Privacy and security tips for safer surfing
Sony's recent security troubles have demonstrated that no matter how big the organisation, anyone is at risk. The hack attack potentially exposed the details of millions of Playstation Network users including some credit card info, opening up the possibility of harassment and fraud for people who just wanted to play games online.
PSN users felt that storing their details with Sony was safe, trusting such a large company to have adequate security in place, but the fact is we're all at risk. Every one of us has information stored on servers all over the world. If you want to sign up for services or shop online, providing your name, address, phone number and credit card details is a necessary evil.
There are, however, steps you can take to minimise the risk without strapping on a tin-foil hat and becoming a recluse.
Use strong passwords
This is the single most important part of staying secure online. Short, easy-to-guess passwords are responsible for more security problems than organised hackers breaking into videogame services, and it's something anyone can prevent with common sense.
Don't use dictionary words; they can be cracked easily with a simple program. Phrases which can be figured out from personal information are also a bad idea, so don't put down the name of your favourite football team.
Using the same password over and over is a mistake, because then it only takes one web site to suffer a security breach and suddenly everything is at risk. This was demonstrated by the leaking of Gawker users' passwords earlier in the year: there was a spate of Facebook and Gmail hijacks soon after, because the attackers simply went round trying the same passwords on popular services, with some success.
The problem with creating difficult passwords is that it can be a hassle to memorise them, but there are a few tricks and tools to help.
Substituting numbers for letters is a simple way of creating memorable but slightly obscure passwords, though again dictionary words should be avoided because common letter substitutions are accounted for when cracking passwords. Another handy one is using a jumbled version of your address which looks like nonsense but is easy for you to remember.
The most secure method, though, is a long, random string of letters and numbers, which will be as good as uncrackable. To save you from having to remember all that, there are some tools which safely store and retrieve this info.
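As an added illustration of the points above (not code from the original article), the following Python script undoes the common letter-for-number substitutions that cracking rule sets apply before looking a candidate up in a wordlist, generates a long random password the way the article recommends, and compares the search space of each scheme. The wordlist and the substitution table are constructed stand-ins for much larger real ones.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking wordlist (real ones run to hundreds of
# thousands of entries); only the lookup logic matters for the illustration.
WORDLIST = {"password", "liverpool", "arsenal", "dragon", "monkey", "letmein"}

# Common swaps that cracking rules try automatically, mapped back to letters.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def is_dictionary_based(password: str) -> bool:
    """True if the password is a wordlist entry, possibly with leet swaps
    and/or a trailing run of digits (e.g. 'L1verp00l', 'p4ssw0rd123')."""
    base = password.lower().rstrip("0123456789")  # drop "...123" suffixes first
    base = base.translate(LEET_MAP)                # then undo the letter swaps
    return base in WORDLIST


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16) -> str:
    """A long random letters-and-digits password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength(wordlist_size: int = 170_000, swap_positions: int = 8,
                     length: int = 16) -> dict:
    """Approximate bits an attacker must search for each scheme the article
    discusses. A leet-swapped word only multiplies the wordlist by the number
    of swap combinations (each position swapped or not), so it gains little."""
    return {
        "dictionary word": math.log2(wordlist_size),                       # ~17 bits
        "word with leet swaps": math.log2(wordlist_size * 2 ** swap_positions),  # ~25 bits
        "random letters+digits": entropy_bits(62, length),                 # ~95 bits
    }
```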
Lastpass is an online service which offers the most user-friendly password management system going, partly because it integrates so smoothly with web browsers - automatically entering the details so they can't be caught by a keylogger - but also because passwords are kept on the Lastpass servers and so are instantly accessible from multiple locations, including smartphones.
This seems risky, but the info is kept in encrypted containers which not even Lastpass has access to, so as long as a strong master password is chosen it is perfectly safe. Because the master password is the only one which has to be remembered, you can make sure it's extra long and complex.
Keepass is an open-source password manager which is incredibly flexible and supports just about anything, including Apple Mac and smartphones. It too keeps passwords locked in a secure container, but the difference is that you hold the container file yourself. This eliminates the worry that hackers might steal it off a server, but does make it slightly less convenient.
Keepass is very powerful but not as easy to set up, particularly with regard to browser integration for auto-entry of passwords, though there are lots of plugins available which expand its functionality.
1Password is similar to Keepass but far easier to set up and use, the downside being that it costs money. Cheekily, they also ask extra for the iPhone and iPad apps. Cloud storage for online syncing of passwords is via Dropbox, but it is optional, so the container file never has to leave your sight.
1Password has an excellent reputation for being secure, well supported and hassle-free, so if you're not keen on the Lastpass cloud approach and not up for figuring out Keepass, this is a good choice.
Get a net-only bank account
It's a bad idea to use the same account for online shopping as the one your bills and mortgage are paid from, because if a scammer cleans you out it'll be overdraft and rejected direct debit charges galore. A better idea: set up a whole new bank account with a new debit card.
If thieves get hold of the details they won't be able to do as much damage, particularly if there's no overdraft facility, and even if money does go missing it won't impact on daily life or make the mortgage company angry. Also, in a situation like the Sony data leak where personal details end up in the public domain, it's easier to order a new card for a secondary account, as it won't have any effect on your ability to do simple things like buy food.
If the bank is halfway decent, setting up another account shouldn't be any hassle: they should be able to do it in the local branch over the counter and send a new card in the mail a few days later.
Don't give them everything
Remember the X-Files slogan "Trust No One"? That's a good rule to live by when it comes to handing over your particulars. In the interest of building up a gigantic marketing database to target us for ads, web sites will ask for all kinds of personal details. My standard approach is that unless I'm handing over money for goods or services, they do not need to know.
Make sure that you're only entering the stuff that's required for registration (usually marked with an asterisk, *) and feel free to fill in made-up details for the rest. Forums are particularly bad for this: they'll ask a million questions, but in general only a few fields are compulsory.
If a site is being really pushy about wanting your info then head to Fakenamegenerator.com, a ridiculously useful tool which provides invented IDs, even down to occupation and credit card number.
Don't rely on cloud services
We've previously talked about why cloud computing is a bit rubbish but despite our concerns it is very useful for sharing files and syncing between smartphones and multiple systems. However, keeping files stored on a remote server is an obvious risk.
While services like Dropbox are handy, they're not packing rock-solid security, and in terms of privacy there's also the concern about what companies like Google are sniffing out when documents are uploaded to services such as Google Docs.
As a backup method online storage is convenient but an offline backup should always be kept as well. Just because the files are on a corporate server it doesn't mean they're immune to hacking or accidental deletions. I'd also caution against keeping anything too sensitive or personal on remote backup sites.
Set up a spam email address
It's good practice to have a throwaway email address which can be used to sign up for non-vital web sites. It'll help minimise the junk coming through to your main account, and it won't matter as much if someone gets hold of the info. This can be done just by registering for a second (or third, fourth...) Gmail, Yahoo or Hotmail account. Just remember to sign in on a regular basis to keep it live.
Some email services - usually premium accounts from the likes of Fastmail - have the ability to set up aliases. These are custom email addresses which all forward to the main inbox, so an alias can be used for all your junky web site registrations and then routed straight to the trash folder. And, depending on the upper limit on aliases, it's also useful for creating a unique address for each site and figuring out which ones lie about not selling your details on to spammers.
A handy tip for Gmail users is that aliases can be created on the fly just by adding "+something" to the address, so it would look like yourname+something@gmail.com. These come through to the inbox just like any other message but can easily be shunted to another folder with a simple filter.
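The per-site alias trick described above, worked through as an added Python example that is not part of the original article: it pulls the "+tag" out of the recipient address, files the message by the site the tag was handed to, and flags the case where a tag given to one site turns up in mail from an unrelated sender, which is how you catch the site that passed your address on. The registration table and the sample headers are constructed for the example.

```python
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed record of which +tag was handed to which site at sign-up.
REGISTRATIONS = {
    "forumx": "forumx.example",
    "shop": "shop.example",
}


def plus_tag(address: str) -> Optional[str]:
    """Return the tag of a Gmail-style local+tag@domain address, or None."""
    local, _, _ = address.partition("@")
    _, plus, tag = local.partition("+")
    return tag if plus else None


def route(to_header: str, from_header: str) -> Tuple[str, Optional[str]]:
    """Pick a folder for a message and, when the alias was given to one site
    but the mail comes from another domain, return a note naming the leak."""
    to_addr = parseaddr(to_header)[1].lower()
    from_domain = parseaddr(from_header)[1].lower().rpartition("@")[2]
    tag = plus_tag(to_addr)
    if tag is None:
        return "Inbox", None                 # plain address, normal mail
    expected = REGISTRATIONS.get(tag)
    if expected is None:
        return "Junk", None                  # a tag we never handed out
    if from_domain == expected or from_domain.endswith("." + expected):
        return f"Sites/{tag}", None          # the site we registered with
    return "Junk", f"address given to {expected} is now used by {from_domain}"


# Constructed sample (To, From) header pairs to run the filter over.
SAMPLE_HEADERS = [
    ("Me <me+forumx@gmail.com>", "noreply@forumx.example"),
    ("Me <me+forumx@gmail.com>", "deals@bulk-mailer.example"),
    ("me@gmail.com", "friend@example.org"),
]


def run_samples():
    """Route every constructed sample; the second one exposes the leak."""
    return [route(to, frm) for to, frm in SAMPLE_HEADERS]
```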