What is this and who is this for?

These are my thoughts on “digital security” for normal people. This is not for journalists, politicians or anyone who thinks they could be the target of a powerful “actor”. It is for normal people who care and want to protect themselves as well as they can with basic tools and techniques.

Note that this is not, at all, about privacy.

Finally, this is centered around the US, but most of the advice is valid everywhere else.

Web 101

What to do to properly secure your online accounts.

Password hygiene

  1. DO NOT reuse passwords. Why? Because poorly-secured websites get hacked and leak your data every day. If you had an account there, your login/password pair is now probably public, or can be bought for $1 on the “dark web”, and the first thing a criminal does with it is try it on every other site.
  2. Avoid very short or trivial passwords. My favorite: just pick three or four random words, chosen with dice or a generator rather than out of your head (words you think of are far less random than they feel). Related XKCD post.
  3. Use a password manager to store all your unique passwords. The idea is to store all your passwords in an encrypted database readable by you only. Most have autofill features to make the workflow as easy as possible, and password generation features. Of course, a password manager means you do have to place some trust in it, especially if it’s commercial and/or closed source. Some examples of relatively well-known and trusted solutions:
    • KeePass (FOSS, Windows only, many forks and ports for other platforms). A bit clunky but well trusted. Works with a local encrypted file that you can sync between devices with Dropbox or similar.
    • 1Password (Commercial, all platforms, pretty expensive). Sync across devices, very smooth interface. What I personally use.
    • Bitwarden (Commercial but open source, all platforms). Sync across devices.
    • LastPass (Commercial, free version, all platforms). Not a big fan of the interface, but fine.

Personally, I always thought Dashlane was very “fear-mongering” (they mix their password manager with “dark web monitoring” and “VPNs”), but that’s just my opinion. Finally, you can use Apple’s Keychain or Chrome’s password manager. I personally prefer to keep my password manager separate from my Google/Apple accounts and devices, but that’s probably fine as well.

In the worst case, if you think your home is safe enough, a notebook can be pretty good. Not very convenient, though, and it had better not get stolen.

Another related XKCD
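To make item 2 concrete, here is an added example (not code from the original post) of how a word-based passphrase should be generated and how much entropy it gives. The eight-word list is a constructed stand-in; the figures for a 7776-word list assume the EFF long word list, which is the size a real generator would load from a file.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// wordList is a constructed stand-in for a real word list such as the
// EFF long list (7776 words). Only the list size matters for the entropy
// estimate; a real generator loads the full list from a file.
var wordList = []string{
	"correct", "horse", "battery", "staple",
	"river", "candle", "orbit", "maple",
}

// PassphraseBits returns the entropy, in bits, of a passphrase built from
// `words` words drawn uniformly and independently from a list of listSize
// words: log2(listSize^words).
func PassphraseBits(listSize, words int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// PasswordBits does the same for a random password of `length` characters
// over an alphabet of alphabetSize symbols, for comparison.
func PasswordBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// GeneratePassphrase picks n words with the OS CSPRNG. rand.Int draws a
// uniform value below len(list), which avoids the modulo bias that
// `randomByte % len(list)` would introduce when the list size is not a
// power of two.
func GeneratePassphrase(list []string, n int) (string, error) {
	if len(list) == 0 || n <= 0 {
		return "", fmt.Errorf("need a non-empty list and n > 0")
	}
	bound := big.NewInt(int64(len(list)))
	picked := make([]string, 0, n)
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		picked = append(picked, list[idx.Int64()])
	}
	return strings.Join(picked, " "), nil
}

func main() {
	p, err := GeneratePassphrase(wordList, 4)
	if err != nil {
		panic(err)
	}
	fmt.Printf("passphrase: %q\n", p)
	fmt.Printf("4 words from this %d-word demo list: %.1f bits (demo only, far too small)\n",
		len(wordList), PassphraseBits(len(wordList), 4))
	fmt.Printf("4 words from a 7776-word list:       %.1f bits\n", PassphraseBits(7776, 4))
	fmt.Printf("8 random printable ASCII chars:      %.1f bits\n", PasswordBits(95, 8))
}
```

Four words from a 7776-word list give about 51.7 bits, roughly the same as eight fully random printable characters, but far easier to remember and type. The entropy estimate only holds if the words are chosen by the generator; a phrase you made up yourself is worth much less.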

Use 2FA everywhere

Use two-factor authentication everywhere you can. It means that to log in you need something you know (your unique password) and something you have, typically your phone. On a device you use regularly you typically only need to enter the second factor every month or so. The idea is to protect you if your password ever gets leaked, somehow. You have four possible choices:

  • A code sent by SMS. Not great, because of the SIM porting issue. Better than nothing, but I would stay away from it. More below.
  • A one-time code generated by an app like Google Authenticator (the code is derived from a shared secret and the current time, so it changes every 30 seconds). A fine option for most people.
  • A push notification sent to an app like Duo, or to the website’s own app. Fine, but requires a new app for each website.
  • A security key implementing the U2F standard. The best, by far. See how it helped Google prevent phishing. Not all websites support it, but many important ones (Google, Facebook, Microsoft, Dropbox, …) do.

Make sure you have backups of your 2FA (like 1 key and 1 app, or 2 keys, or 2 apps on 2 phones), and keep the one-time backup codes most sites hand out somewhere safe. You don’t want to get locked out because your account is too secure.


Why are security keys the best? Basically, they are mini “crypto engines”. When you register the key with a website, the key generates a public/private key pair and sends the public key to the website. Then, when logging in the next time, you prove you are yourself by signing a challenge from the website using the private key that only you have, and this private key never leaves the physical device (I am oversimplifying). This is similar to SSH keys, and infinitely superior to passwords, since you never share anything secret with anyone: a breach of the website leaks only public keys. It also enables powerful anti-phishing features: the browser includes the website’s origin in what gets signed, so a signature obtained by a look-alike phishing site is useless on the real one.
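The registration and login exchange described above, as an added example that is not code from the original post. It is a simplified model of U2F/WebAuthn: the key holds a fresh P-256 key pair per registration, signs a hash of the origin the browser is on plus the site’s challenge, and the site verifies with the stored public key. The origin "https://accounts.example.com" and the phishing look-alike are assumed for illustration; real protocols also sign a usage counter and client data, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SecurityKey models the token. Private keys live only inside this struct
// and are never returned; one fresh key pair is made per registration.
type SecurityKey struct {
	creds map[string]*ecdsa.PrivateKey // credential ID -> private key
}

// Credential is what the website stores: an opaque ID and the public key.
type Credential struct {
	ID  string
	Pub *ecdsa.PublicKey
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a new P-256 key pair and hands back only the public half.
func (k *SecurityKey) Register() (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	var idBytes [16]byte
	if _, err := rand.Read(idBytes[:]); err != nil {
		return Credential{}, err
	}
	id := hex.EncodeToString(idBytes[:])
	k.creds[id] = priv
	return Credential{ID: id, Pub: &priv.PublicKey}, nil
}

// signedDigest is what both sides agree to sign: the origin the browser is
// actually on, then the server's challenge. Binding the origin is the
// anti-phishing property.
func signedDigest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin/challenge boundaries cannot shift
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate signs the challenge. browserOrigin is supplied by the browser,
// not by the page, so a phishing page cannot claim to be the real site.
func (k *SecurityKey) Authenticate(credID, browserOrigin string, challenge []byte) ([]byte, error) {
	priv, ok := k.creds[credID]
	if !ok {
		return nil, errors.New("no credential with this ID on the key")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(browserOrigin, challenge))
}

// RelyingParty is the website. It holds public keys only.
type RelyingParty struct {
	Origin string
}

func (rp RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the origin the site knows it serves.
func (rp RelyingParty) Verify(cred Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(cred.Pub, signedDigest(rp.Origin, challenge), sig)
}

// Login runs one authentication: the site issues a challenge, the browser at
// browserOrigin forwards it to the key, the site verifies the signature.
// A phishing site can relay the real challenge but sits on a different origin.
func Login(key *SecurityKey, cred Credential, site RelyingParty, browserOrigin string) (bool, error) {
	challenge, err := site.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := key.Authenticate(cred.ID, browserOrigin, challenge)
	if err != nil {
		return false, err
	}
	return site.Verify(cred, challenge, sig), nil
}

func main() {
	key := NewSecurityKey()
	site := RelyingParty{Origin: "https://accounts.example.com"} // assumed origin
	cred, err := key.Register()
	if err != nil {
		panic(err)
	}
	ok, _ := Login(key, cred, site, site.Origin)
	fmt.Println("real site:", ok)
	ok, _ = Login(key, cred, site, "https://accounts-example.com.evil.test") // assumed phishing origin
	fmt.Println("phishing relay:", ok)
}
```

Note what the phishing site cannot do: it receives a perfectly valid signature from the key, but over a digest that includes its own origin, so the real site rejects it. With a password or a TOTP code, the same relay would have succeeded.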

Avoid using your phone number for recovery/2FA

Phone companies are very, very bad at keeping accounts secure. The usual attack is that someone calls your provider, claiming to be you, and asks to port your phone number to a new SIM card. If they are convincing enough (you are a paying customer, after all, and support reps are trained to be helpful), they may successfully convince the rep that they are you and get your number ported to another device. From there, all texts and calls are redirected to the attacker’s device.

The worst is when the phone number is used for both password recovery and 2FA text verification (that’s my bank, SFCU, by default…). In that case, it’s basically over, and the attacker has full access to your accounts. For those reasons, I would stay away from using your phone number for anything security related. The only good thing about phone numbers is that they are hard to lose (since, well, they can easily be ported).

The relevance of this section certainly varies depending on where you live. That being said, the issue with phones remains the same: you’re including a third party in the loop (you have to trust, a lot, your carrier), which is better to avoid if you can.

Do periodic checks

Every 3 months or so, check all your important accounts (Google, Microsoft, Apple, Dropbox, Facebook, Instagram, …):

  • That all the recovery emails are up-to-date
  • That all 2FA methods are under your control and that you have backups of them
  • That no unknown devices, sessions or third-party apps are connected to the account

Phones

  • Set up a “Porting PIN” or “Account PIN”. Regardless of the SIM porting issue, it’s a good idea to make sure you have a PIN protecting your account. Call your provider and set this up right now. It probably won’t stop a very determined person, but it can help. Unless the criminal works for your carrier.
  • DO NOT ever trust a caller ID (i.e., the number showing up on your phone when someone calls); it is trivially spoofed. Never provide confidential information in reply to a call. Hang up and call back the number you look up online or on your card/statements.

Random advice

  • Make sure you have backups of your laptop and phone. If you don’t, you will eventually lose (potentially important) data. It doesn’t just happen to others. What I personally have:
    • An encrypted 4 TB disk next to my desk at home, which I back up to using Time Machine;
    • A cloud backup using Backblaze.
  • Encrypt your phone, laptop and backup disks. It only helps when a device is lost or stolen, but that is exactly when you need it. It’s on by default on iOS, easy to set up on Android and Mac.
  • Enable auto-updates on your phone & laptop.
  • Put a 6-digit PIN on your phone. Forget those silly patterns, they are way too easy to shoulder-surf.
  • Don’t enter any information after clicking on a link in an email (or SMS or text). Or just don’t click on links in emails: type the site’s address yourself instead.

Credit Fraud (aka “Identity theft”)

I hate the word “Identity theft”. It’s a way for companies to shift the blame on you for them not doing their job properly. Your dog still recognizes you.

So what’s the issue? You have those companies, CRAs (Credit Reporting Agencies, i.e. Equifax, TransUnion and Experian, but also Innovis) that collect credit-related data on banks’ customers. They get this info from the banks directly. Typically, in the US, people are uniquely identified using their SSN (Social Security Number). Then, the next time you ask for a loan, you provide your name, a few details, and your SSN, and the bank takes a look at your file (what’s called a “hard pull”). The bank also assumes that knowing all that info is enough to prove you are who you claim to be.

The issue is that the SSN is basically public at this point. So the typical scenario is that a criminal impersonates you, gets a credit card “under your name”, buys a bunch of TVs from Walmart and never pays the card. Eventually, debt collectors start running after you. So, while you won’t be responsible for any debt assigned to you because of fraud, you will still be the one responsible for fixing it, somehow (since otherwise the delinquent debt stays on your reports and destroys your credit score). What can you do?

  • Keep all confidential information secure. Don’t leave your tax returns in the bin next to the printer.
  • Monitor your credit reports for anything suspicious. Federal law (the Fair Credit Reporting Act) mandates that those companies give you your report for free every year. See the FTC’s website on free credit reports available here.
  • Freeze your credit with all those agencies. You will receive a PIN. Without lifting the freeze using this PIN, creditors won’t be able to pull your report, which usually prevents them from giving credit to the criminal. It’s all (placing, lifting and removing the freeze) free by law. See the FTC’s website on security freezes.

Finally,

  • Please, don’t pay those companies for “monitoring” services. It’s like the mafia.
  • A “Credit Lock” is not the same as a “Credit Freeze”. The former is not regulated by law. The latter is. Those shady companies are pushing their home-cooked, unregulated lock because it’s, well, unregulated.
  • The issue shows up in other industries as well (defrauding the IRS to get a tax refund using your SSN, putting “utility bills” in your name, etc.), but maybe less often. Just be aware that this is not limited to the credit industry.
  • A very good blog about all sorts of security issues for “normal people”
  • A great website to check whether your email (or password) is involved in any known breach, by Troy Hunt