Security Measures

Don't stay safe. Stay free.

When you get into a car, you wear your seat belt. When you're not at home, you close the doors and windows. We hardly think about either anymore, it's such a matter of course for us. But why are we often careless with our digital doors and windows and risk having our privacy invaded by unauthorized persons?

The ongoing digitization of society is creating more and more new IT applications for our everyday lives. It is possible that in the future many things will only be done digitally. But not everyone is equally comfortable with this constantly evolving technology. For many people, even starting up a smartphone safely is a real challenge, while others are online almost constantly and are very familiar with all the technologies. The level of competence may then vary greatly, but everyone should think about safe handling - ideally before something happens.

You don't have to be an expert in IT security to follow a few basic rules in responsible use of online services and Internet-enabled devices. Pay attention to online access for e-mail, online banking, online shopping or social networks. Sufficiently strong and complex passwords and, if possible, authentication with a second factor are of elementary importance. There should be no way around this.

And the device you use should also be well secured. Up-to-date virus protection including a firewall and the prompt (if possible automatic) installation of security updates are the most important tips here. These devices include not only the home router, laptops, smartphones or tablets. For other networked devices (Internet of Things) with Bluetooth or WLAN interfaces, such as surveillance cameras, drones, refrigerators or robot vacuum cleaners, it is also worth taking a look at regular updates and other security settings before buying or putting them into operation.


10 Tips For Safe Use Of The Internet

1. Customize your web browser and keep it up-to-date

You need a browser to browse the Internet. Extensions, add-ons, or even plug-ins are small programs that can add additional functionality to your browser. Deactivate or uninstall the programs that you do not absolutely need. This is often possible via the menu items of the same name in the settings of your browser. There you can also make further security and privacy settings that reduce the storage of confidential information and its transmission to third parties. Information that reveals information about you or your behavior on the network is considered confidential. "Private mode" or "Clear history", for example, prevent other users of the same device from seeing which web pages you have visited. "Do not allow third-party cookies" ensures that only websites you have actually visited can track your browsing behavior.

Also make sure that your web browser is always up to date. Updates also close security gaps.

Use an ad-blocking program to protect yourself from malvertising, i.e. the spread of malware via ads.

Enter the addresses for particularly security-critical websites, such as for online banking, carefully by hand in the address line of the browser first and save the address entered as a bookmark, which you use from then on for secure access.

2. Keep your operating system and other software up to date

Use a current version of the operating system and installed programs. If possible, use the automatic update feature. You can find out whether your computer's operating system is up to date in the settings under Update. Also look for notices about new versions of the operating system or applications.

Uninstall programs that you no longer use. The fewer applications you have installed, the smaller the attack surface of your entire system.

3. Use applications for virus protection and a firewall

Common operating systems have integrated virus protection and a firewall, which already make attacks from the Internet more difficult in the standard configuration. Activate these or use a virus protection program from another provider.

Keep in mind that this measure can only be effective as an accompanying measure. Its use does not diminish the importance of the other tips in this brochure. Do not be tempted to be careless by an activated virus protection or the firewall, they do not guarantee complete security.

4. Create different user accounts

Malicious programs have the same rights on the PC as the user account they used to access the computer. As an administrator, you have full access to almost all areas of your PC. Therefore, you should only work with administrator rights when it is absolutely necessary.

Set up different, password-protected user accounts for all users of the PC. Depending on the operating system, this can be done via the (system) settings or the control panel. Assign only the permissions for these accounts that the respective user requires. This also protects private files from access by others. Surf the Internet with a restricted user account and not in the role of administrator.

5. Protect your online and user accounts with strong passwords

Assign a separate, secure password for each online and user account, and change all passwords as soon as possible if they may have fallen into the wrong hands. Also, change any passwords preset by manufacturers or service providers after the first time you use them.

These criteria apply to a strong password:

  • You must be able to remember a password well.

  • The longer the password, the better.

  • The password should be at least eight characters long.

  • As a rule, all available characters can be used for a password, i.e. upper and lower case letters, digits and special characters.

  • The complete password should not be in the dictionary. Common number sequences or keyboard patterns are also out of the question as a secure password.

  • Adding simple numbers or special characters before or after a normal word is not recommended.

Where two-factor authentication (2FA) is offered, you can use it to further secure access to your online account. A password manager can make it easier to handle different passwords.

Especially important: Never share your passwords with third parties.

6. Be careful with e-mails and their attachments

If possible, refrain from displaying and creating emails in HTML format and use a plain text format instead. You can change the use of HTML format through the settings of your mail program. Be careful when opening e-mail attachments or clicking on a link, because malware is often spread via images or file attachments integrated into e-mails or hidden behind links. This is especially true for e-mails whose sender is unknown to you.

If an e-mail from a known sender seems strange to you, it is better to ask the sender whether the e-mail actually comes from him or her. However, do not use the contact options given in the e-mail. They could be falsified.

You can identify unsolicited or dangerous e-mails by some characteristics: For example, by hovering over or clicking on the sender, you can tell if the sender is fake. Look out for confused letter strings, swapping with visually similar letters or a foreign domain, i.e. the ending of the e-mail address. Also check the subject line and the text of the e-mail for sense and spelling. Fraudsters often make mistakes here. Also, be skeptical if a quick response is demanded from you.

7. Be careful with downloads, especially of programs

Be careful when downloading anything from the Internet, especially if it is a program. Avoid sources where you have doubts about their seriousness. Before downloading programs, make sure that the source is trustworthy. Use search engines to get more information about the manufacturer or to get testimonials from other users.

If possible, use the website of the respective manufacturer for the download and encrypted pages, which you can recognize by the abbreviation https in the address line of your browser.

8. Be cautious about disclosing personal data

Criminals on the Internet increase their success rates by targeting their victims individually: Previously spied data, such as surfing habits or names from the personal environment, are used to inspire trust. Personal data is considered currency on the Net today, and that's how it's traded. Think about which online services you want to entrust your personal data to.

You should also avoid sharing personal data unprotected on open unsecured networks.

9. Protect your data with encryption

Visit and enter your personal data only on Internet pages that offer an encrypted connection. If the page uses the secure communication protocol https, you can recognize this by the Internet address that is called up. It will always begin with https, and the address bar of your web browser will usually contain a small closed padlock symbol or a similar marking. Confidential e-mails can also be encrypted. Check the options offered by your e-mail provider.

If you use wireless LAN (WLAN) transmission technology to surf the Internet, pay particular attention to the encryption of the wireless network. Select the encryption standard WPA3 in your router or, if this is not yet supported, WPA2 for the time being. Choose a complex password that is at least 20 characters long. You can access the router via a specified Internet address, which is noted in the manual of your router.

If you have the option of connecting to your home network or its router via a virtual private network (VPN), you can also travel in public WLAN hotspots just as securely as you are used to at home. A VPN is a particularly secure connection between two points. It involves setting up a tunnel, e.g. from a smartphone through the public Internet to your home network, from where you can then use your own Internet access. Modern routers often offer the option of setting up a VPN.

10. Make regular backups

If, despite all protective measures, one of your devices becomes infected, important data may be lost. This also applies if a device is lost or otherwise defective. To minimize the damage, it is important to regularly create backup copies of your files on external hard disks or USB sticks. These data carriers should only be connected to the PC when necessary. Cloud services can be used for backup copies of encrypted data.

Restore only your data from the backup copy. When rebooting the device, do not take programs from a backup copy, as they might already be infected.


WLAN Protection

If you operate a WLAN yourself, the following recommendations should be followed:

  • The installation location should be chosen carefully (e.g., inside the building and not in the building perimeter/windows).

  • The WLAN router should not be configured via the WLAN but via a network cable. This applies in particular to the initial configuration, as encryption is usually not yet activated here.

  • Remote management for the WLAN router should be deactivated.

  • The factory-preconfigured WLAN network name (SSID/ESSID) should be changed. It should not be possible to identify the owner.

  • The default password of the WLAN router should be replaced by a secure (long) password; factory default passwords should not be retained.

  • Suitable encryption for data transmission should be selected. To do this, activate WPA2 encryption, with a secure password that is as long as possible (referred to here as a pre-shared key, recommendation approx. 20 digits).

  • The use of the WLAN should be restricted to the available devices (addresses) by setting up a MAC address filter.

  • The WLAN should be switched off when not in use.

  • The firewall usually present in the WLAN router for filtering data traffic should be activated.

  • The router should always be kept up to date with regular firmware updates.

If you use a third-party open WLAN, you should be aware that data communication is usually unencrypted and can be "overheard" relatively easily by other users of the WLAN. Setting up a "tunneled" connection by using a virtual private network (VPN) can help here.


Protection Against Phishing

With phishing, cyber criminals play on intimidation, lack of trust, and potential victims' lack of technical understanding. The scheme of phishing attacks is always the same: you receive a fake email containing links to equally fake websites or pop-up windows. There, you are asked to enter access or payment data under a pretext. In this way, criminals can obtain - sometimes unnoticed - your login data for online banking or web stores. As soon as you have a suspicion, you should ignore the received mail and delete it immediately. We show you 10 characteristics by which you can recognize phishing content:

  • Remember: banks, insurance companies or public authorities always choose the postal route for urgent matters or sensitive data.

  • Even the subject of the e-mail refers to an invoice, your personal data or special offers in order to inspire your confidence.

  • The salutation in the e-mail is impersonal ("Dear Customer", "Dear User").

  • There are threats or instructions for action in the e-mail ("If you do not transfer money within three days, then...").

  • The e-mail contains unusual spelling mistakes, twisted phrasing or awkwardly resolved umlauts (oe, ae instead of ö, ä, ü).

  • The text is written in poor language or in a foreign language, mostly English.

  • You are asked in the e-mail to enter your personal data such as TAN or PIN (banks and web stores would never do such a thing).

  • The web address of the accessed page has spelling errors or unusual additions (instead of: sparkasse.de, for example, 184tg.sparkasse.com).

  • A suspicious e-mail may also be an apparent reply to an e-mail supposedly sent by you. If you are sure that this cannot be the case, ignore or delete the e-mail.

  • Additional tip: You can also find out the real sender in the so-called mail header (or source text) of the suspicious e-mail.

Phishing e-mails are getting better and better and are difficult to recognize. The characteristics can appear all or only sporadically. Important: If you doubt the authenticity of an e-mail, do not respond to the e-mail, but contact your bank in person or by phone to verify the request.


Safe Online Shopping

Dangers and security measures

In addition to account data, passwords for online merchants are a popular target for so-called "phishers". With the "fished" data, criminals can order goods at your expense or misuse your credit card data for other purposes. Phishing is a major security risk for both online shopping and online banking. As a general rule, make sure your devices are adequately secured. You can find out which protective measures you need to implement to avoid this in our 10 tips for secure surfing.

Tip: Also, use a secure password for every online merchant that criminals can't easily crack.

Online merchant

Before making any purchase, you should check the relevant online retailer carefully. You'll probably find this easier when ordering from better-known, larger providers, as they are more in the focus of data and consumer protectors. Any shortcomings in the criteria of a "reputable online retailer" would immediately have massive adverse effects on the company (read also "Seal of approval for online retailers").

In the case of vendors you are unfamiliar with, you should definitely check the following information provided by the vendor before placing an order:

  1. Does the merchant provide a complete provider identification?

  • Surname, first name and full address of the supplier

  • Information for quick contact (telephone number, e-mail, fax)

  • Trade register and trade register number

  • Company name and legal form suffix

  • Sales tax identification number

  • Information on the supervisory authority (if the offer requires a license, e.g. pharmacist)

  1. Are the general terms and conditions available for inspection?

  2. Is information on data protection and data security available?

  3. Is information available on the right of withdrawal, right of return and purchase price refund?

  4. What different payment options are available?

  5. Are shipping costs, return costs and possible additional costs transparent?

  6. Is there an e-mail confirmation of the order process?

So-called fake stores, whose URL refers to a well-known brand, also appear on the Internet time and again. Among other things, they can be recognized by spelling mistakes in the descriptions, uniform and very low prices for all products, a missing imprint as well as limited contact options via e-mail possible or telephone numbers abroad.

In addition, you can usually get a good picture of a provider with the help of customer reviews or in forums. You can find relevant experiences in rating portals or research them using a search engine.

Encryption techniques

Regardless of the online store and the payment method you choose, always make sure that all data you transmit to an online store is encrypted. You will recognize this by messages such as "You have requested a protected document..." or "You are about to view pages over a secure connection...". In addition, if the data connection is encrypted, an "s" will appear after the letters "http" in the browser's address bar. Another indication of encryption: in many browsers, a small, closed padlock appears in the lower area or in the address line.

SSL certificates at online retailers

Some web stores try to symbolize a secure shopping experience with SSL certificates from independent certificate authorities. The website operators use so-called Extended Validation SSL certificates (EV SSL certificate). On the left side of the browser's address bar, a field is additionally displayed in which the certificate and domain owner are shown alternating with the certification authority. In addition, depending on the browser and/or add-on used, the address line is (partially) colored green. In this way, you can recognize even faster whether the visited website is "genuine" and can thus protect yourself even better against phishing attempts.

Providers of SSL certificates are, for example, the following companies: VeriSign, GoTrust, GlobalSign, TC TrustCenter Gmbh and Cacert. Companies receive an SSL certificate with unique and authenticated information. When issuing the certificate, the certification authorities verify the identity of the certificate owner. For example, VeriSign verifies the existence of the company, the domain owner, and the authority to request an SSL Certificate. If you arrive at an encrypted page that does not have a valid certificate, you will receive a warning message.

Seal of approval for online merchants

Another popular means used by online merchants to emphasize their own seriousness are cachets. These indicate that both the store provider and the various processes triggered by an order have been independently checked. The individual seals of approval distinguish different verification methods as well as quality requirements for online stores.

Therefore, they do not always provide reassurance about the security of the tested online retailer. Therefore, check which minimum requirements a seal of approval confirms before you trust an alleged quality mark. Also, be aware that online fraudsters also falsely and illegally mark websites with a seal in order to appear trustworthy. If in doubt, it is better to select an alternative store for your purchase.

Initiative D21, an association of information society experts from politics and business, has defined quality criteria for online retailers. Based on these criteria, Initiative D21 recommends the following seals of approval:

1. Trusted Shops

2. TÜV Süd Safer Shopping

3. internet Privacy Standards

4. Tested Online Shop

In any case, please note that the seal of approval providers only check the stores and ordering processes. A seal of approval cannot protect you from phishing, for example.

Stored data

Every time you place an order on the Internet, you must provide the online merchant with some personal information in addition to your credit card or bank data. Our recommendation: Make sure that you limit all information to the absolutely necessary data. Therefore, only fill out the mandatory fields. A trustworthy store provider will ask you at the end of an order process what is to be done with your data. You can usually object to your data being passed on in this way. If you wish to receive newsletters or promotional mailings, you must explicitly confirm this.

Unfortunately, it is not possible to prevent the store provider from storing the products and services you have ordered and thus automatically creating a profile of you. In addition to the product information stored by the provider, some providers combine this data with so-called cookies that allow statements about your surfing behavior. Thus, it is possible that after purchasing a certain product, when you log back into the webshop, you will receive a product recommendation or an offer that thematically matches your previous order or your surfing behavior recorded by the provider.

10 tips for online auctions

Online auction houses like eBay enjoy great popularity. When you buy goods at auction on the Internet, you have to pay attention to even more things than when you "usually" buy online. How you should proceed with online auctions:

  1. Check the ratings of sellers before you place a bid. Prefer auctions where the homepage or at least the address of the seller is known.

  2. Check the product data carefully and ask the seller in case of doubt. Ask for proof of origin or proof of purchase or guarantees, especially for higher-value products or new goods.

  3. Find out about the auction provider's security measures in the relevant section of the website, which are designed to keep out fraudsters.

  4. Before paying, check if you have received the seller's address information. If not, research them.

  5. When transferring money, make sure that the seller and the account holder are the same. Avoid foreign wire transfers.

  6. For higher value goods, use the escrow service of auction sellers - if possible. This way, the payment of the purchase price is withheld until you receive the goods.

  7. Be careful if a (supposed) seller wants to sell you goods directly after an auction - for example, on the grounds that a buyer has dropped out. Always ask the auction seller directly.

  8. If a seller seems suspicious to you, report this to the auction provider immediately. Contact the police if you have been defrauded of money. If you suspect that purchased goods are stolen goods, you should also report this to the police immediately - you may otherwise be liable to prosecution for receiving stolen goods.

  9. Be alarmed if a seller tries to persuade you to send him money via a payment method other than the one provided by the auction house.

  10. Do not comply with requests to submit a copy of your identification card. This applies regardless of whether you are the buyer or the seller.


Safe Smart Home

The field of smarthome includes all devices whose area of application is in your living space. There are systems that automatically open or close windows, doors and shutters - so-called home automation technology. But the smarthome also includes household appliances such as refrigerators that keep you informed about their contents, or consumer electronics such as smart TVs and networked speaker boxes with digital voice assistants.

Often, these systems can be controlled from anywhere. A smarthome can help you save energy, for example, by automatically turning off the heating when you open a window. Some devices are simply for personal convenience, such as turning music or lights on and off via voice control.

Many of these IoT devices are connected to the Internet. Therefore, the same risks apply to them as to other Internet-connected devices, such as computers or smartphones. In the following sections, you will learn how to get started with the smarthome as safely as possible.

Up-to-date software and security updates

Even before purchasing an IoT device, make sure the manufacturer will provide software updates over the expected typical life of the device. For each device, find out if and how the updates will be applied. In most cases, this is done automatically or manually via an associated app or the device's web interface. If possible, enable automatic updates on your device to keep its security features current.

IoT devices for which no updates are provided represent a security risk. With them, vulnerabilities remain open and can be exploited, and errors in the software cannot be corrected. Attackers can gain access to the devices in this way and possibly control them remotely. If your device is no longer receiving security updates, you should replace it.

Central firewall and router security

The firewall in your router protects your home network from attacks over the Internet. Check to see if your router has a firewall built in and enable it.

Also protect your router by changing the password preset there, applying available updates and making sure you have up-to-date firmware.

You can activate the firewall and change the password in the router settings. In the manual of your router you will find the internet address (often an IP number), which you have to visit from your LAN or WLAN to get direct access to the router.

Do not use default passwords

A much-used gateway for attackers are devices connected to the Internet that have no password protection or are only protected with preset default passwords. Such devices are particularly vulnerable to the unauthorized upload of malware. Infected devices can become part of a botnet, for example: This is a network of very many devices that attackers can remotely connect and use for various actions. In most cases, it is very difficult to trace whether a device is infected with malware. Therefore, make sure that you set your own individual password when connecting an IoT device for the first time. Never share your passwords with anyone.

What to look for when creating a strong password:

  • You need to be good at remembering a password.

  • The longer the password, the better.

  • The password should be at least eight characters long. For securing a WLAN, at least 20 characters are recommended.

  • As a rule, all available characters can be used for a password, i.e. upper and lower case letters, digits and special characters.

  • The complete password should not appear in the dictionary. Common number sequences or keyboard patterns are also out of the question as a secure password.

  • Adding simple numbers or special characters before or after a normal word is not recommended.

  • A password manager can make it easier to handle different passwords.

  • If two-factor authentication is offered, you can use it to additionally secure access to your device. In addition to the password entry, an additional factor is requested, for example in the form of a hardware component that acts as a key. This could be the smartphone, a chip card or a special USB stick. A fingerprint or an SMS sent by the provider with a one-time code can also be used as a second factor.

Encrypted communication and local use

Make sure your IoT devices communicate sensitive information in encrypted form. Third parties can otherwise intercept and read this data. Before purchasing, find out whether the device supports encrypted communication.

Only connect your smarthome to the Internet if remote access is absolutely necessary. In many cases, it is sufficient to access your IoT devices only within your home network. Of course, the smartphone or computer you use to control your IoT devices must also be directly connected to your home network. Some smarthome base stations offer the option to prevent communication with the Internet. A device that is not accessible via the Internet poses a much lower risk. For example, schedules and scenarios can be stored for shutters or lighting that allow control completely without an Internet connection. This makes it possible, for example, to feign the presence of residents during a vacation.

If the UPnP (Universal Plug and Play) setting is activated on your router, you should deactivate it so that your IoT devices cannot communicate uncontrolled to the Internet.

Set up VPN

A Virtual Private Network (VPN) is a particularly secure connection between two points. It involves establishing a tunnel from, for example, a smartphone through the public Internet to your home network or router.

The special feature of the VPN is that the established tunnel has only one input and one output and thus no data can flow out on the way. In addition, your home network is only accessible through the VPN with devices that you have enabled. Modern routers offer the possibility to set up a simple VPN.

Separate home network

The so-called segmentation of the network is already standard in industrial networks and can also be applied in the home network. Here, the IoT devices are operated in a separate network, which has no connection to sensitive data or devices such as your computer.

Many home routers offer the option of setting up a separate WLAN in which only IoT devices are then integrated. This is logically separated from your home network and is therefore an easy way to operate your IoT devices in a separate network. For devices that need access to data on your home network, moving them to a separate network does not make sense. An example of this is your smart TV if you also want to use it to access your media files stored on the network. If your router does not offer network segmentation, but does offer a guest WLAN, you can also consider integrating the IoT devices into it. In that case, however, the guest WLAN should be used exclusively for IoT devices and the credentials should not be shared with third parties.

Physical security

Make sure that strangers cannot gain physical access to your devices from the outside. USB or LAN ports should not be freely accessible, as these can serve as a gateway for third parties to enter your network and access your data.

Conscious use of IoT devices

Be aware of how your device works, what data you generate with the use of your device and where it is stored. This is an important foundation for conscious use of IoT devices.

The following questions are helpful in better assessing the device and the potential risks of its use:

  • What sensors, such as a camera or microphone, does the device have?

  • What data is recorded and stored?

  • Can it be traced where the data is stored?

  • Will this data be sent or shared with other applications?

  • What potential risks might be associated with using the device and am I willing to bear them?

The answers to these questions will also help you weigh convenience or functionality against aspects of security. Make a conscious decision about whether you want to sacrifice security in order to use certain functionalities.