The internet is a place where things can change quickly: one moment your password can be safe, the next it can be out in public. Are you sure your password isn’t easy to guess? How about changing things so you must use another device to log in to any account?
It’s known as two-factor authentication. Most sites have it; some make it easy to set up and some make you go through six different pages. There is a central database called Two Factor Auth List that lets you see which companies offer two-factor authentication and how to enable it.
Sometimes it’s as simple as entering your phone number, choosing text message or phone call, and hitting OK. Sometimes it requires you to download an app such as Google Authenticator, in which you scan a code and the code then changes every minute. None of this is hard to do; you just have to get in the habit of setting it up when you set up your account. If you already have an existing account on a site, add two-factor authentication now and be sure your account is safe.
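To make the “code that keeps changing” concrete, here is an added example (my own illustration, not code from this post or from Google Authenticator) of the TOTP algorithm from RFC 6238 that authenticator apps implement, using only Python’s standard library. It assumes the RFC defaults of a 30-second time step and six digits; the secret in the demo is a constructed value, not a real account’s secret. It also shows the check the website does on its side, including refusing a code that has already been used once.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step; the code only changes at step boundaries
DIGITS = 6         # length of the code shown in the app


def secret_from_base32(secret_b32: str) -> bytes:
    """Decode the base32 secret that the QR code hands to the authenticator app."""
    return base64.b32decode(secret_b32.upper())


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the
    Unix epoch, so phone and website compute the same code from the same clock."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: float, used_counters: set,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Website side: accept the current step or one step either side (clock drift),
    compare in constant time, and record the counter so a code is never accepted twice."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter_now = int(at_time) // step
    for counter in range(counter_now - window, counter_now + window + 1):
        if counter in used_counters:
            continue  # replayed code: this step was already redeemed
        if hmac.compare_digest(hotp(secret, counter), submitted):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the kind of string a QR code carries), not a real account's.
    demo_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = time.time()
    print("code now:", totp(demo_secret, now))
    print("seconds until it changes:", STEP_SECONDS - int(now) % STEP_SECONDS)
```

The `used_counters` set is what stops an attacker who intercepts one code from using it a second time; the website keeps such a record per user, and the one-step window is why the code still works for a few seconds after the app has already moved on.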
Now remember to put a passcode on your phone, so that someone can’t steal your phone and use it to log in to your account. There are “easy” ways to get past two-factor authentication: attackers can either get hold of your code (which I’ll talk about a little later) or bypass it through the account recovery system.
When you set up any account you’ll be asked to set up recovery questions, along with answers, so you can get back into your account. But that’s also a way hackers can get into your account: if they know enough about you, they can guess your answers. Make sure you give random answers to your questions (and remember them by putting them in a password manager).
This brings me to the next point: intercepting your code. “Faced with an angry client, customer service reps will often give way, putting user satisfaction over the virtues of security,” says Russell Brandom, reporter at The Verge. Make sure you have a code on your phone account that customer service must hear before they give out any information (make sure it’s a code only you know). You can also tell customer service never to allow changes over the phone. Once hackers have gotten into your phone account they can redirect all phone calls and text messages to their own phone. Then they can request a code from any company and it will go to their phone, which now has your phone number.
Now to protect your website: the first thing you should do is make sure everyone who has an account on your website uses a generated (and random) password. You can enforce this with plugins like Wordfence (the free version works fine for this). Second, set up two-factor authentication. If you use WordPress (and you most likely do) there are many plugins that offer two-factor authentication; search for “WordPress two-factor authentication plugin” and find the one that best suits you and your business.
These are some simple steps to take, and they help stop hackers from getting into your accounts. They seem complex at first, but it gets easier. Don’t think that because you have two-factor you’re hacker-proof; a hacker can get into any account if they want to (even without you knowing). Think of this as a step toward being less of a target.