Bank machines being hacked, be careful of Android password managers and advice for using a password manager.
Welcome to Cyber Security Today. It’s Monday October 1st.
Today marks the start of Cyber Security Awareness Month. In addition to the latest news, I’ll regularly pass tips on how you can make your online activities more secure.
But first the news:
Almost everyone uses a bank machine. Criminals want to make withdrawals, too, by hacking ATMs. According to security writer Brian Krebs, the U.S. Secret Service is warning financial institutions about a new scam: Drilling a hole in the face of the machine so a gang member can insert a card skimmer onto the bank card reader inside. The hole is then covered up, and a pinhole camera is added so the thieves can see what PIN number you enter. Bank machines have protection mechanisms, but they might be bypassed. The best way to protect yourself is to cover one hand with the other when entering your PIN number so no one can see the numbers you enter. And if you think a bank machine has been tampered with, report it to the bank and police.
With all the passwords most people have to register, password manager software is a good idea. It keeps track of your passwords, and most can generate safe, strong passwords and automatically enter them into forms. But European security researchers say password managers for Android devices may not be as secure as a desktop password manager. That’s because on a desktop you log in through a website. With an Android password manager you log in through an app – for example, a bank app – and apps can be spoofed. Security vendor Sophos says it’s unlikely you’ll be victimized this way, but if you’re worried you can turn off autofill on your Android password manager. Or don’t use a password manager for sensitive sites, like email or bank accounts.
For today’s security awareness tip I want to talk about password managers for desktop computers. They’re a good tool to control all the passwords you have. A number of companies offer them, including LastPass, 1Password, Dashlane, TrueKey and Keeper. They work the same way: All you have to do is remember the master password that opens the software. Then, when you want to log into a site the password manager fetches the password and fills in the login form. If you want, the manager can generate a scrambled password you’ll never remember. Password managers have one problem: If someone gets your master password, they have access to everything. So first, make sure you have a computer login password. If an attacker can’t log into the computer, they can’t get to the password manager. Turn your computer off when you don’t need it, like at night or during the day when you aren’t home. If you have a laptop, make sure when you close the lid it goes into hibernate mode and NOT sleep mode. If you are really security conscious, don’t put your bank password in the password manager.
Finally, remember that you really need complex and strong passwords only for sensitive sites – your email, social media, work and bank sites. If you’re a member of a sports or cooking discussion forum, for example, that doesn’t store personal information or a credit card, you don’t need a complex password but you do need one that is safe. A password like “Go Leafs Go” on a Canadian hockey forum isn’t safe. And remember not to use the same password on more than one site.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.