A record number of people have been shopping online this holiday season. The holidays are a time when people increasingly communicate with family and friends with always-connected devices. NPR has published a recent article referencing Mozilla’s “Privacy Not Included” guide, which reviews Internet-connected products based on the privacy features they provide. We recommend you read the article and check out the guide before you buy that newest must-have gift for friends and family.
We continue to make rapid advances in technology and we are spending more and more of our time online performing tasks that used to chain us to our computers at home. While we experience the freedom and increased productivity this brings, we need to be aware that we are increasingly exposing ourselves to possible attack over the internet. With much more powerful cell phones than even a decade ago, it’s become commonplace for most of us to bank and pay bills online, communicate with family, check our email, read news, and frequent social media sites.
It used to be that you only had to worry about security on your home network, but those times are long gone. Before we had faster cellular data speeds like 3G and 4G, users had to rely on public Wi-Fi. It used to be you’d have to go to a coffee shop or a hotel to find reliable(ish) Wi-Fi, but now you can hop on at most restaurants, retail stores, and even some outdoor public places. Most people don’t question connecting to these networks and don’t think about the digital trail they leave behind. Since we are doing so much more of our business––both personal and professional––on the go, how do we secure ourselves from malicious actors?
One of the easiest ways to enhance our personal network security, short of not jumping on public Wi-Fi at all, is to use a virtual private network, or VPN. Think of a VPN like a tunnel on the information superhighway, to use an old term. Using a VPN puts your data inside that tunnel so that nobody can see it, with the possible exception of the VPN provider (often your data is encrypted from the VPN provider as well). If, for example, you’re on a public network and someone were able to hijack the network and see all of the traffic, your activity would not be seen by the hacker because everything you send and receive through a VPN is in an encrypted tunnel.
Many online banking services and other activities of a more sensitive nature use HTTPS security on their sites, which does encrypt activity between you and the website, but a hacker could still monitor what sites you are visiting even if they couldn’t see what data you are transmitting. More websites are using HTTPS, but it’s still a good idea to use a VPN in addition to secure browsing. A VPN hides and encrypts all network data traffic, not just web browsing.
There are free options when choosing a VPN, but you want to make sure the app you use is from a company you trust. Paid VPN apps exist as well; one app that is particularly easy to set up and use is Encrypt.me, formerly Cloak VPN. Setup is fairly straightforward; you can use it on multiple devices (e.g., phones, desktops, laptops) with one subscription, and you can set the app up to automatically connect to untrusted networks and add any trusted networks, like your home network or a friend’s house, to a list of networks that the app can ignore. The app has different tiers and pricing depending on your needs; you can even purchase a week- or month-long pass for trips.
No matter which VPN you choose (there are many!), make sure that you do your homework and read many reviews until you know you can trust the provider and that the app is easy for you to use. You can almost always try the app out for a trial period to see how you like it and see if it suits your needs.
I like to think of myself as pretty up to speed when it comes to online security. I use a VPN, don’t conduct any banking or other sensitive transactions on public Wi-Fi, use two-factor authentication whenever I can, and I use a password manager. In spite of all the precautions I take, my information is still vulnerable. Why? Because companies sometimes don’t do a very good job of securing users’ data.
I found this out firsthand last week. I am a casual gamer (mostly console), and I received an email from a gaming company I have an account with stating that my account had been temporarily locked due to too many unsuccessful login attempts. I immediately started doing a mental inventory in my head: what, if any, banking accounts I have connected to my login (none, yay!); was the company recently a victim of hacking (yes, ugh); was my password compromised (no, just email addresses according to a report in March); should I look at any other of my 100+ accounts (probably not, since this seems to be a targeted hack at the company).
After a brief minute or so of reflection on the frailty of man’s existence in this cold, cold world, I decided that I needed to log in once my account was unlocked, change my password, and enable two-factor authentication on the account, a feature that I was unaware they had until recently.
After doing some house cleaning, I was good to go.
So, what lessons can the not-as-paranoid learn from this? As a consumer of the Internet, you need to assume that you will get hacked sometime in the future. Count on it. Once you start from that perspective, there are a few key things you want to do, and these are by no means all inclusive:
- Enable two-factor authentication on any account you can. Google, Apple, Facebook, and others provide this as an added security feature. With it, a hacker must have access to your computer, phone, secondary email address, or authenticator app in order to log in to your accounts. Using email and a password isn’t enough.
- Use strong passwords, change them regularly, and don’t use the same passwords for multiple accounts. PLEASE don’t use any permutation of “password”, 12345, ilikesportz, nothingcompares2. Use alphanumeric passwords that have a combination of uppercase and lowercase letters, numbers, and a special character. Keep in mind that not all sites have stringent password requirements, so you need to assume responsibility for your password’s security. Using a password manager like 1Password is an excellent way to create and store unique passwords (Remember my 100+ accounts? I use 1Password to help me remember all of those lovely strings of gibberish that I call my passwords).
- Refrain from using actual personal information in your secret questions. Hackers often will try to scrub social media accounts to obtain this kind of information. The less truthful your answers, the better. I tend to use nonsense answers like “Chalupa” when asked “What’s the middle name of your first child?” or “Burkina Faso” when asked “What is your mother’s maiden name?”. Nobody is going to guess that. Again, a reputable password manager is a great way to keep notes on these kinds of things.
Security online is becoming more and more important as we give companies increasing access to our data. Don’t assume that companies are keeping your usernames and passwords safe; security is a moving target and companies are often unwilling to spend what is necessary to be proactive. Taking a few extra minutes to better secure your information will save you a lot of headaches in the future.