We're high up in the Gherkin in the City of London and Garry Sidaway, director of security strategy at Integralis, a firm which advises government agencies, pharmaceutical and financial services multinationals, is giving my computer a security MOT. He thinks we Britons are an overly trusting lot. Sitting ducks for an armada of hackers, who are every bit as focused on stealing our data as we are relaxed about storing it. Enabled by the sharing culture on social media — and with ever more sophisticated malicious software known as malware at their disposal — cybercriminals have become far more adept at crafting attacks and targeting individuals and organisations.
A recent example of the latter was malware disguised as a security warning from Microsoft's digital crimes unit. Typically, these so-called "man-in-the-middle" attacks (for banking malware that sits inside the browser, the more precise term is "man-in-the-browser") install colourfully named Trojans, pieces of malware such as Zeus, SpyEye or Citadel, on the victim's computer, where they can tamper with online banking transactions, among other things.
"Initially, man-in-the-middle attacks went after the passwords used in authentication; the criminal would wait until you had finished before using the credentials they'd just gathered. This is why banks brought in one-time passwords or codes," he says. The attacks have moved on: once the user thinks they've logged out, the attacker can make payments using the still-open session, and the victim sees no change to their balance until the next time they log on.
This is partly why banks have rolled out card readers, which must be used to confirm payments to new payees.

Never click on a link you did not expect to receive

The golden rule. The main way criminals infect PCs with malware is by luring users into clicking on a link or opening an attachment.

Use different passwords on different sites

With individuals typically running a great many online accounts, the tendency has become to share one or two passwords across accounts, or to use very simple ones such as loved ones' names, first pets or favourite sports teams.
Any word found in the dictionary is easily crackable. Instead, says Sian John, online security consultant at Symantec, have one memorable phrase or a line from a favourite song or poem, and add numerals and a special character to it. Then, for every site you log on to, add the first and last letter of that site's name to the start and end of the phrase, so the password for Amazon would be the phrase with an "A" in front of it and an "n" after it.
At first glance, unguessable. But for you, still memorable. The catch: the passwords differ only in their first and last characters, so anyone who obtains one of them, for instance from a breached site, can read off the phrase and guess the rest. A password manager that generates an unrelated random password for each site does not have that weakness.

Never reuse your main email password

A hacker who has cracked your main email password has the keys to your [virtual] kingdom. Passwords for the other sites you visit can be reset via your main email account, and a criminal can trawl through your emails and find a treasure trove of personal data.

Use anti-virus software

German security institute AV-Test counted 49m new strains of malware in a single year, meaning that anti-virus software manufacturers are engaged in a constant game of "whack-a-mole".
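To make the weakness concrete, here is an added example (not from the article or from Symantec) that implements the per-site derivation described above in Python and then plays the attacker: given a single leaked password and the site it came from, it recovers the phrase and derives the victim's passwords for other sites. The base phrase and site names are constructed for the demonstration; the random-password helper shows the alternative a password manager gives you.

```python
import secrets
import string

# Constructed example phrase for the demonstration; the article's own phrase is
# not reproduced here.
BASE_PHRASE = "Th3Qu1ckBrownF0x!"


def derive_site_password(base_phrase: str, site: str) -> str:
    """Build a per-site password the way the article describes: the first letter
    of the site name goes in front of the phrase and the last letter after it."""
    name = site.strip().lower()
    if not name:
        raise ValueError("site name required")
    return name[0].upper() + base_phrase + name[-1]


def recover_phrase(leaked_password: str, leaked_site: str) -> str:
    """What an attacker does with ONE leaked password: if it fits the pattern for
    the site it came from, peel off the two wrapper letters to get the phrase."""
    name = leaked_site.strip().lower()
    fits = (len(leaked_password) > 2
            and leaked_password[0] == name[0].upper()
            and leaked_password[-1] == name[-1])
    if not fits:
        raise ValueError("password does not follow the scheme for this site")
    return leaked_password[1:-1]


def guess_other_sites(leaked_password: str, leaked_site: str, sites) -> dict:
    """Turn one breach into credentials for every other site the victim uses."""
    phrase = recover_phrase(leaked_password, leaked_site)
    return {s: derive_site_password(phrase, s) for s in sites}


def random_password(length: int = 20) -> str:
    """What a password manager does instead: an independent random password per
    site, so one leak says nothing about the others."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    amazon = derive_site_password(BASE_PHRASE, "Amazon")
    print("Amazon password:", amazon)
    # A breach at one shop exposes the pattern, and therefore everything else.
    print(guess_other_sites(amazon, "Amazon", ["ebay", "gmail", "facebook"]))
    print("independent:", random_password(), random_password())
```

The point of `guess_other_sites` is that the attacker needs no cracking at all: the scheme is the secret, and the scheme is visible in any one password.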
Much like flu viruses and vaccine design, it takes the software designers a while to catch up with the hackers. Last year AV-Test published the results of a months-long study of 27 different anti-virus suites; the top-scoring packages were Bitdefender, Kaspersky and F-Secure.
If in doubt, block

Just say no to social media invitations such as Facebook-friend or LinkedIn connection requests from people you don't know.
It's the cyber equivalent of inviting the twitchy guy who looks at you at the bus stop into your home.

Think before you tweet and how you share information

Again, the principal risk is ID fraud. Trawling for personal details is the modern-day equivalent of "dumpster-diving", in which strong-stomached thieves would trawl through bins searching for personal documents, says Symantec's John.
Once that information is out there, you don't necessarily have control of how other people use it.

If you have a "wipe your phone" feature, you should set it up

Features such as Find My iPhone, Android Lost or BlackBerry Protect allow you to remotely erase all your personal data should your device be lost or stolen. Even if you didn't have the foresight to sign up, many wipe-your-phone features can be set up after the fact.

Only shop online on secure sites

Before entering your card details, always ensure that the locked padlock or unbroken key symbol is showing in your browser, cautions industry advisory body Financial Fraud Action UK.
Additionally, the beginning of the online retailer's internet address will change from "http" to "https" to indicate that the connection is encrypted. Be wary of sites that change back to http once you've logged on: a session cookie issued after login that is then sent over plain http can be read off the network, and with it your logged-in session. Note, too, that the padlock confirms only that the connection is encrypted, not that the site at the other end is honest.

Don't assume banks will pay you back

Banks must refund a customer if he or she has been the victim of fraud, unless they can prove that the customer has acted "fraudulently" or been "grossly negligent".
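An added example, not from the article or from Financial Fraud Action UK, of the check a practitioner would run on such a downgrade. It takes a constructed login exchange (hypothetical host shop.example, made-up cookie values) and reports an https-to-http redirect, a session cookie issued without the Secure flag, and the absence of a Strict-Transport-Security header, alongside a hardened version of the same exchange that passes clean.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed exchange: the responses a browser might receive when logging in to a
# shop and then being sent to the account page. Not captured from any real site.
WEAK_SESSION = [
    ("https://shop.example/login", {
        "Set-Cookie": "session=abc123; Path=/; HttpOnly",
        "Location": "http://shop.example/account",
    }),
    ("http://shop.example/account", {}),
]

# The same flow done properly: Secure cookie, https redirect, HSTS on every page.
HARDENED_SESSION = [
    ("https://shop.example/login", {
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
        "Strict-Transport-Security": "max-age=31536000",
        "Location": "https://shop.example/account",
    }),
    ("https://shop.example/account", {
        "Strict-Transport-Security": "max-age=31536000",
    }),
]


def cookie_flags(set_cookie_header: str) -> dict:
    """Map each cookie name in a Set-Cookie header to its Secure/HttpOnly flags."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: {"secure": bool(m["secure"]), "httponly": bool(m["httponly"])}
            for name, m in jar.items()}


def audit_session(exchange) -> list:
    """Walk the responses in order and report the ways a post-login downgrade to
    plain http exposes the session."""
    findings = []
    cookies = {}  # cookies the browser now holds, with their flags
    for url, headers in exchange:
        scheme = urlsplit(url).scheme
        if "Set-Cookie" in headers:
            for name, flags in cookie_flags(headers["Set-Cookie"]).items():
                cookies[name] = flags
                if not flags["secure"]:
                    findings.append(f"{url}: cookie {name!r} lacks the Secure flag")
        location = headers.get("Location", "")
        if scheme == "https" and location.startswith("http://"):
            findings.append(f"{url}: redirects to plain http ({location})")
        if scheme == "https" and "Strict-Transport-Security" not in headers:
            findings.append(f"{url}: no Strict-Transport-Security header")
        if scheme == "http":
            # A browser sends every non-Secure cookie on a plain-http request,
            # so the session token crosses the network unencrypted here.
            exposed = sorted(n for n, f in cookies.items() if not f["secure"])
            if exposed:
                findings.append(f"{url}: sent over plain http with cookies {exposed} in the clear")
    return findings


if __name__ == "__main__":
    for label, exchange in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        print(label, audit_session(exchange) or "no findings")
```

The Secure flag and the https-only redirect are what actually stop the downgrade from leaking the session; the HSTS header makes the browser refuse plain http for the host in future even if a link or a network attacker tries to force it.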
Yet as with any case of fraud, the matter is always determined on an individual basis. Under payment services regulations, the onus is on the payment-service provider to prove that the customer was negligent, not vice versa.
Credit card purchases are covered by the Consumer Credit Act, which offers similar protection.

Ignore pop-ups

Pop-ups can carry malicious software, or trick a user into "verifying" something they shouldn't.
Always ignore pop-ups offering things like site surveys on e-commerce sites, as they are sometimes where the malcode is.

Be wary of public Wi-Fi

Most Wi-Fi hotspots do not encrypt information, and once a piece of data leaves your device headed for a web destination it is "in the clear" as it transfers through the air on the wireless network, says Symantec's Sian John.
"If you choose to bank online on public Wi-Fi, that's very sensitive data you are transferring. We advise either using encryption [software], or only using public Wi-Fi for data which you're happy to be public, and that shouldn't include social network passwords."

Run more than one email account

Think about having one for your bank and other financial accounts, another for shopping and one for social networks. If one account is hacked, you won't find everything compromised. And it helps you spot phishing emails, because if an email appears in your shopping account purporting to come from your bank, for example, you'll immediately know it's a fake.
It's true that Macs used to be less of a target, simply because criminals used to go after the largest number of users (ie Windows), but this is changing.

Don't store your card details on websites

Err on the side of caution when asked if you want to store your credit card details for future use.
Mass data breaches in which card details are stolen wholesale do happen, so why take the risk? The extra 90 seconds it takes to key in your details each time is a small price to pay.

Add a DNS service to protect other devices

A DNS (domain name system) service converts a web address (a series of letters) into a machine-readable IP address (a series of numbers).
A filtering DNS service, one that refuses to resolve domains known to host malware or phishing pages, protects every device on the network that uses it. But it shouldn't be relied upon as the only line of defence, as it can easily be bypassed: malware can query a different resolver, or connect straight to a hard-coded IP address without any DNS lookup at all.

Enable two-step verification

If your email or cloud service offers it (Gmail, Dropbox, Apple and Facebook do), take the trouble to set this up. In addition to entering your password, you are also asked to enter a verification code sent via SMS to your phone.
In the case of Gmail you only have to enter a fresh code every 30 days, or when you log on from a different computer or device. So a hacker might crack your password, but without the unique and temporary verification code they should not be able to access your account. Where the service offers it, an authenticator app that generates the codes on the phone itself is preferable to SMS, since text messages can be intercepted or redirected to a SIM the attacker controls.
Lock your phone and tablet devices

Keep it locked, just as you would your front door. Keying in a password or code every time you pick the device up might seem like a hassle but, says Lookout's Derek Halliday, "It's your first line of defence."

Be careful on auction sites

On these sites in particular, says Symantec's Sian John, exercise vigilance.
Lock down your Facebook account

Facebook regularly updates its timeline and privacy settings, so it is wise to monitor your profile, particularly if the design of Facebook has changed. Firstly, in the privacy settings menu, review the "who can see my stuff?" section. Secondly, also under privacy, the "limit old posts" setting applies friends-only sharing to past as well as future posts.
Thirdly, disable the ability of other search engines to link to your timeline. You should also review the activity log, which shows your entire history of posts and allows you to check who can see them. Similarly, you should look at your photo albums and check you're happy with the sharing settings for each album. In the future you may want to consider building "lists" — subsets of friends, such as close friends and family, who you might want to share toddler photographs with, rather than every Tom, Dick and Harriet.
Also, remove your home address, phone number, date of birth and any other information that could be used to fake your identity. Similarly, you might want to delete or edit your "likes" and "groups": the more hackers know about you, the more convincing a phishing email they can send you.
Facebook apps often share your data, so delete any you don't use or don't remember installing. Finally, use the "view as" tool to check what the public, or even a particular individual, can see on your profile, then edit and adjust to taste.
If this all sounds rather tedious, you just might prefer to permanently delete your account.

Remember you're human after all

While much of the above consists of technical measures to stop you being hacked and scammed, hacking done well is really the skill of tricking human beings rather than computers, preying on gullibility and taking advantage of our trust, greed or altruistic impulses. Human error is still the most likely reason why you'll get hacked.