6 Tips for Living a Healthy Digital Life and Avoiding Credential Theft This Holiday Season

Posted by Eran Cohen on Nov 29, 2018 7:51:00 AM
Find me on:

Most of us still dream practical, down to earth, old fashioned dreams. And I’d place a bet that not many people, if any, dream about their credentials being stolen.  Almost all of my memories from the last 15 years or so are stored digitally. The majority of my day to day activity is managed online. My online persona is almost identical to my physical one. I imagine that  many of you are in the same situation.
Phishing

So why don't I dream about my life be taken over, erased on online, encrypted by a malicious actor or my liberty compromised? Not to mention, why am I not overly concerned about my financial assets being managed online?

While in university, I took a popular psychology class and learned that repression is the key to coping with bad things we don’t want to think about. We know we all going to die sometime and repression helps us deal with it. A bit dramatic? Perhaps. You could also quote Thomas Gray and say  “Ignorance is Bliss”-- or, what you don’t know cannot hurt you.

Unfortunately, credential theft is very real and can be quite costly to the victim. I believe that we need to starting thinking about our digital life much like we think about our physical life. In our physical life, we know how to avoid risky and dangerous situations and we know there are actions we can take to improve the quality and length of our life. For example, to stay healthy, we need to regularly exercise, eat right, sleep well, watch our diet and take vitamins.

With our digital lives now so intertwined with our physical one, I think it’s time we look at what we need to regularly do in the digital world to stay healthy. To do this, here are a few quick tips for a healthy digital life.

1. Say Yes to Multi-Factor Authentication

Use your mobile device as an authentication device. Look for software and applications that offer multi-factor authentication. This can help protect your identity, and it’s something you are already somewhat used to. You just need to apply it in other ways. For example we typically use our debit card as first factor then a pin code as second. Today, just about everyone has a personal mobile device on them throughout the dayThis device can be used for second factor authentication purposes. So when you have the opportunity to do a second authentication on your mobile device, turn it on.

You can also consider the use of security keys such as the Titan Security Key or YubiKey (FIDO compliant), which provide additional levels of phishing-resistant two-factor authentication.

2. Look for Scams and Don't Click That Link

Let me tell you about a few wide open secrets, that unfortunately some people still fall for

  1. There is no such thing as losing half of your weight in 7 days while keeping healthy

  2. The IRS will not accept payments for your federal taxes owed with gift cards

  3. A Nigerian prince probably does not need your loan

In other words,  beware of phishing emails.  Phishing remains the predominant method for compromising identity. As a rule of thumb: don’t click and don’t follow links. Even emails that look legitimate can be phishing attempts. For example, I received an email looking like it was from my bank telling me that I needed to update my password and some personal information and to click the link to do so. It looked very legitimate. Had their logo. Spoofed the email. But it was a fake. If you aren’t sure, call the company. Or best, open your browser and manually type the address of the site you want to visit. You should apply this to emails as well: if an email looks funny, carefully check the address, not just the sender name (especially when on your mobile device, which may not display the address by default).

According to the Verizon DBIR 2016 report: “Phishing, as a leading action, provides a number of advantages over many other exploit approaches. The time to compromise can be extremely quick and it provides a mechanism for attackers to target specific people in an organization. And by using a service that is necessary for business communication to the internet, it allows an attacker to bypass many security devices and gain a foothold on an endpoint in the organization from a remote attack.”

3. Embrace Secret Questions

Many online services or applications ask you to add secret questions as a way to further protect your identity. Enjoy the benefit of secret questions and answer them in a way only you can answer them. If you use "easy to guess" questions just to get it over and done with, you put yourself at risk and did nothing.

Try not to pick questions where there could be a variation of answers as this can cause you problems later on. Most people have secrets or things no one else knows about them. It's not a bad thing. Use it. There are some sites that allow users to define the secret question. This is great. Don't be shy mentioning your favorite singer is Diana Ross. No one will guess it about you --  probably not even the hacker. You will be thankful for this, especially in cases of mailbox recovery or if someone tries to bruteforce your account.

4. Be Original

Crossfit is a great example of originality. It mixes things up and constantly challenges you. It just makes sense and it’s an excellent way to exercise and keep healthy.  Be innovative when it come to your first factor or password. Do not use your personal details -- this is really lame and weak. Persistent attackers will be able to figure them out. And if you need a little more persuading, you may want to watch one of my  favorite videos with Jimmy Kimmel on "What is your password."   You may also want to consider using a password manager.

5. Restrain Your Social Media Usage

Have restraint with the data you share in social media channels. Some use it more than others and many share TMI. Yes, simply too much of anything is a bad thing. Use the privacy settings and whenever possible set your profile to private. What's the point of sharing your travel plans and personal information with everyone? Whether online or over the phone, it can be used against you, and it can be dangerous. In 2016,we saw infamous reality star Kim Karadashian become victim to a heist while in Paris for fashion week. Her own tweets and posts telling the world where she was and what she was wearing made her a target for thieves. Always question yourself about what the benefit of sharing the information is. If it is not a must, don’t.  

6. Be Careful with Public Wi-Fi

Be careful in Public WiFi settings where you can easily become victim to a man-in-the-middle attack. Use known hot spots. If you must use a public Wi-Fi, use secured sites and secure email.  

In Summary

Many times credential theft is confused with identity theft. This is just one of the possible outcomes of credential theft. Stolen credentials are typically used to serve 4 main goals:

  • Unauthorized use of an account

  • Taking over identity

  • Fraud

  • Breach

Verizon’s 2017 DBIR report found “81 percent of hacking-related breaches leveraged stolen and/or weak passwords.” Credentials are problematic by definition. We all know that and we all deal with it on a daily basis in today's digital world. On the one hand using strong passwords is good practice and will probably slow down or prevent bruteforce. On the other hand it is useless against types of malware which read password from memory, keylog or running on behalf.

So to maintain a healthy digital life, be sure to use a combination of methods, such as those described above, to help reduce exposure and keep your digital persona safe. Just like our physical life, you can’t just practice living healthy every once in a while. It needs to be practiced daily.

Editor’s note: a version of this post originally appeared Dec 22, 2016

Topics: Credential Compromise