Securing your digital life, part two: The bigger picture—and special circumstances
We did the basics—now let's look at some more detailed steps to protect yourself.
In the first half of this guide to personal digital security, I covered the basics of assessing digital risks and protecting what you can control: your devices. But the physical devices you use represent only a fraction of your overall digital exposure.
According to a report by Aite Group, nearly half of US consumers experienced some form of identity theft over the last two years. Losses from these thefts are expected to reach $721.3 billion for 2021—and that’s only counting cases where criminals take over and abuse online accounts. Other valuable parts of your digital life may not carry specific monetary risks to you but could still have a tangible impact on your privacy, safety, and overall financial health.
Case in point: last September, my Twitter account was targeted for takeover by an unidentified attacker. Even though I had taken multiple measures to prevent the theft of my account (including two-factor authentication), the attacker made it impossible for me to log in (though they were locked out of the account as well). It took several weeks and some high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out about things with a verified Twitter account, this went beyond inconvenience and was really screwing with my job.
The attacker found the email address associated with my Twitter account through a breach at a data aggregator—information probably gleaned from other applications that I had linked to my Twitter account at some point. No financial damage was done, but it made me take a long, hard look at how I protect online accounts.
[Image caption: Oh hey, it's this guy again. (Maybe this is the guy who tried to get into my Twitter account?) Credit: Aitor Diago / Getty Images]
Some of the risk tied to your digital life is taken on by service providers who are more directly impacted by fraud than you. Credit card companies, for example, have invested heavily in fraud detection because their business is built on mitigating the risk of financial transactions. But other organizations that handle your personal identifying information—information that proves you are you to the rest of the digitally connected world—are just as big a target for cyber crime but may not be as good at preventing fraud.
Everything counts in multiple accounts
You can do a number of things to reduce the risks posed by data breaches and identity fraud. The first is to avoid accidentally exposing the credentials you use with accounts. A data breach of one service provider is especially dangerous if you haven’t followed best practices in how you set up credentials. These are some best practices to consider:
- Use a password manager that generates strong passwords you don’t have to remember. This can be the manager built into your browser of choice, or it can be a standalone app. Using a password manager ensures that you have a different password for every account, so a breach of one account won’t spill over into others. (Sorry to again call out the person reusing letmein123! for everything, but it's time to face the music.)
- When possible, use two-factor or multi-factor authentication ("2FA" or "MFA"). This combines a password with a second, temporary code or acknowledgment from someplace other than your web browser or app session. Two-factor authentication ensures that someone who steals your password can’t use it to log in. If at all possible, don’t use SMS-based 2FA, because this is more prone to interception (more on this in a minute). Applications like Authy, Duo, Google Authenticator, or Microsoft Authenticator can be paired with a wide variety of services to generate 2FA temporary passwords or to send “push” notifications to your device so that you can approve a login. You can also use a hardware key, such as a Yubico YubiKey, to further segment authentication from your devices.
Special cases
There's one oft-suggested technology that hasn't appeared on this list so far: the VPN or virtual private network. I use VPNs for very specific purposes—namely, to keep the virtual machines I use for malware hunting segmented from the rest of my network or to make them look like they’re in different parts of the world so I can test malware targeting.
Some people use them to evade geographic content licensing restrictions, so they can get their Dr. Who fix or watch The Mandalorian outside of the Disney Co-Prosperity Sphere. I will not comment on those use cases.
When 2FA is not enough
Security measures vary. I discovered after my Twitter experience that setting up 2FA wasn’t enough to protect my account—there’s another setting called “password protection” that prevents password change requests without authentication through email. Sending a request to reset my password and change the email account associated with it disabled my 2FA and reset the password. Fortunately, the account was frozen after multiple reset requests, and the attacker couldn’t gain control.
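To make the failure mode above concrete, here is a small added Python model of the two recovery policies (this is illustrative code written for this page, not Twitter's implementation): in the weak flow, a reset-plus-email-change request succeeds on email alone and drops 2FA enrolment; with the "password protection" setting on, the same change requires the existing second factor, and repeated reset requests freeze the account. The field names, the `request_reset` function and the freeze threshold are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

RESET_FREEZE_THRESHOLD = 3  # constructed value: freeze on the third reset request


@dataclass
class Account:
    email: str
    password: str
    totp_enrolled: bool = True          # authenticator-app 2FA is set up
    password_protection: bool = False   # the extra setting the article describes
    frozen: bool = False
    reset_requests: int = 0
    log: list = field(default_factory=list)


def request_reset(acct: Account, new_email: str, second_factor_ok: bool) -> str:
    """Model a 'reset my password and change my contact email' request.

    Returns 'frozen', 'denied' or 'reset'.
    Weak flow (password_protection=False): the request succeeds with only
    email-based proof, and the reset also clears the account's 2FA enrolment.
    Hardened flow (password_protection=True): the sensitive change is refused
    unless the caller presented the existing second factor.
    """
    if acct.frozen:
        acct.log.append("request ignored: account frozen")
        return "frozen"
    acct.reset_requests += 1
    if acct.reset_requests >= RESET_FREEZE_THRESHOLD:
        # Rate-limit style safeguard: repeated reset requests lock the account
        # for manual review, which is what eventually stopped the attack above.
        acct.frozen = True
        acct.log.append("too many reset requests: account frozen for review")
        return "frozen"
    if acct.password_protection and not second_factor_ok:
        acct.log.append("reset denied: second factor required for this change")
        return "denied"
    acct.email = new_email
    acct.password = secrets.token_urlsafe(16)   # stands in for a server-issued reset
    if not second_factor_ok:
        # Weak flow: an email-only reset replaces the 2FA enrolment as well.
        acct.totp_enrolled = False
    acct.log.append(f"reset applied: email now {new_email}")
    return "reset"
```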
Social exposure
Social networks, online communities, and apps or services intended to foster social interaction (such as dating) are a major source of information used in targeted attacks. Social media accounts are frequent targets for takeover, and social media users all too often leave essential information about themselves, their family and friends, their activities, and even their finances in the open for others to see and potentially target. If you must use social media, here are some tips to limit your exposure:
- I shouldn't have to say this, but I'm going to say it anyway: don’t post unredacted pictures of driver's licenses, vaccination cards, credit cards, passports, or other documents with PII on social media. There are no circumstances where this is a good idea. Don't do it, even for a TikTok challenge.
- Lock down access to your social media accounts with 2FA and unique, strong passwords to prevent "brute force" breaches and "password reuse" hacks.
- On Facebook, set the default privacy for posts to “friends only.” This will prevent casual leaks of information you don’t want anyone but friends and family to know about.