Personal Online security

A set of practices to adopt in India to protect yourself from unbridled digital enthusiasm of corporates.

Vivek Venugopalan
13 min read · Nov 28, 2019
Red pill or Blue pill is the question..

Do you know that if you have a smartphone with a data connection, you have a digital identity in today's world? That is the good part. Now it is in your best interest to protect and safeguard this digital identity the way we protect our real-life identity.

I thought it was worth our time to look not only at how each of us is inextricably intertwined in this digital web but, more importantly, at how we can protect ourselves from the new risks out there.

Why is this important?

Your online presence allows you to do a lot of things: express yourself on the internet via blogs and social media, keep in touch with friends and family via WhatsApp, Skype etc., and take care of your financial transactions through banking apps, mutual fund apps and trading apps.

Now imagine your social media or WhatsApp account is compromised, i.e. a prankster posts content on your behalf; you end up losing your reputation with your friends and family. Now imagine your banking app or website account is hacked; the resulting financial loss could be enormous.

We should practise good personal security habits for our digital identities in this new digital era.

Won’t the Bank/Some Authority protect me?

The answer is that they do, in two ways. First, they set up various barriers to accessing your account (bank or social media), so that when they see suspicious activity they pose an additional challenge before granting access. You typically see this when you access your bank account from a new computer and it prompts you for an additional password, your mother's maiden name, or a code sent to your phone before letting you in.

The second method is that they limit your liability for a loss (specifically a financial one) as long as the issue is reported promptly. For example, card issuers limit your loss if you call in and report a stolen credit card as soon as possible.

While these protections exist, the onus of protecting one's digital accounts ultimately rests on ourselves.

What do you secure?

Your collective set of online accounts across email, social media, banks, mutual funds and other such entities should be secured. The way you access them should be secured, as should the medium you use to access them. In this section we will discuss these three key areas, namely the accounts themselves, the touchpoints you use to access them, and the network connection in between.

Digital Accounts

Identify your digital footprint. Typically this would include:

  • Bank logins
  • mutual funds
  • trading accounts
  • email accounts
  • social media accounts
  • Mobile Wallets

This list has to be comprehensive for two reasons. An account that you don't use any more still represents you, and it is still connected to your friends, a few of whom will still be active on that platform. Those friends don't know that you stopped using it. If such a dormant account is hacked and your friends receive a message from "you" asking for urgent help or money, they may well respond.

The second reason is that for financial accounts, dormancy is now both a compliance risk for the customer (you) and a revenue-generating mechanism for banks and other financial institutions. A dormant account may be frozen or closed for non-compliance (PAN update, KYC and so on), and may also attract a small recurring "dormancy" charge that amounts to death by a thousand cuts.

A good place to start this identification process for financial accounts is the consolidated account statement (eCAS) provided by NSDL/CDSL. This is a comprehensive report of all your portfolio holdings, consolidated by your PAN and email address.

Touchpoints

The second thing to secure is your touchpoints to these accounts, i.e. the places from which you access them to perform day-to-day transactions. Typically these are a mobile device, a website, a phone call and in-person visits. We will discuss in detail how to secure each touchpoint.

The Network

The third aspect to secure is the connection between the touchpoint and the account, i.e. the network path from your device to the provider's servers. While this is not really in our control, we should at least be careful about which networks we use and be aware of the risk of performing certain transactions on certain networks.

Common Concepts in security

Let us familiarise ourselves with the techniques that websites, mobile apps and companies typically employ today to protect our accounts.

Passwords and password managers

The first line of defence for everything today is the password. Suffice it to say, the worst passwords are:

  1. Spouse and children names (your pet names for them!)
  2. An important date such as birthdays
  3. Another family member’s name
  4. Your birthplace
  5. The word “password” or what the IT guys think is secure “password123”

If you think for a minute from the point of view of an attacker, most of this data is readily available (google for an Indian baby names list) and can be loaded into a database of candidates to try very quickly. Digits are inherently weak: each position has only 10 possibilities compared with 26 for letters (52 with both cases), so an all-digit password such as a birthday is far faster to crack.

Passwords made from dictionary words have the same failing: it is easy enough to load an entire dictionary and use it to crack your password.

So what truly works is a random combination of letters and digits with a few special characters (!@#$%…) thrown in. Those are not vulnerable to these standard attacks. If you still believe that your password is unique, the Have I Been Pwned "Pwned Passwords" page will tell you whether it has already appeared in a known breach and how many times. Note that it reports only the count of breach occurrences, not which sites or which other people used it. The check works on a partial hash of the password (only the first five characters of its SHA-1 hash leave your browser), so the site never sees the password itself; even so, treat any password that has been typed into a third-party site as one to change rather than keep.
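The two attacks above and the Pwned Passwords check, as an added example (this is not code from the original article). The range lookup is the real k-anonymity protocol the Pwned Passwords API uses (client sends the first five hex characters of the SHA-1, server returns every breached suffix under that prefix, client matches locally), but the "server" here is a constructed stand-in with made-up counts, and the names list is a five-entry placeholder for the scraped lists a cracker would really use.

```python
import hashlib
import re
import urllib.request

# Real endpoint of the Pwned Passwords range API; only the 5-character hash
# prefix is ever sent, never the password. Not called in this offline example.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API (not real HIBP data): maps a hash prefix to
# the text body the API returns, one "SUFFIX:COUNT" line per breached hash.
FAKE_RANGE_SERVER = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"  # SHA-1 suffix of "password"
        "0FD2F7E7E6F2B9C0D4A1B3E5C7D9F1A3B5C:2\n"         # constructed filler
        "A1B2C3D4E5F60718293A4B5C6D7E8F90123:17\n"        # constructed filler
    ),
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (prefix, suffix): the first 5 hex chars go to the server, the
    remaining 35 stay on the client. That split is the k-anonymity trick."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for an HTTP GET of HIBP_RANGE_URL + prefix."""
    return FAKE_RANGE_SERVER.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real network fetch (not used here); same contract as fake_fetch_range."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Number of times the password appeared in known breaches (0 = not found).
    The server learns only the prefix, which covers hundreds of hashes, so it
    cannot tell which password was checked."""
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for a scraped names list (the "Indian baby names"
# attack above); a real cracker would load tens of thousands of names.
SAMPLE_NAMES = {"priya", "rahul", "anjali", "arjun", "vivek"}
DDMMYYYY = re.compile(r"^(0[1-9]|[12][0-9]|3[01])(0[1-9]|1[0-2])(19|20)[0-9]{2}$")


def looks_guessable(password: str, names=SAMPLE_NAMES) -> bool:
    """Cheap check for the patterns listed above: a name padded with digits or
    symbols, a DDMMYYYY date of birth, or 'password' with a suffix."""
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in names or letters_only == "password":
        return True
    return bool(DDMMYYYY.match(password))


if __name__ == "__main__":
    for pw in ("password", "Rahul@123", "28111990", "hocg04s#ujt935wq6rn72vyi!x"):
        print(f"{pw!r}: guessable={looks_guessable(pw)} breaches={pwned_count(pw)}")
```

Swap `live_fetch_range` in for `fake_fetch_range` to query the real service; either way, the password string itself never leaves `pwned_count`.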

If you are with me so far, the problem is how do you remember a password that looks like hocg04s#ujt935wq6rn72vyi!x ?

That's where password managers come into play!

Password managers

Imagine an app on your phone that safely stores all your important passwords and PINs, sits quietly in the background and, whenever a screen appears that requires a user ID, password or PIN, auto-fills the details and magically logs you in!

The password manager at work on my android phone

As you can see in the picture above, the password manager in my phone is helping me fill in the password for a new Wifi connection from its database.

A password manager allows you to manage all your passwords in one place. It keeps them in an encrypted container (a "vault") protected by ONE master password, which is the only one you have to remember. The vault is encrypted with a modern, well-studied algorithm (typically AES-256) using a key derived from the master password, so there is no practical attack on the vault short of guessing the master password. That is exactly why the master password must be strong.

Additional advantages of a password manager are

  • Your password for every site you have used in the past is instantly available
  • Your passwords are easily accessible on all the devices you use. Your phone, your tablet and your laptop
  • It can also generate extremely complex random passwords (like our old friend hocg04s#ujt935wq6rn72vyi!x) and keep them secure for you, so your accounts have passwords that are infeasible to guess.
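What the generator and the master password actually do, as an added example (not code from the original article or from any particular product): passwords are drawn from the operating system's cryptographic random source, the search space is expressed in bits so a 24-character random password can be compared with an 8-digit birthday, and the master password is stretched into a vault key with PBKDF2-HMAC-SHA256. PBKDF2 is an assumed stand-in here; real managers use it or a similar slow, salted key-derivation function.

```python
import hashlib
import math
import secrets
import string

# Generator alphabet: upper, lower, digits and a dozen symbols (74 characters).
SYMBOLS = "!@#$%^&*()-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG (secrets, never
    random.choice), so there is no name, date or word pattern to exploit."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random password, in bits: log2(N ** L)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 256-bit vault key with
    PBKDF2-HMAC-SHA256. The deliberately slow iteration count makes every guess
    at the master password expensive; the random salt makes precomputed tables
    useless. Assumed stand-in for a real manager's key-derivation function."""
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    print(f"8-digit birthday: {entropy_bits(8, 10):.1f} bits")
    salt = secrets.token_bytes(16)          # stored alongside the vault, not secret
    print(derive_vault_key("correct horse battery staple", salt).hex())
```

The numbers make the point: 24 random characters from this alphabet give about 149 bits, an 8-digit birthday under 27 bits, and the two differ by a factor of roughly 2^122 in the work an attacker must do.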

There are several popular password managers available. There are also products specific to one platform (Apple or Google). I would recommend picking a product that is cross-platform.

Two-factor authentication (2FA)

[Image: a hardware 2FA token. Photo by Brian Ronald, CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]

Two-factor authentication simply means requiring two independent proofs of identity (factors) for a single account. The trick is that the factors are of different types: "what we know" and "what we have".

  • What we know: the first factor is the password we use regularly.
  • What we have: the extra security, a software app or a device that we carry with us. Traditionally it was a small keychain-like device (as shown in the picture) that displays a short code that changes every few seconds; today the smartphone has replaced this device with an app.

To log in we need both factors, so even if our password is compromised in some way, the attacker cannot get into the account, as she/he won't have access to the second factor, i.e. "what we have".
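How the app (or the keychain token) and the website agree on the same six-digit code without ever talking to each other, as an added example (not code from the original article): both sides hold a shared secret enrolled from the QR code, and the code is HMAC-SHA1 of the current 30-second time slot (RFC 6238 TOTP, built on RFC 4226 HOTP). The secret and time values below are the published test vectors from those RFCs; the clock-drift window and constant-time comparison in `verify_totp` are what a careful server side does.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890") and its
# base32 form, which is what an authenticator app stores from the QR code.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC the 8-byte big-endian counter, take a
    4-byte slice at the offset given by the low nibble of the last byte, drop
    the sign bit, and keep the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = unix_time // step, so the
    phone and the server derive the same code from the clock alone."""
    return hotp(key, int(unix_time) // step, digits, digestmod)


def decode_base32_secret(secret: str) -> bytes:
    """Apps show the shared secret as base32, often lowercase, spaced and
    without '=' padding; normalise before decoding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the current step and `window` steps either side to
    tolerate clock drift, comparing in constant time to avoid timing leaks."""
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_base32_secret(RFC_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("code for this 30 s window:", code, "verifies:", verify_totp(key, code, now))
```

Because the secret never leaves the phone or the server after enrolment, a phished password alone is useless; an attacker needs the secret (or the phone) to produce the next code.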

Enabling 2FA for your accounts

As a first step you will require a 2FA app on your phone. A very popular one is Authy. Once you have installed the app, follow its instructions for popular platforms such as Facebook, Google, Instagram and Twitter.

OTP based 2FA

Indian financial systems have adopted 2FA in a slightly different fashion. When you log in to a banking site (or authorise a transaction), you are sent an SMS with a unique code, a one-time password (OTP), that is valid for a short period. This code must be entered into the app or site to obtain access. Here the "what you have" is your phone and the SMS it receives.

The risk in the OTP-based approach is that while the "what you have" is supposed to be the phone, it is technically the SIM card (more precisely, your mobile number as registered with the operator) that controls where the SMS is delivered. So if an attacker can get a replacement SIM issued for your number (a SIM swap) or otherwise copy it, he receives your OTPs; any app on your phone with permission to read SMS can see them too. SIM-swap fraud is a reality, but SMS OTP is still far better than having no second factor at all.

Backup codes during 2FA configuration

When you enable 2FA for accounts like Google or Facebook, they provide a set of "backup codes". These are the equivalent of emergency passwords that you can use to get into your account if your phone is dead or lost, or your 2FA app is not working. Keep these backup codes securely offline (printed, or in your password manager) and use them only in emergencies.

Securing Digital Accounts

Let us explore some of the practices we can adopt to secure our digital accounts.

Secure your Passwords and PINs

Use a password manager and store your passwords and PINs in it. Use a strong master password, so that you know your vault is secure. Traditional advice is to change account passwords every three months or so; current guidance (NIST SP 800-63B) is that a unique, random password only needs changing when there is reason to believe it has been exposed, for example after a breach notification. Either way, with a password manager changing a password is dead simple.

Enable Two Factor

2FA should be enabled as a second layer of protection on every account that supports it. The easiest way to find out is to search for "<your favourite site> 2FA", for example "yahoo 2FA". Follow the instructions for that provider and enable it.

Additional Security “Features”

Mother's maiden name: this really should not be your mother's maiden name! Use your password manager to create a random answer and store it as another password field. The same rule applies to every other such "security question", such as your first car or first house; the true answers are often discoverable from social media.

Get notified when your accounts are hacked

Register your email addresses for real-time breach alerts with a service such as Have I Been Pwned or Firefox Monitor. These sites email you when your address turns up in a newly disclosed breach, along with a recommendation of what to do (typically: change that password and any account reusing it).

Use a separate email for financial accounts

Having a separate email address for your financial accounts lets you receive all your financial statements in one place instead of your regular inbox. This reduces clutter and also reduces that address's exposure: because it is not published on social media or used for everyday sign-ups, it is less likely to be phished or to appear in breach dumps.

Have a separate phone + number for OTP

A smartphone with a million apps that have permission to read all your SMS is a security risk. If you can use a simple feature phone to receive bank SMS and OTP SMS, that is the safest option. Given that UPI-based services are tied to the SIM and require a smartphone, this may not be viable for people using UPI. Otherwise this would be the way to go.

Touchpoint Security

While we secure our digital accounts, we also have to secure the tools we use to access them, i.e. phones, tablets, laptops and possibly even public internet kiosks! We will collectively call these devices "touchpoints" and discuss how to secure them.

Smartphone Security

The key goal is to protect your smartphone so that you can use it as a trusted device for online transactions.

  1. Add a screen lock with a strong passcode and a short auto-lock timeout. This prevents the phone from being misused when stolen. Fingerprint or pattern unlock is less secure than a long passcode, and the passcode remains the fallback anyway, so keep it strong even if you use biometrics for convenience.
  2. Turn off Bluetooth when you are not using it. This prevents bluejacking of your phone and reduces its attack surface.
  3. Remove any unused or unnecessary (bloatware) apps from your phone. Even apps that are not actively used retain access to the data on your phone (call records, text messages, photos, documents etc.) according to the permissions granted at installation.
  4. Disable location tagging in the camera. Adding location data to pictures, while a nice feature, can reveal your home location and address when those photos find their way onto social media.
  5. Restrict apps from asking for unrelated permissions. I had an image scanner app that wanted "microphone" permission and "make phone calls" permission! Go back into the permissions screen and disable specific permissions for such apps.
  6. Do not trust apps that ask for "Device Administrator" privileges. That gives the app an extremely deep level of access; unless it is really warranted, never allow it. Also be suspicious of apps that ask for "Accessibility services": these let an app read whatever is on screen and tap on your behalf, which is exactly what Android banking malware abuses to capture credentials and approve transactions. These rules are for Android phones; iOS has its own equivalents.
  7. Review the source of an app before installing it. There have been scams where slight variations of popular apps are uploaded to the Play Store and show up when you search for the original. Before installing a new financial or banking app, verify (by checking the developer/company information, and ideally following the link from the bank's own website) that the app is from the right source.
  8. Never use Rooted Phones unless you have a PhD in computer science and work in mobile security!
  9. Protecting your smartphone is very model-specific, so search for instructions that apply to your phone model.
  10. Finally, to manage a lost device, enable the "Find My Device" service, which lets you locate the device and, more importantly, wipe all the data on it if it is lost! Phones are easier to replace than your myriad digital identities!

Laptop/Desktop Security

Using a laptop or desktop requires a more elaborate set of security measures than a phone, since there are more ways to attack a computer.

  1. If you are using Windows, a good, up-to-date antivirus is a must (the built-in Windows Defender counts, provided it is kept updated). Windows is the most widely targeted desktop platform and has the largest volume of malware written for it, so strong protection is essential.
  2. Disable unnecessary browser plugins and extensions. Depending on the permissions they were granted, they can read what you type on a web page, including passwords. So turn off everything you don't actively need.
  3. Use a separate browser for financial transactions: say Chrome for your regular browsing and Firefox for financial transactions, so that if your main browser picks up a malicious extension it cannot affect your financial sessions. If a separate browser sounds infeasible, use Firefox and take a look at Firefox Multi-Account Containers, a feature that isolates cookies and site data between containers. If you create separate containers for sensitive websites, other sites you visit cannot see their cookies or logins. Note that containers do not protect against a malicious extension, which sees every container; only a separate browser (or browser profile) does.
  4. Take any security warning from your browser seriously. There is a detailed article on Mozilla's site that helps explain these warnings. The best advice I can offer is that if you get a certificate (TLS/SSL) warning about a site, avoid using it until the issue is fixed; on a public network such a warning may mean someone is intercepting the connection.
  5. Avoid computers that run keyloggers: a keylogger is software that records every keystroke on a computer, including user IDs and passwords. Some corporates use keyloggers or similar monitoring as part of their audit and compliance policy. If you know a computer is monitored this way, avoid using it for personal accounts. Also check that your own computer does not have a keylogger on it.

Public Internet kiosks

Simple advice on internet kiosks: don't use them! There are enough potential risks associated with a public internet kiosk that it can't be used for any serious activity.

Network security

  1. Avoid public Wi-Fi: avoid free public Wi-Fi and use mobile data whenever you can. Your mobile data connection is provided by your cellular network and encrypted over the air, while an open public Wi-Fi network lets anyone nearby observe or tamper with unencrypted traffic, or set up a look-alike access point. Ideally you shouldn't use a public network for any sensitive operation. If you really have to, use a VPN over it to secure the connection.
  2. Secure your home Wi-Fi: change your router's default admin password if you haven't already. Home routers ship with a default user ID/password that can be found by searching the internet for the model. Log in to your router and change the default admin password to something strong; while you are there, make sure the Wi-Fi itself uses WPA2 or WPA3 with a strong passphrase and apply any firmware updates from the manufacturer.

Conclusion

Security of any form is not easy. It adds complexity to what we do (who wants to remember passwords with one uppercase, one lowercase and so on?) and it imposes a set of tasks and extra work that can wear us down; every time you walk through airport security and have to take off your shoes and belt, you experience an example.

As the world moves towards a digital future, we have to learn new concepts (2FA, OTP), follow a new set of processes (password management) and learn new tools (password managers) to protect ourselves in this brave new world. There is no easy way to address this beyond updating ourselves. I hope this article has served its purpose of giving you a set of tools and techniques to protect yourself.
