Online Security

These days, online security isn’t just a concern for the tech-savvy—it’s a regular worry for everyone. Back in the 2010s, online threats seemed more targeted at people with risky online behaviors like registering credit cards on untrusted sites, clicking on suspicious emails, using common passwords, and sharing security information.

Since then, the landscape has drastically changed. Since I first drafted this note, TicketMaster was hacked, exposing about 500 million records, including 1.3 terabytes of user data with stored credit cards now up for sale. AT&T has reported that every one of its subscribers has been hacked. Breaches at 23andMe, the IMF, and U-Haul, along with the MOAB (“Mother of All Breaches”), which released 14 terabytes of information from Tencent, Weibo, Twitter, MySpace, Wattpad, LinkedIn, Adobe, Canva, MyFitnessPal, and government sites like Alabama.gov, have all occurred in the last 6 months.

Strike 1: Equifax

The 2017 Equifax hack marked a turning point. Hundreds of millions of records were stolen, including sensitive information used to secure accounts, such as old addresses, names of family members, vehicles, credit card numbers, and credit union names. Post-breach, security systems stopped using questions like “Do you recognize this loan?” or “Pick which of these addresses you previously lived at” due to compromised data.

Strike 2: LastPass

The LastPass breach was perhaps the most significant security event affecting technology companies. LastPass was widely trusted for its features, such as auto-prompting and secure vaults that worked across platforms. However, outdated system code allowed a hacker to breach the system, in an intrusion initially thought to be limited to development servers. It was later revealed that almost all protected vaults were compromised. While passwords weren’t directly accessed, metadata stored with them, like ATM PINs in plain text, was exposed.

Multiple attack vectors with AI

Strike 3: Artificial Intelligence

AI’s potential to exploit online information is alarming. An AI could systematically attack multiple endpoints like cloud services, backup email accounts, and old payroll accounts with reused passwords. Imagine receiving a call from your significant other asking for the network router password, only to find your entire life hacked. AI could sample your voice from a years-old YouTube video and use it to breach your security.


Proactive Security Measures

Despite these challenges, there are solutions to protect your digital life. In every security discussion, we address three key questions:

  1. What You Know
  2. Where You Are
  3. What You Have

What You Know

This includes usernames, emails, passwords, passphrases, maiden names, and former addresses—information used to verify your identity on websites. While essential for logging in, this data is also the easiest to steal or mine if stored online.

Where You Are

Geolocation information from your browser, mobile device, network router, and other sources can determine your physical location. Advanced systems maintain a list of ‘known locations’ and flag or challenge new logins from unfamiliar places. This method mostly relies on other types of authentication to resolve a challenge, and it is rarely used on its own to deny access.

What You Have

The most secure information is what you physically possess, often utilized in 2-Factor Authentication (2FA). This can be a text message sent to a registered phone, an authenticator key like a Yubikey, or an authentication app on your smartphone. These methods ensure that only someone with the physical key or device can access your account.

In most cases, “What You Have” provides the most robust security. However, frequent verification can become annoying, leading people to disable extra authentication layers for convenience. For instance, opening an authenticator app every time you log into Gmail can be tedious. Website operators need to improve support for hardware keys, which reduce the number of steps.


My Security Strategy

I recommend using a hardware key—actually, two keys, one as a backup. Additionally, I use the Microsoft Authenticator app as a third method. All of these rely on physical possession of a hardware key or my phone to access an account. My phone is protected by my passcode and facial recognition, so this is a legitimate end-to-end solution.

Yubikey 2factor hardware keys

Setting up 2 Factor Authentication is straightforward. Each site you protect will handle the configuration slightly differently, but the typical path is: you’re asked to scan a QR code, or enter 2 sequences of numbers from an app, or insert your hardware key during the setup. This confirms that you have access to the device. Once 2FA is set up, you’ll be prompted the next time you log in to provide your 2FA key. If this is an app, you’ll open it and enter the 6-digit result code for the site. These change every couple of minutes. If it’s a hardware key, you insert it into a USB port attached to your device, and physically touch a sensor on the key to activate it.

Tip: many sites still don’t offer 2 Factor Authentication. For those sites, I recommend using a service such as PayPal. You can secure your PayPal account with a hardware or software 2 Factor setup, so using this method as your payment method keeps things secure if the website stores your information.

There’s a lot more that we do to secure your websites and manage your online security footprint. For more information don’t hesitate to contact me.