digital security can be overwhelming
keeping up with new threats, remembering passwords, watching out for scams
avoiding losing files, preventing identity theft, keeping your data safe
it’s a lot to keep up to date on and pay attention to
unfortunately, if you aren’t following best practices,
it is only a matter of time and a little bad luck before you run into trouble
by focusing on protecting the things that matter, learning the most common threats,
and building habits that balance safety with convenience,
you can rely less on luck and improve your security without feeling overwhelmed
what scammers & hackers want
- your money
- bank account
- your email (will show them where your money is & help get them access to any other account)
- shopping accounts (like amazon)
- money transfer apps/sites like cashapp, zelle, or paypal
- ransomware (malware that encrypts your files and demands payment for the key); paying does not guarantee you get your files back, which is one more reason to keep backups
- your identity
they use it to ruin your credit & reputation, steal money, or do illegal activity in your name
- your email (contains /so/ much personal information)
- facebook, instagram, or other social media
- sensitive documents like tax or medical records
see the glossary linked at the top of the page if you don't recognize a term or abbreviation
how you get scammed or hacked
- phishing attacks
- clicking links in text messages
- clicking links in emails
- downloading files from websites
- malware/trojan
- downloaded software
pirated software is a common source of trojan malware
- browser extensions
even previously safe browser extensions can become malicious later
new extensions are often vetted well but updates are often not
strong financial incentives push extension authors to sell to hackers/scammers over time
- insecure accounts
- accounts secured with best practices for passwords and mfa/2fa are hard to break into
think of it as a castle - with a strong wall, the remaining weakness is the gate
this means that with a secure account, the attacker usually has to be let in:
by you giving up a password or code, or clicking a link that leads to phishing or malware
focus on what to protect
security can be overwhelming; focus on identifying and securing your critical accounts
- critical accounts: banking, primary email, money transfer apps, investments
the few accounts where, if they were compromised, it would ruin more than your day
primary email is the most critical of all, because password resets for nearly every other account go through it
other critical accounts include those with direct access to financial accounts
(not just to buy things) - think zelle or accounts with the ability to move money
this does include cashapp or any other money transfer app or website
purchase sites like amazon usually have fraud protection
transfer sites usually do not - once the money is sent, it is gone
- non-critical (normal) accounts: social media, bills, entertainment, shopping, news, etc.
you should still keep track of these accounts and follow best practices for passwords and mfa/2fa
a compromised normal account can still be used to impersonate you to friends, family or customer support, or as a stepping stone to a critical account
basic best practices for all accounts
- use a secure password
- use a unique password for every account; attackers take passwords leaked from one site and try them on every other site
- read more about strong passwords
- use mfa/2fa
- do not use anything except for a credit card to pay for things online
(this may mostly apply in the us as other methods usually lack fraud protection there)
- use a password manager to track your active accounts and close accounts you no longer use
basic best practices for all devices
- update your operating system, browser and other programs regularly; turn on automatic updates where offered
- use anti-virus on your windows pc and phone
- i am hesitant to recommend a specific antivirus, but malwarebytes seems good
when i used windows, it was very good at spotting things others i had used missed
basic best practices for critical accounts
- /only/ access critical accounts on trusted devices
- do not count your phone as a trusted device for this purpose
- never connect anything but credit-cards to transfer sites like zelle, cashapp, paypal, etc.
(this may mostly apply in the us as other methods usually lack fraud protection there)
- use an authenticator app instead of sms, push notifications or email if at all possible
- app-generated codes never cross the phone network or an inbox, so they are much harder to intercept or redirect by social engineering; a code is still yours to protect, so only ever type it into the real site
- importantly, sms 2fa is the worst of the bunch (though still far better than no 2fa): an attacker who talks your carrier into moving your number to their sim (sim swapping) receives every code sent to you
- if using an app, ensure you have recovery codes saved securely in case your phone breaks
or that the app has a way to regain access to your codes in such an event
(saved securely does /not/ mean written down on paper in your room)
if you aren’t sure how to save them securely, use a 2fa app that allows you to access
your codes on another device should your main device break or get lost
- if you must use your critical accounts on public wifi, use a trusted vpn
basic best practices for trusted devices
- only use /highly/ trusted browser extensions like:
ublock origin by raymond hill (firefox based; chrome no longer supports the full version since its manifest v3 change, only the more limited ublock origin lite)
bitwarden password manager by bitwarden inc. (firefox based, chromium based)
browser extensions are a /huge/ attack vector for malware
- don’t allow physical access to trusted devices by anyone you don’t trust with your bank login
- windows user account passwords can be bypassed by a literal child with help from google; the login screen only protects the files on the disk if the disk is encrypted
- do not sell drives either, unless you have the technical knowledge to scrub them
even then, i personally wouldn’t sell or donate an ssd drive that ever held private info
- this doesn’t apply if the whole disk was encrypted (bitlocker on windows, filevault on mac) before any sensitive data was written to it, since without the key the drive's contents are unreadable
instances of tech repair people stealing data should also encourage you to use encryption
- back up important files (not only documents like tax records, but also irreplaceable ones like family photos)
- read about best practices for backups here
- don’t forget data doesn’t last forever on a disk, even one that is never powered on; rough figures, which vary a lot with media quality, temperature and (for ssds) how worn the drive is:
- cds & dvds usually 2-5 years
- ssd drives usually 1-3 years without power
- hdd drives usually +3 years without power
so keep more than one copy and refresh backups rather than leaving a single drive in a drawer
- use a password manager to avoid putting passwords into fake sites: it autofills only on the real site's domain, so a look-alike phishing page gets nothing
- do not allow anyone you don’t trust with your bank login to remote control your device
- do not use an untrusted vpn; if you aren’t sure how to know, use one from this list
- using no vpn at all is more private and secure than using an untrusted one, since the vpn provider sees every site you connect to
- make sure your home wifi uses wpa2 or wpa3 with a random password of at least 16 characters, and change the router's admin password from the factory default
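the "secure, unique password" advice for accounts earlier on this page and the 16-character wifi password here come down to the same thing: a long string drawn uniformly at random. this is an added example (not from the page or any password manager) of generating one with python's secrets module and working out how many bits of entropy it carries. the 1e10 guesses-per-second figure in years_to_exhaust is an assumed number for an offline cracking attack, not a measurement; online guessing against a site that rate-limits logins is many orders of magnitude slower.

```python
import math
import secrets
import string

# all printable ascii except whitespace: 26 + 26 + 10 + 32 = 94 symbols
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# some routers mishandle quotes or backslashes in a wifi passphrase, so an
# alphanumeric-only set (62 symbols) is safer there; make it longer to compensate
WIFI_ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Pick each character independently with the OS CSPRNG (secrets), never random.random()."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at a given guess rate.
    1e10/s is an assumed figure for an offline attack on a fast, unsalted hash."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, n, alphabet in (("account", 20, FULL_ALPHABET), ("wifi", 24, WIFI_ALPHABET)):
        pw = generate_password(n, alphabet)
        bits = entropy_bits(n, len(alphabet))
        print(f"{label}: {pw}  ({bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years to exhaust)")
```

a 16-character password from the 94-symbol set has about 105 bits of entropy; dropping to 8 characters from the same set leaves about 52, which is within reach of an offline attack, and that gap is the whole argument for length over cleverness.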
how to avoid being scammed
- stay informed on new scams and read up on best practices to avoid being scammed
privacy best practices
- trim tracking information (query parameters like utm_source or fbclid) from links before sharing them, and from links others share with you
- use a privacy focused search engine like duckduckgo
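an added example (not part of the page) of what trimming tracking information from a link means in practice: drop the query-string parameters that identify you or the campaign that sent you, and keep the ones the page actually needs (ids, search terms). the deny-list below is a starter set of well-known tracking parameters chosen here for illustration; extend it as you meet others.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# starter deny-list of common tracking parameters (utm_* covers google analytics campaign
# tags; the rest are click ids from ad networks and mailing-list tools)
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "twclid", "yclid", "igshid",
    "mc_cid", "mc_eid", "_hsenc", "_hsmi",
}
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """Case-insensitive match against the deny-list and prefixes."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def strip_tracking(url: str) -> str:
    """Rebuild the url with only the non-tracking query parameters.
    Parameter order and the #fragment are preserved; site-functional
    parameters are never touched, so the link keeps working."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def removed_params(url: str) -> list:
    """List the parameter names that strip_tracking would drop, to see what a link carried."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if is_tracking_param(k)]


if __name__ == "__main__":
    # constructed sample link of the kind a newsletter or social app hands out
    shared = "https://example.com/article?id=42&utm_source=newsletter&utm_medium=email&fbclid=AbC123"
    print("dropped:", removed_params(shared))
    print("clean:  ", strip_tracking(shared))
```

this only handles parameters in the link itself; a link that goes through a redirect domain (a click-tracking host that forwards you to the real page) has to be followed or resolved first, and the real destination then trimmed.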