lot, and plays a critical role in making your computer useful and
Operating System Patches
Companies that make and distribute operating systems are constantly sending out ‘patches’
to their products. A patch is a free software update that fixes vulnerabilities and bugs that are
found after the operating system is first distributed to users. They also sometimes add new
features to the operating system.
Techie Term:
Patches are small updates to software that fix problems or address security concerns that
weren’t known when the software was released to the public.
You’ve probably noticed pop-up messages on your personal computer notifying you that an
update is available. It can be tempting to postpone applying that patch, because it can
interfere with your daily use of your computer. But it’s very important that you apply these
updates promptly, especially if you are using an older operating system. Once a patch is
published, attackers study it to work out which weakness it fixes, so a computer that has not
yet applied it becomes an easier target than it was before the fix existed.
Evergreen Software
The latest version of Windows (Windows 10) and many other rival operating systems are
considered ‘evergreen’ software. In other words, the operating system actively checks for and
installs new versions by itself, so you don’t have to worry about that. And in theory it should
never grow so old that it becomes obsolete (as, for example, earlier versions of Windows
would do). Many modern operating systems, including Windows 10, are quite aggressive in
applying patches to themselves. So for example, if Microsoft considers a patch to be critical, or
if you drag your heels on applying it for too long, Windows will take matters into its own hands
and apply the patch for you.
The same practice applies to a lot of newer application software too. For example, most
newer web browsers like Firefox and Chrome are considered evergreen software, and will
apply new updates by default. This is a good thing, because it takes the burden of manually
updating your software off you. (Close and reopen the browser now and then, though: most
browsers download an update in the background but only finish installing it when they restart.)
Updating Older Operating Systems
If you are using an older version of Windows (Windows 8, Vista, or earlier), it’s even more
important that you stay on top of operating system updates. Bear in mind, too, that vendors
eventually stop issuing patches for old versions altogether (Microsoft has already ended
support for Windows Vista, Windows 7 and Windows 8), and from that point on every newly
discovered weakness stays open for good. Ideally (if money permits it), upgrade to a brand new
computer that comes with an evergreen operating system.
Or if you’re feeling confident or want to learn something new, another path is to switch over
to an open source operating system, like Linux. For a more detailed definition of what ‘open
source’ means, see the Other Terminology section at the end of this book.
Section Review
Action Items:
• Install operating system updates and patches promptly;
• Seriously consider upgrading to an ‘evergreen’ operating system

Password Best Practices


One area of online security that is often overlooked or misunderstood is password usage.
Passwords are a huge point of attack for online hackers, because so much information can
be acquired once they have one or more of your passwords.
Password Best Practices
Here are some best practices for creating and maintaining secure but usable online
• Make sure your password is at least 10 characters long, and includes numbers,
special characters (#, %, *, !, &, etc.), and both upper-case and lower-case letters
(also known as a ‘strong password’). This variety of characters increases the number
of combinations an attacker has to try when guessing your password;
• Better still, make your password longer and use just uppercase and lowercase
letters (also known as ‘passphrases’). Removing numbers and special characters
might seem to make the password less secure, but the experts who write the
standards in this area (the US National Institute of Standards and Technology,
NIST, in its digital identity guidelines) now recommend length over forced mixes
of character types: a passphrase of 25 letters presents far more combinations
than a password of just 10 characters, numbers, and special characters. In
addition, these longer ‘text-only’ passwords can be easier for you to remember,
because you can string several words together into a ‘pass phrase’. For example:
“MyCatLikesToEatMySlippers”. Note that an attacker will guess whole words, not
letters, so the strength of a passphrase comes from how many words it contains
and how unpredictable they are; four or five unrelated words is a good target.
Just remember to make your passphrase unique and difficult for someone else to
guess, just as you would your passwords;
• Don’t use obvious words for any of your passwords like ‘password’, ‘qwerty’, or
• Don’t use an easily-guessable word like a pet’s name, the website or company’s
name, your street name, etc. for your password;
• Change a password promptly whenever you have reason to think it has been exposed
(a breach notice from the company, a phishing attempt, a lost or stolen device).
Changing every password on a fixed schedule used to be standard advice, but the
current NIST guidance no longer recommends it, because people asked to rotate
passwords tend to pick weaker ones or predictable variations of the old one;
• Use a different password for every single website and online service. While this
can be a hassle to remember them, it means that if one of your accounts is
breached, there is far less risk of the hackers getting into any of your accounts
with other companies or organizations;
• Use a password manager (for example Bitwarden or LastPass) to save your
web-based passwords in one encrypted place on your computer or device. The
manager’s own master password is then the one you must remember, so make it
a long passphrase, and turn on multi-factor authentication for the manager itself
if it offers it. Or if you prefer to go ‘old school’, use a physical password book to
write down all your online passwords, and then place that book near your home
computer, but in a discreet and less noticeable location;
• Make sure every device that can access the Internet is password-protected with
a secure and difficult to guess password – including your router device. Routers in
particular ship with a default administrator password, often one that is the same on
every unit of that model and listed in the manual; change it when you set the router up.
Techie Term:
A passphrase is an alternative to a password that is gradually becoming popular with
some online services. Passphrases are longer than passwords but often contain no numbers
or special characters.
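As an added example (not code from the original guide), here is a small Python script that puts the advice above into numbers: it estimates how many guesses a brute-force attacker faces for a 10-character mix versus a 25-letter passphrase, shows why a passphrase of dictionary words should be measured in words rather than letters, checks a candidate against a blocklist of well-known passwords and against guessable personal words (pet’s name, site name), and generates a random passphrase using the operating system’s cryptographic random source. The blocklist, the word list and the minimum length are constructed sample values, not taken from the page or from any standard.

```python
import math
import re
import secrets
import string

# Constructed sample blocklist. Real services compare against millions of leaked passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "iloveyou", "welcome", "admin"}

# Constructed sample word list. A real generator draws from thousands of words
# (a standard 'diceware' list has 7776 entries).
SAMPLE_WORDS = ["cat", "slipper", "marble", "orchard", "thunder", "velvet", "lantern", "pebble"]


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Guessing work if every character were random: length * log2(alphabet size).
    This is the 'strong password' view; it overstates passwords built from dictionary
    words, which is what passphrase_bits is for."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """For a passphrase of dictionary words an attacker guesses whole words, not letters,
    so the strength comes from the number of words and the size of the list they came from."""
    return word_count * math.log2(dictionary_size)


def check_password(password: str, context_words=(), min_length: int = 10) -> list:
    """Return the problems found, following the rules in the list above."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Crude normalisation: 'Password1!' -> 'password'. It catches the obvious variants
    # but not leetspeak; a real checker would also use a far larger list.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_PASSWORDS:
        problems.append("a well-known password")
    for word in context_words:  # pet's name, website name, street name, ...
        if len(word) >= 3 and word.lower() in password.lower():
            problems.append(f"contains the guessable word '{word}'")
    return problems


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Pick words with the OS cryptographic random source (secrets), never random.choice()."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("10-char mix      :", round(brute_force_bits("P@ssw0rd!1")), "bits")
    print("25-letter phrase :", round(brute_force_bits("MyCatLikesToEatMySlippers")), "bits")
    print("5 diceware words :", round(passphrase_bits(5, 7776)), "bits")
    print(check_password("password1", context_words=["fluffy"]))
    print(generate_passphrase(SAMPLE_WORDS))
```

The two estimates make the trade-off visible: five random words from a 7776-word list give roughly the same guessing work as a random 10-character mix of every character type, and are far easier to remember, but a passphrase whose words are a well-known phrase or are all about your cat gives the attacker much less than that.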
Lost Password Retrieval
If a company sends you your password in an email that’s a big red flag! If you lose your
password and follow a ‘forgot password’ link on the company’s website, they should send
you an email with a long complicated link in it. Clicking on this link will prompt you to select a
new password. This is a much more secure approach to password retrieval, because:
• It implies the company is storing your password in a very secure way – ideally
as a one-way ‘hash’ from which the original cannot be recovered, so that they
cannot even tell you what your password is and have to ask you to select a new
one. A company that can email you your password is storing it readably, and so
could a thief who breaks into their systems;
• It also implies that the company takes online security, and your information with
them, very seriously.
A well-built reset link also stops working after a short time, and after it has been used once,
so that someone who comes across the email later cannot use it.
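To make the two points above concrete, here is an added Python example (not code from the original guide, and not any particular company’s implementation) of the server side of a proper ‘forgot password’ flow: passwords are stored only as salted PBKDF2 hashes, so the site genuinely cannot tell you your password, and the emailed link carries a random token that is itself stored only as a hash, expires after a short time, and can be redeemed exactly once. The iteration count, the 15-minute lifetime and the in-memory store are illustrative choices.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Illustrative settings (assumed, not from the original page). OWASP's password storage
# guidance currently suggests 600,000 iterations for PBKDF2-HMAC-SHA256; fewer here so
# the example runs quickly.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_LIFETIME = 15 * 60  # seconds: a reset link should die quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored; the password itself never is,
    so it cannot be emailed back to anyone."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the offered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ResetTokenStore:
    """Issues the 'long complicated link' tokens. The store keeps only SHA-256(token), so a
    copy of the database does not let an attacker reset other people's passwords."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                                    # injectable clock for testing
        self._tokens: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)                  # 256 random bits: unguessable
        key = hashlib.sha256(token.encode("ascii")).digest()
        self._tokens[key] = (user, self._now() + RESET_TOKEN_LIFETIME)
        return token                                       # this goes into the emailed link

    def redeem(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None. Single use: the entry is removed
        whether or not it is still valid."""
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self._tokens.pop(key, None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self._now() <= expires_at else None


def reset_password(store: ResetTokenStore, users: Dict[str, Tuple[bytes, bytes]],
                   token: str, new_password: str) -> bool:
    """The page behind the link: only a valid, unexpired, unused token may set a new hash."""
    user = store.redeem(token)
    if user is None:
        return False
    users[user] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("MyCatLikesToEatMySlippers")}
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print("reset accepted:", reset_password(store, users, link_token, "NewUniquePassphraseHere"))
    print("reuse accepted:", reset_password(store, users, link_token, "again"))
    print("login works   :", verify_password("NewUniquePassphraseHere", *users["alice"]))
```

The same structure is why a company that asks you to pick a new password is telling you something: with only the salt and digest on file, the ‘send me my password’ option is not merely bad practice, it is impossible.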
On a side note, if you receive an unsolicited and unexpected email from a company you
use prompting you to click on a link to change your password, this might be a sign that
someone is trying to gain unauthorized access to your account with that company. Or it
might be a phishing attempt (as we discussed earlier). Either way, it might be a good
idea at this point to update your password with that company. But do not use the link in
the email to do it: open the company’s website (or its app) yourself and change the
password from there.
Section Review
Action Items:
• Use a unique and difficult-to-guess password or passphrase for each website that you
log into;
• Change any password promptly if you suspect it has been exposed;
• Don’t trust websites that email you your forgotten password as plain text.

Multi-Factor Authentication

What is Multi-Factor Authentication:
The term multi-factor authentication sounds very technical and probably a bit overwhelming.
But essentially it means “verifying who you are in two or more ways”. You will also hear it
called ‘two-factor authentication’ (or 2FA), which is the most common case; ‘multi-factor’ is
the general term, reflecting the idea that you might be required to provide more than just two
pieces of evidence to prove your identity. The ‘factors’ are different kinds of evidence:
something you know (a password), something you have (your phone or a small security key),
and something you are (a fingerprint or your face). Two pieces of the same kind, such as a
password plus a security question, do not count as two factors.
Techie Term:
Multi-factor authentication is a strategy through which online companies verify you are you
and not someone pretending to be you. This is done by proving your identity in two or more
Use of multi-factor authentication is becoming more and more common in today’s society, as
companies seek ways to combat identity theft, data loss, and unwanted expenses due to
reimbursements to consumers.
Multi-Factor Authentication Examples
Here are a few features you will commonly meet when logging in to websites that use
multi-factor authentication. Note that only the third one is actually a second factor; the first
two are features of the login page that often appear alongside it:
1. The website will prompt you for your username on one page, and then your
password on a second page. On its own this does not add a factor; websites do it
mainly so that, once they know who is logging in, they can decide which login
method or second factor to ask you for next;
2. In conjunction with example #1 above, before asking for your password after
collecting your username, the website might display an image you chose and/or a
unique phrase that you chose during enrollment in their online service. This
allows you to verify that you did, in fact, enter your username correctly (and didn’t
‘fat-finger’ it), before proceeding with your password. (It was also meant to prove
to you that you are on the real website, but a fake site can simply fetch your image
from the real one, so don’t rely on it for that.)
3. After entering your username, the website might send you a text message on
your mobile phone with a short authentication code. Then on the second page
where you are asked to enter your password, you will also be asked to enter the
authentication code that was just sent to you. This allows the website to reduce
the risk of a hacker impersonating you, because they’d also have to have your
mobile phone on hand. A code generated by an ‘authenticator’ app on your phone,
or a small hardware security key, is stronger than a text message, because
criminals have been known to talk mobile carriers into moving a victim’s phone
number onto their own SIM card; if the website offers either of these, prefer it.
These authentication codes usually expire after five or ten
Techie Term:
Fat-fingering happens when you enter information via a keyboard or touch screen and
unwittingly enter an incorrect letter or character.
Essentially, if a company says they use multi-factor authentication, you can feel more
comfortable that they take data security more seriously. And if they offer you a chance to use
multi-factor authentication, you should do so for your own protection.
Section Review
Action Items:
• Make use of multi-factor authentication whenever you can;
• Put more faith in companies that offer multi-factor authentication

Social Engineering

Social engineering is an increasingly common form of attack. And in many ways it is the
most dangerous and under-appreciated method of exploiting consumers for their sensitive
information. But in truth, social engineering is usually used as a type of glue to connect
multiple other forms of attack, or as the final step in gathering detailed information. In effect,
it allows more shallow and opportunistic data theft methods to be amplified with deeper and
more tangible sensitive information

Techie Term:

Social engineering is the psychological or emotion manipulation of people, with the end goal
being to exploit them for information

Unlike many other types of hacking, social engineering doesn’t focus primarily on electronic
devices or digital networks, although they can still be utilized as a means to an end. Instead,
social engineering focuses on human interactions. Social engineering relies on
psychological and emotional deception, with attackers attempting to trick their victims into
disclosing their sensitive information under false pretenses.

Techie Term:

Hacking is the general practice of someone gaining access to a computer system or data
repository, with the intent of taking control or gaining sensitive information therein.

Social engineers use a few different channels to exploit their victims. These are outlined
This involves sending an email to the victim under false pretenses. Phishing emails (which
are a form of email ‘spam’ or junk email) will usually appear to be coming from a trusted
company that the victim does business with. However, phishing emails are fake. While there
are often subtle signs that can be used to identify a phishing email, it can often be difficult to
discern them.
Techie Term:
Phishing is the practice of sending fraudulent emails which appear to come from a company,
with the intention of tricking the recipient into unwittingly providing the impostor with
Two closely-related concepts to phishing are spearphishing and pharming

  • Spearphishing is a more targeted email attack, in which the email is much moretailored to your tastes and preferred websites and interests, because the senders havespent more time researching your social media and online presence;
  • Pharming is the use of a fake website or file that tricks a user into entering their credentials (username and password). These credentials are sent to the hacker and are then used to access the user’s account on the real website.

Common signs of a phishing email include one or more of the following:

  • They purport to be coming from a company you do not have an account with;
  • They can contain typos, grammatical errors, or poorly-formed sentences;
  • They can contain stretched or poor-quality embedded images (including company logos);
  • They try to instill a false sense of urgency or fear-monger to coerce the reader into rash actions;

• They make unbelievably good offers with regards to services or products;
• The email asks you to respond with sensitive information, such as passwords,
driver’s license numbers, government issued identification numbers, credit card
information, or bank information;
• They can contain suspicious attachments that might be infected with viruses or
other malware. Popular file attachment types are Adobe PDF documents, Word
documents, PowerPoint presentations, or Excel spreadsheets;
• They can contain links that appear to point to the company’s website, but which
actually point to bogus websites (also known as pharming); †
• The name in the email’s from address does not match the name in the email
signature or the email body;
• The email urges you to reply via a personal email address (for example:,,,, etc.);
• Your email client or your anti-virus software might visually flag the email as
suspicious. Be attentive to any such warnings.
Meanwhile, common signs of a spearphishing email include one or more of the following:
• They purport to be coming from a company with which you do have an account or an
existing relationship;
• They mention your full name, first name, or an username you recognize;
• They will almost certainly contain links that appear to point to the company’s website,
but which actually point to bogus websites (also known as pharming); †
• They might still contain suspicious attachments that might be infected with viruses or
other malware. Popular file attachment types are Adobe PDF documents, Word documents,
PowerPoint presentations, or Excel spreadsheets;
• Your email client or your anti-virus software might visually flag the email as
suspicious. Be attentive to any such warnings.
† Fraudulent links can usually be determined by floating over them with your mouse
cursor (but without clicking on them!) Most email clients will display the actual link in
floating text or in a status bar at the bottom of the client. For example, in the below
screenshot, floating over a “Shop Now” link purporting to be from a popular clothing
company, reveals that the link in fact goes to a very suspicious-looking website.

Some good strategies for dealing with phishing emails – and with junk mail/spam in general
– include:
• Don’t open emails that you email program has flagged as being spam/junk, even
if you recognize the sender;
• Don’t open any attachments that are sent in such emails;
• Don’t respond to such emails.
Phone Calls
Social engineers often call their victims on the phone and pretend to represent a company or
organization that the victim has an established relationship with. They almost always sound
personable and cordial, but also speak with assurance and confidence.
The perpetrator may try to rattle the victim with warnings and threats, and thus alarm them
into taking a rash course of action. Or they may sound downright blasé or relaxed, so as to
lull the victim into a false sense of security.
It’s worth noting that social engineers are not always direct in their questions. And so you
might feel that their questions are trivial or few in number. But this can be a common
strategy by social engineers. They might not ask you for a lot of information up-front. They
might slowly chip away at you with questions over a period of weeks or months, so as not to
arouse suspicion. Their goal is to slowly build a profile of your activity and social profile. And
usually they are in no big rush to do this, because they know that keeping you oblivious of
their goals is more effective than possibly alerting you that someone is trying to exploit you.
Do not be afraid to grill the caller with questions! But be careful not to give away or verify
any personal information they are asking about. If in doubt, hang up and follow the steps
listed under the Responding to Suspected Social Engineering Attempts section of this book.
Signs of an inbound social engineering phone call include:
• The call is not expected by you;
• The caller asks you to confirm sensitive information, such as passwords, driver’s
license numbers, NI numbers, credit card information, or bank information;
• The caller asks probing questions about your account, lifestyle or;
• The caller is vague or evasive in responding to any questions you ask;
• The caller outright refuses to explain why they are calling;
• The caller tries to flatter you by telling you that you have won a prize or are
needed for an important or secret project.
Letters and Faxes
The use of faxes and postal letters for social engineering has slowly diminished over the
years. But they are still sometimes used by social engineers as a way to manipulate you into
something you will regret.
Many of the same safeguards apply here as with social engineering emails:
• They try to instill a false sense of urgency or fear-monger to coerce the reader
into rash actions;
• They try to entice you into responding by telling you that you have won a prize;
• They urge you to contact a company you have an established relationship with
via a suspicious-looking website, email address, or phone number.
• The letter comes from outside the country, or from a location that does not seem
to fit with the purported company;
• The letter comes from a company you have never heard of;
• The paper stock is poor quality;
• The letter contains typos, grammatical errors, or poorly-formed sentences;
• The letter contains a skewed, distorted, or poor-quality company logo in its
Reacting to Social Engineering
It’s also worth noting that a social engineer might try to make their attack seem more
authoritative by combining multiple forms of media. For example, they might send an email
and then call you. Or they might send a letter and then call you. So don’t assume that just
because an individual claiming to represent a company communicates with you in multiple
ways that it is necessarily legitimate.
Ultimately, if you are suspicious in the slightest that a communication might be an attempt at
social engineering, follow the steps below:
1. Hang up or do not respond to the communication.
2. Look up a customer service number for the company on a form of media you
know is legitimate. You can use an old statement that you are confident was
valid; or you can your browser and go to the company’s website (either via
Google and clicking on one of the first non-advert-driven results, or by handtyping the address into the address bar), rather than following a link that was sent
to you.
3. Contact the company at a verified phone number and verify that they contacted
you recently, or confirm the story the original caller told you.
Post-Hack Advice
If you do become the victim of a social engineering hack or data breach – in other words if
you believe a social engineer may have gained access to your financial assets or other
sensitive information – it’s important to realize that it is not a sign of naivete or stupidity. It
can happen to anyone, regardless of how tech savvy or vigilant you are.
The important thing is to put any embarrassment aside and take action immediately to gain
control over your information and assets. The first step to doing this is to report the breach to
the authorities.
• US-based users can report fraud and data breaches to one of several Federal
agencies and bureaus, depending on the scope and nature of the crime. More
information can be found at this website:
• UK-based users can report fraud and data breaches to the National Fraud &
Cyber Crime Reporting Centre. Their relevant web page is:
• Canada-based users can report fraud and data breaches to the Canadian AntiFraud Centre. Their relevant web page is:
The longer you wait, the less likely you are to get any losses back, and the greater the
chances are for your other online accounts to be compromised.
Here are some steps to immediately take if you believe you have been hacked by social
• Immediately report the suspected hack to any of your banks, credit card
companies, or other financial institutions that you think may have been impacted.
They will probably have you close any existing accounts and open new ones.
• Do not respond to any more emails from the parties who you believe have
hacked you.
• File a police report.
• Make sure your anti-malware software is up-to-date (by opening it via the system
tray icon in the bottom right corner of Windows), and run a full scan.
• Contact the national credit bureaus and have a temporary freeze put on your
profiles with them.
Combating Persistent Hack Attempts
If one or more of you’re accounts have been compromised a couple of times, you might find
that you are receiving an increasing number of suspicious emails.
Sadly, this can be an indication that your email address has found its way onto what is
referred to as a sucker’s list. Though the term “sucker’s list” predates the Internet by several
decades, it has found a new lease on life in the digital age.
Techie Term:
In the context of hackers, a Sucker’s List contains the information (for instance, email
addresses) of people who have fallen for a scam in the past and might be vulnerable to future
Ultimately, if you are receiving an increasing number of fraudulent emails (as outlined in
the Phishing section), it might be time to consider creating a whole new email account,
migrating all your legitimate contacts over to it, and abandoning the old account.
Section Review
Action Items:
• Be cautions clicking on links or attachments in emails;
• Be suspicious of strangers with unbelievable offers or who try to pressure you;
• Verify any unusual requests from people claiming to represent a company;
• If you are hacked, report it to authorities and affected companies immediately.