A client recently sent me an email asking about online privacy and security, so I’ve put together a list of my security recommendations. I want to point out that this is not an all-or-nothing thing. Don’t feel overwhelmed by this list and decide to make no changes: even if you adopt only some of these suggestions, you’ll still be improving your overall security.
Online account security
- Use strong passwords (see the above xkcd comic). I use keyboard patterns as passwords rather than words or phrases, which lets me rely on muscle memory (less fallible, I’ve found).
- If you have to share credentials with someone, send the password separately from the username (preferably over a different medium so that they don’t share context).
- Answer security questions with made-up answers that are meaningful only to you (e.g. never use your maiden name or your mother’s maiden name; you’re not the only person who knows those answers).
- Your email password and each of your banking passwords should be unique, with none of them reused for another account. That way, if one account is hacked, the hacker doesn’t have the keys to the rest of your kingdom.
- If you get a suspicious email, hover over links before you click them to see where they actually lead. If a link points to an IP address, an .exe file, or a site that doesn’t seem relevant to the email, don’t click it. Better still, if the email seems suspicious to you at all, don’t click on anything; just delete or junk it. Also check the sender’s email address, not just the sender name.
- Always be suspicious of attachments, even from contacts you know (they may have been hacked).
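The link and sender checks from the suspicious-email advice above, written out as a small Python helper. This is an added example, not code from the original post; the sample header and links are constructed, and the executable-suffix list and the address-like pattern are my own simple assumptions.

```python
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# File types a legitimate notice would rarely link to directly (assumed list)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".js")
# Display text that itself looks like a web address (simple assumed pattern)
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def link_warnings(href, display_text):
    """Reasons to distrust one link: its real target versus what the email shows."""
    warnings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    try:  # the target is a bare IP address rather than a named site
        ipaddress.ip_address(host)
        warnings.append("link target is a bare IP address")
    except ValueError:
        pass
    if url.path.lower().endswith(EXECUTABLE_SUFFIXES):
        warnings.append("link downloads an executable file")
    if url.scheme != "https":
        warnings.append("link is not https")
    shown = URL_LIKE.match(display_text.strip())
    if shown and shown.group(1).lower() != host:  # text names one site, link goes to another
        warnings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return warnings


def sender_warnings(from_header):
    """Check the actual sender address, not just the friendly display name."""
    name, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address is missing or malformed"]
    domain = address.rsplit("@", 1)[1].lower()
    claimed = re.search(r"@([a-z0-9.-]+)", name, re.I)  # display name that looks like an address
    if claimed and claimed.group(1).lower() != domain:
        return [f"display name claims {claimed.group(1)} but mail is from {domain}"]
    return []


if __name__ == "__main__":
    # Constructed sample message, not taken from any real email
    header = '"support@yourbank.com" <alerts@mail-verify.example.net>'
    links = [("http://198.51.100.7/update/invoice.exe", "www.yourbank.com"),
             ("https://www.yourbank.com/help", "Help centre")]
    print("sender:", sender_warnings(header))
    for href, text in links:
        print(href, "->", link_warnings(href, text))
```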
Safe browsing habits
- Never type your credit card information into a page that is not loaded over https. Before you enter your card details, you should see a lock icon, blue or green highlighting in your address bar, or something to that effect.
- When making an online purchase, try to use PayPal, Google Wallet, or Amazon Payments wherever possible. They really are safer.
- Discover used to offer a free service that allows you to generate one-time-use card numbers tied to your account for use online at retailers you may not fully trust with your credit card information. The beauty of this is that if the generated card number is stolen and the thief attempts to use it, the transaction will be automatically declined. If your credit card company offers a service like this, use it!
- If you can’t use any of those three payment obfuscators and must use your credit card, do not allow the site to store your credit card information for future uses.
- Don’t use old versions of Internet Explorer. Period. As of this writing, IE 11 is the most recent version, and if you’re not running it you’re leaving yourself open. The same is true of the other browsers, but IE is the most glaring case.
- You should have antivirus and anti-malware software installed and scanning regularly; the free versions of Avast, Comodo, etc. are sufficient. I’m not a fan of Norton or McAfee (they behave weirdly, like viruses themselves: in some cases they won’t let you uninstall), but use them if you like them.
- Contrary to popular belief, a firewall is not required for your personal PC, since it is unlikely that you personally will be the target of a brute-force attempt to access your computer. Malicious people will try to infect your computer in a way that takes less effort on their part: by tricking you into infecting yourself somehow. Brute-forcing their way into your computer is not efficient.
- Monitor your credit card and bank statements for unfamiliar activity. If your card was stolen, don’t rely on the credit card company to detect the fraud. You’re the best person to know if you made that transaction or not.
- If you ever have the option to enable two-step authentication or enhanced security for a particularly important account (banking, email), do it. Two-step authentication means that you will need to provide not just a password, but some other form of identification as well, such as typing in a verification code that is texted to you. It’s more hassle, but it’s worth it. If you have a Google account at all, go do this now.
- Don’t install Java unless you absolutely have to.
- Keep your computer and all installed software patched and updated. I recently started using Secunia for this purpose, and I really like it so far. It’s like Windows Update but for all your software, not just Microsoft products, and it operates silently in the background as much as possible.
Of course, this is not an exhaustive list. What security measures do you follow in your daily online life?