Online Security

In today’s digital age, online security isn’t just a concern for the tech-savvy—it’s a daily worry for everyone. Back in 2017, online threats seemed more targeted at people with risky behaviors like registering credit cards on untrusted sites, clicking on suspicious emails, using common passwords, and sharing security information.

Since then, the landscape has drastically changed. Since this note was first drafted, TicketMaster was hacked, exposing about 500 million records, including 1.3 terabytes of user data with stored credit cards now up for sale.

Strike 1: Equifax

The 2017 Equifax hack marked a turning point. Hundreds of millions of records were stolen, including sensitive information used to secure accounts, such as old addresses, names of family members, vehicles, credit card numbers, and credit union names. Post-breach, security systems stopped using questions like “Do you recognize this loan?” or “Pick which of these addresses you previously lived at” due to compromised data.

Strike 2: LastPass

The LastPass breach was perhaps the most significant security event affecting technology companies. LastPass was widely trusted for its features, such as auto-prompting and secure vaults that worked across platforms. However, outdated system code allowed a hacker to breach the system, initially thought to be limited to development servers. It was later revealed that almost all protected vaults were compromised. While passwords weren’t directly accessed, metadata stored with them, like ATM PINs in plain text, were exposed.

Multiple attach vectors with AI

Strike 3: Artificial Intelligence

AI’s potential to exploit online information is alarming. An AI could systematically attack multiple endpoints like cloud services, backup email accounts, and old payroll accounts with reused passwords. Imagine receiving a call from your significant other asking for the network router password, only to find your entire life hacked. AI could sample your voice from a years-old YouTube video and use it to breach your security.

Proactive Security Measures

Despite these challenges, there are solutions to protect your digital life. In every security discussion, we address three key questions:

  1. What You Know
  2. Where You Are
  3. What You Have

What You Know

This includes usernames, emails, passwords, passphrases, maiden names, and former addresses—information used to verify your identity on websites. While essential for logging in, this data is also the easiest to steal if stored online.

Where You Are

Geolocation information from your browser, mobile device, network router, and other sources can determine your physical location. Advanced systems maintain a list of ‘known locations’ and flag or challenge new logins from unfamiliar places. Though mostly reliant on other types of authentication, this method is rarely used to deny access.

What You Have

The most secure information is what you physically possess, often utilized in 2-Factor Authentication (2FA). This can be a text message sent to a registered phone, an authenticator key like a Yubikey, or an authentication app on your smartphone. These methods ensure that only someone with the physical key or device can access your account.

In most cases, “What You Have” provides the most robust security. However, frequent verification can become annoying, leading people to disable extra authentication layers for convenience. For instance, opening an authenticator app every time you log into Gmail can be tedious. Web site operators need to improve support for hardware keys, which reduces the number of steps.

My Security Strategy

I recommend using a hardware key—actually, two keys, one as a backup. Additionally, I use the Microsoft Authenticator app as a third method. All these rely on physical possession of a hardware key or my phone to access an account. My phone is protected by my passcode and facial recognition, so this is a legitimate end to end solution.

Yubikey 2factor hardware keys

Tip: many sites still don’t offer 2 Factor Authentication. For those sites, I recommend using a service such as PayPal. You can secure your PayPal account with a hardware or software 2 Factor setup, so using this method as your payment method keeps things secure if the website stores your information.

There’s a lot more that we do to secure your websites and manage your online security footprint. For more information don’t hesitate to contact me.

Update 5/29/2024