Wednesday, October 19, 2016

Being Online: Wolf in Sheep's Computer - DRAFT


Even technologists such as myself are not immune to hackers.  Two of my credit cards were replaced because of the back-to-back Target and Home Depot hacks.  I’ve avoided outright fraudulent purchases and identity theft but I know folks who've succumbed to these. The essential rule for safely browsing online is: perseverance. With new technology come new tricks that protect your modern, online browsing. Gone are the days of simply installing anti-virus and changing your passwords. I’m sharing some of these latest tricks here in the simplest way I can. Let's start with a "Do / Don't Do" list, with more justification as an Appendix.


First up -- Passwords are OUT! DON'T just change your passwords.
  1. DO setup Multi-Factor or 2-way Authentication, DON'T just use passphrases
  2. DO keep Passphrases in Your Head, DON'T blindly trust password managers or vaults
  3. DO Pay Online with Layered Accounts, DON'T pay via Debit Cards, Checks, or Bank Accounts
  4. DO pour on Layers of Security, DON'T just trust one website

1. Multi-Factor or 2-way Authentication


Over a decade ago, technologists productized something that supplanted the old school username/password paradigm.  Technologists have blasted passwords as a single point of failure for a long time. It's a weak form of protecting your identity online. We introduced 2-way or Multi-Factor Authentication (2FA/MFA) because it added a 2nd (or Multiple) way for you to login.  Imagine 2FA/MFA with this analogy:


You walk up to a closed door with key in hand.  You try to turn the door handle but it’s locked so you put your key in and turn.  When you turn the handle and push the door, the door doesn’t open.  Instead you hear a latch open up next to your ear and see eyes peering out at you through a slit in the door that the latch opened.  You hear the girl behind the door say “Violet”, so you say “Yes”.  Now you hear the girl turn a hidden deadbolt on her side of the door.  You push the door again and it opens!  


Putting your key in the door and turning its handle is the old school username/password paradigm.  The girl saying a secret word that you acknowledge and her unlocking a deadbolt on the hidden side of the door is the new paradigm: 2FA/MFA.  You cannot get the door open with just your key but must also let the girl behind the door see you and respond correctly.  Pretty cool!


Modern technology has enabled common devices, like your phone itself, to be a 2nd way of authenticating online because you almost always carry your phone around.  Your dumbphone or smartphone receives a secret code, either via SMS text or a mobile app, when you attempt to identify yourself online.  You use this secret code from your phone alongside your username/password in a typical website logon.  This new sequence means that a hacker must both: 1) find your username/password, AND 2) steal/unlock your phone.

It's also important to note that the secret codes we’re discussing are temporary, unlike passwords, which are seldom changed. They're much like the 007 motto "this message will self-destruct": a hacker who looks over your shoulder or makes a guess, as they can with passwords, won't hold the right secret code for long.  These 2FA/MFA secret codes are quickly randomized, usually every minute.

A Picture is Worth every Pixel


A phone isn’t always required.  Some 2FA/MFA technologies use your web browser as an alternative to make the 2nd verification without sending a secret code.  These browser options include asking you to verify a picture code or to answer personal questions, like “What is the name of your preferred charity?”  Word of caution on setting up these alternatives to secret codes: personally identifiable information (PII) is not a good choice for 2FA/MFA setup.  A hacker can usually figure out your PII.  For example, figuring out where you were born is trivial so that question should be avoided.


2FA/MFA provides another layer of headache for a hacker to ruin your life. Gone are the days of simply securing your online identity with a “strong” password.  Sadly, online technologies have only recently begun to adopt 2FA/MFA after mulling around the elite halls of computer nerds but I’ve found the most popular online services have gotten aboard.


Here are popular online websites that allow you to setup 2-way or Multi-Factor Authentication via your smartphone:


Social media:
Facebook
Twitter
Apple ID
Google+
Linkedin
Microsoft Live


Banks:
Bank of America
JP Morgan Chase
Barclays


Payment processors:
Visa
Discover
Paypal


Cloud storage:
Dropbox
Evernote
iCloud
Google Drive
OneDrive/SkyDrive


(*from personal experience and from https://twofactorauth.org/)


2. Passphrases in Your Head


"The 4 frogs farted!" is a silly phrase that is more secure than "Jr1981" as a passphrase. Even spaces are valid in passphrases, hence technologists prefer to call your login credential a "passphrase" instead of "password".

A Pyramid of Passphrases


Keep passphrases in your head. I'm not abandoning old school password tips entirely but don't let 20th century best practices give you any kind of comfort. We are dealing with a whole new set of technology in the 21st century. Any password that is written down, even in your Evernote/Dropbox/Drive digital notepad, is a sitting duck for hackers.  

You should be grumbling about having too many passwords to remember, all while IT nerds demand that you keep creating more and more of them and higher and higher complexity!  I’m one technologist who admittedly recommends using only as many passphrases as you can actually remember. Why? There is no reliable way to forcibly extract a passphrase that is just a bunch of neurons in your brain. There are means, even if difficult or improbable, to break into locked drawers full of password notes and even hack into password managers that magically hold all those passphrases for you. Just keep passphrase management to yourself.

I recommend creating a 3 tiered pyramid of passphrases for all your online activity.  

Bottom Tier

Imagine the bottom of this pyramid being a ton of websites that you visit that require you to create some kind of account but keep very little or even no personal information about you. Online forums are a great example of this bottom tier of our pyramid. Many online forums don't let you search their topics or threads unless you create an account on their website, even if that account doesn't require your address, or age, or really much of anything other than a username. Keep a throw away passphrase for this bottom tier of websites.  

Middle Tier

Next is the middle tier of the pyramid. Here sit a sizable amount of websites or apps that require some personal information about you. Most social media sits here, both in website and app forms. Create a

Top Tier

Finally, the small top tier of your pyramid. These are your online crown jewels -- bank websites and apps, for example. These websites and apps not only require and maintain personal information about you, but access to them has real-life effects, like paying bills, filing claims, etc. Some may put their social media accounts in this tier instead of the middle tier. I'm making no rules but the model should fit your risk tolerance. The less tolerance your life has for someone hacking into a tier -- say a violent ex hacking into your Facebook -- the more reason to put that website or app into your top tier. There is one caveat: you must trust your top tier with your most confidential information. If you don't trust the institution or their own online presence, then your account with them should not be part of your top tier. Take online credit card accounts as an example. Credit cards are famous not only for informing their consumers of fraudulent activity, but many have even limited your personal liability for fraudulent charges with legalese. I've found their commitment to securing your account with them in my credit card contract. For me, that kind of legal commitment implies trust in their online account security.


4. Layers of Security

Try hacking into yourself online. Ask a flesh-and-blood friend of yours to "Unfriend" you from Facebook, Google+, Twitter, or some other social media. After being "unfriended", see how much information your flesh-and-blood friend can find out about you via their own account. This exercise is simulating how online hackers find personal or private information about you, and the results from this self-hack will shock you. Yet, there's plenty of fixes available that don't require the Nuclear Option -- you don't have to go offline. Go back into your social media account and fix the privacy or security settings around each bit of personal or private information your "Unfriend" found. After fixing up your privacy and security leaks, try hacking into yourself again. Rinse and repeat until you've clamped down on any information leaks.


MasterCard SecureCode

Verified by VISA
http://usa.visa.com/personal/security/security-program/verified-by-visa.jsp?n=1

Masquerade Cards


Bank of America has an online service that generates an ad hoc, temporary credit card that is backed by your actual credit card.  This service, called “ShopSafe”, ensures that the online merchant’s payment system never actually sees your real credit card data.  The Bank processes the transaction on their side by acting as a proxy for your card.  This service can also generate “masquerade” credit card data for recurring, online bill payments.


Pictures at Logon


Yet Another Layer


Services using Paypal Payment /  VISA Checkout


eBay
HuluPlus
Netflix

Paypal also offers a Credit Card to front any payments that accept credit, which is basically everyone.
