Showing posts with label Cyber Hygiene. Show all posts

Thursday, January 9, 2025

Online Safety Tips

This blog is intended for both general and technical audiences. While the tips outlined below are basic things everyone should already be aware of, following as many of them as possible will significantly reduce your risk of becoming an online victim. First, using common sense is your primary line of defense in staying safe online. Trust your instincts, be cautious of unfamiliar websites or emails, and think twice before sharing personal information on social media. Common sense can go a long way in protecting you online. In addition to using common sense, adhere to the following guidelines to enhance your online safety.

  • Passwords: Use long and complex passwords and change them regularly. If the website allows passphrases, use those instead of passwords with special characters that are hard to remember. For example, a passphrase like "Jade Owl Loop Zinc Moon" is easy to remember but much harder to crack. You can opt-in for passkeys when offered, but don’t be fooled into thinking passkeys will solve all your password problems; they won’t. Read this blog (https://blog.selvansoft.com/2025/01/passkey-practical-or-premature.html) which explains why.
  • Multi-Factor Authentication (MFA): Wherever possible, use more than just a password to secure your accounts, commonly referred to as two-factor authentication (2FA). Most websites provide multiple options for MFA these days. Always choose an OTP authenticator or hardware key-based authenticator if those options are offered and avoid SMS-based 2FA at all costs.
  • Account Recovery: It is very important to set up account recovery for your Gmail, Apple, and Microsoft accounts. Make sure account recovery is set up with recovery codes, your phone, and most importantly, a different email that you never use for anything else but account recovery.
  • Web browsing: Always ensure the website you visit uses the HTTPS protocol, especially when entering sensitive information. While all modern browsers enforce this and provide warnings, be attentive to these warnings and refrain from using any website that does not use HTTPS protocol or, worse, provides a mismatched SSL certificate, which is a red flag for a phishing attempt.
  • Online Banking: Before logging in to your banking website for financial transactions or to review your bank statement, close all tabs in your browser. If you are particularly cautious, temporarily disable any browser plugins you may have installed, which you can turn back on later. When you are logged in to your banking website, do not do anything else, such as performing a Google search, browsing Facebook, Instagram, or any other sites. Specifically, avoid reading emails or, worse, clicking on a link your buddy sent you to "check it out." Once you are done with your online banking, make sure to log off. Many secure banking websites these days do protect you by logging you off automatically. However, don’t rely on them because there are still some online banking websites that don’t properly log you out in a reasonable time or, worse, don't do anything.
  • Public Wi-Fi: When using public Wi-Fi, avoid logging into sensitive accounts or performing financial transactions. It's safer to wait until you're on a trusted network. This applies even to smartphones, as they are on a wireless data network shared by thousands of devices.
  • Enable Firewall: Ensure your device's firewall is enabled. Most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private.
  • DNS: Don’t use the default DNS servers provided by your ISP (Internet Service Provider). Instead, use any of the following DNS servers: 1.1.1.1, 8.8.8.8, or 9.9.9.9. You can follow this link (https://www.tomsguide.com/us/cloudflare-dns-1.1.1.1-set-up,news-26964.html) that walks you through how to change DNS on various devices.
  • Antivirus and Anti-malware Software: Keep them updated to protect your device from threats.
  • Phishing Scams: Be skeptical of emails or messages with links or attachments that urge immediate action or ask for personal information. If it sounds too good to be true or creates a sense of urgency, it's likely a scam.
  • Installing Software: Only download and install software from reputable sources. Avoid pirated software and gaming cheat codes, as they almost always contain malware and viruses.
  • Software Update: Regularly update your operating system, browsers, antivirus definitions and apps to protect against security vulnerabilities.
  • App Permissions: Check the permissions granted to apps and revoke any that are unnecessary.
  • Personal Information Sharing: Be mindful of what personal information you share online. Don’t overshare on social media and be wary of websites or services asking for more information than necessary.
  • Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions.
  • Credit Freeze: Add a credit freeze to all major credit bureaus. There is no need for your credit report to be in an "unlocked" status unless you are applying for a loan, bank account, credit card, etc., which you don’t do every day. So, why does it need to be in an "unlocked" status? When you need it, you can unlock your credit report, get your business done, and lock it back. Follow this blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) that walks you through the credit freeze process.
  • Backup: Regularly back up your data to an external hard drive or a cloud service.
  • Educate Yourself: Stay informed about the latest cybersecurity threats and how to protect yourself. There are a lot of useful cybersecurity FAQs documented in this blog (https://blog.selvansoft.com/2024/09/cybersecurity-faq.html).
  • Trust Your Gut: If something feels off or too good to be true, it probably is. Your intuition can be a powerful tool in staying safe online.

Thursday, January 18, 2024

Is your computer compromised?

Easy way to check if your computer is/was compromised now or in the past

With the recent addition of the Naz.API dataset (a massive collection of over 1 billion stolen usernames and passwords) to the HIBP service ("Have I Been Pwned", a service by troyhunt.com), it is now very easy to check whether your computer is, or was in the past, compromised by information-stealing malware.

Go to the HIBP service at https://haveibeenpwned.com, enter your e-mail (don’t worry, it is 100% safe) and check the search results. The results may span several pages, so make sure to scroll down and check all the breaches in which your email is listed as compromised. Keep in mind that it is not at all unusual to see your email show up in multiple breaches. For example, see the screenshot below of my own email search.

As you scroll through the list, check if your email is listed for Naz.API. If your email was one of the unfortunate ones to be included in the Naz.API list, it is a clear indication that your computer is or was compromised and information was stolen. The very least you can do is make sure your current password is not included in the list. There are a couple of ways you can check. Some password managers, 1Password for example, can check all your passwords against the HIBP database. If you don’t use any tool that supports checking your passwords against the HIBP database, you are welcome to use the PHP script from my GitHub repo below, which does the same thing. The only caveat is that it checks one password at a time against the HIBP database, so you have to repeat it for each of your passwords.

How to run: If you are on a Mac or Linux, you can run the script directly with the two commands shown below. If you are on Windows, you have to install PHP, curl, etc. first, which is beyond the scope of this blog.

curl -s https://raw.githubusercontent.com/aselvan/scripts/master/security/pwned_password.php -o /tmp/pwned_password.php
php /tmp/pwned_password.php

If you are unfortunate enough to have your password listed in HIBP according to the tools (1Password, my script, or any other that checks your password against HIBP), and it is one of your current passwords, change it ASAP and enable 2FA if that’s not already in place. If your current password is not found, it means an old password you used in the past was compromised. Still, it is a good idea to change all your passwords ASAP.
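The check the script above performs, written here as an added Python example (not the blog's PHP script) against the public HIBP Pwned Passwords "range" API: only the first 5 hex characters of the password's SHA-1 hash are sent, and the full hash is matched locally, which is why the password itself never leaves your machine. The sample range response and its counts are constructed so the offline demo runs without network access.

```python
# Added example, not the blog's PHP script: the same single-password HIBP
# check, using the public Pwned Passwords "range" API (k-anonymity). Only
# the first 5 hex chars of the SHA-1 hash are sent; matching happens locally.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like ("SUFFIX:COUNT"
# per line); the counts are made up for the offline demo below.
SAMPLE_RANGE = (
    "D09CA3762AF61E59520943DC26494F8941B:37359195\r\n"
    "D0A4A0E9D6B5C1F2B3A4D5E6F708192A3B4:3\r\n"
)

def hash_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(range_body, suffix):
    """Return the breach count for `suffix` in a range response, 0 if absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Download every known suffix sharing `prefix` (the only data sent to HIBP)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password):
    """Live check: how many times this exact password appears in HIBP."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)

def offline_demo(password="123456"):
    """Same matching logic against the constructed SAMPLE_RANGE, no network."""
    _prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(SAMPLE_RANGE, suffix)

if __name__ == "__main__":
    import getpass
    n = pwned_count(getpass.getpass("Password to check (never sent): "))
    print(f"found {n} times in breaches" if n else "not found in HIBP")
```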

If you use more than one email address now or in the past, repeat this for each e-mail.

Further details can be found at the following links:

Wednesday, January 3, 2024

New Year, New Password!

As part of your new year’s resolution, it is a good idea to give your online security a fresh start in 2024. With cyber threats becoming an unfortunate norm these days, it's time to enhance your cyber hygiene to protect yourself from becoming a cybercrime victim this year. Change all your online account passwords, especially for financial/banking, shopping, and social media accounts. The following is a list of things to consider.

  • Change your passwords (also change username if permitted)
  • Enable password-less logins if available.
  • If you don’t have 2F enabled, make sure to enable it.
  • If the site supports stronger 2-factor mechanisms, like an authenticator app or, better yet, a hardware key, use that instead of SMS-based 2-factor. While SMS-based is better than a password alone, it is prone to attacks like SIM swap scams.
  • Validate your recovery mechanisms.
    • Reset recovery app keys (if any)
    • Validate recovery e-mail.
    • Reset one-time login codes.
  • Last but not least, invalidate all logins (i.e. log out from all devices and log back in). Though this step may be enforced by the password change, some sites don’t enforce it.

Remember, cyber hygiene is like flossing, not the most glamorous, but essential for long-term digital health. This year, make your online security a resolution you actually stick to. Have a safe 2024 and beyond!


Saturday, July 1, 2023

Three Simple Online Banking Safety Tips

Here are three simple steps you can take while doing online banking to minimize your chances of becoming a victim. As the title says, these steps are simple and do not take much time or effort to follow.

  1. Before logging in to your banking website for financial transactions, or even to review your bank statement, close all tabs in your browser. If you are paranoid, temporarily disable any browser plugins you may have installed, which you can turn on later.
  2. When you are logged into your banking website, do not do anything else, such as Google searches, Facebook, Instagram, or any other browsing; specifically, do not read emails or, worse, click on a link your buddy sent you to "check it out". You can do all that after step 3 below.
  3. Once you are done with your online banking business, make sure to log off. Many secure banking websites these days do protect you by logging you off automatically. However, don’t rely on them, because there are still some stupid online banking websites that don’t properly log you out in a reasonable time or, worse, don't do anything.

Simple Cyber Hygiene Practice

Here is some advice on simple cyber hygiene practices to protect yourself online. You really don't have to take extreme steps to bulletproof your online accounts, because if a persistent and determined cybercriminal decides to target you (i.e., spear phishing), there is very little you can do to stop them, especially if you are a high-value target. Luckily most of us don't fall into that category, unless you are dumb enough to divulge your personal info by posting on social media in a way that makes you a target. However, with a bit of effort on your part, you can make it slightly harder for cybercriminals to scam you, so they will move on to easier targets.

"You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you."

Trust me, there are still stupid people out there who use "123456" as a password (BTW: "123456" and "password" were both among the top 10 passwords in 2022), feeding this fast-growing $8 trillion cybercrime business.

Now, how do you make it "slightly harder"? The answer, as you may have heard many times, is: don't rely on username/password alone, even if you have a strong password like "~ti0ah5%#W". Though a strong password is the first step in making it harder, it does not protect you in all cases, as criminals have other ways to gain access to your accounts. So, ensure that you enable 2FA (two-factor authentication) wherever it is offered. If multiple methods are provided for 2FA, like SMS and an authenticator app, choose the latter: SMS-based 2FA gives a false sense of security, though it is still better than username/password alone.