How security professionals protect personal information
Anonim

Does it make sense to give up public Wi-Fi and banking applications and get a separate card for online purchases? The opinion of an information security specialist.


Half of my colleagues in information security are professional paranoids. Until 2012 I was one of them myself: I encrypted absolutely everything. Then I realized that such all-out defense gets in the way of work and life.

In the process of "coming out of it", I developed habits that let you sleep peacefully without building a Great Wall of China around yourself. I'll tell you which safety rules I now treat without fanaticism, which ones I break from time to time, and which ones I follow in all seriousness.

Excessive paranoia

Don't use public Wi-Fi

I use it and have no fears on that account. Yes, there are threats when using free public networks, but the risk is minimized by following a few simple safety rules.

  1. Make sure the hotspot belongs to the cafe and not to an attacker. A legitimate hotspot asks for a phone number and sends an SMS code to log in.
  2. Use a VPN connection to access the network.
  3. Do not enter your username and password on unverified sites.

Recently, the Google Chrome browser even began to mark pages served over unencrypted connections as "not secure". Unfortunately, phishing sites have also recently taken up the practice of obtaining a certificate in order to mimic the real ones.

So, if you want to log into a service over public Wi-Fi, I would advise you to make sure a hundred times that the site is genuine. As a rule, it is enough to run its address through a whois service, for example Reg.ru. A very recent domain registration date should put you on guard: phishing sites don't live long.
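The domain-age check described above, as an added example that is not part of the original article: it parses the creation date out of raw whois text and flags domains younger than a threshold. The whois records and domain names are constructed samples, not real lookups.

```python
import re
from datetime import datetime, timezone

# Constructed sample whois output (not a real lookup): a look-alike domain
# registered days ago next to a long-established one.
SAMPLE_WHOIS = {
    "examplebank-login.example": (
        "Domain Name: EXAMPLEBANK-LOGIN.EXAMPLE\n"
        "Creation Date: 2024-05-28T09:14:02Z\n"
        "Registry Expiry Date: 2025-05-28T09:14:02Z\n"
    ),
    "examplebank.example": (
        "Domain Name: EXAMPLEBANK.EXAMPLE\n"
        "Creation Date: 2003-11-04T00:00:00Z\n"
        "Registry Expiry Date: 2030-11-04T00:00:00Z\n"
    ),
}

# Registries print the creation date under several labels; accept the common ones.
_CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|created|Registered on|Registration Date)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_creation_date(whois_text: str) -> datetime:
    """Return the domain creation timestamp found in raw whois text, as UTC."""
    match = _CREATED_RE.search(whois_text)
    if not match:
        raise ValueError("no creation date found in whois output")
    raw = match.group(1).replace("Z", "+00:00")  # fromisoformat needs an explicit offset
    created = datetime.fromisoformat(raw)
    return created if created.tzinfo else created.replace(tzinfo=timezone.utc)


def domain_age_days(whois_text: str, now: datetime) -> int:
    """Whole days between the domain's creation date and `now` (timezone-aware)."""
    return (now - parse_creation_date(whois_text)).days


def is_suspiciously_new(whois_text: str, now: datetime, min_age_days: int = 180) -> bool:
    """True when the domain is younger than min_age_days; treat a login page there with suspicion."""
    return domain_age_days(whois_text, now) < min_age_days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, record in SAMPLE_WHOIS.items():
        verdict = "SUSPICIOUS" if is_suspiciously_new(record, now) else "established"
        print(f"{name}: {domain_age_days(record, now)} days old, {verdict}")
```

The 180-day threshold is an assumption; tune it to your own tolerance.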

Do not log into your accounts from other people's devices

I do, but I have set up two-step authentication for social networks, mail, personal accounts, and the Gosuslugi website. This too is an imperfect method of protection, which is why Google, for example, has started using hardware tokens to verify the user's identity. But for now, for "mere mortals", it is enough that your account requests a code from an SMS or from Google Authenticator (in this application a new code is generated every minute on the device itself).

Nevertheless, I allow myself a small element of paranoia: I regularly check the access history in case someone else has logged into my mail. And of course, if I log into my accounts from other people's devices, at the end of the session I don't forget to click "End all sessions".

Don't install banking apps

It is safer to use the mobile banking application than the desktop version of online banking. Even if the latter is designed perfectly from a security point of view, the vulnerabilities of the browser itself remain (and there are many of them), as do those of the operating system. Malware that steals data can be injected directly into it. Therefore, even if online banking is otherwise perfectly safe, these risks remain very real.

As for the banking application, its security is entirely on the bank's conscience. Each of them undergoes a thorough security analysis of its code, often with eminent external experts involved. The bank can block access to the application if you changed the SIM card or even simply moved it to another slot of your smartphone.

Some of the most secure applications do not even start until security requirements are met, for example if the phone is not password-protected. Therefore, if you, like me, are not ready to give up online payments in principle, it is better to use an application than desktop online banking.

Of course, this does not mean that applications are 100% secure. Even the best ones show vulnerabilities, so regular updates are necessary. If you think this is not enough, read the specialized publications (Xaker.ru, Anti-malware.ru, Securitylab.ru): they will write about it if your bank is not safe enough.

Use a separate card for online purchases

Personally, I think this is unnecessary trouble. I used to have a separate account so that, when necessary, I could transfer money from it to the card and pay for purchases on the Internet. But I gave that up too: it is a detriment to comfort.

It is faster and cheaper to get a virtual bank card. When you make purchases online with it, the data of your main card is never exposed on the Internet. If you think this is not enough for complete confidence, take out insurance; leading banks offer this service. On average, at a cost of 1,000 rubles a year, card insurance covers damage of up to 100,000.

Don't use smart devices

The Internet of Things is huge, and there are even more threats in it than in the traditional Internet. Smart devices really are fraught with tremendous opportunities for hacking.

In the UK, hackers broke into a casino's local network, holding VIP customer data, through a smart thermostat! If a casino turned out to be that insecure, what can we say about an ordinary person. But I do use smart devices, and I don't tape over their cameras. If the TV leaks information about me, to hell with it. It will certainly be something harmless, because I store everything critical on an encrypted disk and keep it on a shelf, with no access to the Internet.

Turn off your phone abroad for fear of wiretapping

Abroad, we most often use messengers, which encrypt text and voice messages well. If the traffic is intercepted, it will contain only unreadable "mush".

Mobile operators also use encryption, but the problem is that they can turn it off without the subscriber's knowledge, for example at the request of the special services: this was the case during the terrorist attack at Dubrovka, so that the special services could quickly listen in on the terrorists' conversations.

In addition, conversations are intercepted by special complexes. Their price starts at 10 thousand dollars. They are not on open sale, but they are available to the special services. So if the task is to listen to you, they will listen to you. Are you afraid? Then turn off your phone everywhere, in Russia too.

It kind of makes sense

Change password every week

In fact, once a month is enough, provided the passwords are long, complex, and different for each service. It is best to heed the advice of banks, because they change their password requirements as computing power grows. Today a weak cryptographic algorithm is brute-forced in a month, hence the requirement for the frequency of password changes.

However, I will make a reservation. Paradoxically, the requirement to change passwords once a month contains a threat of its own: the human brain is built in such a way that, if it has to constantly keep new codes in mind, it starts to cut corners. As cyber experts have found, each new user password in this situation becomes weaker than the previous one.

The way out is to use complex passwords, change them once a month, and use a special application for storage. And the entrance to it must be carefully protected: in my case, it is an 18-character passphrase. Yes, applications have the sin of containing vulnerabilities (see the section about applications below). You have to choose the best one and follow the news about its reliability. I don't yet see a safer way of keeping dozens of strong passwords in my head.

Do not use cloud services

The story of Google Docs being indexed by Yandex search showed how mistaken users are about the reliability of this way of storing information. I personally use the company's cloud servers for file sharing because I know how secure they are. This does not mean that free public clouds are an absolute evil. Just before you upload a document to Google Drive, take the trouble to encrypt it and protect access with a password.

Necessary measures

Do not give out your phone number to anyone, anywhere

This is not an excessive precaution at all. Knowing a phone number and full name, an attacker can make a copy of the SIM card for about 10 thousand rubles. Recently, such a service can be obtained not only on the darknet. Or, even simpler, re-register someone else's phone number to himself using a fake power of attorney at a telecom operator's office. The number can then be used to access any of the victim's services where two-factor authentication is needed.

This is how cybercriminals steal Instagram and Facebook accounts (for example, to send spam from them or use them for social engineering), gain access to banking applications, and empty accounts. Recently the media reported how 26 million rubles were stolen from a Moscow businessman in a single day using this scheme.

Be wary if your SIM card stops working for no apparent reason. It is better to play it safe and block your bank card; this is justified paranoia. After that, contact the operator's office to find out what happened.

I have two SIM cards. Services and banking applications are tied to one number, which I share with no one. I use the other SIM card for communication and household needs: that is the number I leave to register for a webinar or get a store discount card. Both cards are protected by a PIN, a rudimentary but often overlooked security measure.

Do not download everything to your phone

An iron rule. It is impossible to know for sure how an application developer is going to use and protect user data. But when it does become known how app creators are using it, it often turns into a scandal.

Recent cases include the story of Polar Flow, from which the whereabouts of intelligence officers around the world could be found out. Or the earlier example of Unroll.me, which was supposed to protect users from spam subscriptions but at the same time sold the data it received to third parties.

Applications often want to know too much. A textbook example is a flashlight application, which only needs the LED to work, yet wants to know everything about the user, down to the contact list, the photo gallery, and the user's location.

Others demand even more. UC Browser sends the device's IMEI, Android ID, MAC address, and some other user data to the server of Umeng, which collects information for the Alibaba marketplace. I, like my colleagues, would rather refuse such an application.

Even professional paranoids take risks, but they do so consciously. In order not to be afraid of every shadow, decide what in your life is public and what is private. Build walls around personal information, and do not fall into fanaticism about the safety of public information. Then, if one day you find that public information out in the open, it will not hurt so excruciatingly.
