People who would never leave their front door unlocked can be dangerously lax about their online security. To be safe, follow these rules.
You’ll never have more ideas about how to protect your identity than the minute after you realise it’s been stolen. Suddenly, you can see in painful detail all the doors left unlocked and breadcrumbs scattered across the internet for a hungry thief to find. It’s a strange reality that there are people who will lock, alarm, and stress about their front door at home but blithely post sensitive information online that is in effect the key to their accounts.
We should all be guarding our information with the feverish paranoia of a top-ranking politician with a whole family of skeletons in the closet. Because no matter who you are, there are people who’d benefit from stealing your identity, and right now they know a lot more about it than you do.
Admittedly, some of the holes in online information security are absolutely not your fault. Surprising numbers of household-name companies use poor or even actively unhelpful security protocols. But this is zero comfort when you’ve been hijacked, so while it’s not always your fault, it’s still your responsibility to protect yourself. Fiercely.
1. Don’t play social media games
One of the most notorious information security holes is the secret question and answer. What was your first rabbit’s middle name? Which footballer did you least want to be when you grew up? These kinds of checks are very weak in terms of security, and are often the tool used to crack open people’s accounts. You could have the most secure password in the world, but if you’ve filled in the name of your high school on your LinkedIn profile and that’s one of your security answers … we have a problem.
Predictably, your secret answers are a common target for ID thieves – and the ways they go about getting them are so sneaky they’re almost impressive. For instance, it’s a common game on social networks to post your “porn-star name,” “Brexit name” and so on, which usually involves combining something like the name of your first teacher with the place you met your partner. While “Hagrid McDonald’s” might seem hilarious to you, the criminals are also laughing – because you’ve just given them the answers to two commonly asked security questions.
2. Don’t take dodgy online quizzes
People love to take online tests that say something about them, and post the results on their social media. It’s easy to see why: they have intriguing titles like “What will your last words be?” These require you to log in or “authenticate” using one of your accounts, usually Facebook. It’ll be explained as “we just need to see your posts to guess your last words” – but connecting the site to your Facebook account gives them (limited) access. Do you know who runs the site? Because you’ve just handed them a bunch of your information.
One way to check trustworthiness is to look at the URL (internet address) the quiz came from before you click it – if it’s not a recognised, reputable name (like Buzzfeed), don’t take the risk. But malicious sites can also disguise their web addresses, so if you can avoid it, it’s best not to do those quizzes at all.
3. Don’t accept friend requests from strangers
Every time you accept a friend request on Facebook, you’re giving that person access to every status update you’ve ever made. If you don’t know the person, or don’t know them well, that could cause problems for you if they ever turn malicious. LinkedIn is particularly bad for requests from random people.
Even if you have no rogue agents in your connections, five years from now a vengeful ex with too much time on their hands could sift through your Facebook posts – or, even easier, search them for relevant keywords – and find what they need to get their hands on your identity. So give your friends list a severe pruning, then go to the security settings and set all previous posts to “friends only”. This ensures there aren’t any public posts lurking about that a dedicated thief could find.
4. Delete old posts
In a perfect world, it’d be great to go through all your past Facebook updates and delete anything that could be used against you – bearing in mind that even something like a screenshot of an ancient tweet where you called someone an offensive name can be problematic – but since most of us won’t find the time, there’s a lower-effort fix. Facebook has a daily memories feature called On This Day that shows you what you posted on this day every year since you started using the site. Take this as your daily prompt to review your posts: every day, check for things that might – in the most paranoid possible light – become problematic later. Then delete them.
5. Use a password manager
We all know not to use the same password for every site, but we’re still humans who have trouble remembering scores of random character strings – and that puts us at risk. Brianna Wu, a well-known coder and games developer, who has had to get very good at protecting herself online after being targeted countless times, says that “everyone should download either 1Password or LastPass and start making random passwords for every site. My suggestion is, next time you get a phone or a computer, start fresh and change account passwords as you add them.
“If you’re a person of any degree of prominence, you have to get very paranoid about who you give information to,” says Wu. “I was one of the primary targets of Gamergate, a hate group targeting women speaking out for inclusion in the videogame industry. Gamergate was the prototype for what became the alt-right.
“I’ve had hacking attempts on my bank account. I’ve had my Apple ID hacked, and had to work with Apple to get it back. I’ve had people send me links to spoofed websites, trying to get me to enter personal information. Even if you’re not a target today, you never know where you’ll be in five years. It’s best to start these habits now.”
6. Turn on two-factor authentication
It might have an awkward name, but two-factor authentication (or 2FA, or TFA) is a way of adding an extra layer of security to your accounts. When you log in, you get a one-time passcode sent to your mobile phone – or, even better, generated by an authenticator app such as Google Authenticator. The app is the safer option because people’s phones are sometimes hijacked to steal the texted code – Black Lives Matter activist DeRay Mckesson was a target, for example.
Alternatively, some people use a separate phone or number to receive the code. Wu says: “I carry two cell phones. One is the number I give people – the second is my two-factor authentication phone, which I have never shared with anyone.”
If you lose the phone or no longer have access to the app, you can get backup codes from all the services that offer 2FA (which is most of them: Google, Facebook, Twitter, Dropbox and so on). Since you may not have access to your online services in the event of a hack, don’t store the backup codes there. It’s best to print them and hide them somewhere physical that no one else can access.
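To show what an authenticator app actually does, and why printed backup codes are the right fallback, here is an added example that is not from the article or any of the services it names. It derives the familiar six-digit code from a shared secret and the clock the way authenticator apps do (RFC 6238 TOTP over RFC 4226 HOTP), accepts one 30-second step of clock drift, and generates single-use backup codes that a service would store only as hashes. The shared secret is the reference key from RFC 6238’s test vectors, used here as a constructed value; the `BackupCodeStore` class and the code format are assumptions of this example, not any real service’s design. Python 3.9 or later, standard library only.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed shared secret: the reference key from RFC 6238's test vectors.
# A real service hands this to the authenticator app once, usually as a base32 QR code.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code and one step either side (clock drift); compare in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def generate_backup_codes(count: int = 10) -> list[str]:
    """Single-use recovery codes (format assumed here), shown to the user exactly once."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]


def hash_code(code: str) -> str:
    """Codes are random and long, so a plain SHA-256 is enough for server-side storage."""
    return hashlib.sha256(code.replace("-", "").encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical server side: keeps only hashes, and each code works exactly once."""

    def __init__(self, codes: list[str]):
        self._hashes = {hash_code(c) for c in codes}

    def redeem(self, code: str) -> bool:
        h = hash_code(code)
        if h in self._hashes:
            self._hashes.remove(h)   # burn the code so a leaked printout is only good once
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SHARED_SECRET, now))
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("backup codes (print these and keep them offline):", codes)
    print("first redeem:", store.redeem(codes[0]), "second redeem:", store.redeem(codes[0]))
```

The point to take from the two halves: the authenticator code is nothing more than a function of the secret and the time, so whoever holds the secret (the app on your phone) can always regenerate it, while a backup code is a random string the service can only recognise, not recreate, which is why it has to live somewhere physical and not in the account it protects.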
7. Don’t be scared out of doing anything
All this security doom-mongering can be very off-putting, because it sounds big and scary and unfixable. But realistically, it’s rare for people to fall victim to persistent targeted attacks – they’re usually more opportunistic (unless, of course, you’re prominent or controversial in some way, or have a desirable username on a popular service).
• Holly Brockwell is a freelance technology journalist and editor of Gadgette, an online magazine about tech
guardian.co.uk © Guardian News & Media Limited 2010