That said, it’s done now and a massive 77 million people have had their personal information exposed.  We still don’t know how much information this includes and what it could be used for.  One thing is for certain, people such as the ‘security expert’ who went on the BBC this week and said if you haven’t seen fraudulent transactions on your credit card yet you’re probably safe, are just idiots.  How quickly do these people think criminals can get through 77 million records?

I thought I’d write up some strategies here to help keep you and your personal information safe online.  Some of these you will be able to implement and some you won’t, but in conjunction they ought to make you safer.

Keep your email and online files password safest

This isn’t just to do with Spam, it’s something I wrote about here a few days ago.  Create yourself a super-strong password (see below for advice on how to do this) that you use only for your email, contacts and anywhere that you store documents online, such as SkyDrive or DropBox.  It’s essential to keep this information safe.  You are being trusted by others with valuable contact information attached to your email account for, sometimes, several hundred other people including their full addresses, mobile phone numbers, dates of birth and more.  This isn’t to mention any personal financial or other sensitive data you’re storing in your online files.

Use different passwords in different places

This isn’t always easy to do as people have trouble remembering passwords so tend to have just one or two.  There’s nothing to stop you writing down a list of passwords in a file on your phone (if you have a code lock on the handset) or at home if you have them in code.  For instance you could have the letter s appended to the beginning of the password.  To any glancing eye it just looks like an extra letter on the code.  You will know that is the password you use for shopping websites.  A g could signify gaming websites and so on.  While remembering passwords might be a pain when away from home and on new computers, your own computer equipment will usually remember the passwords for you.

Create a strong password

The strongest and most secure password follow the same rules…

• Make it at least 10 characters in length
• Use a mixture of Lower and Upper-case letters
• Use numbers (you can substitute some for letters too, 0/o, 1/i/l, 5/s and so on)
• Use symbols (which you can also substitute for letters, $/s, _/L, #/o for instance)
• Do not ever use the following (common words, names, date of birth, the word password)

One thing to note with this is that many websites still won’t allow you to use certain characters (usually *) in passwords.

Never use your banking passwords or PIN

Your banking password and card PIN number are for your banking ONLY.  Do not ever use them on any other service or website!

Minimise the information you share

This can be difficult.  On websites such as social networking it’s easier to do and you should never share…

• Address
• Phone numbers
• Date of Birth

But sometimes, especially in the case of a website you’ll have financial dealings with this is unavoidable as they need your date of birth and address for security.  Go back to my previous rule about different passwords for different websites for this situation then.

If a web service is hacked though any and all information that you share is vulnerable.  If you must give away this information to validate yourself on a website can you remove or change it afterwards?  Will the website’s service still work for you if you later log into your account and either remove the information completely or change it, perhaps by changing the phone number to 12345?

Be careful with usernames and email addresses

You can inadvertantly share useful information in your email address and usernames.  It’s common for someone to append their date or year of birth to these.  Always avoid doing so!

Use online banking

If you use online banking you can keep a much closer eye on transactions on your accounts.  Rather than have to wait up to 30 days for your statement to arrive, online banking will usually show you the most recent transactions whenever you log in.  This is an excellent way to see if someone is fraudulently using your credit or debit cards so that you can inform the bank promptly and have those cards cancelled, minimising the economic effect on you.  Remember it can take the banks a while to refund money to you.

Reduce the surface area for attack

Again this is something I wrote about at the beginning of the week.  Try not to sign up for every website and web service going.  Don’t spread yourself out on the web so far that you’ll never remember where you have accounts.  Keep and eye on your email and junk folder.  Occasionally these websites will send you an email and you can use this as a reminder to go back there and either remove or replace any personal and sensitive information, or preferably, just close the account completely.

Be vigilant

To be honest there’s absolutely nothing you can do to prevent a hacking attack such as the one that recently hit Sony.  It could happen to any company at any time, no matter how big or small they are.  The trick is to not have the information that can be exploited avillable to begin with but this is rarely easy in today’s Internet age.  The best advice I can give is simply to be vigilant and aware of what’s going on with your banking and your accounts.  With these simple rules you won’t be completely protected, but you can at least minimise the damage if something does go wrong.

SafeOnline is a security program developed by Prevx that is available as a standalone software or as part of Prevx 3.0. This program, according to its developers, is able to protect PCs against many forms of phishing and pharming even if they are infected.

How is it done?

The core protection lies in the ability to block keyloggers, screen scrapers, man-in-the-browser attacks, session hijackers, clipboard grabbers, and a number of other threats commonly installed by trojans like SilentBanker, Bancos, Zeus, Torpig, and Curtwail onto thousands of PCs daily. Rather than focusing on being able to identify the threats themselves, SafeOnline works to isolate the browser from the rest of the system even if unknown threats exist that try to steal data from the user. System level malware generally attempts to read data from the browser but Prevx introduces a layer in-between the browser and the rest of the operating system, tricking the threats into thinking that they have successfully read and transmitted the user’s credentials outside of the system when they have not. Unlike other solutions, Prevx SafeOnline works with the user’s existing browser, without requiring the use of a specialized browser so there is no need for the user to change their browsing habits – protection is applied seamlessly and silently in the background.

This sounds like a reverse sandbox where the contents in the sandbox are protected from the rest of the computer system. According to Prevx it offers protection against

* Man-In-The-Browser
* Phishing attacks
* Keyloggers
* Screen Grabbers
* Cookie Stealers
* Info Stealing Trojans such as ZEUS, MBR, Goldun, and Silent Banker

Prevx has contacted several banks in the UK offering their product for free to the bank’s customers. Six banks so far have shown interest in the product. These banks had special requirements according to PC World that included that the product would work with other security software and would not force the banks to change their websites. The security product was able to meet all of these requirements.

Verdict: The main question here is if it is really safe. Will it really defeat all keyloggers and phishing attacks? What if the security software fails do to so? What if users feel overconfident using the software? It might work as an extra layer of defense on a PC system but it might take a while before the company can build enough trust in their product. Thanks Dante for the tip.

If you take a look at this list you see that all European and Canadian banks but one are offering (most require) SSL login pages and that about 50% of the US banks offer ssl only optional. This is in fact a great risk and could be reduced by simply deactivating normal http access to the login pages (or the complete website).

I would encourage everyone who has his account at a bank that is classified as optional to  write them an email asking them to remove that insecure access to their website.