Monday, January 07, 2013

How do I protect my Paypal account?

A friend of Amber's recently asked an interesting question - how can you protect your Paypal account from being hacked?

Well, I may not work for Paypal (or any Internet finance company), but I do know a thing or two about security, so I figured I'd give it a shot and offer some tips for keeping your account secure. The same tips apply to just about any valuable Internet account you want to protect.

1. Use a unique password.
Your password should be one that:
  • NOBODY else knows. Yes, not even your spouse, your kids, your tech support guy, or even your Mother. The more people who know, the higher the chance that at least one of them will abuse the access, or, even if they don't, will make a completely unintentional mistake that ends up exposing your password.
  • Is not used at ANY OTHER WEBSITE. It turns out that financial institutions (usually) do a pretty good job of protecting their users' passwords. However, FarmCityVampireTownVille, written entirely in Edgar's Mom's basement, is likely not quite as careful. A two-bit hacker cracks the game's password file, then tries those same email/password pairs on more valuable websites like Paypal. No guessing is involved; the reuse does all the work.
  • Is not blatantly obvious. While hackers may not know the name of your dog or your birthday, that angry ex-girlfriend probably remembers it acutely, and is eager to use that knowledge to steal every cent you have.
  • Is not written somewhere easy to access. Sticky notes (the real world kind) on the monitor are bad. A Notepad file on your desktop (the virtual kind now) is worse. Having the browser remember your password is just asking to get robbed. If you really want to save your passwords somewhere, there are specialized applications, eg. 1Password, which will allow you to save your passwords encrypted on your computer or phone. These applications can be a mixed blessing - the idea is that saving all your passwords under a single master password is worth the risk because it is then practical to use unique passwords for every website.
I specifically omitted any tips about having a "strong" password. While your password shouldn't be excessively short or common ("abc" or "dog" are probably not good choices), the gains from sprinkling in a bunch of numbers and punctuation are modest at best; if you want more strength, making the password longer (a few unrelated words) does far more than substituting symbols. Changing a password frequently (more than once every few months) is often more counter-productive than helpful. In my humble opinion, it's more important to have a unique password you can remember than what some security experts consider a "strong" password.
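To make the reuse point concrete, here is an added example (not code from the original post): a small simulation of the attack described in tip 1, followed by the check a password manager could run on your own list. The leaked pairs, the "valuable site" user table and Alice's vault are all constructed for the example; the target site stores salted PBKDF2 hashes, so the only thing that lets the attacker in is that Alice used the same password in two places.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed data, not a real dump: the (email, password) pairs an attacker
# holds after cracking the game site's password file.
LEAKED_FROM_GAME = [
    ("alice@example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "hunter2"),
]


def _hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256: the "valuable site" stores passwords properly,
    # so the attack below succeeds only through reuse, not weak storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Hypothetical valuable site's user table. Alice reused her game password;
# Bob used a password unique to this site.
VALUABLE_SITE_USERS = {
    "alice@example.com": _make_user("Tr0ub4dor&3"),
    "bob@example.com": _make_user("glass orbit canyon walrus 17"),
}


def verify_login(users, email, password):
    """The valuable site's login check: recompute the salted hash and compare
    it in constant time."""
    record = users.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def credential_stuffing(leaked, users):
    """Attacker side: replay every leaked pair against the target site and
    return the accounts that open. No cracking involved, just reuse."""
    return [email for email, pw in leaked if verify_login(users, email, pw)]


# Defender side: Alice's own password list, as a password manager would hold
# it (constructed for the example).
ALICE_VAULT = {
    "paypal.example": "Tr0ub4dor&3",
    "farmcityvampiretownville.example": "Tr0ub4dor&3",
    "mail.example": "glass orbit canyon walrus 17",
}


def reused_passwords(vault):
    """Return {password: [sites]} for every password used on more than one
    site. Any entry here is exactly the weakness credential stuffing exploits."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print("accounts that fell to stuffing:",
          credential_stuffing(LEAKED_FROM_GAME, VALUABLE_SITE_USERS))
    print("reused in Alice's vault:", reused_passwords(ALICE_VAULT))
```

Bob's account survives even though his game password leaked, because the leaked password simply doesn't work anywhere else. The reuse audit is the kind of check a password manager can run for you, which is the real argument for using one.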

2. Use only computers you trust.
A compromised computer or device can easily steal your password.
  • Run anti-virus, and keep it up-to-date. You are susceptible to computer viruses. Period. I don't care how safe you think you are. I don't even care if you only surf news sites, or if you don't even have the Internet. You WILL eventually be exposed to a virus, and an effective anti-virus can protect you from most of them (independent tests show good products blocking the large majority of samples, though never all of them, which is why the other tips still matter).
    If you don't have an anti-virus (or let your subscription lapse on the one you have) and don't feel like paying for one, Microsoft gives away a free anti-virus (Microsoft Security Essentials). Alternatively, if you have Windows 8, you already have anti-virus built in.
  • Don't use anyone else's computer to access your account. Don't log into Paypal from your friend's computer. Or your Mom's computer. Especially not an Internet kiosk, or at a store. I'd even warn against using your account on a shared computer at home, if you can avoid it. It is simply too hard for you to be sure that the computer you are using is trustworthy to not steal your passwords.
  • If your computer is behaving strangely, don't access your account. This is a bit more subjective - computers can often seem to act 'strangely' in completely normal circumstances. However, if your computer is displaying unexpected pop-ups, redirecting your Internet searches, or running unusually slowly, you should at least run a virus scan before using your account. If you have been told that you have a virus, *never* use your account until your computer has been successfully cleaned by anti-virus software - and if possible, inspected by a professional.
What I didn't say here is "trusted networks". Go ahead and use your account on any Internet connection you can get - home, work, your hotel room, even public wireless. Any credible financial website these days will use encryption ("https"... usually indicated by some sort of padlock icon in your browser address bar). This means that, assuming your computer is otherwise trustworthy, even if somebody is listening in on your connection, they can't see your password. The one thing to watch for on an unfamiliar network is a certificate warning from your browser: that is exactly what it looks like when someone on the network is sitting between you and the site, so if you see one, close the tab rather than clicking through.

Note: while Paypal protects your entire session using encryption for privacy, some websites only protect the login page where you type your password, then switch back to an unencrypted connection for everything else. This means that anyone listening in will be able to see whatever you're browsing (for example, your emails), and can often copy the session cookie and act as you, particularly on a wireless connection. If you value privacy, the EFF makes a great tool called HTTPS Everywhere that turns on encryption automatically for many common websites.
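What "the entire session is encrypted" means in practice comes down to a few response headers. The following is an added example (not part of the original post) that audits a page URL and its headers for the three things that decide whether an eavesdropper on the network can see or hijack your session: the page itself is served over https, the site sends Strict-Transport-Security so the browser will refuse to go back to plain http, and the session cookie carries the Secure and HttpOnly flags. The two sets of headers are constructed for the example; `payments.example` and `mail.example` are placeholder hosts, not captures from any real site.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_session_protection(url, headers):
    """Return a list of findings explaining how a session on `url` could be
    observed or hijacked by someone listening on the wire. An empty list means
    the whole session is protected, as far as these headers can show.

    `headers` is a dict of response headers; because a response may carry
    several Set-Cookie headers, that one is a list of raw header values.
    """
    findings = []

    if urlsplit(url).scheme.lower() != "https":
        findings.append("page is served over plain http: everything on it is visible")

    # Header names are case-insensitive, so compare them lower-cased.
    has_hsts = any(name.lower() == "strict-transport-security" for name in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security: the browser can later be sent "
                        "to an http:// link on this site and leak its cookies")

    for raw in headers.get("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(raw)  # parses "name=value; Secure; HttpOnly; Path=/" style values
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} lacks Secure: it will be sent on any "
                                "http:// request, where an eavesdropper can copy it")
            if not morsel["httponly"]:
                findings.append(f"cookie {name!r} lacks HttpOnly: page scripts can read it")
    return findings


# Constructed sample 1: a site that encrypts the whole session.
FULL_SESSION_HTTPS = ("https://payments.example/account", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=7f3ac9d1; Secure; HttpOnly; Path=/"],
})

# Constructed sample 2: login happened over https, but the site then dropped
# back to http and set a cookie without flags, so the session rides in the clear.
LOGIN_ONLY_HTTPS = ("http://mail.example/inbox", {
    "Set-Cookie": ["session=9c21e0b4; Path=/"],
})


if __name__ == "__main__":
    for label, sample in [("full-session", FULL_SESSION_HTTPS),
                          ("login-only", LOGIN_ONLY_HTTPS)]:
        print(label, "->", audit_session_protection(*sample) or ["ok"])
```

The second sample is the pattern the note above warns about: your password was never exposed, but the cookie that proves you logged in is sent over plain http on every subsequent page, which is all an eavesdropper on the wireless needs.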

3. Protect your email account.
It turns out that your email account is one of your most valuable assets for security. When you click that "I forgot my password" link on your favorite website, they usually send you a password reset email, so whoever controls your inbox can reset your Paypal password without ever knowing it. Even worse, your email likely has enough personal information (friends/family information, birthdays, account numbers, sometimes even passwords or security questions) to break into almost every account you own, even ones that aren't on the Internet!

Take similar precautions with your email account as you would with your Paypal account, because the former may provide the keys to the latter.

Anyone else have good tips to protect your Paypal or other valuable Internet accounts? I'd love to hear about them in the comments.
