Securing Your Digital Life, Part Two - The Bigger Picture and Special Circumstances

We did the basics—now let's look at some more detailed steps to protect yourself.
SEAN GALLAGHER - 10/27/2021

ANDRZEJ WOJCICKI / SCIENCE PHOTO LIBRARY / Getty Images

In the first half of this guide to personal digital security, I covered the basics of assessing digital
risks and protecting what you can control: your devices. But the physical devices you use
represent only a fraction of your overall digital exposure.

According to a report by Aite Group, nearly half of US consumers experienced some form of
identity theft over the last two years. Losses from these thefts are expected to reach $721.3
billion for 2021—and that’s only counting cases where criminals take over and abuse online
accounts. Other valuable parts of your digital life may not carry specific monetary risks to you
but could still have a tangible impact on your privacy, safety, and overall financial health.

Case in point: last September, my Twitter account was targeted for takeover by an unidentified
attacker. Even though I had taken multiple measures to prevent the theft of my account
(including two-factor authentication), the attacker made it impossible for me to log in (though
they were locked out of the account as well). It took several weeks and some high-level
communication with Twitter to restore my account. As someone whose livelihood is tied to
getting the word out about things with a verified Twitter account, this went beyond
inconvenience and was really screwing with my job.

The attacker found the email address associated with my Twitter account through a breach at
a data aggregator—information probably gleaned from other applications that I had linked to my
Twitter account at some point. No financial damage was done, but it made me take a long, hard
look at how I protect online accounts.

Oh hey, it's this guy again.
Aitor Diago / Getty Images

Some of the risk tied to your digital life is taken on by service providers who are more directly
impacted by fraud than you. Credit card companies, for example, have invested heavily in fraud
detection because their business is built on mitigating the risk of financial transactions. But other
organizations that handle your personal identifying information—information that proves you are
you to the rest of the digitally connected world—are just as big a target for cyber crime but may
not be as good at preventing fraud.

Everything counts in multiple accounts


You can do a number of things to reduce the risks posed by data breaches and identity fraud. The
first is to avoid accidentally exposing the credentials you use with accounts. A data breach of one
service provider is especially dangerous if you haven’t followed best practices in how you set up
credentials. These are some best practices to consider:

• Use a password manager that generates strong passwords you don’t have to remember.
This can be the manager built into your browser of choice, or it can be a standalone app.
Using a password manager ensures that you have a different password for every
account, so a breach of one account won’t spill over into others. (Sorry to again call out
the person reusing letmein123! for everything, but it's time to face the music.)
• When possible, use two-factor or multi-factor authentication ("2FA" or "MFA"). This
combines a password with a second, temporary code or acknowledgment from
someplace other than your web browser or app session. Two-factor authentication
ensures that someone who steals your password can’t use it to log in. If at all possible,
don’t use SMS-based 2FA, because this is more prone to interception (more on this in a
minute). Applications like Authy, Duo, Google Authenticator, or Microsoft
Authenticator can be paired with a wide variety of services to generate 2FA temporary
passwords or to send “push” notifications to your device so that you can approve a
login. You can also use a hardware key, such as a Yubico YubiKey, to further segment
authentication from your devices.
Artist's impression of how to troll your IT department.
vinnstock / Getty Images

• Set up a separate email address or email alias for your high-value web accounts so that
all email regarding them is segmented off from your usual email address. This way, if
your primary email address is caught up in a data leak, attackers won’t be able to use
that address to try to log in to accounts you care about. Using separate addresses for
each service also has the side benefit of letting you know if any of those services are
selling your personal information—just look at where and when spam starts showing up.
• If you're a US resident, make sure to claim an account for your Social Security
number (https://www.irs.gov/payments/view-your-tax-account) from the IRS for tax
information access and other purposes. Much of the refund and stimulus fraud over the
past few years has been related to scammers “claiming” accounts for SSNs that were
unregistered with the IRS, and untangling that sort of thing can be painful.
• Register for account breach checkups, either through the service provided by your
browser (Firefox or Chrome) or through Troy Hunt’s haveibeenpwned.com (or both!).
The browser services will check stored passwords against breach lists using a secure
protocol, and they can also point out risky reused credentials.
• Consider locking your credit reports to reduce identity theft risks. Equifax provides an
app called Lock & Alert that allows you to lock your credit report from all but existing
creditors, then unlock it from the app before you apply for new credit. TransUnion has a
similar free app called TrueIdentity. Experian charges $24.99 a month to lock your credit
checks, and TransUnion has a “premium” version of its service that locks both
TransUnion and Equifax reports on demand for $24.95 a month. In other words, if you
want to have tight control over all your credit reports, you can do it for $300 a year.
(You can, with some searching, find the free versions of those credit freeze services—
here's Experian's (https://www.experian.com/freeze/center.html) and here's
TransUnion's (https://www.transunion.com/credit-freeze)—but man, those companies
really, really want to lift a giant pile of money out of your wallet in exchange for a bunch
of highly dubious "value-adds.")
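The "secure protocol" behind the breach-checkup bullet is, for Have I Been Pwned's Pwned Passwords service, a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, receives every breached suffix under that prefix, and does the match locally, so the service never sees the password or its full hash. The Python below is an added illustration, not code from Ars or from Have I Been Pwned; the range response it consumes is constructed inline (the count attached to "password" and the two filler suffixes are made up), while the live endpoint URL is the real one.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response: one "SUFFIX:COUNT"
# line per breached hash under the prefix. The third suffix is the real SHA-1
# tail of "password"; its count and the other two lines are made up for this demo.
FAKE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    ),
}
# Any prefix not listed above gets a constructed response with no matches.
FAKE_RANGES_DEFAULT = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\n"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTP call, driven by the constructed data above."""
    return FAKE_RANGES.get(prefix, FAKE_RANGES_DEFAULT)


def live_fetch_range(prefix: str) -> str:
    """Real query: GET https://api.pwnedpasswords.com/range/<prefix>. Only the
    prefix is transmitted; several hundred candidate suffixes come back."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Return how many times the password appears in breach data (0 if never).
    Matching happens locally, so the service learns only the 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


if __name__ == "__main__":
    for pw in ("password", "some-long-unique-passphrase-9f3k"):
        print(pw, "->", pwned_count(pw))
```

Pass `fetch_range=live_fetch_range` to query the real service; the offline fake is the default so the block runs without network access.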

When 2FA is not enough


Security measures vary. I discovered after my Twitter experience that setting up 2FA wasn’t
enough to protect my account—there’s another setting called “password protection” that
prevents password change requests without authentication through email. Sending a request to
reset my password and change the email account associated with it disabled my 2FA and reset
the password. Fortunately, the account was frozen after multiple reset requests, and the
attacker couldn’t gain control.

Artist's impression of two-factor authentication. In this example, you can't log in without both a password and a code generated by your phone.
dcdp / Getty Images

This is an example of a situation where “normal” risk mitigation measures don’t stack up. In this
case, I was targeted because I had a verified account. You don’t necessarily have to be a
celebrity to be targeted by an attacker (I certainly don’t think of myself as one)—you just need to
have some information leaked that makes you a tempting target.

For example, earlier I mentioned that 2FA based on text messages is easier to bypass than
app-based 2FA. One targeted scam we see frequently in the security world is SIM cloning—where
an attacker convinces a mobile provider to send a new SIM card for an existing phone number
and uses the new SIM to hijack the number. If you're using SMS-based 2FA, a quick clone of
your mobile number means that an attacker now receives all your two-factor codes.

Additionally, weaknesses in the way SMS messages are routed have been used in the past to
send them to places they shouldn't go. Until earlier this year, some services could hijack text
messages, and all that was required was the destination phone number and $16. And there are
still flaws in Signaling System 7 (SS7), a key telephone network protocol, that can result in text
message rerouting if abused.

Social exposure
Social networks, online communities, and apps or services intended to foster social interaction
(such as dating) are a major source of information used in targeted attacks. Social media
accounts are frequent targets for takeover, and social media users all too often leave essential
information about themselves, their family and friends, their activities, and even their finances in
the open for others to see and potentially target. If you must use social media, here are some tips
to limit your exposure:

• I shouldn't have to say this, but I'm going to say it anyway: don’t post unredacted
pictures of driver's licenses, vaccination cards, credit cards, passports, or other
documents with PII on social media. There are no circumstances where this is a good
idea. Don't do it, even for a TikTok challenge.
• Lock down access to your social media accounts with 2FA and unique, strong passwords
to prevent "brute force" breaches and "password reuse" hacks.
• On Facebook, set the default privacy for posts to “friends only." This will prevent casual
leaks of information you don’t want anyone but friends and family to know about.
Yeah, don't do this. This is dumb.

• Do not use “precise location” information on posts that can be used to locate you in
real-time. If I’m posting a picture of a location, I typically wait until I’ve left the place to
post it to social media (especially Twitter or Instagram). If you've got someone stalking
you, the last thing you want to do is broadcast your precise location—with pictures,
even.
• Don’t post pictures with your home address or other identifying information about your
residence clearly visible. Your friends and family already know where you live. Nobody
else needs to.
• Don’t drop personal email addresses or phone numbers into public online
conversations.
• Don’t allow dating apps, ride-sharing apps, or any other apps that use your location data
to collect that data while you’re not actively using them. Time and time again, this data
has leaked, and it has been used to establish home addresses and patterns of life that
can make users vulnerable. I don’t care if Uber has apologized—it will happen again.
• If you are sending your location to someone in one of these apps, make sure it is a
public place and that a friend or family member is in sight of that location, or at least
knows to check in with you shortly after the appointed meeting time. The Grindr
robbery and kidnapping cases in Texas are evidence enough of the importance of this.
You don’t need to tell anyone who or why you’re meeting—just ask for a call or text at a
certain time.

Cybercrime isn't just confined to cyberspace. Watch out for Mr. Steal-Your-Girl-Then-Steal-Your-Car here.
Nopphon Pattanasri / Getty Images

• Never take a conversation in one app over to another—say, from a dating app to
WhatsApp—before you’ve met a person in person and feel safe. This app-shifting move
is a signature part of romance scams and other fraud cases, intended to get the victim
out from under the moderation radar of the dating and social apps and into a more
private conversation. There, web links to downloads and other malicious or fraudulent
content can be shared.
• Be aware of links sent in Facebook Messenger and of friend requests claiming to be
from people you already know—but coming from new accounts. The first is a common
account-hacking scheme, and the second is often a sign of someone trying to create a
“clone” account to distribute fraudulent messages.
• Don’t download and run anything from Discord without a malware scan. Discord is
convenient and handy and widely used, but it is also a veritable hive of scum and
villainy.

Or, instead of trying to follow all these suggestions, you could mitigate this entire category of
risks by never using social media again.

Some people evaluate the risks involved from a social media presence and do just that.
(Though in some countries, Facebook effectively is the Internet, which greatly complicates
things.)

Special cases
There's one oft-suggested technology that hasn't appeared on this list so far: the VPN or virtual
private network. I use VPNs for very specific purposes—namely, to keep the virtual machines I
use for malware hunting segmented from the rest of my network or to make them look like
they’re in different parts of the world so I can test malware targeting.

Some people use them to evade geographic content licensing restrictions, so they can get
their Dr. Who fix or watch The Mandalorian outside of the Disney Co-Prosperity Sphere. I will
not comment on those use cases.
Mando says that if you're going to sign up for a VPN, use referral code BABYYODA for a 10% discount for the first six months!
EVGENIY SOFRONEYEV / Getty Images

But for everyday Internetting, you just don’t need VPNs that much anymore. Transport Layer
Security now encrypts a vast majority of Internet traffic, and it’s unlikely that someone is going
to grab your credit card data or other personal information off a public Wi-Fi network.

The same is true of the Tor protocol for anonymizing Internet traffic—odds are you won’t need it
daily, but there are times when it’s good to have. Tor and VPNs are most useful when you're
outside of your home and on a potentially hostile network (or on the Internet in a potentially
hostile country).

You’ll also want Tor or a VPN in situations where you’re on a network that has a TLS proxy that
breaks traditional HTTPS encryption by using proxy certificates to decrypt traffic in the middle.
At least in those scenarios, the worst that can happen is you can’t get an outbound connection.
Utilizing Tor allows you to hack into the Dark Web Matrix and contact Morpheus. (Note: Literally nothing in this caption is true.)
seksan Mongkhonkhamsao / Getty Images

If you’re a whistleblower, you will want to use Tor—and you will want to use it
somewhere other than your work desktop. You can obscure your location with a VPN as well,
but Tor is better for hiding more important things like the browser signature, which could be
used to forensically track you from one IP address to another.

If you want to have assured private communications with someone (at least up to the point where
the person gets and potentially takes a picture of the message), there are a number of options.
Google Voice and other Voice-over-IP applications allow for the creation of a temporary phone
number; I’ve used mine mostly to prank family members into believing they’ve subscribed to
messages from Cat Facts.

For encrypted and verified communications with another specific person, Signal is the current
standard—it’s cross-platform and doesn’t even have an option for unencrypted storage or
transmission of text and voice. Lesser-known platforms such as Keybase and Wire offer
encrypted text communications as well, but a full discussion of encrypted voice and text
communications is a subject for another time.
Hackerman says, "Remember to practice good opsec, kids!”
Aitor Diago / Getty Images

Sometimes, the biggest threat comes from inside the house—a malicious partner with access to
your devices can use that access to further their stalking or abuse. A number of organizations can
help with these threats; one is Operation Safe Escape, which helps victims of domestic violence
or stalking who may have had their phones or computers tracked by their abusers. If you know
someone who may be the victim of digital stalking, direct them to help.
