Cyber Security awareness

As the range of risks in cyberspace keeps expanding, it is imperative to understand them and to reduce your areas of vulnerability.

From a consumer perspective this mostly touches on a few points:

  1. Reduce exposure
  2. Only provide what is required
  3. Secure credentials
  4. Maintain retention policies
  5. Change often and keep it unique

So what do I mean by the above? These do not really seem to be "consumer" terms, so let's go through them one by one.

Exposure

The sheer amount of data that is sometimes requested, or demanded, by companies and websites is astounding. In many cases it goes way beyond what is actually required for that company to do business. If you want to buy a pair of socks or any other "consumable" from an online retailer, there is no need for them to know your date of birth, your mother's maiden name, your dog's name, or whatever else, and yet it is very often asked. "Why is that?" you might ask. What they say is that they need this information for identification purposes, so that they can verify your identity in case you have any inquiries about an order. That in itself is no problem. The problem is that this information is not tied to your order but is stored in your online profile with that retailer. This allows your information to be used not only for identity verification, but at some stage also to be integrated into the company's marketing rule-set.

"How is that done then?" If, for example, you select the security question "What is your dog's name?", they already know you have a dog. When you start using their website, there is a very good chance that a banner at the top will show products related to your dog. As a fishing exercise you might also see products related to other animals. If you decide to buy one of those products, additional tags are set on your profile. You see where this is going.

The issue becomes even more problematic when your data is not only stored with that particular retailer but also "shared" (bluntly put: sold to dedicated marketing firms) with companies who not only use this data on its own, but also "enrich" it with other information they can link to you. If these marketing or data-enrichment firms can link your personal data to other profiles they bought from companies you have dealt with in the past, that data becomes even more valuable for companies to tap into.

"How is that done?" These marketing or data firms do not sell the entire database. Instead they provide computer interfaces where other companies enter certain criteria, which yield a list of consumers (yes, you could be among them), and those consumers are then targeted by further marketing or sales campaigns.

As an example, I live on the Sunshine Coast in Australia. If I buy a car battery online from a shop where I have to enter my personal details (first name, last name, address, date of birth, the car I own or its registration details, etc.), that data can then be linked to other shops where I may have entered other information, as in the dog example above. A third company that sells pet travel products may then tap into the data lakes of these marketing firms and request a list of names, addresses and so on of people who live in the Sunshine Coast area with postcodes ranging from X to Y, have a car and have a pet. When my name is on that list, I can expect one or more emails, phone calls, letters or whatever else that company is willing to do to entice me to buy their products.

The scary thing is that there is not much legislation around the practice of obtaining and storing this data. Every company will publicly tell you that they do not store data that is not legally required or needed for their business purposes; their "privacy policy" will most often outline this. That last point, "business purposes", is however the greatest "get out of jail free" card you can think of. It is not you who decides what the actual valid business purposes are; the company itself is the gatekeeper of those criteria.

The name of the game is to provide as little information as possible.

Don't give away your life

On many websites where you want to obtain some information, you are required to provide your email address so that the information can be sent to you by email. This only makes sense if the company wants to keep your contact information for other purposes as well; otherwise they could simply have shown you the document, or another page containing that information. Again, it all has to do with marketing and being able to push sales-related material to a group that is as targeted as possible.

On many occasions, however, it is not only your email address that is asked for: you have to fill in an entire form outlining your life, company, spouse, pets, the cars you have owned, and so on (you get the drift).

When you see this, it is better to think twice about whether you really need the information they are going to send you. To work around it, simply create a "trash" email address and make up whatever else is asked. This may seem like a form of "stealing" information, but on the flip side you have no say in what happens to your details. The "value for money" is most often massively skewed towards the company providing the information, as they can sell your details for hundreds, even thousands, of times more than what they are actually giving you.

The Firefox browser offers a relay service (Firefox Relay) where you can create a "fake" email address for exactly these purposes. When you subscribe to a website you are most often sent a verification email containing a link you have to click before your account is created. After that, if you are not interested, you can simply ignore all further emails and either delete the fake address or put it into "delete mode", where all emails received by that address are simply discarded.

Another service that provides similar functionality is trashmail.com, which offers even more functions.

I want to make clear that many companies and organisations do have their act together when it comes to safeguarding your details, and very often there are legitimate reasons why a company needs some information from you in order to provide its products or services. I am not implying you should do the above on those websites. What I want you to do is really think before giving away information that has no relevance to the service you are actually inquiring about.

Secure Credentials

Another expert in cybersecurity, who actually lives on the other side of Brisbane, has almost made a living out of a service that shows which companies have suffered a hack in which personally identifiable data was exposed. (Have a look at https://haveibeenpwned.com)

When a company or institution claims that all your data is stored in an encrypted fashion, what does this actually mean? It gives a false sense of security, as I explained in one of my earlier posts. In most cases the claim only covers how the data is physically stored on a storage medium: should that medium be stolen, in theory no one could access the data. The problem, however, is that how the data is stored at rest does not matter at all when access to the data is exposed somewhere else.

[Image: the server layers described below, from web interface down to hardware storage]

In the above picture you can see where the issue is. The company's server is connected to the internet, and you enter your data through the web user interface (the stuff you see on your screen). This is then handled by the application, which does whatever tricks it needs to do in order to verify, adjust, enrich and present the information, after which it is handed to the operating system, where the encryption and decryption is done, and subsequently sent to the hardware, where it is stored on some sort of medium.

Be aware that these systems most often reside in extremely secure areas with armed guards and multiple levels of access control, so even if you did get in, you would not easily run out with a piece of hardware under your arm. What actually happens in most data breaches is that a criminal obtains access through the normal web interface, either by stealing your credentials or, by a somewhat more complex method, by exploiting a software bug that lets them bypass the credential verification checks. Once in, nothing limits their access to your data, because they operate at the web-interface or application layer, where all of this data sits in unencrypted form.

So even when a company claims to store your data in an encrypted format, hackers who access the infrastructure in the way shown above could not care less.

Be aware that the above is a very over-simplified picture of the real world: there are many more layers, and many more options and possibilities for companies to deliver their services to you and to handle data encryption at various layers. The fact that data breaches still occur is a very good reason for any consumer to be deliberate about what they provide when it comes to their personal data.

So what should you provide? A rule of thumb is "as little as possible". Unfortunately, many companies design their websites in such a way that many form fields are flagged as "required", so you cannot get around them. There are, however, options that can help.

Usernames and Passwords

Let's start with the most critical one. On most occasions these days, a username and password combination is still required. As you most likely deal with dozens, if not hundreds, of websites, chances are you use the same username everywhere; most often this is your email address. Remembering different passwords for more than about five sites becomes a real struggle, which leaves you with two options: 1. use the same password on all sites, or 2. keep a notepad with the passwords next to your computer.

You can already see where the problem is. In both cases you are vulnerable: if one site gets compromised, a hacker can easily use the same credentials on the other sites you use. With the notepad option you really have to trust your spouse 🙂

A recommended approach is to use a password manager. This is a piece of software into which you enter your credentials, and they are encrypted in a secure way BEFORE they are stored anywhere. All password managers offer the generation of secure passwords, meaning a string of many characters drawn from several character classes (lower case, upper case, digits, punctuation and others), which you then use on that website and store in the password manager. Some password managers can also store this encrypted information in the cloud so that it can be shared between devices. By using a password manager you only need to remember one password, which unlocks the rest of them. A browser plugin can also sign you in automatically with the credentials stored in the password manager's vault.

MFA / Multi Factor Authentication

Many websites these days offer the option of enabling MFA. This adds a second layer of security on top of your username and password combination. It can be done in a couple of ways.

The first form uses a messaging service such as SMS, which sends a code to your phone that you then have to enter in a secondary form field. If it matches what the website sent, the website proceeds and allows you access.

The second form is an authenticator app on your phone. When you enable the MFA option on a website it presents you with a QR code, which you scan with that app. The app then generates a new code every 30 seconds, which you enter when the website asks for it. The benefit of this option is that it does not rely on the security of your phone service provider (search for "SIM porting hack" if you want to know more about this). With MFA enabled, a hacker who has your credentials still cannot get into the website by impersonating you, as they would not know which code was sent via SMS or which code the authenticator app generated.

Maintain retention policies

What do I mean by this?

Whenever a website requires you to provide information that is tied to you, try to ensure the information you give is ephemeral. Things like your name, date of birth, address and phone number are closely tied to you as a person. What you can do, if the website offers the option, is use information that is not tied to you as a person, for example the lotto numbers you used in a particular week, or the street you lived in at a certain age. You can even make this up by using the name of a street near your school. This data is basically useless (in most cases) for marketing companies, as it provides no value and is just "noise" to them. It even makes their data less valuable, because it takes a lot of effort to clean it up, and if they don't, their customers will not buy the data.

Password retention (forced periodic changes) may not be as useful as it used to be. It is better to use a very long password or passphrase than to change a short, simple password very often. Computers are very good at cracking simple passwords.


Using a password that got generated by a password manager would take care of this problem.
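To make the two points above concrete (a manager-generated password drawn from several character classes, and length beating frequent changes), here is an added example that is not part of the original post: a generator in the style of a password manager, plus a rough strength estimate of the kind sites like the one linked below make. The guess rate is a constructed assumption, not a measured figure.

```python
import math
import secrets
import string

# Character classes a password manager typically draws from
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}


def generate_password(length: int = 20) -> str:
    """Random password with at least one character from every class, built with the
    CSPRNG in `secrets` and shuffled with it too, so the guaranteed positions are not predictable."""
    if length < len(CLASSES):
        raise ValueError("length must cover every character class")
    alphabet = "".join(CLASSES.values())
    chars = [secrets.choice(cls) for cls in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):          # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: every character assumed drawn uniformly from the union
    of the classes the password actually uses (what strength meters approximate)."""
    pool = sum(len(cls) for cls in CLASSES.values() if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate
    (1e10/s is a constructed figure for a fast cracking rig against a weak hash)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    short_complex = "aB3$aB3$"                       # constructed: 8 chars, all four classes
    long_phrase = "correcthorsebatterystaple"         # constructed: 25 lowercase chars
    for pw in (short_complex, long_phrase, generate_password(20)):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{years_to_exhaust(entropy_bits(pw)):.3g} years")
```

The 25-character lowercase phrase has far more entropy than the 8-character mix of all four classes, which is the point of preferring length over frequent changes of a short password.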


(Check on https://www.howsecuremypassword.com to verify yours.)


Change often and make it unique

This obviously contradicts the previous statement, but it can never hurt to change credentials. The main reason is not that your passwords may be compromised by brute force or simply guessed, but rather that you do not know which sites may have exposed your details. If those passwords are not stored safely by the website in question, they may end up everywhere, exposing you to all sorts of nasty side effects. If you have a regime that makes you change your passwords, say, every 3 to 6 months, your "exposure time" is greatly reduced.

Coming back to the password managers above: ensure that every website has its own unique password. It takes only one compromised website to have a flow-on effect on many others when your credentials are not unique. Remember that how quickly hackers, spammers and other criminals can try your details is not limited by the number of people doing the trying; they have software that does it for them.

Making it hard, to the extent that it costs them more to get into your accounts than they can get out of them, basically discourages that.

More to come.

Regards

Erwin
