Having your account on a freelance service hacked is as unpleasant as losing an inbox or a social network account. Once inside the profile, an attacker can both steal the funds on the user’s account and start begging for money from everyone the user has corresponded with.
To access your account, an attacker needs your password. Let’s look at how attackers manage to get it and how to protect yourself from theft.
Please read through this information even if you think you already know it. If it turns out you have missed something, correct the situation as soon as possible.
1. Simple password
Sometimes users do not want to spend long thinking about a password: they want to register as quickly as possible and start working on the service.
The first things that come to mind to use as a password are:
- the login: the simpler, the better, they say;
- the date of birth, which they also show in their profile;
- an address or phone number: even if these are not published openly, people you go on to work with can obtain them; incidentally, some users put their phone number and other confidential information on social networks, then link that profile to their account on the service without suspecting that this is unsafe;
- a passport number or current account number;
- the name of your website or company (even with the founding date added), which is easy to guess;
- its motto, status or company slogan (transliterated into the Latin alphabet), which is no harder to guess.
Remember: a password must never coincide with personal data that is publicly available or that another person can obtain by communicating with you or signing documents. The easier a password is for you to remember, the easier it is for an attacker to guess.
2. Complex password, but the same on different services
Some users think that it is enough to come up with a complex password of, say, 16-25 characters, and it will never be hacked. The most surprising thing is that they then use this password everywhere, for years.
But if you are active and visible, sooner or later attackers may become interested in getting into your accounts. Having hacked one mail profile, Skype or social media account, an attacker will immediately try to open all the others.
Please never use the same password across different accounts, unchanged, for a long time: even if you think it is very strong, one day it can be guessed.
Used a public computer and forgot to log out of your account, or perhaps clicked the “save my password” button? That can be a costly mistake. Even if no attacker uses the computer, the next person to sit down at it may not be very honest:
- A student from a parallel class, sitting down at your desk, may just fool around.
- A user who sits down at a computer after you have left it at some computer service may think: “What luck!”
Either way, it won’t make things any easier for you.
When working at someone else’s computer, remember that you need not only to log out of your account on the freelance service, but also to log out of your mail and sign out of the browser.
4. Duplicate password
There is another danger in using the same password. An attacker is not necessarily watching your activity and monitoring all your profiles. They can simply hack the database of one of the services where you registered earlier, then match up profiles and check whether your password opens a similar profile on another service.
The recipe for protection is the same as in the previous case: change passwords from time to time and do not use the same one in different accounts.
Phishing is another type of fraud on the Internet. The word comes from the English “fishing”. The essence of phishing is to throw users “bait”: a fake site with a login form in which the user leaves their real password.
How does a user get sent to such a site? Through emails, messages in various instant messengers, or SMS. They can contain a link that looks like the site’s address, or a link with a redirect (that is, one that forwards to another resource).
The message might look something like this:
“We have registered suspicious activity on your profile. If it was you, please confirm your details…”
The recipe for security here is simple: remember that employees of any resource never ask for anyone’s passwords. Also, do not forget to look at the link and check that it matches the domain of the service you use.
But that’s not all. That a site is safe to be on is indicated by the label “Protected” and a green padlock icon next to the address bar. If you click on it, you can see additional information about the site and the validity of its certificate, configure browser notifications, and block pop-ups.
In addition, this sign means that the site has been issued a cryptographic key that allows it to encrypt the information received from the user. That is, everything you write on such a resource, and the tables and forms you fill out, is available only to you and the site, not to third parties. This is especially important if you’re using a public Wi-Fi network.
However, do not relax too soon: the presence of this icon does not mean that the site is not a phishing site. When a “large catch” is at stake, attackers sometimes go to the expense of acquiring a certificate to mislead users. Therefore, be sure to check that the domain matches, even if the site looks very similar to the resource you are used to; this will help you protect yourself.
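The domain check described above can be automated. The sketch below is an added example, not part of the original article; the service domain freelance.example and all sample links are constructed placeholders. It shows why HTTPS alone is not enough: only an exact or true-subdomain match on the host counts.

```python
from urllib.parse import urlsplit

def check_link(url: str, service_domain: str) -> str:
    """Classify a link against the domain of the service you actually use."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, no userinfo or port
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "not-https"
    service = service_domain.lower().rstrip(".")
    # Only the exact domain or a true subdomain of it counts as a match.
    if host == service or host.endswith("." + service):
        return "match"
    # Heuristics for hosts built to resemble the service: its name embedded in
    # another domain, a "user@" prefix hiding the real host, or internationalized
    # characters that can mimic Latin letters.
    looks_alike = (
        service in host
        or "@" in parts.netloc
        or not host.isascii()
        or any(label.startswith("xn--") for label in host.split("."))
    )
    return "lookalike" if looks_alike else "other-domain"

SERVICE = "freelance.example"  # placeholder for the real service domain

# Constructed sample links (reserved .example/.test names only).
SAMPLE_LINKS = [
    "https://freelance.example/login",
    "https://my.freelance.example/profile",
    "https://freelance.example.account-verify.test/login",
    "https://freelance.example@login-check.test/",
    "https://fr\u0435elance.example/login",  # Cyrillic letter in place of "e"
    "http://freelance.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{check_link(link, SERVICE):13} {link}")
```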
Other reliable ways to protect yourself
To truly feel safe, it is recommended to use the following methods:
- Password manager programs.
- Multi-factor authentication.
- Hardware solutions, for example, tokens with support for FIDO U2F.
Let’s consider each of them in more detail.
Password manager software
This is software that makes working with passwords easier. With it, you do not need to type a long, strong password every time: the password manager stores it.
There are quite a lot of these programs, and they come in several types:
- portable (store passwords on personal devices or USB),
- network (store passwords online, in browsers),
- in the form of desktop applications (passwords are stored on the computer’s hard drive).
We recommend two of them: 1Password and LastPass. Although they are not free, they are worth paying for. After all, the monetary losses from hacked accounts can be much greater than a small fixed payment for your peace of mind. In addition, using them is much more convenient than entering complex passwords every time.
These password managers are attractive for the following reasons:
- 1Password – suitable for iOS, Mac, Windows, Android. The number of home devices on which you can use the program is unlimited. You can share passwords with family or team members. The first month of using the program is free, so you can test it during that time and decide how convenient it is. Then you can choose a package for personal ($2.99 per month), family ($4.99 per month), team security ($3.99 per month) or business ($7.99 per month) use.
- LastPass – unlike the previous service, there is a Russian version. Passwords are saved not only on iOS, Mac, Windows and Android, but also in the Chrome, Firefox, Internet Explorer and Safari browsers. There are tariffs for individuals (from $2 per month) and for business (from $2.5 per month). You can also share passwords with family members. It is possible to buy an annual subscription from $24.
Google Two-Factor Authentication – Secure and Free
One of the most reliable methods is considered to be Google’s two-factor (multi-factor) authentication. Notably, it was introduced 7 years ago, but it is still very little used: by less than 10% of a billion users.
Its essence is that the user is identified in several stages:
- First, the data with which the account was registered is entered: the user’s login and password.
- After that, you enter a password that changes every 30 seconds, taken from the Google application (there are several types of them, and you can connect one application to each account).
- Alternatively, the Google app shows a prompt with two buttons, “Yes, that’s me” or “Ignore”.
- As an alternative or additional stage, confirmation is possible via SMS or email, to which a one-time password is sent.
Can two-factor authentication be hacked?
Technically, it is possible, for example by seizing control of the phone number at the operator level. However, that method is neither simple nor cheap. Attackers can also use phishing. In effect, unless you voluntarily give the password to intruders, such protection is very difficult to crack. Just don’t trust messages written in the style of:
Remember, if you see such messages, you should not react to them!
Hardware token solutions with FIDO U2F support
This method can be called enhanced protection. It is especially suitable for business, where account compromise is simply unacceptable and the owner needs to access services quickly.
The method is based on a USB token that helps identify the owner and checks the authenticity of the site (at the moment the device works only with Google sites), protecting against phishing attacks and cookie theft.
Unlike mobile applications, the USB token works even if the phone is missing. Using such a key will cost less than password managers, as you only need to buy the device once. Its price starts at $5.99.
Let’s sum up
In order to secure the account, it is enough to follow a few rules:
- Use a complex password.
- Passwords must be different on all accounts.
- Do not enter data on suspicious sites that you reached from emails, SMS or instant messenger messages. Better yet, ignore such messages.
- Enable two-factor authentication or use FIDO U2F-enabled tokens.
- Use password managers.
In addition to all of these methods, we recommend that you check your account’s login statistics from time to time. This lets you make sure everything is in order, or change your password if necessary.
That’s all we wanted to say today. We hope this information will help you protect your account and protect yourself on the Internet!