Vera (not her real name) lives alone, and is fiercely independent. At the age of 82, she still runs all her financial affairs herself, at her bank’s local branch. She deflects all persuasions on the part of her increasingly anxious daughters to sign up for internet banking. If her health fails, or if some temporary injury keeps Vera home-bound, her daughters know things will get unnecessarily tricky on the financial management front.
Vera isn’t unusual: there’s a whole generation of people who are deeply suspicious of cyber-criminality.
At the other end of the spectrum are those who, having run their affairs virtually for many years, are casually confident that nothing can go wrong.
Of course, neither end of this spectrum is wholly right, nor is either wholly wrong. Cyber-criminals certainly don’t have an easy time of it. But that doesn’t stop them trying, and with a bit of carelessness and a touch of bad luck, any one of us could find ourselves targeted.
As in the physical world, understanding what is valuable to a criminal helps you prioritise your defences. In addition to your money, the accounts you run online, and even the use of your computer, are commodities to be traded in the cyber-criminal world.
Choose your passwords well
SplashData, which collects passwords from data breaches in the US and Western Europe, tells us we’re rather predictable: the three most common passwords last year were “12345”, “qwerty” and “password”.
You’d never use any of those, right? But the other favourite trick – substituting numbers for letters (“JohnSmith” becomes “J0hnSm1th”, for instance) – is surprisingly easy to crack.
The experts say that choosing a phrase and using the first letter from each word is a good approach. “I am a 2-metre tall Cyborg” would become “Iaa2-mtC”. It ticks all the boxes: it’s eight characters long; it includes a combination of numbers, letters and symbols; and no-one would guess it (unless, perhaps, you really are a 2-metre tall Cyborg).
Change them
Your passwords should not be reused on different accounts. Different security levels mean a password stolen from a low-security site could be used to test your identity elsewhere. The most secure password, on the most secure site, could thus become vulnerable.
Go low-tech
If you have a spreadsheet of passwords or other digital access codes, keep them on a device not connected to the internet. Or encrypt them. But don’t leave the spreadsheet on your desktop.
Stay out of bad neighbourhoods
You wouldn’t stand on a corner in a dodgy part of town looking up something on your iPhone. No more should you loiter on dodgy sites.
It’s also a good idea to only use one computer for your sensitive transactions. If you have a family computer and you can’t be sure how the rest of the family uses it, don’t use that computer for your banking.
Be sceptical
Never respond to mails, no matter how official-looking, asking you to log in. If an e-mail or pop-up asks you to enter your username or password, don’t do it. Instead, open your browser and go to the site. If you really do believe it’s legitimate, phone the sender institution first.
Check your statements
Stealth attacks are common. If you cannot find explanations for small withdrawals, query them. Many cyber-criminals, once they’ve accessed your details, work on a low-margin, high-turnover principle: they’ll take small amounts every month, knowing that most of us are lazy about checking. A figure like R57.31, for instance, is too modest to warrant a serious query. But a cyber-criminal taking R57.31 from 100 000 people sees a big payday. The danger for you isn’t the R57.31: it’s that the ability to take it tells you they are able to take everything else too.
Protect your devices
If a cyber-criminal has loaded remote-control software on your computer, not even two-factor authentication can protect you. Make three basic online hygiene principles routine:
- Don’t allow browser plugins to run by default. On Firefox, use the “NoScript” plugin, which whitelists websites that can execute JavaScript and plugins. On Chrome, use “click-to-play”.
- Keep any programme or plugin that you use online up-to-date, especially Java.
- Run anti-virus software.
*Trevor Damon is head of fraud strategy: WIMI at Barclays Africa Group.