Best Practices for Improved Security and Privacy: Difference between revisions

From Jeremy Bryan Smith
Line 1: Line 1:
=Use Multi-Factor Authentication=
=Use Multi-Factor Authentication=


Whenever possible, use multi-factor authentication. Most banks and high-profile web service providers (e.g. Google) provide multi-factor authentication mechanisms. Hardware-based multi-factor authentication is the best (See Yubikey). For services that do not support multi-factor authentication natively, you can still use a hardware device with a static key as part of your password.
Whenever possible, use multi-factor authentication. Most banks and high-profile web service providers (e.g. Google) provide multi-factor authentication mechanisms. Hardware-based multi-factor authentication is the best (See Yubikey). For services that do not support multi-factor authentication natively, you can still use a hardware device with a static key as part of your password.<BR>
* DO NOT use text messages for sending authentication tokens. texting is not, never was, and likely will never be a secure communication channel.


=Changing Default Passwords=
=Changing Default Passwords=
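Review bot: The `<BR>` appended to the end of the paragraph in the new version is unnecessary, since the `*` list item that follows already starts a new block, and it leaves a stray blank line in the render; drop it. In the new bullet, "texting" should be capitalized as the start of a sentence, and the bullet would read better split as two sentences: "DO NOT use text messages for sending authentication tokens. Texting is not, never was, and likely never will be a secure communication channel."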
Line 14: Line 16:
=Never Use Your Social Security Number=
=Never Use Your Social Security Number=


Never use your real social security number as a password or security answer. It is illegal for any company to require you to give your social security number (with a few exceptions, such as credit and background checks).
Never use your real social security number as a password or security answer. It is illegal for any company to require you to give your social security number (with a few exceptions, such as credit and background checks). Any company requesting that information can ask for a PIN instead, but you'll have to contact them to set that up.
 
=Never use ANI / Caller ID for Authentication=
As of January 2020, I encountered a very prominent bank that would authenticate you based on the telephone number their system thinks you called from. This is NOT reliable and NOT secure. You'll have to test this out and hopefully you'll have a better experience explaining to the offending company why this is a problem and getting them to remove it.
   
   
=Never Use Your Fingerprint(s) for Authentication=
=Never Use Your Fingerprint(s) for Authentication=
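Review bot: The added sentence "Any company requesting that information can ask for a PIN instead, but you'll have to contact them to set that up" is ambiguous about who sets up the PIN; reword to say that you can ask the company to put a PIN on your account in place of the SSN. The new ANI / Caller ID section states the method is NOT reliable and NOT secure but never says why, and "You'll have to test this out" does not tell the reader what to test; one sentence giving the reason and one saying what to ask the institution for instead would make the advice actionable. Also, the heading "Never use ANI / Caller ID for Authentication" is in sentence case while every other heading on the page uses title case.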
Line 32: Line 37:
* Show Full URL (including HTTP/HTTPS)<br>Set the following:<pre>browser.urlbar.trimURLs = false</pre>
* Show Full URL (including HTTP/HTTPS)<br>Set the following:<pre>browser.urlbar.trimURLs = false</pre>


=Five=
=Identifying Online Fraud/Scam Websites=
 
Price too good to be true? Probably is.
=Six=
Web-based tools:
* https://www.urlvoid.com/
* https://www.virustotal.com/gui/home
Browser plug-ins:
* Trustpilot
* Scamdoc
* Web of Trust
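Review bot: The new section replaces the =Five= and =Six= placeholders, but "Web-based tools:" and "Browser plug-ins:" run straight on from the preceding lines without blank lines, so in the render "Web-based tools:" merges into the "Price too good to be true? Probably is." paragraph; separate the paragraph and the two list introductions with blank lines. The browser plug-in entries (Trustpilot, Scamdoc, Web of Trust) are bare names while the web-based tools are links; link them the same way so the reader can verify they are installing the intended extension.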

Latest revision as of 20:09, 24 January 2020

Use Multi-Factor Authentication

Whenever possible, use multi-factor authentication. Most banks and high-profile web service providers (e.g. Google) provide multi-factor authentication mechanisms. Hardware-based multi-factor authentication is the best (See Yubikey). For services that do not support multi-factor authentication natively, you can still use a hardware device with a static key as part of your password.

  • DO NOT use text messages for sending authentication tokens. Texting is not, never was, and likely never will be a secure communication channel.


Changing Default Passwords

Never leave any default passwords unchanged. This includes, but is not limited to:

  • Routers
  • Modems
  • PINs for phone systems
  • E-mail accounts
  • Any other web-based accounts

Never Use Your Social Security Number

Never use your real social security number as a password or security answer. It is illegal for any company to require you to give your social security number (with a few exceptions, such as credit and background checks). Any company requesting that information can ask for a PIN instead, but you'll have to contact them to set that up.

Never use ANI / Caller ID for Authentication

As of January 2020, I encountered a very prominent bank that would authenticate you based on the telephone number their system thinks you called from. This is NOT reliable and NOT secure. You'll have to test this out and hopefully you'll have a better experience explaining to the offending company why this is a problem and getting them to remove it.

Never Use Your Fingerprint(s) for Authentication

Under current US law, you can be forced to give up your fingerprints (and any other physical means of authentication, such as keys) to be used as evidence against you. If you use your fingerprints for authentication, this has security implications.

Under current US law, you cannot be compelled to give up passwords, pass phrases, or any other knowledge-based portions of authentication that are in your head.

Using Browser Profiles

To segregate your personal data from the wild west of the World Wide Web, you can use separate browser profiles.

Using Browser Extensions

There are many web browser extensions that can enhance your security and privacy when browsing the web. See my list of recommended Firefox Extensions for Security.

Browser Settings

Firefox

  • Show Full URL (including HTTP/HTTPS)
    Set the following:
    browser.urlbar.trimURLs = false
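The two sections above (separate browser profiles, and the Firefox setting that shows the full URL) can be combined into one dedicated profile for sensitive sites. The script below is an added example, not from the original page: it writes a user.js containing the page's trimURLs setting into a profile directory, then registers and launches that profile with Firefox's own -CreateProfile and -P switches. The profile name "banking", the directory under ~/.mozilla/firefox, and the extra dom.security.https_only_mode preference are assumptions that go beyond the page.

```shell
#!/bin/sh
# Added example: seed a separate Firefox profile for sensitive browsing.
# Profile name/directory and the https_only_mode pref are assumptions,
# not part of the original page.
set -eu

# Write a user.js that Firefox applies every time this profile starts.
# Prints the path of the file written so callers can check it.
write_user_js() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/user.js" <<'EOF'
// From the page: show the full URL, including the http:// or https:// scheme.
user_pref("browser.urlbar.trimURLs", false);
// Added assumption: refuse plain-HTTP connections in this profile.
user_pref("dom.security.https_only_mode", true);
EOF
  printf '%s\n' "$dir/user.js"
}

# Register the profile with Firefox and open it in its own instance,
# isolated from whatever profile your everyday browsing uses.
create_and_launch() {
  name="$1"
  dir="$2"
  if ! command -v firefox >/dev/null 2>&1; then
    echo "firefox not found on PATH; user.js left in $dir" >&2
    return 0
  fi
  # -CreateProfile takes "name path"; it reports an error if the name exists.
  firefox -CreateProfile "$name $dir" || true
  firefox -P "$name" -no-remote &
}

# Only act when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  profile_dir="$HOME/.mozilla/firefox/banking-profile"   # placeholder path
  write_user_js "$profile_dir"
  create_and_launch banking "$profile_dir"
fi
```

Confirm the setting took effect by opening about:config in the new profile and checking that browser.urlbar.trimURLs reads false.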

Identifying Online Fraud/Scam Websites

Price too good to be true? Probably is.

Web-based tools:

  • https://www.urlvoid.com/
  • https://www.virustotal.com/gui/home

Browser plug-ins:

  • Trustpilot
  • Scamdoc
  • Web of Trust