Author Topic: Prevent hacks  (Read 7673 times)

Murse

  • Pencil Stache
  • ****
  • Posts: 574
Prevent hacks
« on: July 03, 2015, 09:31:21 PM »
How does one keep their investment account safe? I suppose I am a little paranoid that someone could get login details to, say, your Vanguard account and drain your life savings. How do you protect against this? I am sure this has been brought up before; I used the search function and could not find what I was looking for.

MDM

  • Senior Mustachian
  • ********
  • Posts: 11477
Re: Prevent hacks
« Reply #1 on: July 03, 2015, 09:36:51 PM »
A couple of things:
  - Use a strong password (e.g., something generated by a program such as KeePass or similar).
  - Don't use real answers to the challenge questions.


johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Prevent hacks
« Reply #2 on: July 03, 2015, 09:36:56 PM »
Vanguard has two factor authentication. When logging in from a new device you must provide a code that's sent to you via text message.

Also, Vanguard lets you set up email notifications whenever any transaction occurs so you can know right away if there is a fraudulent transaction on your account.

Don't use the same password at Vanguard with any other online service you use.

That's about it off the top of my head. Oh, and of course, use a strong password.

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Prevent hacks
« Reply #3 on: July 03, 2015, 09:37:21 PM »
A couple of things:
  - Use a strong password (e.g., something generated by a program such as KeePass or similar).
  - Don't use real answers to the challenge questions.

I often stump myself with my own challenge questions @_@

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Prevent hacks
« Reply #4 on: July 04, 2015, 05:28:29 AM »
Strong passwords are good.  Use a password manager to help remember them.   I still can't recommend using an online one like LastPass or OnePass.  I use an offline one called KeePass. You can also use password managers as a place to store your security question answers.

Setting notifications is a good idea, but if a hacker gets into the account they will likely change that.  Notifications are usually better for transactions off of stolen credit cards or ATM cards, or if someone does an illegal transaction in person.

Two factor auth is a great thing.  If a site offers it, use it. 


forummm

  • Walrus Stache
  • *******
  • Posts: 7374
  • Senior Mustachian
Re: Prevent hacks
« Reply #5 on: July 04, 2015, 05:58:59 AM »
You can also have a really strong root password that only you know in your head, like $(*bSJioj18rt3#; just make it something you can always remember.

And then add on a bunch more stuff that's unique for each site you frequent. Another 8 characters, that is also strong. And then you can save the extra 8 characters somewhere. So even if your password file gets hacked, they still don't have the password root that's in your head.

And also do the other things mentioned in the thread.

Vanguard has two factor authentication. When logging in from a new device you must provide a code that's sent to you via text message.

You can also set it up so that you have to enter in the code anytime anyone logs in from anywhere. More hassle for you logging in, but more secure.

Singularity

  • 5 O'Clock Shadow
  • *
  • Posts: 68
Re: Prevent hacks
« Reply #6 on: July 04, 2015, 06:07:40 AM »
It is highly recommended, as others mentioned, to use high-quality passwords that look random, without words, birthdates, SSN, address, or any information that is associated with you or your family.
A password manager makes creating, storing, and copy/pasting those passwords so much easier.

It's also preferable to make your security question answers high-quality passwords too.  e.g. What is the name of your high school?  Answer: b,UQQa#x_hv`?P3e2z

Vanguard's Computer Security Page recommends the following:
Quote
Secure your computer

Get security software and keep it up to date to help prevent online attacks. And don't forget to update your computer's operating system.

Is your computer's operating system up to date?
If your computer's operating system is outdated, your computer may not be fully protected. Check the websites below to see if you need to update your operating system.
If you're using a Windows operating system, go to Microsoft's website.
If you're using Apple's operating systems, go to Apple's website.

You need security software
Download security software and keep it current to protect your computer. You should also monitor your computer and browser settings.
Guide to securing your computer

Monitor your accounts for fraudulent activity
Contact Vanguard immediately if you suspect fraud, including alerting us to "phishing" e-mails. Also, let us know if you've been a victim of identity theft within the past 12 months.
Contact us if you suspect fraud
https://investor.vanguard.com/security/

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Prevent hacks
« Reply #7 on: July 04, 2015, 06:51:36 AM »
Vanguard has two factor authentication. When logging in from a new device you must provide a code that's sent to you via text message.

You can also set it up so that you have to enter in the code anytime anyone logs in from anywhere. More hassle for you logging in, but more secure.

Yeah, that's more hassle than it's worth to me. Though I can see how it may not be for some people.

Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye
Re: Prevent hacks
« Reply #8 on: July 04, 2015, 07:05:38 AM »
The above is all good advice.  I will add:
* first off, just be smart with the computer you're using.  Think about where you're going. 
* use malware detection tools
* use browser plugins like noscript and adblock plus.  Only turn on the minimal amount of scripts on a site to get it working... and even then be skeptical
* divide your browsing up by category and use a different browser profile.  In other words, have one browser profile you use for everyday stuff (MMM, facebook, google, etc) and one you use for financial stuff.
* set your browser to discard cookies at the end of a session -- and add exceptions for sites that are a pain in the ass if they don't keep a cookie
* in addition to the "use a different password for everything" ... use a different userid.  And use a different email address.  I personally use sneakemail to manage email addresses... but I think there are several free alternatives. 

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Prevent hacks
« Reply #9 on: July 04, 2015, 07:10:17 AM »
* divide your browsing up by category and use a different browser profile.  In other words, have one browser profile you use for everyday stuff (MMM, facebook, google, etc) and one you use for financial stuff.
* set your browser to discard cookies at the end of a session -- and add exceptions for sites that are a pain in the ass if they don't keep a cookie

Please explain the rationale for these two.

If your rationale is to not correlate your social media accounts with your financial accounts, this can easily be defeated with canvas fingerprinting.


Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye
Re: Prevent hacks
« Reply #10 on: July 04, 2015, 07:33:54 AM »
* divide your browsing up by category and use a different browser profile.  In other words, have one browser profile you use for everyday stuff (MMM, facebook, google, etc) and one you use for financial stuff.
* set your browser to discard cookies at the end of a session -- and add exceptions for sites that are a pain in the ass if they don't keep a cookie

Please explain the rationale for these two.

If your rationale is to not correlate your social media accounts with your financial accounts, this can easily be defeated with canvas fingerprinting

Third-party sites' ability to perform fingerprinting is normally mitigated with tools like Adblock Plus/Privacy Badger.

As for why to keep financial info separate: there have historically been successful tabnabbing / cross-tab attacks / CSRF attacks.  A separate instance gives you a little bit of a sandbox to keep that sort of thing from happening.  It also allows you to set up an instance that is less paranoid/more trusted than one you would use for everyday browsing.

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Prevent hacks
« Reply #11 on: July 04, 2015, 08:02:19 AM »
* divide your browsing up by category and use a different browser profile.  In other words, have one browser profile you use for everyday stuff (MMM, facebook, google, etc) and one you use for financial stuff.
* set your browser to discard cookies at the end of a session -- and add exceptions for sites that are a pain in the ass if they don't keep a cookie

Please explain the rationale for these two.

If your rationale is to not correlate your social media accounts with your financial accounts, this can easily be defeated with canvas fingerprinting

Third-party sites' ability to perform fingerprinting is normally mitigated with tools like Adblock Plus/Privacy Badger.

As for why to keep financial info separate: there have historically been successful tabnabbing / cross-tab attacks / CSRF attacks.  A separate instance gives you a little bit of a sandbox to keep that sort of thing from happening.  It also allows you to set up an instance that is less paranoid/more trusted than one you would use for everyday browsing.

Third party fingerprinting such as Adblock Plus and Privacy badger when "manually enhanced with EasyPrivacy list are able to block third-party ad network trackers and will block canvas fingerprinting provided that the tracker is served by a third party server (as opposed to being implemented by the visited website itself)"
The key here being manually enhanced. This is not "normally mitigated."

Using an extension such as Disconnect is in my experience easier than just discarding all cookies at the end of a session and adding exceptions for sites that make this a PITA. Of course, you have to build up an exception list for Disconnect also. But it tells you exactly which sites are trying to track on the spot, so you know which ones to activate. It takes far less time to build up an exception list this way instead of observing the behavior after you've restarted a session.

Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye
Re: Prevent hacks
« Reply #12 on: July 04, 2015, 08:18:11 AM »
* divide your browsing up by category and use a different browser profile.  In other words, have one browser profile you use for everyday stuff (MMM, facebook, google, etc) and one you use for financial stuff.
* set your browser to discard cookies at the end of a session -- and add exceptions for sites that are a pain in the ass if they don't keep a cookie

Please explain the rationale for these two.

If your rationale is to not correlate your social media accounts with your financial accounts, this can easily be defeated with canvas fingerprinting

Third-party sites' ability to perform fingerprinting is normally mitigated with tools like Adblock Plus/Privacy Badger.

As for why to keep financial info separate: there have historically been successful tabnabbing / cross-tab attacks / CSRF attacks.  A separate instance gives you a little bit of a sandbox to keep that sort of thing from happening.  It also allows you to set up an instance that is less paranoid/more trusted than one you would use for everyday browsing.

Third party fingerprinting such as Adblock Plus and Privacy badger when "manually enhanced with EasyPrivacy list are able to block third-party ad network trackers and will block canvas fingerprinting provided that the tracker is served by a third party server (as opposed to being implemented by the visited website itself)"
The key here being manually enhanced. This is not "normally mitigated."

Using an extension such as Disconnect is in my experience easier than just discarding all cookies at the end of a session and adding exceptions for sites that make this a PITA. Of course, you have to build up an exception list for Disconnect also. But it tells you exactly which sites are trying to track on the spot, so you know which ones to activate. It takes far less time to build up an exception list this way instead of observing the behavior after you've restarted a session.

Fair enough.  I did not spout enough information.  But it's one click to add a subscription for EasyPrivacy.  (I am not sure about how it adds to Privacy Badger... I stopped using it a while back.)

I'm not familiar with Disconnect.  It sounds cool.  But I have not really had issues with session cookies.

Murse

  • Pencil Stache
  • ****
  • Posts: 574
Re: Prevent hacks
« Reply #13 on: July 04, 2015, 10:22:05 AM »
I am not very computer savvy, so let me explain my concerns. When I buy a new computer it always runs amazing for probably 3-4 years, then it begins slowing down for maybe a year, then out of nowhere, all of a sudden, it's pop-up bonanza and crap gets downloaded onto my computer that I have no idea where it came from.

Aren't there programs people try to get on your computer that log the keys as you enter them? How do you get these?

Do I need to avoid accessing my accounts unless I am on my home internet (avoid public), and why?

Are you not concerned about forgetting your passwords? Or, if you use software to store it, that the software loses the information or your computer crashes and loses all of its data?


taekvideo

  • Bristles
  • ***
  • Posts: 273
Re: Prevent hacks
« Reply #14 on: July 04, 2015, 10:40:47 AM »
1) Have good antivirus. I recommend Avast or Microsoft Security Essentials; both are free. If they give you an alert that something you're running is bad, don't ignore it!
2) Don't download software from untrusted sources... knowing who to trust can be tough of course. When formerly-reputable sites like cnet (download.com) start embedding malware in all their downloads... the internet is not safe o.o
3) Use a different password for every website. I have one password I use on lots of sites if I really wouldn't care about it being compromised... but use a unique one for any website that matters. Websites frequently have their user account databases stolen, and those passwords can be tested on other websites to access accounts there.
4) Use strong passwords. You want it LONG, and not something that would be easily guessed. Passphrases are a good idea, for example: "cats wearing hats sitting on a tree near a llama juggling pizzas". Easy to remember, almost impossible to guess or brute force (see: entropy)... though it only works for sites that don't have a really low maximum password length (dunno why the hell they do that >.>). Bonus points that anyone watching you type your password in will think you're crazy paranoid.
5) Don't use easy security questions...
6) Keep your email account secure too!!! If someone gets your email that can "hack" a lot of your accounts.
7) If your phone or tablet or laptop or pc ever gets stolen, change ALL your passwords... you probably had a lot saved on them.
« Last Edit: July 04, 2015, 10:47:25 AM by taekvideo »

johnny847

  • Magnum Stache
  • ******
  • Posts: 3188
    • My Blog
Re: Prevent hacks
« Reply #15 on: July 04, 2015, 10:44:40 AM »
6) Keep your email account secure too!!! If someone gets your email that can "hack" a lot of your accounts.

Oh yea. I forgot about this one. Arguably your email is even more important than any one financial account, because if they hack your email then they can do a password reset on all of your accounts, financial or otherwise!

MDM

  • Senior Mustachian
  • ********
  • Posts: 11477
Re: Prevent hacks
« Reply #16 on: July 04, 2015, 10:45:14 AM »
Or, if you use software to store it, that the software loses the information or your computer crashes and loses all of its data?

Ever hear the joke about Moses and Jesus each typing a long document on their computers when suddenly both systems crash?  Moses is beside himself with concern over the lost information.  Jesus is unperturbed.  Why?  Because

Jesus Saves.

Go now and do the same. ;)

Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye
Re: Prevent hacks
« Reply #17 on: July 04, 2015, 10:46:36 AM »
Some amount of the slowdown is "natural."  By that I mean: we put bigger, more bloated software on it over time and expect it to do more.  (For example, 7-8 years ago most people would probably not have expected to run HD video streaming on a computer.  Now it is normal.)

But some is certainly caused by malware.  Often it comes bundled with some other "legitimate" software.  (For example, it seems common for some software to add search bars that will redirect your searches somewhere else for money.  It's a bit of an ugly thing to do, but it is done pretty often.)

Some is probably something you (or some other user) has done.

1) Keep your software updated.  Always.  Those updates are "offers you cannot refuse."  Take them.
2) You want privilege separation.  What I mean by that is: you want to have an everyday user (let's call that "murse") and an admin user (called "administrator" or "root" or "murse_admin").   You want to set up your system such that it requires "admin" in order to do anything that changes the system config.  This doesn't mean a bit of malware you end up running won't harm you.... but it limits the amount of harm that can be done.

Now I'll make an admission:  I'm assuming we're talking about Windows here.  And if so, I am not the guy to give you advice on setting that up.  The last time I ran Windows was Windows 3.1 (1992ish).  It can be done in a semi-sane manner.... but it is not likely to come out of the box configured in a sane manner.

As for password managers:  In a good password manager, the data is stored locally and using strong encryption.  And yes: you need to have a backup of that.  But you also need to have a backup of anything you consider to be important information.  I'm not really a fan of cloud backup.... but cloud backup is probably better than no backup at all.

Jack

  • Magnum Stache
  • ******
  • Posts: 4725
  • Location: Atlanta, GA
Re: Prevent hacks
« Reply #18 on: July 04, 2015, 10:50:53 AM »
Strong passwords are good.  Use a password manager to help remember them.   I still can't recommend using an online one like LastPass or OnePass.  I use an offline one called KeePass. You can also use password managers as a place to store your security question answers.

I turn KeePass into an online password manager by storing the .kdbx file and a "portable apps" Windows version of the program itself in my cloud storage account (e.g. Google Drive, Dropbox, etc.). Keepass2Android is capable of opening it directly from [a cached copy of] the cloud storage and keeping it in sync.

* divide your browsing up by category and use a different browser profile.  In other words, have one browser profile you use for everyday stuff (MMM, facebook, google, etc) and one you use for financial stuff.
* set your browser to discard cookies at the end of a session -- and add exceptions for sites that are a pain in the ass if they don't keep a cookie

Please explain the rationale for these two.

If your rationale is to not correlate your social media accounts with your financial accounts, this can easily be defeated with canvas fingerprinting

Third-party sites' ability to perform fingerprinting is normally mitigated with tools like Adblock Plus/Privacy Badger.

As for why to keep financial info separate: there have historically been successful tabnabbing / cross-tab attacks / CSRF attacks.  A separate instance gives you a little bit of a sandbox to keep that sort of thing from happening.  It also allows you to set up an instance that is less paranoid/more trusted than one you would use for everyday browsing.

Third party fingerprinting such as Adblock Plus and Privacy badger when "manually enhanced with EasyPrivacy list are able to block third-party ad network trackers and will block canvas fingerprinting provided that the tracker is served by a third party server (as opposed to being implemented by the visited website itself)"
The key here being manually enhanced. This is not "normally mitigated."

Using an extension such as Disconnect is in my experience easier than just discarding all cookies at the end of a session and adding exceptions for sites that make this a PITA. Of course, you have to build up an exception list for Disconnect also. But it tells you exactly which sites are trying to track on the spot, so you know which ones to activate. It takes far less time to build up an exception list this way instead of observing the behavior after you've restarted a session.

Fair enough.  I did not spout enough information.  But it's one click to add a subscription for EasyPrivacy.  (I am not sure about how it adds to Privacy Badger... I stopped using it a while back.)

I'm not familiar with Disconnect.  It sounds cool.  But I have not really had issues with session cookies.

I normally don't ever close my browser (until it crashes; despite Mozilla's protests to the contrary, either Firefox or one of the extensions I use still has memory leaks). However, I use an extension called "Self-Destructing Cookies" to fix the session cookies issue.

I am not very computer savvy, so let me explain my concerns. When I buy a new computer it always runs amazing for probably 3-4 years, then it begins slowing down for maybe a year, then out of nowhere, all of a sudden, it's pop-up bonanza and crap gets downloaded onto my computer that I have no idea where it came from.

Aren't there programs people try to get on your computer that log the keys as you enter them? How do you get these?

Do I need to avoid accessing my accounts unless I am on my home internet (avoid public), and why?

Are you not concerned about forgetting your passwords? Or, if you use software to store it, that the software loses the information or your computer crashes and loses all of its data?

  • It may sound harsh, but YOU'RE NO LONGER ALLOWED TO "NOT BE COMPUTER-SAVVY." Learn to use the computer properly, and secure it. This is 2015; you have no choice. To say you're not computer savvy is like saying "oh, I'm not financially savvy" or "oh, I'm illiterate."
  • Yes, keyloggers do exist. You get them by not being computer savvy (see previous point).
  • You shouldn't use public computers because they might have keyloggers.
  • If you lose your data because your computer crashes, it's because you failed to keep backups. Again, see point #1.

2) Don't download software from untrusted sources... knowing who to trust can be tough of course. When formerly-reputable sites like cnet (download.com) start embedding malware in all their downloads... the internet is not safe o.o

Just as a PSA, for those who don't already know:

Sourceforge.net has gone to the dark side and is no longer to be trusted.

At this point, AFAIK there is no "one-stop shop" for trustable software (except for the Debian package manager repository). The safest thing is to go find the actual project's official website and download from there.

Murse

  • Pencil Stache
  • ****
  • Posts: 574
Re: Prevent hacks
« Reply #19 on: July 04, 2015, 12:34:25 PM »
Jack, how does one become computer savvy?

Jack

  • Magnum Stache
  • ******
  • Posts: 4725
  • Location: Atlanta, GA
Re: Prevent hacks
« Reply #20 on: July 04, 2015, 12:55:38 PM »
Jack, how does one become computer savvy?

By asking questions like you're doing now, and doing a lot of reading. Google a basic question (like "how do I secure my computer?") and then keep researching deeper and deeper until the answers start to make sense. And then when you have a more complicated question, repeat.

In other words, being computer savvy isn't really "knowing the answer." It's knowing how to find the answer -- learning how to learn. Pretend you're a 5-year-old and just keep asking "why?"

The main thing is to have the right attitude (which it seems you do) and not use "but I'm not computer savvy" as an excuse to be helpless.

Just looking through my previous post, someone might want to Google any of the following:

  • What is KeePass?
  • What is a portable app?
  • What is cloud storage?
  • What is a cache?
  • What is browser profile?
  • What is browser cookie?
  • What is browser fingerprinting? (Or "how do I defend against browser fingerprinting?")
  • What is a CSRF attack? (I don't know the answer to this, except for being able to guess from context. And that's okay! Nobody knows everything.)
  • What is Disconnect?
  • What is a browsing session?
  • What is keylogger?
  • How do I backup my computer?
  • What is Debian?
  • What is a package manager repository?

It also doesn't hurt to just read about computers in general, even when you don't have a specific question. Slashdot, Reddit, TomsHardware, AnandTech, and lots of other sites are good choices for this. Just do like you do for MMM, except for computers.
« Last Edit: July 04, 2015, 01:10:38 PM by Jack »

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Re: Prevent hacks
« Reply #21 on: July 08, 2015, 08:20:22 PM »
Jack, how does one become computer savvy?

By asking questions like you're doing now, and doing a lot of reading. Google a basic question (like "how do I secure my computer?") and then keep researching deeper and deeper until the answers start to make sense. And then when you have a more complicated question, repeat.

In other words, being computer savvy isn't really "knowing the answer." It's knowing how to find the answer -- learning how to learn. Pretend you're a 5-year-old and just keep asking "why?"

The main thing is to have the right attitude (which it seems you do) and not use "but I'm not computer savvy" as an excuse to be helpless.

Just looking through my previous post, someone might want to Google any of the following:

  • What is KeePass?
  • What is a portable app?
  • What is cloud storage?
  • What is a cache?
  • What is browser profile?
  • What is browser cookie?
  • What is browser fingerprinting? (Or "how do I defend against browser fingerprinting?")
  • What is a CSRF attack? (I don't know the answer to this, except for being able to guess from context. And that's okay! Nobody knows everything.)
  • What is Disconnect?
  • What is a browsing session?
  • What is keylogger?
  • How do I backup my computer?
  • What is Debian?
  • What is a package manager repository?

It also doesn't hurt to just read about computers in general, even when you don't have a specific question. Slashdot, Reddit, TomsHardware, AnandTech, and lots of other sites are good choices for this. Just do like you do for MMM, except for computers.

Very good list of questions....

Just wanted to provide an answer to one...  CSRF: Cross-Site Request Forgery.

Simply put, it is when a user executes an action on one site while browsing another site.  The user has no idea the action occurred until after the fact, if at all.  Think of it like real forgery.  Someone gets one of your credit card checks and uses it.  The recipient of the check doesn't do enough to confirm the buyer is really who they say they are.
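As an added illustration (not code from this thread, nor from Vanguard or any of the tools named in it) of the CSRF scenario Spork and Insanity describe, the toy model below has a browser that attaches every stored cookie for a site to any request to that site, a constructed brokerage server with a transfer form, and the three defences discussed in the thread: a separate browser profile, discarding session cookies at the end of a session, and the server-side anti-CSRF token a site should have anyway. Hostnames, user names, balances and the form layout are all constructed for the example.

```python
import secrets


class BrowserProfile:
    """One cookie jar per profile: two profiles never share session cookies."""

    def __init__(self, name):
        self.name = name
        self.jar = {}                      # host -> {cookie name: value}

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def end_session(self):
        """'Discard cookies at the end of a session', as the thread suggests."""
        self.jar.clear()

    def build_request(self, method, host, initiator, form):
        # Classic browser behaviour: every cookie stored for `host` is attached,
        # whichever site's page (the initiator) triggered the request.
        return {"method": method, "host": host, "initiator": initiator,
                "form": form, "cookies": dict(self.jar.get(host, {}))}


class BrokerageServer:
    """Constructed stand-in for a brokerage site with a money-transfer form."""
    HOST = "brokerage.example"

    def __init__(self, require_csrf_token):
        self.require_csrf_token = require_csrf_token
        self.sessions = {}                 # session id -> {"user", "csrf"}
        self.balances = {}

    def login(self, profile, user, balance):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        self.balances[user] = balance
        profile.set_cookie(self.HOST, "session", sid)
        return self.sessions[sid]["csrf"]  # the site embeds this in its own forms

    def transfer(self, req):
        sess = self.sessions.get(req["cookies"].get("session"))
        if sess is None:
            return "rejected: not logged in"
        # The token lives in the page, not in a cookie, so a third-party page
        # that only rides on the browser's cookies cannot supply it.
        if self.require_csrf_token and req["form"].get("csrf") != sess["csrf"]:
            return "rejected: bad CSRF token"
        self.balances[sess["user"]] -= int(req["form"]["amount"])
        return "ok"


def run_scenario(separate_profile, discard_cookies, csrf_token):
    """Log in to the brokerage, then open a hostile page that auto-submits a
    transfer form to it. Returns (server verdict, remaining balance)."""
    server = BrokerageServer(require_csrf_token=csrf_token)
    financial = BrowserProfile("financial")
    everyday = BrowserProfile("everyday") if separate_profile else financial
    server.login(financial, "murse", 1000)
    if discard_cookies:
        financial.end_session()           # browser closed before browsing elsewhere
    # Forged cross-site request: the hostile page knows the form layout but
    # neither the session cookie (the browser attaches that) nor the CSRF token.
    forged = everyday.build_request("POST", BrokerageServer.HOST,
                                    "evil.example", {"amount": "500"})
    return server.transfer(forged), server.balances["murse"]


if __name__ == "__main__":
    print("no defences:      ", run_scenario(False, False, False))
    print("separate profile: ", run_scenario(True, False, False))
    print("discarded cookies:", run_scenario(False, True, False))
    print("server CSRF token:", run_scenario(False, False, True))
```

The two browser-side defences work because the forged request simply carries no session cookie; the token check works even when the cookie is present, which is why a site cannot rely on its customers' browsing habits alone.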