Too often, the same password is used for multiple online accounts—for instance, you might log in to your online banking site with the same password you use for your personal email account. In the McAfee Digital Assets survey from earlier this year, 37% of people reported that they use the same password for multiple online accounts. Using identical passwords is convenient for us as users, but it’s also convenient for any hacker trying to steal personal information—once a hacker has access to one of your accounts, he can use a recycled password to snoop around at will.

Certainly, using more than one password and pass phrases that include a mix of upper and lower case letters, numbers and symbols and is at least ten characters in length goes a long way towards keeping malicious people at bay, but unfortunately, merely adding variety to your login information doesn’t guarantee security.  In The Easiest Ways to Not Get Hacked, author Rebecca Greenfield included this chart showing just how much difference one character in length makes:

One of the most important accounts to keep secure is your primary email account—and here’s why: sooner or later, all of us have to use the “I forgot my password” option, which typically sends a password reset email. A whopping 79% of McAfee Digital Assets survey respondents said they’d used a “forgot password” button in the last six months. A hacker only needs to crack the password for your primary email account, and he’ll be able to access any of your other secure accounts simply by clicking the “forgot password” button when he sees it. This is what is known as a single point of failure, meaning it’s the one piece in any system that can bring down your whole system.

Establishing a separate email account for registration is one idea—in other words, your “I forgot my password” emails would all be sent to an account other than your primary email account. But even in that situation, there’s still only one password between a hacker and most of the data you want to keep out of a hacker’s hands—from financial accounts and bank access to your weekly grocery delivery service. So the real question, even if you’re savvy enough to have a separate email address for password rescue, is: how do you make any email account more secure?

Two-step verification (often referred to as two-factor authentication) is a system designed to give you an extra layer of security that’s easy to use and indispensible for commercial or highly sensitive accounts. Two-step verification protects your email with not only a password, but also by associating your account with a specific device or devices. A recent example of how this works comes from Google. In the case of Google’s two-step verification for Gmail accounts, a user simply re-authorizes the account every 30 days, by providing a numeric code that confirms the account.

The extra step and learning a new system of security sounds like an enormous hassle but Google has taken the pain out of the process by allowing you to obtain the code in one of three ways:

• Via text. You can have Google send you a text message containing the code.
• Via Smartphone App. You can download a free app that will generate a randomized code for at the time of sign in.
• Via landline. You can receive an automated voice message to a non-mobile phone that tells you the code.

This means that a hacker who wants to access your email account can only do so if he’s also got access to your text messages or your landline phone. It might not stop every cybercriminal, but it does make the average hacker’s job a lot harder.

This two-factor authentication, while not new, is making major inroads amongst websites, apps, and services that process critical information. Many corporations have used hardware-based secondary authentication codes for years, but Google and others (including Twitter) are working hard to make this enhanced authentication flow a more practical and accessible part of our working lives.

New biometric verification options, such as a retina or fingerprint scan, are also catching on among security-conscious consumers, and will likely be a feature on more devices in the future. As times change, and more sensitive information flows through these sites, we can be sure to see more of these processes put into place.

Malware is a generic term used to describe any type of software or code specifically designed to exploit a computer or the data it contains, without consent. Malware includes viruses, Trojans, spyware, adware, most rootkits and other malicious programs. Some malware is used as a one-time attack that just wipes your hard drive or sends all of your passwords to an unknown server. That kind of attack is a cakewalk in comparison to a type of malware called a Trojan.

A Trojan is a type of malware that leaves a backdoor open to your system for the hacker to access at any time. If someone steals all of your passwords in a one-time attack, the solution is easy: you just change your passwords. However, if you have a Trojan that steals your passwords, hackers will have your new passwords the second you change them. Trojans are an unending nightmare for your personal data.

With more people using mobile devices to orchestrate every detail of their lives, mobile Trojan malware is on the rise. Scarier still, these Trojans aren’t just after your excel sheets, they’re sending text messages on your behalf and gathering data on your location.

The newest iterations of malware are the most sophisticated and dangerous Trojans yet. One of the latest targets the Android operating system; McAfee Mobile Security detects it as Android/Obad.a via the cloud (other vendors refer to this as Backdoor.AndroidOS.Obad.a.) and is often simply called Obad.  Lianne Caetano has a more in-depth article about how Obad works.

Obad lets a hacker completely control your phone without you ever knowing about it and your phone can catch it just by standing next to someone with an infected phone.

Here are some ways you can protect your phone from Obad and other terrible Trojans that might be targeting your personal data:

• Get mobile security. Mobile security products scan your phone for malware and can remove suspicious software before you become the victim of an attack. Having an antivirus on your phone is the easiest and most basic security measure you can take, and as mobile devices become a hub for ever more important activities (including online banking and shopping,) protecting your personal information means installing comprehensive security on all of your devices, not just your PC or laptop. If you’d prefer to use one security solution for all of your devices, check out McAfee LiveSafe.
• Don’t download questionable apps! Before you download an app, take a second to check out reviews, or do a simple web search to see if it’s reputable. You should also carefully review permissions requests for any new app you download, and make sure you know whether your favorite new word game is accessing your email or social networks, or sharing your geographic location. Appearances can be misleading, and some apps install hidden malware on your mobile devices.
• Do not download files that you are not 100% certain of what they contain. Even trusted friends can unknowingly send you a file with hidden malware.
• Do not leave your Wi-Fi on. Manually connect to Wi-Fi before you use it every single time and only connect to trusted networks, like a password-protected wireless network in your home or office. It is an annoying inconvenience, but most phones are set to connect to any available Wi-Fi network—meaning the free internet at your local café could give hackers access to your phone even if you aren’t using it while you pick up coffee.
• Secure Bluetooth access with a password. Never leave your Bluetooth connections unprotected. As some unfortunate consumers have already discovered, Obad and other new Trojans can use Bluetooth to “jump” from one device to the next.

With mobile Trojans on the rise, you need to take precautions to protect your personal data. These simple measures will keep your information safe and your phone free of malicious software.

While it may be daunting to try and understand the ever-evolving nature of the Internet, parents shouldn’t shy away from making sure their children are always virtually protected. With summer vacation rolling around and screen time increasing dramatically, it’s imperative to teach kids safe online habits to maintain their privacy, reputation and safety.

What Happens on the Internet, Stays on the Internet (Forever)

Kids and teens should understand that their digital footprint lasts indefinitely. One inappropriate carefree summer photo – depicting alcohol abuse, excessive partying, or illegal behavior —– could cost your teen a future college education, internship or job. Facebook photos, for instance, can show up in search results for as long as seven years after they’ve been deleted from your account—better to never upload them in the first place. Give your kids a general code of conduct: no compromising photos, set all social networks to private and when in doubt, don’t post online what you wouldn’t want Grandma to see offline.

Keep Personal Information Private

Information is the commodity of the Internet and social networking sites and app developers are often guilty of sharing, trading and selling private information. The Federal Trade Commission (FTC) recently issued a report that concluded “neither the app stores nor the app developers provide the information parents need to determine what data is being collected from their children, how it is being shared, or who will have access to it.”

Suggest that your kids always check the privacy policy and settings to see what information is being accessed through various apps and social media sites.

Some common features that may endanger your child’s privacy include:

• Allowing contact with strangers
• Leveraging social networking services
• Collecting information about contacts and phone numbers
• Storing passwords or other unique identifiers
• Encouraging purchases, monetary upgrades and targeted advertising

Keep it Clean, Ensure Safe Surfing

Make sure your bored kid is surfing the Web responsibly this summer. While you can encourage your children to think critically about online browsing, it is also a good idea to curtail their access to unsavory information. Fortunately most web browsers like Safari, Chrome, Firefox and Internet Explorer have easy to use privacy settings and parental controls.

You can also filter search results with Google SafeSearch, which screens sites that contain questionable content and removes them from results. McAfee SiteAdvisor, which is part of the LiveSafe product package, assigns a safety rating to sites and search results for safer browsing. Keep an eye on your child’s browsing history. If this has been wiped clean, it may be a good time to sit the kids down for an open dialogue on Internet safety.

Teach Your Kids to Recognize Phishy Behavior

Children are more susceptible to phishing and malware scams, so educate them on what form these security scams come in. Unsolicited emails, attachments, free games, ring tones, and other download prompts could all result in a compromised computer and identity theft.

Always make sure you have security software installed and updated on all your computers. The proliferation of peer-to-peer file sharing amongst teens – for music, movies, even school projects – is also often a source of spyware. Show your child how to use your security software to scan any file before downloading, and teach kids to avoid file sharing sites for media (like music or television shows), which are often risky from a security standpoint, and remember that file sharing this type of content is almost always illegal.

From TED talks to online learning platforms like Coursera or Code Academy, the Internet can be a great resource for learning, exploring, and sharing. Just make sure you’re giving your kids the knowledge they need to surf the web wisely.

You may not be able to stop a dedicated hacker from compromising your online identity, but there are methods you can use to either stall or convince them that hacking you isn’t worth their time.

1) Use the right kind of password, and change it often

The right password can make all the difference. But for many the “right” password is actually wrong. Most passwords are too common, too closely associated with an account holder (like the birthdate of a relative or the name of their pet), or used across multiple websites.

The first thing to do is to use a unique, complex password for each account you have online. The password should use a random combination of upper and lowercase letters, numbers and symbols.  Most websites today require passwords to have minimum of six characters, but with the ability of even the most basic password cracking software, six character passwords, no matter how complex, can easily be decoded. To keep your passwords from being compromised, use at least 11 characters. The more characters you use, the more difficult it becomes for a hacker to crack.

Keeping track of passwords for online accounts can be a challenge, but writing them down for reference defeats the purpose altogether.  Try using a password manager, like McAfee SafeKey, to keep your passwords secure and protected without sacrificing your sanity

2) Don’t engage suspicious links

If your computer becomes infected with malware—dangerous software used to gather sensitive data from your computer—all the characters in the world won’t be able to protect you.

One of the more common methods hackers use today to compromise accounts is a method called “phishing.” Phishing scams usually involve hackers creating crafty emails, which convince users to either click on a malicious link or to give up personal information.

Avoid this and protect your information by not clicking on any links — highlighted text, which can take you to another part of the Internet with a simple click — contained in an email or online comment. Misspelled brand names, bad grammar and a comment with an all too salesman-y approach are some good indicators of ne’er do wells.  Ideally, you want to have a safe search tool like McAfee SiteAdvisor, that can not only provide safety ratings in search results, but also prevents you from going to known malicious sites.

3) Enable two-step verification if available

Two-step verification activates whenever a user, or a hacker, attempts to gain access to an account from an unfamiliar computer or mobile device. The service offering two-step verification, like Google, will then send the user a six-digit code to the associated device by either a text message or a phone call. Users will then enter that randomly generated six-digit code along with their password in order to confirm they are who they say they are.

While it may not be as convenient as a single password, it’s far more secure. More and more businesses are enabling this option, so always opt in when you can in order to keep your identity as secure as possible.

4) Use comprehensive security on all of your devices

Malware isn’t just restricted to PCs anymore. From smartphones to tablets, you should have security software installed on all of your devices. The Android system is a particularly tempting target, with many malicious apps waiting to steal your information—even some hiding in the legitimate Google Play store.

As the most basic step, make sure you use a PIN code or password to lock your mobile devices and make sure it’s set to auto-lock after a certain period of time. Software options like McAfee Mobile Security or McAfee LiveSafe (for all your devices) can protect you from threats and help you avoid risky websites as well as malicious apps. With this kind of fortification, your personal data will not only be safe in your hands, but also if a device falls into the wrong ones. In the event of loss or theft, security software should be able to remotely backup, lock and if necessary, wipe all the data from your mobile device.

5) Forget the ‘Remember me’ function

While it may be convenient, the ‘Remember me’ function on browsers and mobile devices can become a major threat to your digital identity. By saving your password cookies, the process is easier for you—as well as any hacker able to sniff your wireless network or gain access to your device.

Always log out of apps or important websites when you are finished, especially when it comes to online banking or social networks. This may seem like a fairly simple step, but anything that you can do to take yourself out of the low-hanging fruit category will go a long way towards deterring cybercriminals.

6) Set up a secret password account 

Nearly every website requiring passwords also contain a password reset feature. While convenient, this feature can also be used against you to gain access to all of your accounts, especially if you use different emails accounts to reset passwords to your account. If a hacker gains access to one email, they can falsely request password resets on other emails and accounts.

To avoid this snowballing effect, consolidate your password reset emails to one secure email account. As Slate’s Farhad Manjoo explains, a single email account dedicated to password resets can keep your online persona safe. You can make this account secure by using an account name with no recognizable relation to you, secure password (preferably with 11 or more characters) and enabling two-step verification.

Of course, with enough effort, hackers can bypass nearly any preventative measures you make with a variety of tools. But small steps like these can be an effective way to deter hackers from making your life miserable.

Liberty Reserve’s popularity was a direct result of its anonymity. Reputable online payment systems like PayPal require verification from users for security and tracking purposes, and help to keep personal financial data private. By contrast, account holders at Liberty Reserve were not required to provide proof of their identity when opening an account; with only an email address, anyone could begin moving money within the Liberty Reserve system, making transactions untraceable. This made the system downright irresistible to cybercriminals, which is part of the reason Liberty Reserve has had over a million users and served an estimated 55 million transactions since 2006.

In the short term, the closing of Liberty Reserve is a major blow to cybercriminals who have relied on the bank to fund illegal activities and receive payments. However, it won’t be long before other virtual money systems appear to fill the gap left behind.

Consumers like us can protect ourselves by being vigilant about who we do business with online and how we protect our information. Once credit card or other financial information is stolen, shady characters can buy, sell, and trade that information at will. To prevent this from happening to you:

1. Always confirm that the companies you are doing business with online are legitimate enterprises
2. Use secure passwords and change them frequently
3. Remember that legitimate financial institutions and organizations will not send you emails or text messages asking you to share your account numbers or passwords
4. Keep tabs on your financial records. Look for any transactions that seem out of the ordinary and question your bank about them immediately
5. Do your online banking only on a secure network. If you use a mobile device to access online banking, be sure to use your mobile data network (probably 3G or 4G) instead of open Wi-Fi
6. Install comprehensive security on all your devices, including smartphones or tablets, as well as on your computers that helps protect your identity and data, like McAfee® LiveSafe™.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

“Phishing” scams trick web users into downloading an infected file, clicking a toxic hyperlink, or giving up private information.  Increasingly, phony offers on social networking sites and text messages (also known as SMiShing) are also used to target mobile devices as well.  The end result of successful phishing attempts differs from one scam to the next, but the most common types of attack result in a hacker gaining access to sensitive information (like the password to your online banking site or your email account), access to the information you store on your laptop or mobile device, or even control of your device

Some phishing scams rely on widely recognized brand names to cash in on your trust, as in the case of the “Wallmart” phishing attack last week.  A more sophisticated strategy known as “spear phishing” targets people who are thought to be using a specific credit card, bank, or other online payment system before sending fraudulent messages.  Most of us are more likely to open a message we think is sent from our bank than from a bank we’ve never used.

As a rule of thumb, if you are at all unsure about the origin of your email (as with an unprompted “Thank you for your purchase!” message), do not click on links contained in that email. Instead, go directly to the website domain to check your account and search for the sale or offer described. And remember: If an offer sounds too good to be true, it probably is.

If you suspect you’ve been a victim

Realizing that you might have opened yourself to a phishing attempt can be pretty scary, so if you think you’ve downloaded a fishy file or clicked a dubious link, there are several steps you can take:

1.) Change your passwords. If you believe your email account, online banking or payments information, or social media account has been compromised, change your login information as soon as possible.  This could stop a phisher from accessing your account, or at least prevent him from doing any serious damage.

2.) Update your security software. Make sure that your antivirus or cross-device security software like McAfee LiveSafe is up-to-date on ALL of your devices (smartphones, laptops, PCs, Macs, or tablets).  And if you’ve downloaded a file or visited a website that might have infected your device, run a security scan and wipe any questionable items.

3.) Check your financial records. Even if you’re unaware of an initial phishing attack, your bank and credit card statements will reveal if your information was compromised. As a best practice, thoroughly check your statements each month, and if you suspect fraudulent activity, immediately contact your bank directly via phone to place a fraud alert on your account.

According to Barrett, while passwords are still required for so many applications and services, they have simply outlived their usefulness. Barrett predicted that we will all start moving towards alternative security measures sooner rather than later, one of those being a technology called biometric security.

Biometric security refers to identifying users based on their human traits or characteristics, such as a fingerprint or eye scan. Until recently, the concept has been primarily reserved for science fiction and spy movies, and existing technologies have proven to be either unreliable or too expensive to commercialize. Still, the concept has remained attractive for security researchers. After all, an eye or a fingerprint is definitely one password that you’ll never forget.

Currently, biometrics is used in a number of industries. For instance, the FBI has long been a leader in using biometrics such as fingerprint recognition and voice patterns. Biometrics has also been incorporated into a number of financial institutions. For example, Bank United has used iris scanners for ATM access, and Barclays has used voice recognition to verify customers over the phone.

Over the past few years, the industry has matured and biometric technology has evolved to become cheaper for device manufacturers and websites. Device users are also growing more eager to embrace the technology. A new survey by Nuance reports that 90% of smartphone users would prefer voice recognition authentication, with 85% being dissatisfied with current authentication methods such as pins and passwords.

Ultimately, users at home might be closer to using biometric security than they think. This week, we announced McAfee^® LiveSafe^™ service, the first unlimited cross-device security option to use McAfee® Personal Locker secure storage with facial and voice recognition technology. While broad adoption of biometric security options will take time, it is exciting to think about a future where our digital lives are secured through something as unique as our facial features or voice.

What are your thoughts towards biometrics? Let us know in the comments below.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

In the study released by IObit, they found that 30% of users always accept the “Keep me Logged-in” feature on Facebook, Twitter and Pinterest. The study also revealed that 45% of users only change their password when required to do so and that another 15% of users have never changed their passwords. This common user behavior leaves millions of social accounts susceptible to attack and personal information vulnerable to exposure. Those who use the same password for all of their online accounts are in even more danger, because once a hacker has access to one account, he/she can now access all of a user’s accounts that use the same password.

As our society becomes more and more connected through social media sites, it is important to remember that these sites are susceptible to attacks just like any other website. What the study reveals is that people aren’t aware that the tendency to “stay logged in” is putting their personal privacy and security in danger. Users shouldn’t wait until something bad happens before they take action. Having a strong password and updating it regularly is the simplest and most effective way to keep your digital accounts secure.

Unsure if your password is strong enough? Run it through the Intel Password Tool – as an added bonus, the service is currently running a sweepstakes for those who get their password graded and take steps to secure their accounts. For more information on best practices for password safety, you can also join us this afternoon for a Twitter Chat with Intel, the Department of Homeland Security and STOP. THINK. CONNECT. The chat starts at 3pm ET, and you can attend the event and participate by using the hashtag #ChatSTC.

If you’re the type who never changes passwords because you’re prone to forgetting them, check out our McAfee All Access product. It features the new McAfee SafeKey, allowing you to easily and securely store all of your usernames and passwords to various sites, while also offering one-click logins.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

Last week we saw an example of the impact of an account hack. On April 23^rd, the official Associated Press Twitter account (@AP) became compromised and sent out the following tweet at 1:07pm ET:

By 1:08pm ET the Dow Jones Industrial Average had plummeted by 150 points, losing more than $137 billion. Market turmoil lasted for approximately 5 minutes before representatives from The Associated Press and the White House confirmed that the tweet was a hoax and a result of the account being hacked. After the hack was debunked, the Dow Jones regained all of its losses; however, the incident casts a spotlight on the influence of robot traders (computers programmed to make stock trading decisions based on real-time data) and the weight of social media updates.

The attack also shows an evolution in the way cybercriminals can exploit technological weaknesses by manipulating social updates from influential accounts or profiles. Now, more than ever, it is imperative that you take an active approach to your online security. Here are a few tips to ensure that your social accounts remain yours:

1. Use Strong Passwords
   Get out of the habit of easily identifiable passwords. Keep in mind that the top 5 online passwords are:
   1. password
   2. 123456
   3. 12345678
   4. abc123
   5. qwerty

   If your password is on the above list or even similar, it’s time to update it immediately. Unsure if your password is strong enough? Run it through Intel’s password tool (plus you could win an Ultrabook!).

1. Change Your Password Often
   Try to change your login passwords at least 2 times a year. A good habit is to sync this up with changing your clocks and smoke detector batteries during the Daylight Savings Time switch. By changing your passwords regularly, you’re limiting the time that a hacker might have access to your account, if it were compromised without your knowledge.

1. Use Different Passwords for Each Site Login
   It can be tempting to use the same password for your Facebook, Twitter, email, online banking etc. accounts—especially if you’re prone to forgetting your passwords. Don’t do it! You should always have a separate password for each website login. At the very least, you should have different passwords for your non-commercial accounts (Facebook, Twitter, etc.) and your online financial accounts. If your passwords are the same and a hacker manages to steal the password for one account, then they now have access to all of your online accounts.

1. Monitor Your Apps and Keep Them Updated
   Having third-party apps connected to your social account can be a huge convenience, by allowing you to quickly log into websites using your social credentials. However, be sure to verify that a site or app is trustworthy before you allow authorization. Routinely check your list of connected apps to ensure you recognize them. Finally, if there are ever updates—accept them! Most app updates address bug fixes and security concerns.

1. Keep Updated on Password Safety Best Practices
   Staying informed of best practices will keep you security savvy. Join us for a Twitter chat on May 7^th at 3pm ET as we discuss password safety with Intel, the Department of Homeland Security and STOP.THINK.CONNECT. Attend the event and participate by using the hashtag #ChatSTC.

If you’re worried about forgetting or losing your passwords, check out our McAfee All Access product. It features the new McAfee SafeKey, allowing you to easily and securely store all of your usernames and passwords to various sites, while also offering one-click logins.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

However, with the help of website traffic visualization technology, VideoLAN Organization has been able to share a behind-the-scenes look at what actually happens to a website when it is being attacked.

What you’ll see in the video below is a record of the April 23^rd DDoS attack against VideoLAN:

In this video, each ball represents a server request, and the different colors represent the specific computers that sent each request. A server request occurs when you enter a web address in your browser to gain entry to a desired web page, and if too many requests are sent at once, the web page will become overwhelmed and fail to load.

In this visualization, the paddle you see is the server attempting to keep up with the requests (think of it like the classic game of Pong). During an attack, requests completely bombard the website with traffic at one specific chokepoint, leaving other legitimate requests (colored balls) to bounce away unfulfilled. In this way, a hacker can monopolize a server and effectively take down an entire website. If a site cannot keep up with a high number of requests, it will not work properly, and you will be greeted with an “Error Not Found” page instead.

For context, here is another traffic visualization for a site that isn’t experiencing an attack:

While it’s not yet clear why a hacker wanted to attack VideoLAN’s servers, DDoS attacks mainly affect organizations, businesses, and retail websites–not home computers. Still, the videos above provide a great visual resource to understand how these attacks work.

Do your part to stop DDoS attacks:

While your personal computer may not be the victim of a DDoS attack, if your computer becomes infected with malicious software, it could easily be used to assist cybercriminals in this type of disruption. As I stated above, one way that hackers generate this much traffic is through a botnet, or a network of infected computers. To ensure your computer doesn’t become part of a botnet, always keep security software like McAfee All Access up to date, and regularly scan your device for potential threats.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter with @McAfeeConsumer.