Online Security Steps You’re Not Taking
Online security is way too hard, and you shouldn’t have to read this whole article, but here we are. It is, and you do.
Or you could read this one. Whatever.
Most of this article is about online, but some of it is computer-based. With no further ado, here are some of the precautions you should take…
Seriously, update your computer, update your anti-virus/malware, update your browser. Do it now. First, back up your computer. I’ll come back to backups later.
We’re going to get into the more regular online security stuff in a second, but the most basic thing you can do is update the things you use.
Breaking into LinkedIn to steal your password is hard, but exploiting an out of date browser is easy. Don’t make it easy.
Don’t Reuse Your Passwords
I know why you reuse your passwords, and I used to do this myself, but think of it this way: Imagine your post box key also opened the safe at your bank. Banks spend millions on security, and you spend… hundreds? And the same key opens both locks.
This is a real-world example of exactly what most people do. They use the same ‘key’ to open valuable online things as they do to open less valuable things.
All it takes is a hacker to copy the key to your post box, and they can get into your safe. As it were.
And it has already happened. Right now. Already. You can look yourself up here: pwnedornot.org
That website is full of old data; the new hacks haven’t been publicised yet.
Thankfully a solution exists: Password managers.
Manage Your Passwords
There are some great ones out there, KeePass, 1Password, LastPass and others. All with pros and cons.
The how-to-use guides on these vary, but here are some tips on password managers:
1. Don’t use computer (Mac/Windows) based ones – you might switch or be forced to switch at work
2. Don’t use browser-based ones – same as #1, and browsers are designed for browsing first and, if you’re lucky, security second
3. Make sure it has an app for iPhone and Android
   3a. A universal browser plugin is very handy
4. Change it in stages. Start with having the password manager remember all your passwords and get comfortable using the system and the app. Then start changing your passwords to your high-value things such as your primary email address.
When you’re done, you’ll have unbreakable, unrememberable (?), unique passwords for everything you use and one very long master password for your password manager.
What if they get hacked? They have. But their business is completely devoted to security, and the same cannot be said of the hundred or so online sites you reuse passwords with.
There’s a saying/story in IT security:
There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they have been hacked by the Chinese. – James Comey
So you’ve solved your first problem: your account getting hacked doesn’t give the hacker access to all your other accounts. Yay!
But you can take one more step to stay safe and make your account much harder to get into: use two-factor authentication (2FA).
You probably do this already with some online things such as banking.
You sign in with your details and (now) unique password, and then you receive an SMS with a code to type in.
You can turn this feature on with most of the big things you use online: your email, social media and more. Do this.
Your details are going to get hacked, but if they need to type in a code that only you have and is time-bound, you’ll be mostly ok.*
Problems With 2FA
*And this is where the caveats come in. Two-factor authentication has some significant problems.
The most obvious is that you may not have your phone with you. Another is, what if you travel overseas and don’t have global roaming? What if you lose your phone? What if you change numbers?
And I’ll add one less obvious one: what if hackers convince your phone company to redirect your number to a new phone? Then your security SMSs go to them and not to you. True story, and an overseas example.
Sorry, this is messy, no way around it. You need a unique password AND you need to use 2FA. But 2FA has faults, so you need to take precautions.
Have A Backup Option For 2FA
The big accounts, email and Facebook, will let you use multiple 2FA options. And they will give you special backup codes for you to print out if you get stuck without your phone.
And you can often check a box when signing in to only need 2FA once every 30 days or on new sign-ins. Much better than having to do it every time.
Here’s the messy bit: You should avoid using SMS 2FA. The examples above are real. Thankfully there are better and safer options: ‘Authenticator’ apps. Google has a great one that you can use for multiple services.
I know, I know, this is getting messy. It’s pretty straightforward once you’re set up. So get a friend to help you.
Google Authenticator is great as it is super easy to set up and use, and, say for example you use it with Facebook, you can set it up so that your iPhone and iPad are both hooked in, so if you lose one you can use the other.
Some sites won’t let you use an authenticator app, or don’t offer backup codes. The problems I warned about above are not very regular occurrences, so choose wisely.
As an aside, there are physical authentication devices. YubiKey4 is one of them. You could use the authenticator app and this as a backup.
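Why an authenticator code is ‘time-bound’, and why an iPhone and an iPad can both produce the same code: the app and the service share one secret seed (the thing inside the QR code you scan) and both compute the same six-digit code from the current 30-second window, then throw it away. The Python below is an added example, not code from this post or from any authenticator app. The secret is the RFC 6238 test-vector key, constructed for the demo and not a real account seed, and the one-step clock-drift window on the checking side is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 test-vector key, NOT a real account seed.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # every authenticator app and service agrees on a 30-second window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' picks 4 bytes and reduces them to N decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is 'which 30-second window is it'.
    Two devices with the same seed and a correct clock get the same answer."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """What the service does when you type the code in. It accepts the current
    window plus `window` steps either side (assumed tolerance for clock drift),
    so a code is only good for roughly a minute and a half, then it is dead."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """The seed as it travels inside the QR code: base32 text. Scanning the same
    QR on a phone and a tablet hands both the identical seed, which is the
    'hook in two devices' trick from the post."""
    return base64.b32encode(secret).decode()


def seed_from_provisioning(text: str) -> bytes:
    """What the second device does with the scanned text."""
    return base64.b32decode(text)


if __name__ == "__main__":
    now = int(time.time())
    phone_seed = seed_from_provisioning(provisioning_secret(DEMO_SECRET))
    print("code on device 1:", totp(DEMO_SECRET, now))
    print("code on device 2:", totp(phone_seed, now))          # identical
    print("valid now?      ", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
    print("valid in 2 min? ", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now + 120))
```

The point the numbers make: the code is not sent to you over the phone network at all, so there is nothing for a hijacked SIM to receive, and a code someone shoulder-surfs is worthless a couple of minutes later.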
Ok, so you’ve locked down all your passwords, turned on app-based two-factor authentication for your important services like email. Now what?
Well, if your computer is up to date, as is your browser and you have unique passwords using 2FA, you can give yourself a pat on the back.
Done? Cool, here are some other things you can do that may or may not involve fashioning a tinfoil hat to keep out the mind control messages from aliens…
Pre-Paid Credit Card
Getting a prepaid credit card is trivial to do and you can use it for all your online purchases by topping it up when needed. That way if the online shopping site you use gets hacked and they get your password AND credit card details, you don’t lose much money.
This option has the bonus of avoiding spending money you don’t have!
Mailboxes are comically easy to get into. Add to that problem the fact that companies and governments insist on sending you documents with way too much info on them and you have an identity theft honey pot.
Do yourself a favour and get a PO Box.
Extra Email Addresses
If you can be bothered, you can create a ‘spam’ email address. Create a yournamegetsSPAMhere@hotmail.com email address for whenever some online site asks for an email address that they don’t need.
That way your mum can still send you chain mail, but you skip all the Viagra offers.
Google offers a neat trick to do this without creating a new account.
The other way you can do the extra email address is to have one for only password resets.
Most email services will ask for a backup email address in case you get locked out. Consider using one for this purpose, but don’t give out or use it for anything else. That way, no one will know what it is, it won’t have been used anywhere else online and you can get into it whenever you want.
VPN and HTTPS Everywhere
It’s all good and well to have strong, unique passwords, but if the wifi connection you’re using gets intercepted, you’re done.
That is, if you’re typing in a password or credit card number and your browser isn’t showing HTTPS at the front of the address (or you’re not using a VPN), then depending on where you are, you’re in trouble.
Cafes, for example, are a bad place to be using insecure connections, as are tourist places in any country.
Google ‘HTTPS Everywhere’ and use it.
Get yourself a VPN before travelling overseas.
While you’re at it, make sure your home router is using encryption (WPA2 for example). Your neighbour might be a little more unsavoury than you realise.
Fun Story: One of my neighbours was arrested for identity theft. He had the credit card details of thousands of people in his possession. Card skimming is fun and easy to do apparently. Jail, not so much.
Tinfoil Camera and Audio
I know a lot of people who cover the camera on their computers. Mark Zuckerberg does it. You can even buy special stickers to do it.
Hackers can turn on your camera without you being aware of it. Very creepy.
But what most people aren’t doing is turning off the microphone.
I don’t know about you, but the camera on my computer doesn’t stay pointing at things for long periods of time and when it does it’s just my face.
But the microphone? What room is yours in? Have you ever had a conversation that you wouldn’t want to be recorded?
Cameras are pretty easy. Physically cover them. Audio is trickier.
Here’s a trick you can do: Cut off the ends of your cheapest headphones (for example iPod earbuds). You’ll be left with a headphone jack you can plug in but just a short wire at the end.
Doing this (apparently) makes your computer switch from the internal microphone to the audio jack, which now has no microphone attached. Problem solved.*
*I’m not a security expert, hacker or technical person, so take this advice with a grain of salt.
A fun new way to get burned online is for you to click a link you shouldn’t have and then your whole computer gets encrypted with a message telling you that you have X hours to pay up or all your data gets wiped. You know a great way to avoid this: Back up your computer. Do it on an external hard drive that you unplug and you’ll be pretty safe. Not completely safe, but better than most.
There is so much more to do if you want to, some of it basic (full disk encryption), some of it much harder and more technical (air gaps, custom operating systems on USB sticks).
We are at a stage where online security is mandatory and at the same time way too hard. This will change, but right now you need to change your passwords and set up two-factor authentication. And maybe get used to a tinfoil hat.