WFH Daily #207: FF Recommends | How to make your online presence hack-proof

October 17, 2020: Once an email address you use to log in and the password patterns are exposed, it leaves you vulnerable. Here’s how to minimise the risk

Founding Fuel

[Image by Robinraj Premchand from Pixabay]

Good morning,

Raghuram Rajan ends his most recent book The Third Pillar, which has a somewhat pessimistic subtitle, How Markets and the State Leave the Community Behind, with a positive note. He writes: 

“Our values are not static—they change. Dr Martin Luther King Jr. said, ‘The arc of the moral universe is long but it bends towards justice.’ When seen over short stretches, it seems that history repeats, that racism and militant nationalism erupt periodically in the world to sow hatred and spawn conflict. Yet the society that experiences these movements is not the same, it trends toward being more tolerant, more respectful, and more just. Around that trend line, we do go up and down. We may be down today, and we have a long way to go, but the distance we have come should give us hope. Let us not let the future surprise us. Instead, let us shape it. There is much to do. We have to, we must, choose wisely if we want to live together well and in peace.”

When we reflect on this passage, the underlying message is clear. Even in bad times, it’s important to feel optimistic. But the right to feel optimistic comes with the responsibility to act, to do something to make the world a better place. 

This weekend is a good time to reflect on this, and do let us know what you think. 

In this issue 

  • FF Recommends | Secure your digital presence
  • No free lunch

FF Recommends | How to make your online presence as hack-proof as possible

By Charles Assisi

A few days ago, I upgraded the software on my iPhone and discovered it contains a feature called “Detect Compromised Passwords”. 

“Nice!” I muttered. And then almost choked when the display showed I’m at risk on 89 sites, some of which I visit regularly. “This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately,” the message read. How did this happen? I’m finicky about security. 

To find out, I called Achyut Nayak, a good friend, former colleague, and a geek. He wasn’t surprised and told me about a time when he had purchased something on an American site that was hacked. That is where the problem begins, he said. The password he had used there got leaked and got into the digital underworld. What he had used was now available for unscrupulous elements of all kinds to see. They run their tools to create permutations and combinations of the patterns they find in it. 
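To see how a phone can say “this password has appeared in a data leak” without ever sending the password itself anywhere, here is an added example; it is not code from the newsletter or from Apple, whose actual mechanism is not described here. It assumes the range-query design that public leaked-password services use: the device hashes the password locally, sends only the first five hex characters of the hash, and compares the returned suffixes on the device, here against a small constructed leak list.

```python
import hashlib

# Constructed stand-in for a breach corpus: leaked passwords and how many times
# each was seen. Made up for this example, not real leak data.
LEAKED_PASSWORDS = {"password": 3861493, "qwerty123": 4127, "letmein": 25, "summer2020": 2}

PREFIX_LEN = 5  # hex characters of the hash the client reveals to the service


def sha1_hex(password: str) -> str:
    """Hash locally; SHA-1 is only a lookup key here, not password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Service side (assumed design): the corpus indexed by hash prefix."""

    def __init__(self, corpus: dict) -> None:
        self._by_prefix = {}
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self._by_prefix.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))

    def range_query(self, prefix: str) -> list:
        """Every (suffix, count) under this prefix. The service never sees the
        full hash, so it cannot tell which entry (if any) the client matched."""
        return list(self._by_prefix.get(prefix.upper(), []))


def leak_count(password: str, index: BreachIndex) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns how many times the password was seen in leaks (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for candidate_suffix, count in index.range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def risk_message(password: str, index: BreachIndex) -> str:
    """Turn the count into the kind of warning the phone displayed."""
    count = leak_count(password, index)
    if count:
        return f"This password has appeared in a data leak ({count} times). Change it."
    return "Not seen in this leak corpus (which does not make it a strong password)."


if __name__ == "__main__":
    index = BreachIndex(LEAKED_PASSWORDS)
    for pw in ("letmein", "correct horse battery staple"):
        print(f"{pw!r}: {risk_message(pw, index)}")
```

The check is only as good as the corpus behind it: a password absent from the list has not been proven safe, and a leaked one should be changed everywhere it was reused.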

Now, such hacks and leaks happen every day. 

The problem we face is that once an email address you use to log in and the password patterns are exposed, you are vulnerable. This is because much of our personal information, including bank statements, credit and debit card data, health records and work records, among much else, resides digitally. 

With this information in hand, what is to stop someone in another part of the world from spoofing your identity? They could use it to make a purchase on, say, Amazon, and ship it to an address of their choice. The company’s fraud alert systems aren’t triggered by purchases from other parts of the world until the value of the cart exceeds a certain threshold. 

That is when Achyut and I started exchanging notes on the protocols that must be followed as rules of thumb when online. Our experience is that most people don’t follow them. 

Your devices are personal: Because the data they contain is yours. So, don’t hand your devices to assistants (or children and friends) to handle. Think about it this way—you don’t undress in front of everyone, do you?

Turn on two-factor authentication: If you want to be alerted when someone gains access to the locker where you store all things precious, you’re right to want that. 

The digital equivalent is two-factor authentication. Credit card companies offer it as the OTP required to complete a transaction. With your email, it means that if someone attempts to access it from a device you don’t use, you get alerted. I am terribly uncomfortable with this turned off.

Have a password policy: In spite of these precautions, people working to break passwords deploy more computing power and get better at figuring out patterns. That is why Achyut has set a reminder to change his password every few weeks. Click here for elementary tips on creating good passwords.

Update your software regularly: I’d have known 89 passwords were compromised earlier if I had applied the software update provided by Apple earlier. Inertia held me back. But security is a cat-and-mouse game. The onus is on us to stay up to speed.

Lock your screens: Your screens are places where all kinds of information is displayed. At times, I may be at work on something sensitive and I may need to walk away from my device for a while. That is why I have set all my devices to turn the screen off when I’ve been inactive for over two minutes. To turn it on, I need to enter a password. This is something Achyut follows diligently as well.

Cover the camera: He has taped up the camera on his phone and laptop screens and takes the tape off only when doing video calls. The threat of somebody taking charge of your device remotely is very real. This is something I must implement. Microphones are a problem too. And, assistants such as Alexa listening in to everything going on at home… (don’t get me going on that!)

Public Wi-Fi is a no-no: Neither of us accesses free Wi-Fi, including what hotels offer as complimentary. This is because we cannot be sure that the information transmitted across these networks is securely encrypted. If it isn’t, rogue elements can read personally identifiable information. That is why neither of us would ever conduct a banking transaction or access our personal email on a public Wi-Fi network. We’d much rather use our phone as a hotspot.

Be wary of cloud backups: Conventional wisdom has it that we must back up all data. Achyut has often asked me how much data we really need to maintain about our personal and work lives. I think he has a point. That is why he has turned off auto backup on the Windows machine he works on. He has segregated what must be backed up, and maintains all of it in password-protected folders he revisits often. This is because when auto backup is turned on, passwords are stored in nooks and crannies, and even inconsequential data such as logs of WhatsApp conversations gets backed up as plain text files. WhatsApp has a ‘back up your messages’ feature that doesn't use end-to-end encryption. This is one case where automatic backup is not a good idea. These text files, incidentally, are what got leaked to prime-time television, where news anchors read them out while attempting to outdo each other in covering the Sushant Singh Rajput case. 

That is also why you must keep an eye on files you maintain on the cloud—on GDrive, Dropbox, etc. Keep deleting what is unnecessary.  

Control all app permissions granted: Practically every site offers you an option to sign in using your Google, Facebook or LinkedIn credentials. Before doing that though, I look at their privacy policies. If it’s my name, location and age, I’m okay. This is because the law across many geographies mandates that most services must authenticate a user’s age. Anything beyond that, and I begin to get queasy. 

Take credit bill payment apps such as CRED or PhonePe, for instance. While their offer to make life more convenient with reminders and rewards is tempting, they deploy software to read your emails. Their argument is that only the emails that need to be read are read, and only by algorithms, so they can craft a better experience for the user.

But here’s how to think about it: If somebody told you that they’d like to peer through your curtains when you are at home, and that their intent is to understand how you live so they can serve you better and nothing else, would you agree to it? 

Incidentally, I have created a Google ID just so I may subscribe to services whose privacy policies I am uncomfortable with. 

Social engineering: Achyut tells me that as people lose their jobs, the more gullible among them will be drawn into social engineering. Operators in this space like the idea of scale and keep looking for blokes to execute their plans. 

We witnessed a “Deceptive Phishing” attack on a colleague. All the information about him and the people he interacts with was stitched together from his social media profile. A desperate-sounding note was then sent to him, seemingly from one of his friends, asking for funds, which he promptly transferred. It was entirely coincidental that the two of them spoke a little later. 

When our colleague enquired if all was well, he was stunned to learn that all was indeed well and that his friend had not asked for any money. A police complaint was lodged, and the case was cracked. But not everyone gets lucky. If you are keen to know more about social engineering, click here.

Don’t cross all the boxes: Then there are forms that come via email with all the boxes pre-filled for you. Most of them originate from banks and credit card companies seeking consent to add a top-up annual policy for “as little as Rs 2 per day” or to share your data with third-party vendors. Uncheck them. You don’t have to cross all the boxes.

No free lunch

Or beer, if you notice the small print.

How much will you pay for one, if only you can go back to those good old days? Let us know on our Slack channel.

And if you missed previous editions of this newsletter, they’re all archived here.

Bookmark Founding Fuel’s special section on Thriving in Volatile Times. All our stories on how individuals and businesses are responding to the pandemic until now are posted there. 

Warm regards,

Team Founding Fuel 
