Security in the Internet Age
I’ve been developing software since I was in 6th grade and was an early adopter of the Internet, so I’ve had a lot of security experience. Here are a few tips:
1) Get a password manager app. I recommend 1Password. This makes it easy to have a long, meaningless and, most importantly, different password for each and every website or social media app you use. Using a short password that has meaning, like one of your kid’s birthdays, is convenient but incredibly insecure. Every app or website needs a different one so that if one gets exposed, the rest haven’t been exposed with it. Password managers are easy to use. Yes, it’s an extra step, but if you ever get hacked (and social media is the least of your worries - think about your bank accounts) the time you would have spent on a password manager will seem like nothing.
2) Be skeptical of email. When you get emails from companies with whom you have an account asking you to reset your password or to just log in to update some information, NEVER, EVER click on the links in these. Instead, go to your browser, manually type in the website address and navigate to wherever you need to go. If the email was legit, upon logging in the site should remind you of what the problem was. Emails far too often are phishing campaigns. This means some hacker sends you an email that to the untrained eye looks legit. You click on a link and up comes what appears to be the website login page you’d expect. So you enter your user name and password. The page tells you you’ve made a mistake, so you enter it again and this time it works. You figure you just mistyped a character and go along your merry way.
What actually happened is that the link took you to a page that looks just like the one you were expecting but is in fact fake. You entered your user name and password there, so now the hacker has them. The fake page then redirects you to the real page, where you enter them again and of course get in. So you think nothing of it, but the hacker now has your login information.
I’ve seen emails, I’ve seen Facebook prompt me to login again, etc. Never ever trust any of these. One almost got me yesterday and I’m super paranoid about this stuff.
I had just used ApplePay to buy a few snacks from a vending machine and I had an issue with it. I was too far away and wearing my mask so FaceID wasn’t working. A few minutes later (probably coincidentally but I will never know) I got what appeared to be a legit email from Apple saying that my Apple ID was temporarily locked and I needed to update my billing address to keep it from being permanently locked. Now I know enough to know that Apple would never, ever send a message like this. But it looked very legit. I examined it very closely and because I know what I’m looking for, was able to figure out that it was a phishing campaign. What almost got me was it happening immediately after having trouble with ApplePay but again that was likely a coincidence.
3) Don’t participate in quizzes. Stay away from the various quizzes you see on social media, especially on Facebook, that are designed to test your knowledge. Notice how everyone gets 100%? That’s because most of the time they are fake. They really just want to collect info about you.
4) Don’t ever use Facebook or Google to login to other sites. You are almost always giving those other sites permission to gain access to your Facebook or Google contacts and other information.
5) No legitimate company should ever call you asking you to authenticate yourself. For example, if you get a call from your bank telling you that there’s been fraud on your account and they need you to tell them information to make sure you are you, hang up instead, call your bank yourself and tell whoever answers what happened. They can then connect you to the fraud department so you can see if there really is an issue or if you were the target of a phishing campaign.
6) Never, ever reuse a password. I know this is a hassle, but again, if you ever get hacked you will wish you had followed this advice. Having the same password for lots of things means that once they have one, they have them all. A password manager like the one I mentioned above is great for making it easy to have a different password for every site.
7) Use long phrases for passwords. If you just can’t bring yourself to use a password manager, use long phrases for passwords whose meaning is not linked to you but is meaningfully connected to the site. For example, if you think about Netflix as a place to watch movies, ilovepopcorn might be a good password. Obviously don’t use this one, it’s just an example. By making the password a phrase, you make it long but in a way that is easy to remember. By making it connected meaningfully to the site (movies, popcorn) it becomes easy for your brain to connect the two.
Hackers sometimes run what is called a brute force attack, where they automate the process of trying to get into your account. They have databases of commonly used passwords. My company’s website won’t even allow you to use one of those for that exact reason. A long phrase is almost certainly not going to be in their database and won’t be generated by a dictionary attack app (where they are just trying the words in the dictionary).
Take your home Wi-Fi. You could name the network after something from your favorite movie. Then make the password related. If your favorite movie is Star Wars, you could name your network “Chewbacca” and make the password “my favorite Wookiee”. These are connected and meaningful. Easy to remember yet hard to guess.
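A signup-form policy check of the kind described above (refusing passwords from a common-password list, requiring length, and scoring space-separated phrases by the dictionary-attack view of words rather than characters), as an added example that is not the author’s or any company’s code. The common-password set, the 12-character minimum, the 40-bit floor and the 20,000-word vocabulary are constructed assumptions.

```python
import math
import re
from typing import Tuple

# Constructed stand-in for a breached/common-password list. A real site would
# load millions of entries; note the blog's own example phrase is in here,
# because any published example ends up in attackers' lists.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome",
    "starwars", "chewbacca", "ilovepopcorn",
}
MIN_LENGTH = 12      # policy assumption for this example
MIN_BITS = 40.0      # rough strength floor, assumption
VOCAB_SIZE = 20000   # assumed attacker word list size for phrase scoring

# Undo common leet-speak substitutions so "P@ssw0rd" is compared as "password".
_LEET = str.maketrans("@01345$", "aoieass")


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation ("password123!"),
    undo leet-speak and remove spaces so list lookups match variants."""
    pw = re.sub(r"[^a-z]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", pw.translate(_LEET))


def estimate_bits(pw: str) -> float:
    """Crude strength estimate. A multi-word phrase is scored as words drawn
    from VOCAB_SIZE (the dictionary-attack view); anything else by the size of
    its character pool raised to its length."""
    words = pw.split()
    if len(words) >= 2:
        return len(words) * math.log2(VOCAB_SIZE)
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            pool += size
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) the way a signup form's policy check would."""
    if normalize(pw) in COMMON_PASSWORDS:
        return False, "too common: appears in the common-password list"
    if len(pw) < MIN_LENGTH:
        return False, f"too short: need at least {MIN_LENGTH} characters"
    bits = estimate_bits(pw)
    if bits < MIN_BITS:
        return False, f"too predictable: ~{bits:.0f} bits"
    return True, f"ok: ~{bits:.0f} bits"
```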
8) Don’t use real answers for security questions. Just make up answers and then store the made-up answers in your password manager. That way, if the company ever has a data breach, you haven’t handed hackers private information they can use against you to get into your other accounts. Even a little private data helps them: if the same security question is used on other sites (what is the name of your high school, for example), knowing the answer makes it easy for them to reset your password and gain access to your accounts. They can also use this information to call the company and convince someone that they are you.
9) Use two-factor authentication when available. If the site provides two-factor authentication, take advantage of this and set it up. This is where, in order to log in, not only do you need your username and password but after entering them, they text you a code that must also be entered. That way a hacker would also have to have your phone, which is unlikely of course.
10) If you use a password manager, you are only as secure as the password you use for it. So make sure it’s unique, long and memorable. Every character you add to your password makes it much more difficult to guess.
11) Use contactless payment systems like ApplePay, GooglePay and SamsungPay as they are far more secure.
12) Don’t use ATM machines or go to gas stations that don’t have someone watching the pumps. Thieves put fake fronts on these that you won’t notice. You put in your card and type in your PIN, and the thief now has what they need to empty your bank account. I can’t believe these machines haven’t all gone to contactless and two-factor authentication yet.
The bottom line is that you, unfortunately, must be skeptical and wary all the time. Don’t trust anything. At least if you follow my advice but still get hacked, you’ve only let them in to one account, not all.
13) Be skeptical of messages through Facebook Messenger. I got one from a high school friend that just didn’t seem right. I asked a question that they should have been able to easily answer and they couldn’t, or answered it wrong. Even better is to fake them out. For example, make up something that didn’t happen and see if they play along.
When I finally realized this person had hacked into my friend’s account, I called the friend and then I told the hacker I knew he wasn’t who he claimed to be. He actually admitted it and said that he has kids to feed. I suggested that he wasn’t setting a very good example for them and asked how he would feel if I stole from him.
Essentially, you have to be extra, extra careful when it comes to passwords or sensitive information. The schemes being used are very easy to fall for even for people who are paranoid about this stuff.
Last but not least, think about incentives. Google for example makes nearly all of their money still to this day from selling search advertising. Facebook, Instagram and Twitter as well. That means the more effective their ads are, the more money they will make. So they make the ads more effective by knowing as much about you as they possibly can.
As a result, I don’t use Google. I use DuckDuckGo for search because they don’t track you. If you are a Mac/iPhone user, the Safari browser will let you set DuckDuckGo as your default search engine. I don’t use Gmail anymore either. Since I’m an Apple customer I use the free iCloud.com address they provide.
Apple makes their money selling hardware and services. They are very aligned with my interests, so they are far more trustworthy than most tech companies. iPhones and Macs are IMHO worth the extra cost, not only because they are higher quality hardware that will last longer and thus have a lower total cost of ownership, but also because Apple doesn’t make their money with ads and thus has no incentive to learn as much about me as possible. They have the right incentives because they sell me things rather than use ads to make their living.
I hope all this was helpful. If you have specific questions, let me know. I’m happy to answer them.
The more you think about security, the more likely you are to be just enough harder to attack that the hacker will move on to an easier target, so don’t be that easier target.
ⓒ Geoff Perlman • All Rights Reserved • Content cannot be reproduced without prior consent.