Agile Tortoise
Greg Pierce’s blog
« Weblog II for Conversant BarCampDallas »
Concrete steps to protect yourself online
One area where we “geeks” in the culture are not doing a very good job lately, is in providing concrete advice to our friends and family about how to protect themselves online. Viruses, spyware and security breaches at large institutes make big news, but really the greater risks are from our own actions and practices online. In particular in exposing ourselves to identity theft and other crimes that are occurring on a smaller scale every day.
I wanted to draw attention to the selection and use of usernames and passwords for online services — particularly ones that are financial in nature. Increasingly we have a lot of these services in our lives. Also, increasingly, people need to remember a lot of different username and password combinations to access these services they use day-in and day-out. What I’ve found, in my experience at work and elsewhere, is that people are pretty lazy about how they choose passwords, and will generally simply use one or just a small number of select username/password combinations for just about every service they sign up for online. Often, they are lame passwords.
I have a nice “new user” form at work that I give to new employee to solicit information — including the selection of a password. It has a succinctly stated list of “Do’s and Don’t’s” for password selection. Yet, at least three quarters of these forms are returned to me with a password I could have guessed if I knew anything about the person. A child’s name, a dog’s name, etc.
On top of that, many financial institutions don’t help much by instating a policy of defaulting username to your social security number. A piece of information that’s become way to easy to attain.
Now consider your potential exposure. Perhaps, you are among the few who are meticulous about choosing and setting cryptic passwords and you are well setup. Perhaps not. How might you answer some of these questions:
- Do you use any passwords that are simple words or proper names?
- Do you use the same passwords at many sites?
- Do you use the same password at a financially-sensitive site such as a bank, credit card company, etc., that you have used elsewhere — ie, in a chat forum account?
- Do you use your social security number to login to any websites?
- Do you use the same password for a number of different financially sensitive sites, like at your bank, credit card and home loan companies websites?
- Do you use the same password at work that you use for personal accounts?
If you answered yes to any of these, consider your exposure. One certainly hopes they would not be the victim of identity theft, but if you were, how exposed are you to quick damage? Say your boss hires a seedy con-man by accident in the IT department who grabs a copy of the password and personnel files out of the DB. He’s got your social and your password. Could he get into your bank account online and empty it? Could he get into all your accounts and mess with them? Could he get into your gmail account and reply to confirmation emails on your behalf? Those are just examples, but I think you see what I’m getting at.
So why are we in this position? Why do we choose bad passwords? Convenience. We want to get into that online service when we want to where we want to without requesting a password reminder, or racking our brain to remember what the heck we used as a username — so we keep it simple and use the same thing over and over.
So, “What do I do?”, you say. Or maybe your just saying, “Greg, stop blabbing and remember you titled this post ‘Concrete steps…’”. I recommend you develop a personal password strategy. If you have a simple systematic way of choosing different but similar passwords, you can reduce your exposure and still remember your login credentials. Mind you, my recommendations are not going to be those of a high-security, paranoid freak. Security has to always be in-balance with convenience. Here’s some steps to take:
Step 1: Business, not pleasure
Do not intermingle passwords used for work with those used for personal data. Period. Nothing at your work is private. Certainly some companies are better than others, but don’t trust your employer to safeguard your information. Don’t conduct any personal business and correspondence using your work email address, as well.
Step 2: The One-off Account
There’s a benefit to having a simple, easy to remember generic account that you use for “one-off” type logins for sites that will not contain any important info about you. Example of where you would use this type of account would be:
- Posting a comment on a weblog or online forum
- Signing up for a software update download at a manufacturer that requires login
Basically, the worst that could happen if someone stole this login information from you would be to embarrass you online. Therefore, a simple, easy to remember and, more importantly, easy to type username/password combo is fine for these type of circumstances. Then when you return to, say, download the updated printer driver 6 months later and are asked to login, you have a pretty good idea what to use as a login.
Step 3: The Productivity Account
You are probably already using at least one online service that you use regularly and rely on that either that stores a lot of data that is important to you or somehow uniquely identifies you to an online community. If you are not yet, it’s likely you will be soon. By far, the most common thing in this category is online email and instant messaging. Yahoo! Mail, Gmail, Hotmail, etc. You may well also use online calendar tools, run a weblog, have .Mac accounts, etc. that contain some combination of personal and public data that you are in control of and that is important to you.
This is an interesting category, because convenience is important. In fact, most of these services address that by carrying a single set of login credentials across a wide array of services — like Yahoo!
For this category, I recommend you also pick a simple username that is consistent across services, but also use it in combination with an “good” password, which you change on a periodic basis. By “good” password, I mean a difficult to guess non-dictionary password. Make it something you can remember, but mix in some odd-capitalization or puncuation, like take your dog’s name, “Maxie” and make it “m@x!e,” etc.
Changing a password regularly is a generally good security measure, especially for a service like this where you might log in on a friends computer, or a public terminal which might be infected with a key-watcher or something, or otherwise leave behind a trace of the password. Since you use these accounts regularly, remembering a changed password isn’t such a big deal.
Step 4: Online shopping
Online shopping is increasingly prevalent, and more and more online retailers are trying to make it easier and easier for you to shop with them. Some would probably disagree with my recommendations for this class of services, but here’s what they are:
- Do not register for accounts with online retailers, unless you do a lot of business with them. Many online shops prompt you to setup an account, which will store your shipping info and often your credit card info, for future use. Almost all of these have a “not now” option on these pages that’s lets you make your purchase without setting up such an account. Go this road.
- For cases where the above doesn’t work for you, have a standard commerce login/password that is different from your other logins. Don’t try to use different ones at different stores, you’ll never remember them.
While you do carry some exposure here, it’s minimized by the protections provided by your credit card. Someone might get your login, and go on a shopping spree at several online retailers, but you would have some recourse on the fraudulent charges.
Step 5: The $$$ and stuff
Lastly, we have the class of services which require special treatment, such as those which contain financial, insurance and other sensitive personal information.
First thing to do with these accounts, is change your username if it was defaulted to your social security number. It may not be possible, but most sites that use that default will allow you to override it and select an alternate username.
Second, use a different “good” password for each service. “But I can’t remember all those passwords,” you say? Come up with a system for “same-but-different” passwords that you’ll be able to remember. For example, pick an obscure string for a base password, like “A!A@”, then append a prefix or suffix to it specific to the service, like maybe the first three characters of the institution’s name, so an account at “Citibank” would have a password “A!A@CIT.” This way, if one of your passwords is divulged in a hack attack, it won’t compromise accounts elsewhere.
Third, always LOGOUT from these services when you are finished using them, don’t just rely on your session to timeout. If there’s a “LOGOUT” link, click it!
Conclusion
What I’ve outlined above is a manageable strategy for protecting yourself online. I know I didn’t cover all the bases, but hopefully I at least got you thinking about it. My approach may not work for you, but try to think of one that does! We all like to think we’re smart enough not to fall for the latest greatest phishing scheme, or get infected with the latest worm, but in reality, we’re not…so if you take a few steps such as I’ve described you can at least decrease your exposure to severe harm.
Briefly, a couple of final “best-practices” notes for you:
- Be careful about what you let your browser do for you. Tell it not to remember passwords for higher security sites, even on your home computer.
- When using a computer other than your own, always remember to logout of sites you login to. You don’t want the next person walking up to the computer to be automatically logged into to your blog when they open the browser.
December 1st, 2005 at 12:22 pm
On 12/1/2005, Greg Pierce said:
>What I’ve outlined above is a manageable strategy for protecting
>yourself online. I know I didn’t cover all the bases, but hopefully I
>at least got you thinking about it. My approach may not work for
>you, but try to think of one that does! We all like to think we’re
>smart enough not to fall for the latest greatest phishing scheme, or
>get infected with the latest worm, but in reality, we’re not…so if
>you take a few steps such as I’ve described you can at least decrease
>your exposure to severe harm.
Excellent recommendations all, Greg!
In the quoted paragraph you mentioned Phishing, but only briefly.
That’s probably the most important topic you didn’t cover.
My brother is an eBay afficianado, and recently received an email
phishing for his password. It looked, acted, and felt exactly like a
real email from eBay. It even included the line that says, “we’ve
included your official ebay username so that you know this is really
from us.” He realized, just in time, that his username wasn’t actually
there (they said it was, but it wasn’t.)
My point is just that phishing is the number one way for people to
steal your passwords. If you get an email from a financial institution
with whom you do business, do NOT click any links. There’s a very good
chance you’ll end up at a website with a URL similar to your bank’s,
and which look’s identical to your bank, but is actually being run by
thieves.
That’s the whole tip, in fact. Just don’t click the links! Use your
bookmarks, or type in the bank’s (or ebay’s, or paypal’s, or whatever)
url.
My wife works for a super-tiny bank here in SE Connecticut. The
big-dogs in the industry do more business in an hour than this bank
does all year… yet we’ve both received phishy emails from scammers
who set up a clone site. (This really freaked out the bank officers, as
they were hoping they’d be safe because of their miniscule size.)
Seth
December 1st, 2005 at 3:02 pm
On Dec 1, 2005, at 12:22 PM, Seth Dillingham wrote:
> Excellent recommendations all, Greg!
Thanks.
> In the quoted paragraph you mentioned Phishing, but only briefly.
> That’s probably the most important topic you didn’t cover.
Well, it was getting pretty long. I want to do a couple of
additional installments — the next will deal with more specific
threats, like phishing. I totally agree. Don’t click on email links!
g.
December 1st, 2005 at 7:44 pm
And via Cryptogram:
"New Phishing Trick
Phishing schemes are all about deception, and recently some clever
phishers have added a new layer of subterfuge called the secure phish.
It uses the padlock icon indicating that your browser has established a
secure connection to a Web site to lull you into a false sense of
security. According to Internet security company SurfControl, phishers
have begun to outfit their counterfeit sites with self-generated Secure
Sockets Layer certificates. To distinguish an imposter from the genuine
article, you should carefully scan the security certificate prompt for
a reference to either "a self-issued certificate" or "an unknown
certificate authority.""
Bruce doesn’t think users will check certificates
Great review though, Greg.