7 Stupid Online Security Mistakes You're Probably Making

A new study by the National Cyber Security Alliance says that you’re probably making one of these 7 stupid mistakes when it comes to your own online security. When Symantec polled 3,000 online users and scanned the computers of 400 of them, 81 percent of respondents said they were using a firewall, but only 42 percent actually had a firewall installed on their computer. Whoops.

Consumer Reports posted a list of 7 common online security mistakes that you might be making — and assuming you were protected was #1. Now, we know our readers aren’t making these mistakes because they are so responsible and awesome, but maybe you have a family member who keeps sending money to Nigeria and wondering why Bank of America keeps emailing when they don’t have an account. Maybe you could send this their way?

7. Shopping online like you do in stores. Avoid using a debit card and always look for the “https” in the website’s address. You can get a virtual account number from your credit-card company. It’s good for only one purchase from a specific vendor.

6. Clicking on a pop-up that tells you your PC is secure. CR’s survey showed “that 13 percent of respondents who saw such a pop-up tried to close it but launched it instead; 3 percent clicked on a pop-up and got a malware infection.” Block pop-ups and/or be very careful to click the X, not the ad.

5. Thinking your Mac protects you from everything. Mac users fall prey to phishing scams at about the same rate as Windows users, says CR.

4. Downloading Free Software. “Fish-tank screen savers and smiley faces” are the enemy of everything good in the world. Download software from reputable sites (Download.com), and check out our sister site Lifehacker to see if they have any recommendations.

3. Using one password for everything.
Dumb! Here’s some advice for creating and managing good passwords.

2. Accessing your account through email links. Don’t do this. Don’t. Please stop. Stop! CR says: No matter how official an e-mail message looks, trying to access a financial account by clicking on embedded Web links is risky. If the e-mail message is fraudulent, a cybercriminal could use the account number and password you enter to steal your identity or empty your bank account.

1. Assuming your security software is working. CR says: “Renew the subscription when the software prompts you. Make sure your security software is active when you’re online and that it has been updated within the past week or so.”

Read the full article here.

7 online blunders
[Consumer Reports]

  1. shufflemoomin says:

    All basic and good tips I guess. Not all people use software firewalls installed on the local machine; some people use their router’s firewall and only turn on Windows firewall when they get sick of Windows telling them it’s off and saying ‘surely it’s a mistake, surely you wouldn’t use anything else? :*(‘

    I would add that people who follow links to log into an account should simply check the domain to make sure they’re logging into the correct site and not a spoofed site at a close typo domain.

    • unbelievable says:

      @shufflemoomin: Simply checking the domain is not good enough either. There are a number of characters in non-English alphabets that look like English letters. It is relatively straightforward to register a domain with a name that _looks_ like the correct site, but actually is not.

      • shufflemoomin says:

        @unbelievable: To the best of my technical knowledge, domain names are currently unable to use non-English characters. As much talk as there is of such a standard, to my knowledge, there are no domains using foreign characters such as ø, æ, å and so on. Unless you can point me to one?
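The concern raised in this sub-thread, a domain built from characters of another script that renders like the real one, is what browsers now call an IDN homograph. The Python block below is an added example, not code from the page or from any commenter: it shows how a defender-side check can flag such names by punycode-encoding them (the form the wire and cautious URL bars use), detecting labels that mix scripts, and mapping a small constructed subset of the Unicode confusables table to a "skeleton" that is compared against a list of trusted names. The sample domains and the confusables table are constructed for the example.

```python
import unicodedata

# Constructed sample domains (not from the page): a genuine name, a Cyrillic
# lookalike of it, and an IDN that is non-ASCII but perfectly honest.
SAMPLE_DOMAINS = [
    "example.com",
    "ex\u0430mple.com",     # U+0430 CYRILLIC SMALL LETTER A replaces Latin 'a'
    "b\u00fccher.example",  # plain German umlaut, single script, nothing deceptive
]

# Constructed subset of the Unicode TR39 confusables: Cyrillic letters that
# render identically to Latin ones in most fonts.  Illustrative, not complete.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch):
    """Script name taken from the character's Unicode name ('LATIN',
    'CYRILLIC', ...); digits, dots and hyphens count as 'COMMON'."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def to_ascii(domain):
    """Punycode (xn--) form of the domain, as it is sent on the wire."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Replace known confusables with their Latin lookalikes so two names
    that look the same compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyze(domain):
    """Report the punycode name, the scripts used per label, and whether any
    single label mixes scripts (the classic homograph tell)."""
    label_scripts = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        label_scripts.append(sorted(scripts))
    return {
        "ascii": to_ascii(domain),
        "scripts": label_scripts,
        "mixed_script": any(len(s) > 1 for s in label_scripts),
    }


def lookalike_of(domain, trusted):
    """If `domain` is not itself trusted but its skeleton matches a trusted
    name, return that name; otherwise None."""
    if domain in trusted:
        return None
    sk = skeleton(domain)
    for name in trusted:
        if skeleton(name) == sk:
            return name
    return None


if __name__ == "__main__":
    trusted = {"example.com"}   # constructed allowlist for the demo
    for d in SAMPLE_DOMAINS:
        print(d, analyze(d), "lookalike of:", lookalike_of(d, trusted))
```

The mixed-script test alone is not sufficient (a whole-Cyrillic label can still imitate a Latin name in some fonts) and the skeleton comparison is only as good as the confusables table, which is why browsers combine both with a display policy that falls back to the xn-- form.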

  2. socalrob of the 24 and a half century says:

    I believe the problem here is that the users polled were all people who use Symantec software. It has to be a huge percentage number that the people that use that probably have it installed because Geek Squad or Dell put it on for them. That’s just a red flag that they do not know what is going on with the security of their computer anyhow.

  3. freelunch says:

    81 percent of respondents said they were using a firewall, but only 42 percent indeed had a firewall installed on their computer. Whoops.

    What is to say that they are not using a firewall/router and a 2nd system for a firewall? I don’t have a 3rd party firewall on my system, but anyone on my home network is covered by my Linux system.

  4. veronykah says:

    If there could be a STANDARD somehow with regards to passwords it would make it a lot easier. They always say to not use the same password or something you could actually remember, don’t store them on your computer, don’t write them down.
    So exactly HOW am I supposed to remember all these passwords?
    Seriously, I have 27 logins written on a notecard; these are the IMPORTANT sites [banking, web hosting, utilities…] I need to remember this info for. What about all the other ones as well [Gawker, craigslist, myspace, pretty much ALL sites require a login now…]?
    If there was a standard, say every site agreed passwords could be up to 10 letters long, include #s and symbols as well as being case sensitive, it might make it easier. Some sites make you have a capital, others aren’t case sensitive, some require numbers, others don’t allow them…
    It’s ultimately very frustrating.

    • ORPat says:

      I hear you. I have hundreds written down in my date book. I have a spreadsheet on my thumb drive to keep track of all the network, ISP, e-mail, and so on for my job. And those are all supposed to change every few months for safety.

      }}}Pulling hair out{{{{{{{

    • @veronykah: Use a program like RoboForm (Win) or 1Password (Mac). Guard that program with a secure and complicated password that you do remember. Keep that password to yourself.

    • MercuryPDX says:

      @veronykah: Set your own standard. Just come up with a format. Here’s an example:

      first initial, 2 digit birth month, first three letters of last name in caps, 2 digit birth date, first three letters of website you’re visiting, non-letter/number character.

      so John Smith, 11/18, visiting Consumerist would be:

      at hotmail:

      at Yahoo:

    • @veronykah: Have a system. Here’s how I do it: Come up with a number of words that begin with different letters, and a number of number-combinations. So, say your words are “Donkey”, “Porn” and “SarahPalin”; and your numbers are “555”, “122333” and “00”.

      Memorize them — maybe keep the list written down in your underwear drawer or something. Then use them for all your passwords. Write down, wherever you like, the first letter/number of each piece of your password.

      So you may have a sticky-note on your computer that says “R5”, or have “S1” as your password hint. You can basically write your passwords in plain sight and only you’ll know what they mean.

      (Plus, it’s very scalable — just add more words/numbers as needed.)

    • randomangela47 says:

      @veronykah: My question would be, who really cares if you use the same password for craigslist, myspace, facebook, and yahoo mail (assuming that account is only used for junk)?

      Basically, if I’m not using that account for anything sensitive, is it really that big of a security risk? Sure, they could spam my friends, but they’re not getting my bank info (which I protect with stronger and different passwords)…

      I’m not trying to be snide, just really curious.

    • alstein says:

      What’s the point of the security if you keep forgetting the damn passwords. The military had that many passwords, and most of the people in the squadron just wrote them down anyways to avoid taking 30 mins to an hour to retrieve forgotten passwords.

      The key is just common sense. Don’t use obvious words.

    • lordargent says:

      Heh, I don’t use one password for everything, I use five root passwords of varying strength for everything.

      From weakest to strongest:

      #1: Throwaway password (for things I don’t really care about). I.e., stupid sites that force me to sign up for information that I need (for example, a training site for a piece of software); mostly used on sites that I’m only going to log into once or twice.

      #2: Regular password (for message boards, such as the Consumerist, Fark, HardOCP, etc.).

      #3: Shopping password, for sites where I buy stuff (Dell, Amazon, etc.)

      #4: Secure password (for bank accounts)

      #5: Super secure password (money market accounts, mutual funds, stock, CDs, 401k, etc.)

  5. TVarmy says:

    I’d like to mention that OpenDNS is a great tweak for anyone worried about phishing, since it maintains a database of the fake sites phishers use (The faster DNS retrieval isn’t bad, either). Coupled with Firefox or Chrome’s databases that also detect bad sites, this could be a good thing. Of course, fraudulent emails and sites too new for the databases are still an issue, so this should not cause a false sense of security.

    My general strategy when helping people develop a more secure network is to implement the OpenDNS and Firefox installation, and tell them about every benefit those services offer except for phishing protection. Then, I explain what phishing is and imply that they alone are responsible for detecting it. That way, I have their paranoia and software working for them.

  6. Juliekins says:

    Happy Cybersecurity Awareness Month, everyone! I am neck deep in a security awareness campaign at work.

    A tip on password management for Mac users: Keychain is great, but make sure you do two things:

    1) Disable automatic logins for your system. If your Mac boots up and just lets you start using it without logging in, you’ve got automatic logins enabled.

    2) Change your Keychain password so that it does not match the password you use to log in to your Mac.

    Windows users, KeePass and PasswordSafe are both great password management apps, and they’re free.

  7. Raekwon says:

    It’s amazing how many computers I work on and find screensavers, smileys, themes, and backgrounds on them. Almost guaranteed to then find Mywebsearch and other spyware on them.

  8. axiomatic says:

    This should be the #1 tip.

    BUY A ROUTER with a built in firewall!!!! Don’t just use the cable modem or DSL modem hooked up directly to the PC.

    • Juliekins says:

      @axiomatic: Excellent advice. I promise I will stop pimping my work materials after this, but I teach a system/network hardening workshop that’s aimed at home users as part of my job. By far, everyone’s favorite handout from the workshop is the router hardening worksheet. It’s very basic, vendor neutral, and I’ve found that even relative neophytes have used it to successfully harden their routers.

      • HogwartsAlum says:

        COOL! Thanks, Juliekins!

      • godlyfrog says:

        @Juliekins: Good PDF, though I should point out that MAC address filtering is a lot of work for little benefit. Any serious cracker can get a valid MAC address and spoof it in no time, and regular encryption is enough to repel most people just trying to connect to broadcasting wireless. There’s no harm in doing it, of course, but isn’t much of a security measure.

        • Juliekins says:

          @godlyfrog: That’s why it isn’t the only thing I advocate for people to use. It’s all part of a good security stance. During my workshops, I repeat several times “XYZ is a good practice but won’t keep you secure all by itself. This is just one piece of the puzzle.” I still maintain it is a good practice for the home user to engage in.

    • TVarmy says:

      @veronykah: It’d be cool if there were a Firefox extension that would hash your password based on the site’s URL and a master password. That way, an outside observer would not have all your accounts if they compromise one, and it would be a string of random letters and numbers rather than a dictionary word at each site. Also, the person using the computer would only need to know one password and could move to another computer with Firefox if they installed the extension.

      • johnva says:

        @TVarmy: There is. It’s called PwdHash, and you can download it here. It was written by some well-known computer security researchers at Stanford; you can read their paper on it at the same site. I haven’t actually tried it myself, but I’ve heard about it.
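As an added example (not PwdHash’s own algorithm, whose paper is linked in the comment above, and not code from the page), the Python block below shows the per-site derivation TVarmy describes: one master password plus the site’s registrable domain, fed through PBKDF2, yields a distinct password for every site, so a lookalike domain produces an unrelated string and a breach at one site exposes nothing reusable elsewhere. The iteration count, output length, the two-label domain rule and the policy fix-up slots are assumptions of this example.

```python
import base64
import hashlib
import string

# Hypothetical parameters chosen for this example, not PwdHash's values.
ITERATIONS = 200_000
OUTPUT_CHARS = 16
FIXUP_SLOTS = 2   # the first two output characters may be overwritten for policy


def registrable_domain(hostname):
    """Collapse a hostname to its last two labels so www.example.com and
    login.example.com derive the same password.  Assumption: two-label
    registrable domains; suffixes like co.uk would need a public suffix list."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _ensure(text, key, predicate, alphabet, slot):
    """Policy fix-up: if no character beyond the fix-up slots satisfies
    `predicate`, overwrite `slot` with one picked deterministically from the
    key bytes, so the result stays reproducible while meeting a 'must contain
    a digit / an uppercase letter' rule."""
    if any(predicate(c) for c in text[FIXUP_SLOTS:]):
        return text
    repl = alphabet[key[slot] % len(alphabet)]
    return text[:slot] + repl + text[slot + 1:]


def site_password(master, hostname):
    """Derive a site-specific password.  The registrable domain is the salt,
    so a phishing or lookalike domain yields a different string, and the
    master password itself is never sent to any site."""
    domain = registrable_domain(hostname)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), ITERATIONS, dklen=32)
    text = base64.b64encode(key).decode("ascii")[:OUTPUT_CHARS]
    text = _ensure(text, key, str.isdigit, string.digits, 0)
    text = _ensure(text, key, str.isupper, string.ascii_uppercase, 1)
    return text


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master password
    for host in ("www.example.com", "login.example.com", "example.org", "ex4mple.com"):
        print(f"{host:20} -> {site_password(master, host)}")
```

The design hinges on the master password: PBKDF2 slows offline guessing if a derived password leaks, but a weak master still lets an attacker who knows the scheme recompute every site’s password, which is why a long master and a slow KDF matter more here than anywhere else.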

  9. Kaisum says:

    “DO write down your passwords if that is the only way you’ll remember them. Wait a minute-isn’t that dangerous? The conventional wisdom is that this is a no-no. But according to Microsoft, passwords on paper are “more difficult to compromise across the Internet” than those that are stored electronically.”

    Fucking genius guys! No shit! Did they really have to ask Microsoft, the security hole kings, THAT question?

  10. emilymarion333 says:

    I do have to say I’m shocked with myself today – I do not do any of these things!

  11. RobinBulbus says:

    Why the sudden “don’t use debit cards”? This is the 5th time this week I’ve been ‘warned’ against using my debit card online. Wouldn’t you be safer using a debit card than a credit card? My debit card has a much, much smaller limit compared to my credit card; if my info got stolen I’d much rather it was my debit card.

    • dewsipper says:

      @RobinBulbus: With the debit card they have YOUR money, plus if you don’t have sufficient funds, you now OWE the bank money. If you have bills to pay, and the money isn’t there, you’re pretty much stuck. Also, it seems harder to fight to get your funds back. On the other hand, if they have your credit card, they have the BANK’s money, and I believe you’re only on the hook for $50 max, if you’re on the hook at all.

  12. LeoSolaris says:

    I used to be a Windows user… I was sick of all of the anti-spyware, malware, greyware, adware, viruses, trojans, and all of the other safety concerns.

    With Linux, I have a few security concerns like direct hack attempts or something, but no real worries about viruses or any of the *wares. I still have to look out for spoofs and phishing, but that is just standard web protocol. Heck, the NSA wrote one of the Linux firewalls.

    Now I am not saying Linux is for everyone, or that it is perfect, but it is very good, very secure, and usually free for home users. Corporations usually pay for technical support, which is what keeps the bigger Linux distro programmers employed. Smaller ones are usually made by hobbyists and volunteers.

    If ya want a good starter Linux distro, Google Ubuntu. They have stellar forum support for the new people and Ubuntu strives to be the most user-friendly distro. (Like a seven-click basic install.)

    Best part… you can try it out from the CD you legally burn of it before ever even installing anything on your computer, and it has all of the Linux versions of the tools that most people buy for Windows or Mac available from the first boot of the LiveCD.

    /end of obligatory Linux Security plug

    • yagisencho says:

      How does changing your OS change the environment your computer operates in? Your computer is either on a network or it isn’t. You either treat your personal and financial info carefully or you don’t. The key factor isn’t the OS, it’s your computing habits.

      (Still running nothing but Windows here, virus and malware free for the past half decade.)

  13. NotYou007 says:

    Software firewalls suck, use a real hardware one. Get NOD32, best Anti-Virus on the market. Use Spybot and Ad-Aware, both are free. Get a good pop-up blocker. I use PopUpCop which does a decent job and you can customize the crap out of it.

    Most of that stuff though is common sense and I have used my debit card for online orders. Saying don’t use your debit card in my opinion is just dumb. For very small and simple orders from Amazon I will use my debit card. They don’t have access to my PIN number and I’m not going to get into a debate about a 12 dollar HDMI cable if something goes wrong.

    Sadly most of the advice given should be common sense but a lot of people lack that and they lack computer sense as well. A lot of people also get their computers whacked via visiting shady porn sites; they won’t admit it, but I’ve cleaned up enough of them over the years to know the truth.

    Still, get a hardware firewall. You won’t regret it.

    • @NotYou007: Yeah, I don’t get the “don’t use your debit card online” thing. Both debit and credit cards have federal laws protecting you from being held responsible for charges you didn’t make. (EFTA for debit cards and FCBA for credit cards). If you use a debit card, you are expected to dispute fraudulent charges more immediately than credit cards, but other than that there really is no difference.

      • johnva says:

        @IamNotToddDavis: Debit cards have potentially unlimited liability for the consumer. The banks can spin that all they want, but it’s true.

        • Juliekins says:

          @johnva: Word. I’d rather put someone else’s money (the CC company) at risk rather than mine. With a CC, something hinky happens, I dispute the charge and move on with my life. With a debit card, I’m out my money out of my bank account. No thank you.

  14. proskills says:

    I think this article fails to point out one of the best attitudes to have when approaching internet shopping: Unless you know someone who has successfully used the service, you have been to the store IRL, or Consumerist/engadget/Cnn/WSJ tells you it’s legit, assume it’s not.

    • narf says:

      @proskills: Yep … I’m not swayed so much by the lowest price as I am by the reputation of the vendor.

      New site that promises the lowest price? No thanks … I’ll stick to more tried-and-true sites instead, knowing that I’m not about to be screwed over and see fraudulent charges on my credit card.

      Sadly, in general, common sense isn’t really all that common.

  15. madog says:

    5. Thinking your Mac protects you from everything. Mac users fall prey to phishing scams at about the same rate as Windows users, says CR.

    Stupid is stupid. Doesn’t matter what kind of computer you have.

    • Oshawapilot says:

      That’s exactly what I was going to say. To narrow out Macs and suggest that by using one you are not protected against *everything* is asinine. You could be a Linux user and still fall prey to phishing if you’re foolish enough to click on a suspect link.

      Yes, a Mac will protect you against drive-by spyware/malware installations, most viruses, etc. simply because they’re not as vulnerable, but they can’t protect you from your own stupidity if you voluntarily click on bad links, which is the category that phishing falls under.

      How about rewording that better so that it doesn’t come across in a misleading way?

  16. bwcbwc says:

    All good basic recommendations. I would add:
    1) Buy a router/firewall (or verify that your cable/DSL modem includes a router/firewall) even if you only have one computer. That will block at least some malicious traffic.
    2) Another option for the “reputable free software sites” is to go to open source sites like sourceforge.net. That way, you (or your techie friend) can scan the source code if you have to.
    3) Rather than just paying the renewal price for my security software, I find that I usually get a better deal looking for discounts on the package in stores. The renewal will usually knock about 20-25% off of the full retail, while the best discounts in stores can be 50% (or higher with rebates).

  17. ajlei says:

    I was gonna say “wow, a lot of these look (and sound) just like what I read in Consumer Reports the other day!”.. and then I finished reading. Personally, I tend to fall prey to 1, 3 and 7. 1, I just don’t want to shell out the money, which is my own damn fault. 3, I have a few different ones but I could be way more secure. And 7, I’ve never looked into the whole virtual-account thing but I know my debit card number by heart and it’s really more of a convenience thing.

    I guess I need to work harder on being a good consumer!

  18. metaslugx says:

    Jesus Christ guys, put a firewall on your router and cover everyone, including your guests without the bloat on your own pc.

    Seriously, I used to never run an anti-virus; I’d just do a scan twice a year to validate my 1337 anti-virus skills. The only reason I have one now is because AVG has screwed up a few of its files (read: my fault) and now it’s always on. I have to play whack-a-mole with its processes every time I want to disable it.

    Though I need to investigate whether my router is the cause of my latency issues right now.

  19. tsume says:

    One of the most important things about security is to secure things based on their sensitivity.

    For example, I have throwaway passwords for most message boards since they aren’t critical. My bank passwords are extremely complicated and impossible for someone else to get though.

    My 2nd job I was tech support for a subdivision of a large government contractor. We were pretty much the only division that sold in the private sector, but we still had some classified data on our computers since we shared our designs with the branches that worked with the government. One year, the gate was busted open every week and thieves stole thousands of dollars in copper. I warned IT that eventually they will break into the building, and they should put Truecrypt on all their systems. They laughed at me and said no. A week after, the crooks drove through the gate with a truck, drove through one of the big garage doors in the back, and stole all the laptops.

    They are still kicking themselves in the face to this day.

  20. pantsonfire says:

    Does anyone know if virtual account numbers are available for American Express Corporate accounts? I can’t seem to get an answer out of the CSRs.

  21. manhattan says:

    I agree about having the same password for every account. I know many people around me whom I try to educate on the evils out there. But they do not seem to listen. A good tactic is to create a password which relates to the place where you are signing up. For ex. if you are going to make a password for Google… then try something like email30985… :)

  22. DawnPavo says:

    #8 is that nobody backs up their data. Having a good backup that’s not where you or your computer are protects you even when your system gets whacked by a virus, malware, or (like me) the “Fickle Fat Finger of Delete”.

    I put cloudbackup.openrsm.com on my system and it backs up my Macbook Air, the Mrs.’ Windows machine and my Linux box all on the same account. It’s saved my butt a couple of times.

    Anyway, #8 should be “back up early and often”.

  23. ice_cold_irony says:

    2. Accessing your account through email links.

    What do you do in the case of an email money transfer?

    Is there anyway around clicking the Gateway link?

    I mean, I wouldn’t click through on an money transfer I didn’t know was coming because I don’t get free money nearly often enough, but there’s always someone…any suggestions?

  24. redkamel says:

    Some of them are good, but they sound more like “basic mistakes my mom is making on the internet”. Downloading free software? Using email links? “Assuming” software is working (when it tells you if it is…)? It should be more general. I mean, each of those mistakes relates to a principle. I have taken it upon myself to make my own, better list, based on what I see people do.

    7 basic mistakes should really be

    7. using the same 1-2 passwords for everything, and answering security questions truthfully (vs. answering them using made-up/friends’ info, so no one can guess it)
    6. not reading questions your browser asks you during web surfing
    5. not knowing how a virus gets onto a computer
    4. not thinking while accepting offers/clicking links
    3. using Internet Explorer
    2. not cleaning spyware out once a month
    1. not having an email address you can use every time you think you might get spammed.

  25. mike says:

    A note on virtual account numbers: Some account numbers are actually permanent. Discover Card, for example, creates account numbers that are attached to your account. As far as I know, there is no way to actually delete these numbers.

    Also, be careful when purchasing something to pick-up at a store. Places like Circuit City require the credit card you used to make the purchase.

  26. blackmage439 says:

    “2. Accessing your account through email links.”

    This would be easy to do if 90% of companies and even financial institutions didn’t have those horrendously insecure “click the link in the email to activate your account” or “click the link to reset your password” procedures. A MUCH more intelligent and logical answer would be a random number generated that you have to copy & paste into their website. Some companies already do this, but not enough of them. Only when companies start being smarter themselves is when we’ll see a decline in phishing scams.
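Added example, not code from the page: a minimal server-side implementation, in Python, of the “random code you copy into the site” flow blackmage439 proposes in place of clickable links. It keeps only a keyed hash of each pending code, expires codes after a fixed lifetime, limits guesses, and burns the code on first successful use. The code length, lifetime, attempt limit, the in-memory store and the key generated at import time are assumptions for the example.

```python
import hmac
import secrets
import time

# Assumptions for this example: an 8-digit code, a 15-minute lifetime, at most
# five guesses, and an in-memory dict standing in for a database table.
CODE_LENGTH = 8
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5

# Server-side key so a leaked table of code hashes cannot be brute-forced
# offline (an 8-digit code has only 10^8 possibilities).  Generated at import
# here for the demo; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


class CodeStore:
    """Pending one-time codes keyed by account.  Only a keyed hash of each code
    is stored; the clock is injectable so expiry can be exercised in tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    @staticmethod
    def _tag(account, code):
        msg = f"{account}\x00{code}".encode("utf-8")
        return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()

    def issue(self, account):
        """Create a fresh code for `account`, replacing any earlier one, and
        return it for delivery out of band (e-mail, SMS, ...)."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account] = {
            "tag": self._tag(account, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account, code):
        """True exactly once, for the right code, before expiry and within the
        guess budget.  The entry is removed on success, expiry or lockout."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]
            return False
        ok = hmac.compare_digest(entry["tag"], self._tag(account, str(code)))
        if ok:
            del self._pending[account]    # single use
        return ok


if __name__ == "__main__":
    store = CodeStore()
    account = "alice@example.com"             # constructed sample account
    code = store.issue(account)
    print("delivered out of band:", code)
    print("first use:", store.verify(account, code))
    print("replay:", store.verify(account, code))
```

The constant-time comparison and the guess budget matter because a short numeric code is only safe while online guessing is throttled; a code that never expires or can be retried without limit is no better than the link it replaces.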

  27. GreatWhiteNorth says:

    Great list… Unfortunately, in a corporate environment the folks with the most to lose have the biggest egos and therefore are also the laziest when it comes to security… Two years ago I left a huge multinational corporation and I bet I could still predict the passwords of senior people. Example: one of the VPs uses his daughter’s name followed by an incrementing number.

    Of course when he becomes the source of the security breach he will pass the buck to IT, claiming that IT dropped the ball, when in reality IT had to follow his rules.

    Anyway, for regular home users, be paranoid. I refuse to do online banking and although I will shop online, I buy over the phone or in person.

    Finally, for those folks who insist on doing online banking type activities, consider setting aside an inexpensive (or older) laptop with up to date security, AV (Avast, AVG), and just use that machine for banking. Do all your regular web shopping, porn cruising, news reading on another machine.

    Although the possibility is there to boot your regular machine with a Linux live CD in order to do banking through Linux… Anyone out there have a suggestion on how secure this could be?

  28. HarcourtArmstrong says:

    Yes, sourceforge.net is the best place for free software. Back in the day, I received quite a bit of spyware/adware from download.com. However, I hear they have cleaned things up in recent years.

  29. rawsteak says:

    #6. Sometimes the window doesn’t have a title bar with an [X], or in the case of an internet ad, it’s just a . If the cursor turns into a hand when you hover over the [X], don’t click it! Close the entire webpage and save yourself the trouble. You’re obviously on a sketchy website to begin with if it’s trying to trick you like that.