I spend most of my time these days researching the ugliest side of digital life, examining the techniques, tools and practices of cybercriminals to help people better defend themselves against them. It’s not completely different from my days at Ars Technica, but it has given me a greater appreciation for how difficult it is for normal people to stay digitally “safe”.
Even those who consider themselves well-informed about cybercrime and security threats, and who do everything they have been taught to do, can (and do!) end up being victims. The truth is, with enough time, resources, and skill, anything can be hacked.
The key to protecting your digital life is to make it as expensive and impractical as possible for someone hell-bent on stealing the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, chances are they will just move on to an easier target. For that reason, it’s important to assess the ways in which vital information can be stolen or leaked, and to understand the limits to protecting that information.
In the first part of our guide to protecting your digital life, we’ll talk briefly about that process and the basic steps anyone can take to reduce the risks to their devices. In the second part, in a few days, we will address broader digital identity protection measures, along with some special measures for people who may face high risks. But if you are looking for advice on peanut butter sandwich dead drops to transfer data cards anonymously in exchange for cryptocurrency payments … we can’t help you, sorry.
You are not Batman
A while ago, we covered threat modeling, a practice that encompasses part of what is described above. One of the most important aspects of threat modeling is defining your acceptable level of risk.
We do risk level assessments all the time, perhaps unconsciously, such as judging whether it is safe to cross the street. To totally remove the threat of being hit by a car, you would have to build a tunnel underneath or a bridge over the street, or you could completely ban cars. Such measures are excessive for a single person crossing the street when traffic is light, but could be an appropriate risk mitigation when many people need to cross a street, or if the street is essentially a pedestrian mall.
The same goes for modeling threats in your digital life. Unless you’re Batman, with vast reserves of resources, a secret identity to protect from criminals and all members of law enforcement, and life and death consequences if your information is exposed, you don’t need Batman’s safety measures. (Certainly, there are times when you need additional security even if you are not Batman; however, we will discuss those special circumstances in the second half of this guide.)
For those who want to lock things down without logging out and moving to a bunker in New Zealand, the first step is to assess the following:
- What in my digital life can reveal critical information related to my finances, privacy and security?
- What can I do to minimize those risks?
- How much risk reduction effort is commensurate with the risks I face?
- How much effort can I really afford?
Reduce your personal attack surface
The first question above has to do with taking an inventory of the parts of your digital life that could be exploited by a criminal (or an unscrupulous company, employer or similar) for profit at your expense or that could put you in a vulnerable position. A sample list may include your phone and other mobile devices, personal computer, home network, social media accounts, online banking and financial accounts, and your physical identification and credit cards. We are going to cover the first of these here; more will be covered in the second part.
Each of these elements offers an “attack surface”, an opportunity for someone to exploit that component to access your personal data. The amount of attack surface you present depends on many factors, but you can significantly reduce the chances of malicious exploitation of these things with a few basic countermeasures.
Mobile physical threats
Smartphones and tablets carry an important part of our digital identities. They also have a habit of falling outside of our direct physical control by being lost, stolen, or idly picked up by others while we are not attending to them.
Defending against casual attempts to obtain personal data on a smartphone (as opposed to attempts by law enforcement, sophisticated criminals, or state agents) is fairly straightforward.
First, if you are not at home, you should always lock your device before leaving it, no exceptions. Your phone should be locked with the most secure method that you are comfortable with, as long as it is not a 4-digit PIN, which is not exactly useless, but it is definitely adjacent to uselessness. For added security, use a password or passcode that is at least six characters long, preferably more. If you’re using facial recognition or a fingerprint unlock on your phone, this shouldn’t be too inconvenient.
Second, set your device to require a password immediately after it has been locked. Delays mean that someone who snatches your phone can access your data if they wake the screen in time. Also, make sure your device is set to erase its content after no more than 10 incorrect password attempts. This is especially important if you have not set a longer passcode.
Also, back up your phone regularly. The safest way to back up your data if you are concerned about privacy is an encrypted backup on your personal computer; however, most iOS device owners can back up their data to iCloud with the confidence that it is end-to-end encrypted (as long as they have iOS 13 or later). Your mileage will vary with different Android implementations and backup apps.
Similarly, make sure you have installed the latest version of the phone’s operating system available to prevent someone from exploiting known security bypasses. For iOS, this is generally simple: when your device prompts you to update, do it. The update situation on Android is somewhat more complicated, but the same general advice is valid: update as soon as possible, always. (There is a school of thought that says you should hold off on the latest updates until their bugs have been resolved, but following that advice will put you in a position where your device could have exploitable vulnerabilities. You can mitigate those vulnerabilities by updating.)