Habits of a Careful Internet Citizen

The internet can be a hostile place, not just because of trolls and soul-crushing comments on youtube videos. Websites and internet-based services are being attacked and their users' personal information stolen by the millions. But we don't have to resign ourselves to being victims. We can protect ourselves. In this post, I will explain how you can minimize your risk and improve your security online.

Guard Your Personal Information

The best way to reduce the risk of your personal information being stolen, is to simply not give it out in the first place. Almost all websites and services these days will vacuum up as much personal user information as they can. This puts you at risk of your information being stolen by hackers. These hackers will re-package and sell your information to bad actors to be used in phishing scams, identity theft, and other nasty things. Practically speaking, it can be difficult to use a lot of websites and services without providing at least some personal information. Or is it?

If when you are filling out some form online (e.g for an order at an e-shop), certain information fields might be "required" for the form to be accepted (phone number, email, address, etc). However those fields might not actually be necessary to complete the order. It's very unlikely that they will really need your phone number or email address. And if they are not going to be shipping you a physical item by post, they don't need your real postal address either. So in these cases here are some tricks you can use:

• Email - Use a free, public email account from Mailinator. This is a quick, easy, and free way to get a real, functioning email address. This is nice because you don't have to sign-up or login to use it, and you can check all the emails that an account receives.
• Phone number - Input a fake, "real-looking" phone number. This is fine if you don't expect a phone-based account verification process and you don't need to receive text messages (SMS) from the website. If you need SMS capabilities, there are a few sites that allow you to receive SMS messages for free. These sites are like Mailinator, but for SMS:
  • www.receive-sms-online.info
  • smsreceivefree.com
• Postal Address - Look-up a real-world address in any location that makes sense. I like to use Google Maps for this because it's usually quick and easy.

You might be saying to yourself: "Wow, that's kind of extreme. And I don't like the idea of lying." Get over it. There's a battle happening every day for consumer's personal information. You can either be a victim or you can protect yourself.

Online Payments

If you're feeling adventurous, have a look at bitcoin. With bitcoin it is possible to transact on the internet without the need for banks or other intermediaries. This has many benefits, including protecting your privacy while making online purchases.

Otherwise if using a card to pay online (and you're in the United States), always use a credit card. The reason for this is that you are only liable for up to $50 in the case of fraudulent charges. Debit cards do not have this protection. If your debit card information is stolen and used fraudulently, the funds will be transferred out of your bank account and you will be forced to endure a lengthy process to have your money returned to you.

If you don't use a credit card, it might be a good idea to open a secondary checking account with a limited balance. This will allow you to transact online without exposing your full bank balance to the risk of fraudulant charges. Doing this likely will cost you some money every month in fees, but that could be a small price to pay for the added security and peace-of-mind.

Browser Choice and Setup

Use Firefox or Chromium (non-Googled version of Chrome) as your primary browser. On mobile, use Firefox because Chrome on mobile does not allow extensions to be installed. Must-have browser extensions:

• uBlock Origin (for Chrome and Firefox) - Blocks ads and most third-party tracking services. As a bonus it also makes pages load faster, reduces data usage, reduces power consumption, reduces visual clutter on the screen (so reading articles is easier), protects your privacy, blocks potential drive-by virus installers and other malicious code served by ad-networks.
• HTTPS Everywhere (for Chrome and Firefox) - Forces encrypted communications with many major websites.

Always use private browsing mode; in Chrome this is called "Incognito" mode. The reasoning here is that your browser will forget everything you've done when you close it. Yes, that means you will have to login to websites everytime you open your browser. But this also means that your accounts are protected against a whole class of browser-based vulnerabilities.

You may also want to consider disabling JavaScript in your browser. This makes pages load faster, saves your device's battery, and blocks most attack vectors. The down-side is that some website functions won't work, but you can easily white-list these sites as needed.

Chrome Settings

Firefox already does a good job of providing reasonable defaults to protect your privacy; Chrome not so much. Here are some settings you may want to change:

• Block third-party cookies - Can be found at chrome://settings/content/cookies
• The following settings under "Advanced" in chrome://settings:
  • "Use a web service to help resolve navigation errors"
  • "Use a prediction service to help complete searches and URLs typed in the address bar"
  • "Use a prediction service to load pages more quickly"
  • "Automatically send some system information and page content to Google to help detect dangerous apps and sites"
  • [ ✓ ] "Protect you and your device from dangerous sites"
  • "Automatically send usage statistics and crash reports to Google"
  • "Send a 'Do Not Track' request with your browsing traffic"
  • "Use a web service to help resolve spelling errors"
• Disable autofill - Can be found at chrome://settings/autofill
• Disable manage passwords - Can be found at chrome://settings/passwords

Use a Password Manager

Using a password manager is a critical step towards improving your security online. Some of the benefits of a password manager include:

• One password to remember - The only password you will need to remember is your password manager's master password.
• Stronger passwords - Humans are bad at creating strong, random passwords. This is why it's better to let your password manager do this for you.
• Unique password for each site - Since you don't need to remember them, you can use a unique password for each website. This is important because when a website is hacked, your accounts for other sites are not at risk of being compromised.

Recommended password managers:

• KeePassX
  • Available for Windows, Mac, and Linux
  • Free
  • Requires your own backup and syncing scheme
  • For Android support try one of the following apps: KeePassDroid, Keepass2Android
• 1Password
  • Available for Windows, Mac, Android, and iOS
  • $3 per month
  • Cloud-based backup and sync between devices

Two-factor Authentication

For your most important accounts (primary email, online banking, etc), you should think about enabling two-factor authentication (2FA). This typically involves a secondary device (e.g your phone) which generates a random code every 30 seconds that must be used in addition to your account password to login. This dramatically improves your account security because an attacker would have to know your password and also have access to the device that generates your second-factor authentication codes.

SMS-based 2FA should be avoided. Never link your phone number as a "backup/recovery" method on any of your accounts. Phone numbers can be hijacked via social engineering. A determined attacker can call your phone company, convince some unmotivated customer service representative that they are you, and then switch the phone number on your account to a new SIM card. Once they do that, they will be able to gain access to your accounts via the account recovery mechanism using a code sent via SMS.

Recommended 2FA apps:

• Google Authenticator (for Android and iOS)
• Authy

Conclusion

That's not everything, but it's a solid start to improving your defense posture online. Don't worry if you can't (or don't want to) change all of your habits right now. Pick a couple things today and do those. Maybe come back and add a few more in the future.

Until next time, good luck!