
Final Comments

Some of the above advice may seem rather extreme to those who aren't security geeks. Feel free to use whatever advice you think is best for you. But understand this: everything I've mentioned above is born of actual events. It's all happened before. These threats are all fairly easy to prevent; some are pretty unlikely in the first place, but some are difficult or impossible to mitigate once they occur. The time to safeguard is before something happens.

I can assist with pretty much everything you've read above. Or contact your favorite I.T. or security pro to help you.

Password Hygiene

This is the biggie. Here are my five recommendations for good password security. These are all important, but the first two especially so.

1. Passwords must be unique. You don't want a cybercriminal logging into your bank or Amazon account because you reused the password from some other web site that got hacked. Yet this happens all the time. If you use a unique password for every account and website, any password breach is limited to that one breached account. And it's not enough to just put a "1" at the end of your favorite, use-everywhere password.

2. Passwords must be long. Today's best passwords are a long string of uppercase letters, lowercase letters, and numerals. At 20+ characters, you can do without special characters unless a website requires one. Non-complex passwords are easier to type, even if they are longer. My passwords are all 20+ characters long, depending on what the web site allows.

3. Use a Password Manager. We are long past the era when people needed to commit their passwords to memory. You should be using a password manager to do the remembering. And I don't mean putting them in your contacts, either! All major browsers, iPhones, and Android phones have their own password managers baked in. Use them!

Caveat: Password managers that are baked into the browser won't work with any other browser. If you use only one browser, such as Google Chrome, that's not a big deal. But if you like to have multiple browsers installed, as I do, and if you want your passwords to sync between them, then you'll need a 3rd party password manager that is browser agnostic, such as 1Password.

Another benefit to a password manager, either baked-in or 3rd party, is that it can detect a bogus, look-alike web page asking for credentials and refuse to provide them, because it only offers a saved password on the exact website it was saved for. You, silly human 😁, might easily be tricked by sophisticated and convincing (but bogus!) password prompts. But your password manager won't be tricked.

There are lots of 3rd party password managers. Here's a PC Magazine article outlining several. No, they aren't free. But the few dollars they cost are well worth the added protection you'll receive, since you'll now be using strong and unique passwords. But, again, if you use only one browser, then you can simply use its free built-in password manager.

4. Fib when setting up your security questions. Most websites automate the "I forgot my password" self-recovery feature. When you first create an account, at your bank for example, you'll often be asked to provide answers to a menu of questions like your mother's maiden name, the street you lived on when you were a kid, the name of your first pet, the name of your high school, stuff like that. Problem is, a lot of that information is discoverable online, either through social media or from Big Data (more on that below).

But if you provide fake answers to these questions, then no one else can use the actual truthful answers to reset your password and gain access. Of course, you must write down those questions and the fake answers you give in the dedicated password spiral notebook that you should have as a backup to the password manager.

5. Use Two Factor Authentication (2FA) when available. 2FA is when, logging into an account that's 2FA protected, you type in a numeric code that's texted to your phone or, better yet, displayed by a code-generating app like Google Authenticator (see the SIM swap discussion below for why texted codes are the weaker option). The idea is that even if a criminal figures out your password (like from a breach), they will then hit the second-factor roadblock. No phone, no code, no access! Rather than waste time, they'll usually move on to the next victim. It's not perfect, but it goes a long way toward securing your account.

Some services, like Gmail, let you trust your commonly used computers and devices so you aren't pestered for a 2FA code each time you log in. But a login attempt from an untrusted computer, like a criminal using an internet cafe in Bangladesh, will prompt for the code -- and that's the protection. You can think of the 2FA code as a second, randomly generated password.

We've long since hit "peak password" -- the flaws are that obvious and glaring. Best security practices are, albeit very slowly, moving away from passwords. One approach is using the 2FA code as the primary, and only, passcode, with various options for what to do if you lose your device.

Never store passwords in your phone's contacts or address book.

More on passwords here.
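As an added worked example (Python written for this article, not code from the original page), here is what recommendations 1 and 2 look like in numbers: it computes the entropy of the password styles compared above, generates a 20+ character alphanumeric password from the operating system's random source, and flags the "just put a 1 on the end" reuse pattern. The policy labels and sample passwords are constructed for illustration.

```python
import math
import secrets
import string

# Alphabets for the two styles the section compares: long alphanumeric
# (no special characters) versus shorter passwords that add specials.
ALNUM = string.ascii_letters + string.digits       # 62 symbols
WITH_SPECIALS = ALNUM + string.punctuation         # 94 symbols


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of the given
    length drawn from an alphabet of the given size: length * log2(size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALNUM):
    """Build a password from the OS CSPRNG (the secrets module), never
    from random(); refuses anything shorter than 12 characters."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _stem(password):
    """Strip trailing digits/punctuation and case, so 'Summer2023!' and
    'summer2024' share the stem 'summer'."""
    return password.rstrip(string.digits + string.punctuation).lower()


def is_trivial_variant(old, new):
    """True when `new` is just `old` with a suffix such as '1' or '!' added
    or changed, i.e. the reuse pattern the section warns about."""
    if old == new:
        return True
    stem_old, stem_new = _stem(old), _stem(new)
    return bool(stem_old) and stem_old == stem_new


def compare_policies():
    """Entropy (rounded to 0.1 bit) of the policies discussed: short and
    'complex' versus 20+ characters of plain letters and digits."""
    return {
        "8 chars, with specials": round(entropy_bits(8, len(WITH_SPECIALS)), 1),
        "12 chars, with specials": round(entropy_bits(12, len(WITH_SPECIALS)), 1),
        "20 chars, alphanumeric": round(entropy_bits(20, len(ALNUM)), 1),
        "24 chars, alphanumeric": round(entropy_bits(24, len(ALNUM)), 1),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:>24}: {bits} bits")
    print("sample 20-char password:", generate_password(20))
    print("Summer2023 -> Summer2024! is a trivial variant:",
          is_trivial_variant("Summer2023", "Summer2024!"))
```

The 20-character alphanumeric password comes out near 119 bits, well above the roughly 79 bits of a 12-character password that leans on special characters.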

Security 101

Staying safe and maintaining privacy these days is difficult, to say the least. Nearly everyone is trying to get your data -- the more sensitive the better.

So here's an article that offers an overview of many things that'll help keep you safe and secure online, keep your computer and data safe, and keep your privacy maintained. Well, at least better than it would be otherwise. We'll discuss a dozen-plus topics and go into some detail about each.

There are also some links to further reading in some of the topics.

I've arranged these more or less in order of importance, so you ought to do the higher-up things first. But, really, it's all important.

I mean, anything you can do to reduce the already significant chances of being swindled, having your private information breached, etc. is worth doing, yes?


Freeze Your Credit

One of the main reasons that identity theft happens is to establish credit in the victim's name. But freezing your credit file fixes that.

Forget LifeLock and other credit monitoring services. They are expensive and unnecessary. You can easily freeze your credit yourself with all three major credit bureaus at no charge. Why is this important? When your credit file is frozen, potential lenders cannot examine your creditworthiness. So if a bad actor tries to get credit in your name, the lender they applied to cannot access your file. Application denied.

When you need to open a new line of credit, such as getting a car loan, applying for a mortgage, or a credit card, then you can temporarily lift the freeze for, say, 15-30 days. Then you can apply for the needed credit. The freeze is then automatically reapplied when the temporary lift expires.

Credit freezes have been around since the mid-aughts yet only around 17 percent of Americans have frozen their credit file. It's pretty dang disappointing that 83% of us aren't taking advantage of this free and extremely effective service. Don't be one of them.

Here are the links to freeze your credit file with the three major credit bureaus:

     Equifax, Experian, TransUnion

Backup Your Data

If you have locally stored data, such as pictures, videos, your taxes, and other important files, then you need a backup system to protect against loss.

Security software, like what is included with Windows and Mac, may help* protect you against malware, but it won't protect you from data loss due to fire, flood, theft, equipment failure, or even your own carelessness. For that, you need a data backup system. There are local solutions and cloud-based solutions, each with their own pros and cons. The time to back up is now, before data loss occurs.

* Nothing is bulletproof. Having a backup may be the only way to recover from a ransomware infection.

Local solutions (external storage devices) are cheaper over the long run, are much faster, and, with the right software, will back up everything, including the operating system, data, applications, and all your settings.

Cloud solutions cost a lot more over the long run (they are subscription-based), take longer, especially for the first backup, and may not save every file. But depending on your use case, there may be reasons to consider a cloud-based backup as a secondary backup system.

More on data backup.

Secure Your Laptop

Laptop theft is rampant because it's so easy to pull off. A Kensington survey found that as many as 1 out of 10 laptops will be stolen during their lifetime. Gartner, a well-respected tech research firm, found that a laptop is stolen every 53 seconds. Whatever numbers you read, the takeaway is the same: lots of laptops are stolen every year from airports (especially in the security screening area), cars, offices, and public places.

Laptop data security is an absolute must. Just having a login password won't cut it, either, because any half-competent criminal (or an I.T. guy like me) can bypass that. Full disk encryption (such as BitLocker) combined with a strong password and an aggressive lockout policy is the solution.

And don't think that having no user data on your laptop protects you. All your website bookmarks and stored passwords are (likely) on the laptop as well. And that's okay; stored passwords relieve you from having to remember passwords, so they can be unique, longer, and more complex, which is a very good thing. But those stored passwords also let a criminal access your online accounts with ease. Full disk encryption fixes that.

It's bad enough if a laptop with your personal info is stolen. But what if the laptop has sensitive client information on it? Or access to sensitive online accounts that contain such information? That could be a ruinously expensive, extinction-level event for your company. Upward of 60% of companies, usually smaller ones, that experience a severe data breach are bankrupt within six months.

Laptop theft is just one of many ways that data can be breached. By properly securing your laptop, you eliminate that particular way as a possibility. Sure, you might lose the laptop. But that you can deal with. Loss or compromise of data is way worse.

The good news is that if your Windows laptop was purchased within the last few years, then it likely already has BitLocker enabled. Don't just assume it, though: running manage-bde -status from an administrator Command Prompt reports the protection status of each drive.

Multiple Email Identities

Using separate email addresses, just like using a unique password, can help protect you if a website password database is breached. I know, I know, I can hear you now... Unique passwords are already a pain. But unique email addresses, too!? Seriously??

But there's an elegant solution if you use an @gmail.com email address.

Gmail has a little-known yet incredibly useful email alias feature that lets you create special-use alias email addresses for certain online accounts. If you use a unique Gmail alias for each of your sensitive accounts, then when some other website is breached (usernames and passwords stolen), the bad guys will never learn what your aliases are. So they can't try to log in as you even if they sussed out the password.

How is that?

For your bank account, consider this sample Gmail address: johndoe+chase@gmail.com. The portion after the plus sign, +chase, is the alias. You can make the alias whatever you want: +PNC, +Chase, +BOA, or even a random silly word that pleases you. (The + must be the first character of the alias.)

Email sent to that address resolves to the root address johndoe@gmail.com and will land in the same inbox. If you use that alias for your bank login only, then no other web site will know it. So if some other website gets hacked, the bad guys won't know your bank alias, even if they know your root email address. Cool, huh?

The alias feature is already turned on and available to all @gmail.com addresses.

Here's how to set it up:

  1. Log into whatever existing account you want to protect with an alias, like your bank.

  2. Think up an alias such as +chase or whatever. Your email address just for this bank account becomes johndoe+chase@gmail.com.

  3. Go to your profile settings for your bank and change your login email address. It's probably in the same place where you'd change your password, phone number, etc.

  4. You'll probably have to confirm the new email address. That confirmation will be sent to johndoe+chase@gmail.com and a warning might be sent to the original address, too. Since +chase is just an alias, then those emails will automatically land in your regular johndoe@gmail.com email inbox.

You should repeat this for all your important accounts, giving each one its own alias. For less important accounts, you can use your root email only. Note that some websites won't let you use a + symbol in your email address, so that trick won't work for them. But most will allow it. I make extensive use of this feature, even for non-important accounts as a tracer, of sorts, to see how my email address gets shared.

Another cool use for aliases is that you can create a filter that gives email sent to a particular alias special processing, e.g., bypass the inbox, or mark it bright red to get your attention.
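As an added example (Python written for this article, not part of the original page and not Gmail's own code), here is the alias mechanism and the tracer idea from the two paragraphs above in code: it splits a plus-addressed address into its root and alias, then labels each inbound message by whether the alias was used by the party you gave it to or by someone it leaked to, which is exactly the decision a filter rule would act on. The sender domains and sample messages are constructed placeholders, not real institutions.

```python
import re

# Constructed sample data for this example: the root address the section
# uses, plus each alias you handed out and the one sender domain that
# should ever write to it (placeholder domains, not real institutions).
ROOT_ADDRESS = "johndoe@gmail.com"
ALIAS_OWNERS = {
    "chase": "example-bank.com",      # alias given only to the bank
    "acmeshop": "acme-shop.example",  # alias given only to one web shop
}

# local part, optional +tag, domain.  Gmail treats everything between the
# first '+' and the '@' as the alias and delivers to the root address.
_ADDR_RE = re.compile(r"^([^@+\s]+)(?:\+([^@\s]*))?@([^@\s]+)$")


def split_alias(address):
    """Return (root_address, tag) for a plus-addressed address, e.g.
    'johndoe+chase@gmail.com' -> ('johndoe@gmail.com', 'chase').
    An address without a '+' yields tag None.  Case is folded because
    Gmail addresses are case-insensitive."""
    m = _ADDR_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not a usable address: {address!r}")
    local, tag, domain = m.groups()
    return f"{local}@{domain}", tag


def sender_domain(from_header):
    """Pull the domain out of a From header such as
    'Alerts <no-reply@example-bank.com>' or a bare address."""
    m = re.search(r"@([^@>\s]+)>?\s*$", from_header.strip().lower())
    if not m:
        raise ValueError(f"no domain in From header: {from_header!r}")
    return m.group(1)


def classify(to_header, from_header):
    """Label an inbound message by the alias it was sent to and who sent it:
    'root'                : sent to the plain root address
    'expected'            : alias used by the party you gave it to
    'leaked:<tag>'        : alias used by someone else, so that party shared it
    'unknown-alias:<tag>' : an alias you never registered
    'not-mine'            : some other root address entirely"""
    root, tag = split_alias(to_header)
    if root != ROOT_ADDRESS:
        return "not-mine"
    if tag is None:
        return "root"
    owner = ALIAS_OWNERS.get(tag)
    if owner is None:
        return f"unknown-alias:{tag}"
    dom = sender_domain(from_header)
    if dom == owner or dom.endswith("." + owner):
        return "expected"
    return f"leaked:{tag}"


# Constructed inbound messages (To, From) to run the tracer over.
SAMPLE_MESSAGES = [
    ("johndoe+chase@gmail.com", "Bank Alerts <alerts@example-bank.com>"),
    ("JohnDoe+Chase@gmail.com", "deals@bulk-mailer.example"),
    ("johndoe@gmail.com", "friend@example.org"),
    ("johndoe+newsletter@gmail.com", "news@somewhere.example"),
]


def triage(messages):
    """Run classify() over (to, from) pairs; the 'leaked:' entries are the
    ones worth a filter rule or a closer look."""
    return [classify(to, frm) for to, frm in messages]


if __name__ == "__main__":
    for (to, frm), label in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{label:24} {to} <- {frm}")
```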

Just another of the many reasons to use Gmail.

Disable Lockscreen Notifications

Most of us like seeing our text messages and other notifications while our phone is locked. Problem is, that's good for thieves as well. If your phone is stolen, especially if it was a targeted theft, a thief who knows or susses out your email address could be inside your online accounts in minutes, including possibly your bank accounts. How?

When you, or a bad guy pretending to be you, use the "forgot password" feature of most websites, one of the (several) self-recovery options is to send a one-time security code by text message to your phone. We've all done this; you know how it works. That code is how you prove your identity. If your phone is set to display text messages while locked, then that code is visible to anyone holding your phone. They can use the security code to reset your passwords and gain access to whatever accounts they want.

Imagine this: If I personally know or specifically targeted you and stole your phone, chances are pretty good I could be inside your Amazon account in less than five minutes and having lots of nice expensive laptops shipped to a mail drop or to your home and ready to be intercepted by me when the UPS guy drives up in two days. Or, better yet, gift card instant delivery (ka-ching!) and you'll never know this happened because once I'm in your Amazon account, I'll be resetting your password, changing the email address, and changing all your account recovery options to make it that much harder for you to regain rightful access. All without ever unlocking your phone. Wow! Who knew?

Disable that feature. iPhone and Android have settings to prevent showing text messages while locked, so you'll want to ensure that's turned on. In fact, it'd be wise to disable all lock screen notifications except maybe calendar alerts, but especially text messages.

Allowing personal content to show on the lock screen undermines the entire point of having a lock screen in the first place. My phone shows that a message is waiting, but not the contents.

Examine Statements

How often do you examine your credit card statements? Probably never? I'm guilty of that, too. But you should. A lot of fraudulent charges are purposely small dollar amounts that aren't likely to be noticed if all you look at is the outstanding balance. Worse, your credit card company is less likely to catch or flag small-dollar fraud. Although the likelihood is still small, you could be losing a couple of hundred dollars per year in small-dollar fraud. It's not at all common, but it happens.

Checking your statements is also a good way to make sure you aren't being overcharged for subscription services, paying for a service you no longer need and forgot about, or that a subscription service you cancelled is indeed still cancelled and didn't somehow reincarnate.

You should also check on any investment and brokerage accounts. It takes just a few minutes each month to check over your statements.

Lockdown Bank Accounts

If you don't regularly perform wire transfers or other large money transfers, call your bank and ask them to place a notice on your account to disallow any telephone-originated money transfer orders. Ask that such transfers must be made in person at a branch office. Same thing with any investment and brokerage accounts, especially if there's a local office that you can visit.

This is also important for the elders in your life. More on elder abuse here.

Minimize IoT Gadgets

IoT stands for "Internet of Things." This is when an everyday appliance or gadget becomes "cloud-enabled," like thermostats, refrigerators, coffee makers, door locks, garage door openers, kids' toys, and countless other things that never were before. It also applies to new things made possible because of the internet, such as Amazon Alexa and remote doorbell cameras.

These gadgets are often poorly designed, have crappy security, and, unbeknownst to you, may be recruited into a "botnet" that attacks other users and websites on the internet.

More on the security hazards of IoT gadgets.

Stop or Reduce Using Social Media ... yeah, right

We all know that social media can't be trusted. Zuck and other Meta executives should probably be in prison for the data crimes they've committed. But Meta (nee Facebook) isn't unique. All social media companies make their money largely the same way: monetizing your data.

Remember what I said above: When something is free, like pretty much all social media, you aren't the customer; you are the product.

I know very well you aren't going to curtail social media use, so at least be aware of how invasive they really are.

More on social media privacy here. There's tons more information just a Google search away.

And while we're on the topic of Big Data, let us not omit the huge data mining companies that you've probably never heard of. You know, household names like Acxiom, DataLogix, Epsilon Data Management, and Intelius, to name a few. Many of these Big Data companies have free opt-out features you can use. To the extent they offer these opt-outs, you should use them.

To see opt-out URLs for many Big Data repositories, click here and here.

Anti-Virus Software

Microsoft has finally beefed up the security for modern versions of Windows, especially 10 and later. Earlier versions of Windows, especially farther back (XP, Vista, 7), were a virus-infested hellscape. Virus remediation was one of the most frequent calls for support that I received. Not anymore, thankfully. In addition to a better security product included in Windows, the OS itself is less vulnerable to exploits than ever before.

These two improvements have made third party AV products pretty much unnecessary for casual users. If you still want a third-party product, then I recommend Malwarebytes, which is designed to work alongside Windows Security.

I do not recommend McAfee or Norton. If you bought a computer that came with one of those preinstalled, delete it. If you actually paid money for these, cancel your subscription, then delete it.

More on malware here and here.

Granting Unnecessary Permissions to Apps

Lots of phone apps ask for permissions they don't really need. You should deny those permissions. Here are three of the more sensitive permissions and what they can allow an app to do.

Access Contacts Permission

This permission is huge. You should never* grant this permission to an app. IMO, the contacts permission should never have been created in the first place. It's virtually impossible to use it ethically.

* The only apps that could rightly claim to need access to your contacts are email, the native dialer telephone app (not some 3rd party dialer), and calendar. Nothing else.

Wowzers! Why?


When you grant an app access to your contacts, you are allowing that app to read -- and upload! -- everything about those contacts that you have stored.

That could include the contact's...

  • Full name

  • Various phone numbers and types (mobile, office, home)

  • Various email addresses

  • Home and work physical addresses (to the extent you've stored that)

  • Profile picture and birthdate (if you have that stored)

  • Contact affinity grouping, e.g., family, friend, work associate, club, etc.

  • Any other random notes you may have included along with that contact

Make no mistake, it may be your address book, but it's filled with the personal information of other people. You almost certainly have not gained permission from any of your contacts, let alone all of them, to disclose their personal information to some random phone app you decided to download.

App makers and Big Data can use that information to create a comprehensive relationship graph among all the users of that app and of other apps as well. I cannot overstate how valuable that data is to app makers. And you, perhaps honestly not appreciating the gravity, provided it for free and without permission. You could possibly be personally liable if something bad came of it. Oof!

Each app's privacy policy should enumerate how they will use your contacts. But if time and experience have revealed anything, it's that a great number of app developers lie about their intentions. Or just (alas, accurately) expect that you'll never read those terms, thereby granting them permission to do what they may with that data.

Even if you did read the app's privacy policy (highly unlikely) and found that it promises not to share that data, that still doesn't give you the green light. You must have permission from everyone in your contacts to ethically allow that permission.

Sidebar: This is exactly why it's bad netiquette to send an email to a large group of people without using the BCC (blind carbon copy) feature. This is especially true if the recipients don't already know each other.

If you already gave contacts permission to an app, then go and remove it now. You can google how to do that. Yes, that damage was done and cannot be undone. But at least you can prevent any further sharing. That might make the app less convenient to use. Sorry about that, but you'll just have to cope. The data in your contacts is not yours to give.

I suspect the above may never have occurred to you. It quite likely never occurred to anyone. It's an obscure secondary consequence that no one even knows to think about.


But now you know 😊.

Location Permission

Some apps, like Google Maps, work far better when they know where you are. But for most location-aware apps, like shopping apps for local stores, weather apps, etc., just knowing your city or ZIP code is usually sufficient. Granting location access to an app allows that app to track your whereabouts in real time. From that, a digital breadcrumb trail is established, giving the app maker bucketloads of incredibly valuable, and likely sensitive, information.

If you grant location permissions to an app while at home, then the app maker can quickly determine who you are, even without you disclosing that or signing up. Once the app knows who you are, it can suss out a lot of extremely valuable information about you as you move about. No, thank you.

You should be very cautious and wary about granting location permission. As a rule, I deny location permission to everything except certain mapping apps.

Background Processing Permission

This permission allows an app to run in the background while it's not on your screen. It's not super-sensitive per se, but allowing an app to run in the background can drain your phone battery, especially if it's up to no good. Crypto-mining malware is a thing, and it'll eat up a phone battery like a six-year-old who finds the cookie jar. If you've also granted location permissions to that app, then it can track you 24/7.

Very few apps need background processing. You should disable that for most of the apps on your phone. Google for how to do that.


Add a PIN to your Mobile Carrier Account

Did you know that it's possible for someone to steal your mobile phone number? And once stolen, the bad guys will have access to all new incoming text messages, including those six digit security codes, making password resets a lot easier.

That's called "SIM swap fraud", and it is a serious breach since your phone is the focal point for many verification needs.

How does it work? Someone (the bad guy) calls your mobile carrier or visits your carrier's store and tricks* the employee into thinking it's you and says their phone was lost or stolen and needs to get a new SIM card (or eSIM) to assign to a new phone. Your legit phone stops working, and the bad guy now has your number on their phone. You can just imagine the headache that'll cause.

* If in person at a carrier's store, the bad actor might have a convincing fake ID or other documents. Via phone, the bad actor may have other personal information or otherwise play on the emotions of the agent to "please, please help." There have also been cases where the employee was in league with the bad actor, probably for a handsome bribe. Employee cooperation isn't common, however.

You can reduce the likelihood of this happening by setting up a carrier PIN or verbal code word. This isn't the same PIN used to unlock your phone. It's a separate PIN or code word that you'll be asked for before being allowed to make changes to your mobile account, especially SIM reassignments.

Depending on your carrier, you might be able to set up other verification methods, like requiring a harder-to-counterfeit government document such as a passport for in-store visits.

But whatever methods you choose or that are available to you, they must be in place before any SIM swap fraud happens, so you should get on this ASAP.


Dodgy and Excessive Phone Apps

I've visited clients whose phones were chock-a-block with apps, screen after screen. Although Apple's App Store is generally considered safer than Google Play, it's still not perfect. Apps with hidden malware have been discovered on both platforms.


Phone malware can do many things, including the ever-popular cryptocurrency mining, which can turn your phone into a pocket-sized hand warmer and slow it to a crawl.

It's best to keep your apps to a minimal number. Delete apps that you don't use at least once a month, and don't download new apps that have only a few reviews, even if those reviews are good. This is especially true on Android because Google Play simply isn't as careful or extensive in vetting new apps. I'm always reading about some new Android malware. Apple, too, but not nearly as often.


You can always download the app again if you need it.

Also, if you've allowed an app background processing permissions, it can eat up the battery and data plan faster. Review all app permissions and deny the permissions the app has no business having, especially contacts, location, and background processing. If the app refuses to function after that, then remove it and say good riddance.

Remember, if it's free, then you aren't the customer; you are the product. "There ain't no such thing as a free lunch." That's such an old saying that it's sometimes abbreviated TANSTAAFL. That free app wants something from you. The developer didn't create it from the altruistic goodness in their heart. If you aren't giving them money, then you damn sure are giving them data. And often both.
