As the Internet has evolved, companies are finding new clever ways to track and profile you. Rather than explain the risks of advertising systems, web-bugs, etc., would you believe me if I told you it's bad? If so, here's what to do:
Of all the browsers out there, Firefox has the best combination of built-in protection for both security and privacy. It's open-source and not designed to favor one operating system or company over what should be its primary function: web browsing. Little by little Firefox has gained built-in phishing and malware protection, a "do not track me" function (though you have to turn the option on yourself — click here to see how), and multiple privacy options like "private browsing" and easy clearing of history and cache.
Use an ad-blocker
This advice at times causes some controversy, but let me summarize by saying that online ads are too often careless and abusive. Not only do they steal your attention and increasingly hide in the content (e.g., Native Advertising – a new branch of marketing focused on masking ads as actual content), but they are also a vector for viruses and privacy-invading web bugs and trackers.
Finding a blocker is as easy as searching for "adblock [name of browser]" in a search engine, but here's a direct link to the Mozilla plugins page for one of the most popular versions (Mozilla created and maintains Firefox).
Other plugins I recommend are HTTPS Everywhere and Privacy Badger.
Both are made by the Electronic Frontier Foundation (EFF) – a non-profit consumer group dedicated to protecting your privacy rights online. There are surely tons of other interesting ones out there (or that will be released in the future), but for now, these are the basic ones I use and recommend.
There are several reasons it's good to use more than one web-browser on your computer:
- There are times that websites just don't like certain browsers — or the various plugins that are working hard to prevent abuse and intrusive nonsense may cause a website to fail. If it's an important website, you can try disabling or putting in exceptions on your plugins one at a time until it works or diagnose what other problems there might be, but it's usually faster to load the site in a second browser instead.
- Certain kinds of hacks and privacy-invading technologies (cross-site scripting, web bugs, fingerprinting, etc.) depend on you browsing the Internet in the same browser you use to log into your email, bank, or social sites. By using one browser for any account requiring a sign-in and another for regular Internet browsing, you can reduce these threats.
- Activity separation. There's a growing trend of people using different browsers or profiles for keeping work and hobbies separated which makes sense when you have open tabs running in the 20s (or hundreds).
I once recommended Firefox and Chrome for this purpose, but Chrome has always been iffy when it comes to privacy, and in 2019 there were signs they would implement changes to cripple ad-blocking. There are actually tons of options out there, but of the simplest to use and best supported, your best arrangement will be Firefox and Opera (the EFF plugins work for both browsers and Opera has built-in Adblock).
Private, Incognito, and various other forms of the same thing are a way to open a browser window that won't remember any history, cookies, cache, or other record of where you went or what you did. Of course you're not invisible to the websites you interact with (especially if you log in), but it does prevent your data from being exposed on the computer you're using. Here's why that matters:
I once gave an OPSEC briefing at an Air Force conference in Florida. Between sessions, I noticed there was a set of common-use computers set out for people to check their email and such. After waiting my turn, I sat down and tried opening Facebook. As I expected, I was in some poor Airman's account and could have done anything from simply embarrassing him to putting his clearance and job at risk.
It's really easy to forget to log out when using someone else's computer which is why private mode is awesome. Here's how it works:
- Right-click the browser icon on the taskbar and select "New private/incognito Window" (or if that doesn't work, check out this handy guide from HowToGeek on opening private browsing in any browser).
- Verify in the new window that you're in super-secret-spy mode and then open your email, social sites, or print your airline tickets like normal.
- When done, CLOSE ALL PRIVATE BROWSER WINDOWS AND TABS completely.
Fun fact: If you borrow a friend's computer to load email or social pages that your friend also uses, you don't have to log them out first because the browser treats a private session as completely separate.
Because your activity was confined only to short-term memory, anyone who opens the browser later or tries to find sensitive information in the history or system files won't find any. Just be aware that any public-use computer is risky due to the possibility of viruses or keystroke loggers, but if you determine it's necessary to take the risk, you're still better off using private mode.
Warning! Sometimes the best option to keep your information safe requires using non-factual information. Though it's solid security (and can be quite entertaining as well), I can't possibly advise you on the consequences of doing so for every situation. It is your responsibility to determine the legal, moral, and/or ethical repercussions of applying any of the below advice. Use your head, tread carefully, err on the side of caution.
- If a site wants your birthday, ask yourself why? If the goal is age verification, they don't need YOUR birthday; they need A birthday that verifies you're old enough.
- Some people like that old friends can find them on Facebook, but if you're not using it that way, why use your real name or picture? Facebook works just the same with fake information as real and considering their long and documented history of abusing your information, it's probably not a good idea to offer it up so easily.
- When you're setting up an account, you may not have to fill every field. Try clicking the submit button without entering anything and it will highlight the minimum required fields. For any data where you can't identify a specific reason they need it, fake it or find another site instead.
So what about those challenge questions? If I know your mother's maiden name and your first pet's name, I can unlock your account, but no one knows that but you, right? Except maybe for the family and friends I already talked about who are a risk. And there are all those other websites you gave the same information to… and the employees that work for them, the businesses they share data with, or possibly the rest of the world if they have a data breach.
Fake answers work just as well and can be changed to new fake data later (unlike true answers). In my encrypted file, I keep a list of the websites I care about the most, what password I used and what fake data I use in case I need it later. Though I can't counsel you on the legalities of faking challenge questions or other information, I can assure you that the challenge question system is weak and easily abused (just ask former President Obama and singer Britney Spears, whose Twitter accounts were "hacked" by a French man who simply reset their passwords by answering the challenge questions).
It's time to stop ignoring the advice you've heard everywhere about not using the same password everywhere. I know it's a pain, but it's necessary. That's not to say there aren't a variety of ways to simplify the problem.
Though you could create unique passwords for every site and keep the information safe in an encrypted password file, one trick is to use password levels. For this, you use a simple name/password pattern for sites you truly don't care about – ones that aren't attached in any way to your money or reputation. For example, you could use the first four letters of the website and then append a math equation like so:
- http://www.somesite.com : Some3+4=7
- http://www.nothersite.com : Noth3+4=7
- http://www.thelastsite.com : Thel3+4=7
Because the pattern is easily understood if viewed, you wouldn't use it for important sites like your email, banking, or job-search sites unless they have the option of two-factor authentication. 2FA (for short) is becoming far more common because it's just too hard to make and use good passwords everywhere. Instead, if you use a password AND a code that's texted to your phone or secondary email, hackers are far less likely to get in. Maybe you don't need to bother for low-importance sites, but for ones that matter, always enable 2FA if you can.
Another technique is to use password managers. These tools will create and store complex passwords for you and even autofill sites you visit with your login information. There's a limited form of this built into most web browsers already, but there are paid options as well (which have the advantage of making passwords available on both your computer AND phone for example while a browser password manager is only good for the computer it's installed on). When choosing a password manager, make sure they encrypt passwords on the device before storing online so your passwords aren't exposed outside of your control. Also be sure you understand the process for recovering access if you forget or lose your master password.
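Why the word+math pattern has to stay away from important accounts, shown as an added example (not part of the original article): once the site-name prefix is stripped, every password collapses to one shared secret. The vault contents, the two `.example` accounts and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: the three pattern passwords from the list above,
# plus two hypothetical accounts on the reserved .example domain.
VAULT = {
    "http://www.somesite.com": "Some3+4=7",
    "http://www.nothersite.com": "Noth3+4=7",
    "http://www.thelastsite.com": "Thel3+4=7",
    "https://www.mybank.example": "Myba3+4=7",
    "https://mail.example": "k7#Tq9-vzR2!mWx4",
}
IMPORTANT = {"https://www.mybank.example", "https://mail.example"}

def site_prefix(url, length=4):
    """First `length` letters of the site name, e.g. 'some' for www.somesite.com."""
    host = urlsplit(url).hostname or ""
    labels = [p for p in host.split(".") if p and p != "www"]
    # Assumption: the site name is the label just left of the last one.
    name = labels[-2] if len(labels) >= 2 else "".join(labels)
    return name[:length]

def shared_secrets(vault):
    """Map each leftover secret to the sites sharing it (two or more)."""
    groups = {}
    for url, password in vault.items():
        prefix = site_prefix(url)
        if prefix and password.lower().startswith(prefix):
            secret = password[len(prefix):]  # what is left is the same everywhere
        else:
            secret = password                # plain reuse is caught the same way
        groups.setdefault(secret, []).append(url)
    return {s: sorted(u) for s, u in groups.items() if len(u) > 1}

def important_at_risk(vault, important):
    """Important accounts whose password shares a secret with other sites."""
    flagged = set()
    for urls in shared_secrets(vault).values():
        flagged.update(u for u in urls if u in important)
    return sorted(flagged)

if __name__ == "__main__":
    for secret, urls in shared_secrets(VAULT).items():
        print(len(urls), "sites share one secret:", urls)
    print("Needs a unique password and 2FA:", important_at_risk(VAULT, IMPORTANT))
```

Any account listed by `important_at_risk` is one that a single exposed low-value password would put in reach, which is the case for moving it to a unique password with 2FA.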
Avoid cross-site login
Sometimes instead of making a new account, a website will let you log in with Facebook or Twitter or some other website's information, but how do you know that form is actually doing what it says and not harvesting your logins and passwords? Who runs the site? Was it coded properly? Is your information exposed or stored in the process? There are many questions, all of which you can avoid by not giving up your login information.
That said, if the company really does have a partnership or is owned by the other, making a new account would be a waste of time. To find out, open a new tab and log into whatever service they said they're affiliated with, then go back to see if you're already logged in. For example:
- When you click "login" on Youtube, it redirects you to a Google login. What's Google trying to pull!?
- Assuming you already have a Google account and want to get into Youtube, don't enter it in the form provided. Instead, open a new tab and go to Google directly.
- Log in then go back to the other tab and go back to Youtube's main page. You'll see that you're already logged in.
It works because Google owns Youtube, but if it hadn't, there's no reasonable way to know if it's safe. Never enter a password to a website unless you're actually on the website the password belongs to.
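The "are you actually on the website the password belongs to" rule can be written down as a check on the address bar, given here as an added example (not from the original article). The function name and every sample URL other than the real Google host are constructed for illustration.

```python
from urllib.parse import urlsplit

def check_login_url(url, expected_domain):
    """Return (ok, reason): is `url` really served from `expected_domain`?"""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    # .hostname drops any 'user@' part and the port, and is lowercased,
    # so only the part the browser actually connects to is compared.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label, look-alike characters possible"
    expected = expected_domain.lower()
    # The expected domain must be the END of the host, on a dot boundary.
    if host == expected or host.endswith("." + expected):
        return True, "host is " + host
    return False, "host is " + host + ", not " + expected

# Constructed samples: one genuine login page and four that only look like it.
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.signin.example/",
    "https://accounts.google.com@signin.example/",
    "http://accounts.google.com/signin",
    "https://xn--constructed-label.example/signin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_login_url(url, "google.com")
        print("ENTER PASSWORD" if ok else "STOP", "|", url, "|", reason)
```

Only the first sample passes; the others put the familiar name in the path, subdomain or username part, where it has no bearing on which site receives the password.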
Credit and debit cards
For the most part, you're covered under a federal law that limits your liability for unauthorized transactions, but only for actual credit cards. Banks have the discretion of whether to protect your debit cards at the same level or not, so it's best to do your research or make most payments with a credit card if you can. The liability protection is strong enough that you don't have to be too careful (and are actually better off using credit cards for payment online), but it's still good not to be careless. Click here to read some ways to keep your credit card information out of the hands of bad guys.
- Download and install Firefox and Opera. Choose one for account logins and the other for open browsing. Note that some websites are so closely tied to browsing (Reddit, Pinterest, etc), it probably makes more sense to log into those in your browsing browser. That's ok. The more you segregate accounts needing a password, the better, but it doesn't have to be 100% for you to be safer.
- Click the links above in each browser to load up with adblock, HTTPS Everywhere, and Privacy Badger for both browsers. Note that Opera has a built-in adblock function so you can skip that part.
- If you've never opened private mode in a browser, do it now. Knowing how to do so from the taskbar (right click -> choose private mode (or similar) from the menu that pops up) or the menu (varies by browser) is important for when you're on someone else's computer at the least.
- For your most-used and most important accounts, review the passwords, challenge questions, and 2-factor authentication options. Always choose 2-factor if you can. Otherwise, make sure the challenge questions aren't easily guessed by people that know you. If you don't have a better system, use a word+math combination password system to make your passwords more secure than they are now.
Whew! Almost done!
Course Guide for: Goodbye Identity Theft
The best defense against non-credit ID Theft and a variety of other risks is to adopt a mindset of protection: Data Defense. Learn how to protect your information with simple and sometimes free countermeasures all based on a simple philosophy that the fewer people who have your information, the safer you are.