No one knows security mistakes better than hackers - because for them, tiny errors in security are the ‘keys’ that allow access to home PCs and office computer systems.
And hackers are clear about one thing. Computer users make mistakes all the time - and often the same ones, over and over again. Two hackers - one ‘ethical hacker’, who tests computer systems by attempting to break into them, and one ex-hacker who now works in security - lay bare the ten errors that crop up most often.
‘People are too trusting,’ says Tom Beale, who has worked as an ‘ethical hacker’ for 10 years, protecting corporate and government systems by finding weaknesses.
‘The human element is always the weak link in the chain. People are very easily distracted - and particular attackers prey on that.’
‘People are just getting more and more stupid,’ says Cal Leeming, an ex-hacker who was convicted for a cyber crime, but now works in computer security.
‘They want their stuff to be protected, but they expect someone else to do it for them. People don’t want to know. Even for companies, computer security isn’t a priority, because it’s not a primary source of income. It’s only once the company’s been hit that they realise, "Oh we should have paid more attention than that".’
[Exclusive: Watch the action-packed ‘Cybergeddon’ trailer only on Yahoo!]
1. Don’t use the same username everywhere
‘People often upload photos of themselves to an online library, say,’ says Cal Leeming, a former hacker who works in security at Simplicity Media, ‘But they use a username they use on other sites. They don’t realise that people can use Google to connect them across all the different worlds they visit, and then work out a way in.’
2. Don’t trust public wi-fi
‘When you go on a public wi-fi network you have no way to determine whether it’s a real network run by a reputable company, or a fake run by a spotty guy next to you,’ says Tom Beale of Vigilante Bespoke. 'The problem’s particularly bad on mobile, where you really can’t tell if you’re on a fake network set up to steal your data. If you’re going to use public networks for business, use a laptop, because the browser will warn you of security breaches - your phone won’t.’
[Related content: How Cybercrime Works]
3. Be careful about who you friend on Facebook
‘Facebook has been basically forced to implement privacy settings,’ says Cal. ‘But people still get it wrong. They randomly friend other people, not realising they are giving away information that could be useful in a cyber attack - for instance names of pets or family that might be a password or security question.’
4. Don’t trust people you don’t know
‘I always tell people to do an ‘offline test’ - ie would you do the same thing if you were offline? So for instance, if you’re chatting to someone online, and you tell them some information, would you give that information to someone you’d just met in a bar?,’ says Tom. ‘Online, you’re even LESS safe - because you may not be talking to who you think you are. People just seem to lose all concept of reality when they’re on a PC.’
5. Use two-factor passwords when you can
‘People resist this except when they’re made to do it - like by their bank,’ says Tom. ‘But it does add that extra layer. It does offer protection. People accept that their bank will use tokens or keycard readers, but when other sites add it, people resist it - they just want quick access.’
6. Don’t re-use your email password
‘This isn’t going to be a problem that goes away any time soon,’ says Cal. ‘People don’t realise what are the risks of using the same password. If you reuse your email password, you’re handing out the keys to be hacked and breached - giving hackers access to the information they’ll need to hack your bank account and other networks you use. People use simple passwords for convenience - memorising too many is just a pain.’
7. Don’t be fooled by ‘cries for help’
‘Some of the most effective attacks are "cries for help" from friends - sent by email from a compromised machine. It’s incredible how many people respond to that,’ says Tom. ‘If it’s someone who travels a lot, and their email is hacked, it’s more convincing when you get an email saying that they are stranded abroad, and need money. They target people with a scattergun approach, but when they find someone who IS abroad a lot, it’s very effective.’
8. Use antivirus software
‘I can’t see any reason why you wouldn’t run AV software,’ says Tom. ‘It’s not a Holy Grail, but it helps you to deal with most known problems. Browsing without it is like driving without a seatbelt. It’s your first layer of defence, whether you’re using PC, Mac or Android.’
[Related link: Shop for anti-virus software]
9. Remember that funny videos can be very unfunny
‘Facebook’s system doesn’t filter for malicious links, so they can be very dangerous. Often a ‘video’ link will try to fool people into visiting an infected site or downloading something in the guise of video software or fake antivirus software. Your only defence is to think, ‘Would my friend really post that?’ so be careful about people you only half-know. Facebook and Twitter need to inform users better.’
10. Set everything to auto update
‘Attackers will be actively looking for vulnerabilities - not just in your operating system, but in your browser, in plug-ins such as Flash and Java. Be sure that all of those are up to date,’ says Tom. ‘If you don’t, you are leaving security holes. Most updates don’t add functions, they just fix holes, and if you don’t get them, you still have the holes.’