Photography, art, technology, news & the world wide web

Cyber security is more than just your PINs and your passwords

Posted: March 22nd, 2010 | Filed under: Security, Software, Technology, Web | 1 Comment

I expect that not many of you are being kept awake at night by fears of a cyber attack, but we should at least all be aware of the scope of the threats that exist to photographers on the internet, and that there are some pretty straightforward countermeasures available to us.

The online bits of any small business are susceptible to risks which are compounded by the fact most of us are not IT experts and therefore don’t even know what they are, let alone how we might defend ourselves against them.

Having robust passwords is a simple way to make a big difference. If your password is a dictionary word, or a dictionary word with a capital letter, a few digits or an exclamation mark tacked on, then finding your account compromised is a matter of "when" and not "if": attackers run wordlists and their common variations against accounts automatically, and those variations are the first things they try. Once in, the intruder may deliberately avoid doing any visible damage so that you never notice, and instead keep using your account to send spam to your contacts from an address they trust. A friend of mine discovered that his Hotmail account had been accessed by Chinese hackers many times and over many months. They were able to do this because his password was weak and could be defeated by a brute force attack.

Consider protecting your email accounts, Facebook page, Twitter ID and all your other online identities with a password manager application. I use 1Password, which allows me to set ridiculously long and complex passwords without having to remember them. 1Password stores each individual password, while I need only commit the one master password to memory. Entering the master password unlocks 1Password, which then supplies the ultra-secure long password for each online account when the respective login page asks for it. The trade-off is that the master password now guards everything else, so it must be genuinely strong and never reused anywhere, and the encrypted password file should be backed up with the rest of your data so that losing a laptop doesn't lock you out of every account at once.
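To make the difference concrete, here is an added example of my own (not code from the original post, and not how 1Password works internally). It models the dictionary-plus-rules attack described above against a small constructed wordlist and a typical set of "mangling" rules, then compares the size of that search space with the search space of a random password of the kind a password manager generates. The wordlist, rules and guess rate are illustrative assumptions; real cracking dictionaries and rule sets are far larger, which only widens the gap.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary. Real wordlists run to
# millions of entries; the point is that the space is still tiny.
WORDLIST = ["photo", "canon", "nikon", "camera", "lens", "password", "studio"]

# Typical mangling rules: leetspeak substitutions and common suffixes.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2010", "1!", "2010!"]

# Printable ASCII without the space: what a password manager draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mangle(word):
    """Yield the variants a rule-based cracker would try for one base word."""
    leet = "".join(LEET.get(ch, ch) for ch in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_candidates(words=WORDLIST):
    """Every password the dictionary-plus-rules attack will guess."""
    for word in words:
        yield from mangle(word)


def is_in_dictionary_space(password, words=WORDLIST):
    """True if a rule-based guessing attack over `words` would find `password`."""
    return any(candidate == password for candidate in dictionary_candidates(words))


def dictionary_space_bits(words=WORDLIST):
    """log2 of the number of guesses needed to exhaust the dictionary space."""
    return math.log2(sum(1 for _ in dictionary_candidates(words)))


def random_password_bits(length, alphabet=ALPHABET):
    """log2 of the search space for a uniformly random password of `length`."""
    return length * math.log2(len(alphabet))


def generate_password(length=24, alphabet=ALPHABET):
    """What a password manager does: draw each character from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed (illustrative) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Nikon2010!", "c@m3r@123", generate_password()):
        print(f"{pw:<28} guessable by dictionary attack: {is_in_dictionary_space(pw)}")
    print(f"dictionary space: {dictionary_space_bits():.1f} bits, "
          f"{years_to_exhaust(dictionary_space_bits()):.2e} years at 1e10 guesses/s")
    print(f"24-char random:   {random_password_bits(24):.1f} bits, "
          f"{years_to_exhaust(random_password_bits(24)):.2e} years at 1e10 guesses/s")
```

Note that "Nikon2010!" and "c@m3r@123" look nothing like plain dictionary words to a human, yet both fall out of a handful of rules applied to a seven-word list; a 24-character random string from a 94-character alphabet sits in a space of over 150 bits, which no guess rate makes practical.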

A compromised email account might cause you more trouble than just the inconvenience of having to explain to your friends and clients why you were spamming them. For instance, how much brand value is invested in your domain name and what would it mean should you lose it? At the very least you're paying for new stationery and finding another email address. But if you've paid for some serious Search Engine Optimisation to be done and are now recruiting clients from the web because of it, losing your web address could really hurt your bottom line. All the details needed for someone to take control of your domain name are very possibly sitting in your email inbox right now: registrars send renewal notices and password-reset links to the contact address on the account, so whoever controls that mailbox can effectively control the domain (see "WARNING: Google's Gmail security failure leaves my business sabotaged").

If you engage a designer to build your website, consider taking care of the initial domain name registration yourself. Or at least ensure that it's registered in your name from the outset and that the admin contact email address supplied to the registrar is your own. That way, should your working relationship with that designer ever sour, your domain name does not become a pawn in any difficult negotiations that may follow. If you are the registered admin contact, it is relatively straightforward to change the account password through the lost password procedure, and thereby regain control; if the designer is the contact, that same procedure works for them and not for you.

More fundamental, of course, is ensuring your domain name gets renewed when it falls due, and doesn't get poached by squatters because you missed the deadline. Turn on auto-renewal where your registrar offers it, and keep the contact email address and payment card on the account current so that the renewal notices reach you and the payment goes through.

But online security is more than just PINs and passwords. Many photographers now maintain digital archives with online services, and while they might operate in professionally equipped, properly maintained server farms with multiple redundancies and be generally all confidence-inspiring, I have two words for you – "Digital Railroad".

Digital Railroad was a high-end outfit with all the bells and whistles, backed by millions in venture capital, that hosted the archives of some of the foremost agencies and individuals in our industry. But in 2008 it very suddenly went broke. The company was offline before I, for one, could move to safety the 20GB I had stored with them. During a 24-hour period, almost all of its clients were desperately and simultaneously trying to move their archives elsewhere, with the clock ticking and the receivers ready to disconnect the power.

While I might have lost dozens of hours of captioning and keywording, of course I had my pictures stored elsewhere, too. The Digital Railroad example highlights how we must safeguard against the potential economic frailties of the third parties we engage to maintain our web presence: keep your own copy of everything you upload, including the metadata you add, and know how you would get it all back out in a hurry.

Social networking has a lot of traction in marketing circles at the moment, and there's no telling whether it's a fad or if it's here to stay. But what's for certain is that it is a business intelligence goldmine. By allowing your peers access to your LinkedIn profile, for instance, you might be handing them a complete client list with the names and numbers of all the key people at each company you work for. Perhaps keeping LinkedIn for work and Facebook for friends is a wise practice.

Everyone's doing their banking online these days, so the fraudsters have followed suit. Banks want you to feel confident when you use their websites because this reduces their need for staff, so they tend not to publicise incidences of online theft, and the truth is they'll almost always refund your losses if you get stung. Better to avoid the inconvenience, I say, so start by registering your mobile phone with your bank for SMS verification. That way any attempt to add a new payee or to transfer cash to a new bank account will require a code sent to your phone before it goes through. Your bank might also be able to provide you with a SecurID fob or similar. This attaches nicely to your keyring, and its purpose in life is to generate a constantly changing code (a fresh one every minute or so) that the bank checks alongside your password each time you log into your account. Because the code comes from a device in your pocket, a password that has been guessed or phished is not enough on its own to get in.
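SecurID tokens use RSA's own proprietary algorithm, but the open TOTP standard (RFC 6238) works on the same principle and is what most newer bank and phone-app tokens use. The following is an added example of my own, not code from the post or from any bank or vendor: the token side derives a six-digit code from a shared secret and the current 30-second period, and the bank side checks it, allowing one period of clock drift either way and refusing to accept the same period twice so that an intercepted code cannot be replayed. The secret is the published RFC 6238 test key, not a real token's, and the timestamps are the RFC's test values.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch.
    This is what the fob (or app) computes and displays."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Bank side: accept a code for the current period (plus `window` periods of drift)
    and never accept a period twice, so a code that was sniffed cannot be reused."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest period already consumed by a successful login

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        counter = int(at // self.step)
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:
                continue  # this period was already used: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False


# Shared secret from the RFC 6238 test vectors; a real token holds a unique secret per user.
TEST_SECRET = b"12345678901234567890"


def replay_sequence(secret):
    """Worked sequence: first use, immediate replay, next period, stale code two periods on."""
    verifier = TotpVerifier(secret)
    code = totp(secret, at=59)
    return (
        verifier.verify(code, at=59),                 # genuine login
        verifier.verify(code, at=59),                 # same code again: replay
        verifier.verify(totp(secret, at=89), at=89),  # fob has moved on, new code
        verifier.verify(code, at=59 + 120),           # old code outside the drift window
    )


if __name__ == "__main__":
    print("code at t=59:", totp(TEST_SECRET, at=59))
    print("accepted / replayed / next / stale:", replay_sequence(TEST_SECRET))
```

The constant-time comparison and the "never go backwards" counter are the two details that are easy to leave out of a home-grown verifier; without the latter, anyone who shoulder-surfs a code has the full 30 seconds (plus the drift window) to use it themselves.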

Are you a member of either Nikon's or Canon's Professional Services programmes? Register your equipment serial numbers with them straight away – you can do it online right now. Both companies check the serial numbers of repair jobs against these records, and in the case of my colleague who had a lens stolen two years earlier, it was returned to him after the thief sent it in to Nikon for service.

Unless you actually operate a studio, it's probably best not to advertise your address online – particularly if you work from home. Thieves have targeted photographers who have revealed this information on Craigslist or on their individual websites. So rent a post office box, and you can even have your mail diverted from it to your home address if you wish.

There are countless online scams that target photographers. The most common is the over-payment scam, where a prospective "client" contacts you saying they really want you for "this" campaign or "that" project and – by the way – where do I send the deposit? It arrives as a money order and you discover it's for slightly more than was agreed to, so the sender asks you to wire the difference back to them. The bank has accepted the money order and made the funds available, so it seems to have cleared, and you think "what's the harm?". But the bank only verifies the instrument later, and once it discovers that the money order was counterfeit – and they do – the deposit is reversed, and the money that you refunded to the client is long gone – as are they.

The over-payment scam is adapted to all manner of goods and service providers, but in our case there are some warning signs. The nature of the assignment on offer might be unlike the sort of work you're known for, and it might even surprise you that the client chose you in the first place. That's because the scammers are sending the same email to thousands of photographers, and will not have bothered to tailor it to each.

The offer will also try to offset any doubts with the temptation of a very generous fee. So the over-payment scam is a case of what appears too good to be true probably being exactly that.

Photographers travel more than most people. If you are a Qantas Frequent Flyer, don’t leave your boarding pass behind on the seat when you deplane. I hope Qantas have changed their procedures by now, but there have been cases where people have telephoned the airline claiming to be who they are not, pretending to have forgotten the password to their online account. Details readily found on a discarded boarding pass were enough for Qantas to reset it and the imposter could then go ahead and transfer frequent flyer points to another account or redeem them for whitegoods or golf clubs.

Remember you don't need to be BHP or General Electric to find yourself the target of an online attack or to be susceptible to the other frailties of the web. And unlike the big multinationals, a small business hit by a cyber-attack or the loss of its entire web presence could ultimately be sent to the wall.

wade@wadelaube.com

www.twitter.com/wadelaube


One Comment on “Cyber security is more than just your PINs and your passwords”

  1. Gaurav Dhwaj Khadka said at 2:23 pm on March 25th, 2010:
    Interesting articles... :)
