With all the talk about security services spying on you, cybercrime and web services getting hacked, you’d be forgiven for thinking there’s no safe place left on the internet. And you’d probably be right. If someone really wants to get your online data, and is really determined, there’s probably not a lot you can do to stop them.
Fortunately, not many people are the subject of such laser-targeted hack attacks. Most of us end up getting scammed online because we do something silly like fall for a scam or click on a phishing link and our data gets harvested just because we’re easy targets. Make things even remotely hard and the chances are you’ll avoid 99/100 attempts to fleece you of information or money online.
And here are a few tips for obfuscating your information in ways that make it really hard to get to.
Let’s get one thing out of the way – there is no substitute for proper security practices and complex passwords. If you use “123456” or “password” as your means of securing your online accounts, you deserve what is coming. Hackers and cybercriminals don’t take prisoners; they don’t care that you are just an innocent internet user who dutifully checks email and reads the news.
There’s no compassion because in the virtuality of the internet, these are just victimless crimes.
However, the fact is that even those with the most thorough security measures in place are at risk. You might have 50-character passwords, firewalls, security software, and one-time PIN codes – but if the weakness lies with the party that’s in charge of your details, you’re in the same boat as the guy who browses the web using Internet Explorer on Windows XP.
When sites get hacked, and account details leak, everybody is affected and potentially in danger. Thankfully, there are some less-than-obvious steps to be taken to help secure your accounts for when that happens. Sure, some of these will make life a little less convenient, since they require a lot of effort, but rather safe than sorry – right?
1) Mask your mail
One of the most common things seen in both targeted attacks as well as leaks is the use of primary email addresses from free providers. Most people can’t be blamed for using Gmail, Yahoo Mail, or Microsoft’s Hotmail replacement, Outlook. They’re convenient, free, and can be accessed from anywhere.
The problem is, though, that once [email protected] is in an attacker’s hands, they have half of what they need to log in to most other places. Worse than that – if they get access to your email account itself, since they now have half the login details, they can wreak even more havoc.
So far the best solution is to use masked email addresses or aliases for online services. One such service is MaskMe, which lets you set up anonymous aliases when signing up for mailing lists. This effective spam-prevention technique can also be used to protect your own email address: an attacker cannot log in to your email if he has a random email address from MaskMe. The service also lets you generate and manage multiple addresses, so you can have separate anonymous email addresses for the different services you sign up for. (Granted, this does mean that if MaskMe gets hacked, your details are exposed.)
Other workarounds include using an email forwarding service, or setting up your own aliases if you own an email domain. [email protected] might be what you use to log in to your mailbox, but [email protected] cannot be used to log in to any mailbox. The idea here is to secure the email address that’s used as a login name, thereby protecting the contents of your mailbox and preventing attackers from impersonating you.
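If you own a domain, one way to run the per-service aliases described above is to derive each one from a secret, so that knowing one alias does not reveal the others and mail arriving at an alias shows which sign-up it came from. This is an added example, not code from the article or from any service it names; the domain example.org, the catch-all mailbox, the secret and the function names alias_for and issued_to are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

DOMAIN = "example.org"               # assumption: a domain you own, with catch-all delivery
SECRET = b"constructed-demo-secret"  # constructed; keep the real one in your password manager
_NAME = re.compile(r"[a-z0-9][a-z0-9-]*")  # service labels allowed in the local part


def alias_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive a stable alias for one service that cannot be guessed from another."""
    name = service.strip().lower()
    if not _NAME.fullmatch(name):
        raise ValueError(f"unsupported service name: {service!r}")
    mac = hmac.new(secret, name.encode(), hashlib.sha256).digest()
    token = base64.b32encode(mac[:5]).decode().lower()  # 40 bits -> 8 characters
    return f"{name}.{token}@{domain}"


def issued_to(address: str, secret: bytes = SECRET, domain: str = DOMAIN) -> Optional[str]:
    """Return the service an alias was created for, or None if we never issued it."""
    local, _, dom = address.strip().lower().partition("@")
    name, sep, _token = local.rpartition(".")
    if dom != domain or not sep or not _NAME.fullmatch(name):
        return None
    # Recompute the alias for the claimed service and compare in constant time.
    expected = alias_for(name, secret, domain).partition("@")[0]
    return name if hmac.compare_digest(expected.encode(), local.encode()) else None


if __name__ == "__main__":
    for svc in ("amazon", "forum", "newsletter"):
        print(svc, "->", alias_for(svc))
    # Mail arriving at an alias tells you which sign-up the address came from.
    print(issued_to(alias_for("forum")))
```

Mail sent to an address for which issued_to returns None was never handed out by you and can be rejected; mail from an unrelated sender to a valid alias points to the service that leaked or sold the address.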
2) Copy and paste your credit cards
It might not be that obvious right now, but think about it: what’s the most obvious reason for attackers to gain access to a stash of accounts on Amazon.com, or any other online retailer or service provider?
Most people take advantage of the convenience of having their credit card details saved by online retailers, and for the most part it’s fairly safe. The good, security-conscious sites will be super secure and store details in encrypted databases. In most cases it’s also not possible to see credit card details in full, even when logged in. Sites will obscure the first 12 of the 16 digits, leaving only the last four visible for identification purposes.
But these can still be abused. If not by an attacker who gets into your account and buys a bunch of stuff with the saved credit card, those last four numbers can be used in some social engineering. Posing as you, the attacker can provide support consultants with enough information to make them believe they’re talking to the legitimate account holder.
The simplest way to nip this in the bud is by not storing your details, and deleting any stored credit card information after completing a purchase. Sure, it means you have to enter them again when you next buy something online, but unless you’re buying things every day or every week, entering your credit card details once or twice a month won’t kill you.
3) Prepay your way
Ok, fine. Entering credit card details is a huge hassle to you. Thankfully there’s still another way. Sign up for a virtual, prepaid credit card using services like US Unlocked or Entropay and leave your credit card details saved online, with relative impunity.
Virtual prepaid cards are legal to use, and can be topped up in dollars or rands using your current credit card. Load up one of these with R1 000 or R2 000, and the most you stand to lose – should your account or card number be compromised – will be whatever is left on the card. This isn’t ideal, but risk is what you’ll carry with the convenience of having your card details stored for those essential one-click purchases.
For the less paranoid the real bonus here is that if your prepaid card details do get leaked, you simply report it and cancel it with the provider. Issuing a new virtual card is free, while your bank charges you for new credit cards to be issued.
4) Share sparingly
This should go without saying but sometimes it’s just a case of not really considering the possible outcomes of a data breach. When you sign up for web services and online shops, be sparse with details. Unless you really have to, don’t write your full name on forms. Sure, your address has to be present so that you can get your goods, but that’s only for online shops. If you sign up for an online forum or a social network think about why you’d need your personal details there, and apply discretion.
In one of the recent high-profile targeted hacks the attackers were able to use the victim’s former physical address, which was stored on his Amazon account as an address he often sends packages to. Through this they were able to identify him and gain even more access to his virtual records.
The same goes for domains you register. It’s common to get anonymous registrars, nowadays, but if you don’t opt in to this then your home or office address, phone numbers, and email addresses are published in a publicly searchable database. If you absolutely have no choice but to enter details, just make note of where you do provide them so that you can have more secure passwords for those sites and services, as well as changing the passwords often (which you should do anyway).
The less information there is to tie virtual you to real-life you, the better.
5) Hit the mute button
Social engineering is something you won’t get away from. Companies that have your details have email and phone support systems in place to help you recover your passwords and regain access to your account. Those can also be used by others as soon as they have enough details about you.
To combat this, simply contact the sites and services you use and ask them to not allow any telephonic password-reset requests. This does mean that you limit your options when you legitimately forget your password or lose access to your account, so just make doubly sure you’ve got your passwords written down in a secure password app, like 1Password or LastPass.
On the plus side, it completely removes an attack vector for somebody who might have access to your other details, but needs the cooperation of an unwitting call centre agent to get even more dirt on you.
You might think it’s not going to happen to you. But then again this is the security guide for paranoid people who don’t trust anybody.