Guidelines for Protecting Your Online Identity

In mobile applications and websites you often have to log in to access personalized content and private data. This authentication process consists in proving that “you are yourself” and thus granting you unrestricted access your online identity.

Why you are at risk

Bad actors will attempt to compromise your online identity for profit in various ways: performing fraudulent financial transactions on your behalf, selling your private data, or using your legitimate online profile to boost their engagement numbers on online platforms.

Types of attack profiles

You should consider two kinds of attack profiles: targeted and non-targeted attacks:

• Targeted attacks attempt to compromise your identity in particular, attackers may collect all available information about you, and will probe every vulnerability to compromise your online accounts.

• Non-targeted attacks attempt to cast a wide net, leveraging that over a significant large number of people, at least some of them will present a vulnerability they are exploiting, or won't be careful enough to avoid a deception attempt.

Common online identity attacks

Let's learn what some of these attacks look like:

• Attacking common passwords -- Attackers may attempt to log in to your online account using weak and common passwords such as: number sequences, your birth year, common dictionary words, or a combination of the items mentioned.

• Using compromised passwords to target other identities -- Over the years, various online systems fall victim to data breaches, leaking their users' email and passwords, which are then sold online in gray markets for other bad actors. Since it is common for people to reuse password across services, this attack consists in attempting to log into various services that you may be signed up to using a known leaked password.

• Phishing -- Attackers may attempt to impersonate brands or people that you trust, most likely impairing a sense of urgency, and ultimately attempting to deceive you to unknowingly surrender your password or credentials to the attacker.

What you should do about it?

1. Password etiquette

• Use machine-generated random passwords -- Your modern device has trusted hardware to generate strong and safe passwords. Use a on-device application to generate passwords that you may use. Here's one example I've implemented for my own use: https://breder.org/pass.

• Use unique passwords per service -- Given that over time at least one service that you use will suffer a data leak, it isn't sufficient to rely on a single strong password. Each password must be unique per service that you use, so that a single data break won't expose all of your online identities.

• At the very least, have a unique secure password for your email and bank -- Having access to your email would allow an attacker to reset almost any other online account in a few steps through “forgot my password” flows, so make sure that your email account is highly secured. Fraudulent financial transaction can often be costly and painful to reverse, so secure your online banking credentials as well.

2. Device hygiene

• Only install and run trusted software on your computer -- Don't run pirated computer software, as it may exfiltrate your personal data and credentials to bad actors or compromise your device in subtle ways. Prefer instead free offerings and/or open-source applications, or consider purchasing the genuine product instead. Also always download the software from the first-party website and not from any software aggregator, as the latter often also installs undesired adware.

• Don't trust or log in in PC or phones you don't own -- Shared devices may be unknowingly compromised by any person that may have had the access to the device.

• Keep your software and operating system up to date -- There is a constant battle in online security to exploit and patch software flaws. Any device connected to the internet must have its software continually updated with the latest security updates.

3. Phishing attention

• Check the domain -- Attackers can't fake the domain name of the website you are visiting or of the email address that sent you the email you are receiving. Before opening links on suspicious emails, hover over then and double check those lead to domains that you recognize.

• Make sure the website is encrypted -- Modern browsers now help you make sure that all websites you enter any information in are served over a secured connection over HTTPS.

4. Multi-factor authentication

Multi-factor through an authenticator app or through SMS defeats most of the attacks mentioned above. The only caveat being you needing to consider how would you recover access to your account in case the additional security factor is lost (e.g. phone broken, lost or stolen).

More Resources

• https://breder.org/pass -- generate a secure random password using trusted on-device cryptography.
• KeepassXC -- an open-source multi-platform device-only password manager (not cloud-based).
• US Federal Trade Commission: Online Privacy and Security Recommendations for Consumers.
• Have I been Pwned -- check if your email address can be found in online password leaks.