CHAPTER ONE

Your Password Can Be Cracked!

Jennifer Lawrence was having a rough Labor Day weekend. The Academy Award winner was one of several celebrities who woke one morning in 2014 to find that their most private pictures—many of which showed them in the nude—were being splashed about on the Internet.

Take a moment to mentally scan all the images that are currently stored on your computer, phone, and e-mail. Sure, many of them are perfectly benign. You’d be fine with the whole world seeing the sunsets, the cute family snapshots, maybe even the jokey bad-hair-day selfie. But would you be comfortable sharing each and every one of them? How would you feel if they suddenly all appeared online? Maybe not all our personal photos are salacious, but they’re still records of private moments. We should be able to decide whether, when, and how to share them, yet with cloud services the choice may not always be ours.

The Jennifer Lawrence story dominated the slow Labor Day weekend news cycle in 2014. It was part of an event called theFappening, a huge leak of nude and nearly nude photographs of Rihanna, Kate Upton, Kaley Cuoco, Adrianne Curry, and almost three hundred other celebrities, most of them women, whose cell-phone images had somehow been remotely accessed and shared. While some people were, predictably, interested in seeing these photos, for many the incident was an unsettling reminder that the same thing could have happened to them.

So how did someone get access to those private images of Jennifer Lawrence and others?

Since all the celebrities used iPhones, early speculation centered on a massive data breach affecting Apple’s iCloud service, a cloud-storage option for iPhone users. As your physical device runs out of memory, your photos, new files, music, and games are instead stored on a server at Apple, usually for a small monthly fee. Google offers a similar service for Android.

Apple, which almost never comments in the media on security issues, denied any fault on their end. The company issued a statement calling the incident a “very targeted attack on user names, passwords, and security questions” and added that “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”1

The photos first started appearing on a hacker forum well known for posting compromised photos.2 Within that forum you can find active discussions of the digital forensic tools used for surreptitiously obtaining such photos. Researchers, investigators, and law enforcement use these tools to access data from devices or the cloud, usually following a crime. And of course the tools have other uses as well.

One of the tools openly discussed on the forum, Elcomsoft Phone Password Breaker, or EPPB, is intended to enable law enforcement and government agencies to access iCloud accounts and is sold publicly. It is just one of many tools out there, but it appears to be the most popular on the forum. EPPB requires that users have the target’s iCloud username and password information first. For people using this forum, however, obtaining iCloud usernames and passwords is not a problem. It so happened that over that holiday weekend in 2014, someone posted to a popular online code repository (GitHub) a tool called iBrute, a password-hacking mechanism specifically designed for acquiring iCloud credentials from just about anyone.

Using iBrute and EPPB together, someone could impersonate a victim and download a full backup of that victim’s cloud-stored iPhone data onto another device. This capability is useful when you upgrade your phone, for example. It is also valuable to an attacker, who then can see everything you’ve ever done on your mobile device. This yields much more information than just logging in to a victim’s iCloud account.

Jonathan Zdziarski, a forensics consultant and security researcher, told Wired that his examination of the leaked photos from Kate Upton, for example, was consistent with the use of iBrute and EPPB. Having access to a restored iPhone backup gives an attacker lots of personal information that might later be useful for blackmail.3

In October 2016, Ryan Collins, a thirty-six-year-old from Lancaster, Pennsylvania, was sentenced to eighteen months in prison for “unauthorized access to a protected computer to obtain information” related to the hack. He was charged with illegal access to over one hundred Apple and Google e-mail accounts.4

To protect your iCloud and other online accounts, you must set a strong password. That’s obvious. Yet in my experience as a penetration tester (pen tester)—someone who is paid to hack into computer networks and find vulnerabilities—I find that many people, even executives at large corporations, are lazy when it comes to passwords. Consider that the CEO of Sony Entertainment, Michael Lynton, used “sonyml3” as his domain account password. It’s no wonder his e-mails were hacked and spread across the Internet since the attackers had administrative access to most everything within the company.

Beyond your work-related passwords are those passwords that protect your most personal accounts. Choosing a hard-to-guess password won’t prevent hacking tools such as oclHashcat (a password-cracking tool that leverages graphics processing units—or GPUs—for high-speed cracking) from possibly cracking your password, but it will make the process slow enough to encourage an attacker to move on to an easier target.

It’s a fair guess that some of the passwords exposed during the July 2015 Ashley Madison hack are being used elsewhere, including on bank accounts and even work computers. From the lists of 11 million Ashley Madison passwords posted online, the most common were “123456,” “12345,” “password,” “DEFAULT,” “123456789,” “qwerty,” “12345678,” “abc123,” and “1234567.”5 If you see one of your own passwords here, chances are you are vulnerable to a data breach, as these common terms are included in most password-cracking tool kits available online. You can always check the site www.haveibeenpwned.com to see if your account has been compromised in the past.

In the twenty-first century, we can do better. And I mean much better, with longer and much more complex configurations of letters and numbers. That may sound hard, but I will show you both an automatic and a manual way to do this.

The easiest approach is to forgo the creation of your own passwords and simply automate the process. There are several digital password managers out there. Not only do they store your passwords within a locked vault and allow one-click access when you need them, they also generate new and really strong, unique passwords for each site when you need them.

Be aware, though, of two problems with this approach. One is that password managers use one master password for access. If someone happens to infect your computer with malware that steals the password database and your master password through keylogging—when the malware records every keystroke you make—it’s game over. That person will then have access to all your passwords. During my pen-testing engagements, I sometimes replace the password manager with a modified version that transmits the master password to us (when the password manager is open-source). This is done after we gain admin access to the client’s network. We then go after all the privileged passwords. In other words, we will use password managers as a back door to get the keys to the kingdom.

The other problem is kind of obvious: If you lose the master password, you lose all your passwords. Ultimately, this is okay, as you can always perform a password reset on each site, but that would be a huge hassle if you have a lot of accounts.

Despite these flaws, the following tips should be more than adequate to keep your passwords secure.

First, strong passphrases, not passwords, should be long—at least twenty to twenty-five characters. Random characters—ek5iogh#skf&skd—work best. Unfortunately the human mind has trouble remembering random sequences. So use a password manager. Using a password manager is far better than choosing your own. I prefer open-source password managers like Password Safe and KeePass that only store data locally on your computer.

Another important rule for good passwords is never use the same password for two different accounts. That’s hard. Today we have passwords on just about everything. So have a password manager generate and store strong, unique passwords for you.

Even if you have a strong password, technology can still be used to defeat you. There are password-guessing programs such as John the Ripper, a free open-source program that anyone can download and that works within configuration parameters set by the user.6 For example, a user might specify how many characters to try, whether to use special symbols, whether to include foreign language sets, and so on. John the Ripper and other password hackers are able to permute the password letters using rule sets that are extremely effective at cracking passwords. This simply means it tries every possible combination of numbers, letters, and symbols within the parameters until it is successful at cracking your password. Fortunately, most of us aren’t up against nation-states with virtually unlimited time and resources. More likely we’re up against a spouse, a relative, or someone we really pissed off who, when faced with a twenty-five-character password, won’t have the time or resources to successfully crack it.

Let’s say you want to create your passwords the old-fashioned way and that you’ve chosen some really strong passwords. Guess what? It’s okay to write them down. Just don’t write “Bank of America: 4the1sttimein4ever*.” That would be too obvious. Instead replace the name of your bank (for example) with something cryptic, such as “Cookie Jar” (because some people once hid their money in cookie jars) and follow it with “4the1st.” Notice I didn’t complete the phrase. You don’t need to. You know the rest of the phrase. But someone else might not.

Anyone finding this printed-out list of incomplete passwords should be sufficiently confused—at least at first. Interesting story: I was at a friend’s house—a very well-known Microsoft employee—and during dinner we were discussing the security of passwords with his wife and child. At one point my friend’s wife got up and went to the refrigerator. She had written down all her passwords on a single piece of paper and stuck it to the appliance’s door with a magnet. My friend just shook his head, and I grinned widely. Writing down passwords might not be a perfect solution, but neither is forgetting that rarely used strong password.

Some websites—such as your banking website—lock out users after several failed password attempts, usually three. Many sites, however, still do not do this. But even if a site does lock a person out after three failed attempts, that isn’t how the bad guys use John the Ripper or oclHashcat. (Incidentally, oclHashcat distributes the hacking process over multiple GPUs and is much more powerful than John the Ripper.) Also, hackers don’t actually try every single possible password on a live site.

Let’s say there has been a data breach, and included within the data dump are usernames and passwords. But the passwords retrieved from the data breach are mere gibberish.

How does that help anyone break into your account?

Whenever you type in a password, whether it is to unlock your laptop or an online service—that password is put through a one-way algorithm known as a hash function. It is not the same as encryption. Encryption is two-way: you can encrypt and decrypt as long as you have a key. A hash is a fingerprint representing a particular string of characters. In theory, one-way algorithms can’t be reversed—or at least not easily.

What is stored in the password database on your traditional PC, your mobile device, or your cloud account is not MaryHadALittleLamb123$ but its hash value, which is a sequence of numbers and letters. The sequence is a token that represents your password.7

It is the password hashes, not the passwords themselves, that are stored in the protected memory of our computers and can be obtained from a compromise of targeted systems or leaked in data breaches. Once an attacker has obtained these password hashes, the hacker can use a variety of publicly available tools, such as John the Ripper or oclHashcat, to crack the hashes and obtain the actual password, either through brute force (trying every possible alphanumeric combination) or trying each word in a word list, such as a dictionary. Options available in John the Ripper and oclHashcat allow the attacker to modify the words tried against numerous rule sets, for example the rule set called leetspeak—a system for replacing letters with numbers, as in “k3v1n m17n1ck.” This rule will change all passwords to various leetspeak permutations. Using these methods to crack passwords is much more effective than simple brute force. The simplest and most common passwords are easily cracked first, then more complex passwords are cracked over time. The length of time it takes depends on several factors. Using a password-cracking tool together with your breached username and hashed password, hackers may be able to access one or more of your accounts by trying that password on additional sites connected to your e-mail address or other identifier.

In general, the more characters in your password, the longer it will take password-guessing programs such as John the Ripper to run through all the possible variations. As computer processors get faster, the length of time it takes to calculate all the possible six-character and even eight-character passwords is becoming a lot shorter, too. That’s why I recommend using passwords of twenty-five characters or more.
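The cracking workflow described above, as an added example that is not from the book: a constructed dump of unsalted SHA-256 password hashes is audited against a short common-password list expanded with case, leetspeak and suffix rules, in the way John the Ripper or oclHashcat rule sets work. The hash function, the leet table and the sample accounts are assumptions of this example; the point is that the weak entries fall immediately while the long random one is never even a candidate.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Set

# Leetspeak substitutions in the spirit of the "k3v1n m17n1ck" rule in the text.
# The exact table is an assumption of this example.
LEET: Dict[str, List[str]] = {
    "a": ["4", "@"], "e": ["3"], "i": ["1", "!"], "o": ["0"],
    "s": ["5", "$"], "t": ["7"], "l": ["1"],
}

# The first nine entries are the Ashley Madison top passwords quoted in the text;
# the rest are constructed filler to round out a tiny wordlist.
WORDLIST: List[str] = [
    "123456", "12345", "password", "DEFAULT", "123456789", "qwerty",
    "12345678", "abc123", "1234567", "letmein", "welcome", "monkey",
]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password; stands in for whatever hash a site stores."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "breach dump": username -> stored hash. These are sample values
# made up for this example, not from any real breach.
LEAKED: Dict[str, str] = {
    "alice": sha256_hex("123456"),
    "bob": sha256_hex("P@55w0rd!"),
    "carol": sha256_hex("Qwerty123"),
    "dave": sha256_hex("Tz9q!Lm2Xv4#rB7wQe5&nK8pJd"),  # 26 random characters
}


def leet_variants(word: str) -> Iterator[str]:
    """Yield every way of replacing zero or more letters per the LEET table."""
    options = [[ch] + LEET.get(ch.lower(), []) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word: str) -> Set[str]:
    """Lower-case, Capitalized and UPPER forms of a wordlist entry."""
    return {word, word.lower(), word.capitalize(), word.upper()}


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Wordlist x case rules x leet rules x a few common suffixes, deduplicated."""
    suffixes = ["", "1", "123", "!", "2014"]
    seen: Set[str] = set()
    for base in wordlist:
        for cased in case_variants(base):
            for leet in leet_variants(cased):
                for suffix in suffixes:
                    cand = leet + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return username -> recovered password for every hash hit by a candidate."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    for cand in candidates(wordlist):
        for user in by_hash.get(sha256_hex(cand), []):
            recovered[user] = cand
        if len(recovered) == len(leaked):
            break  # nothing left to crack
    return recovered


def brute_force_years(length: int, alphabet: int = 95, rate: float = 1e11) -> float:
    """Worst-case years to exhaust every `length`-character password over an
    `alphabet`-symbol keyboard at `rate` guesses per second (rate is an assumption)."""
    return alphabet ** length / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    found = crack(LEAKED, WORDLIST)
    for user in LEAKED:
        print(f"{user:6s} {found.get(user, '<not cracked by wordlist + rules>')}")
    print(f"brute force, 8 chars: {brute_force_years(8):.2g} years; "
          f"25 chars: {brute_force_years(25):.2g} years")
```

Note that the wordlist plus rules tries only a few thousand candidates, far fewer than a brute force of even six characters, which is why common passwords go first.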

After you create strong passwords—and many of them—never give them out. That seems painfully obvious, but surveys in London and other major cities show that people have traded their passwords in exchange for something as trivial as a pen or a piece of chocolate.8

A friend of mine once shared his Netflix password with a girlfriend. It made sense at the time. There was the immediate gratification of letting her choose a movie for them to watch together. But trapped within Netflix’s recommended-movie section were all his “because you watched…” movies, including movies he had watched with past girlfriends. The Sisterhood of the Traveling Pants, for instance, is not a film he would have ordered himself, and his girlfriend knew this.

Of course, everyone has exes. You might even be suspicious if you dated someone who didn’t. But no girlfriend wants to be confronted with evidence of those who have gone before her.

If you password-protect your online services, you should also password-protect your individual devices. Most of us have laptops, and many of us still have desktops. You may be home alone now, but what about those dinner guests coming later? Why take a chance that one of them could access your files, photos, and games just by sitting at your desk and moving the mouse? Another Netflix cautionary tale: back in the days when Netflix primarily sent out DVDs, I knew a couple who got pranked. During a party at their house, they’d left their browser open to their Netflix account. Afterward, the couple found that all sorts of raunchy B- and C-list movies had been added to their queue—but only after they’d received more than one of these films in the mail.

It’s even more important to protect yourself with passwords at the office. Think of all those times you’re called away from your desk into an impromptu meeting. Someone could walk by your desk and see the spreadsheet for the next quarter’s budget. Or all the e-mails sitting in your inbox. Or worse, unless you have a password-protected screen saver that kicks in after a few seconds of inactivity, whenever you’re away from your desk for an extended period—out to lunch or at a long meeting—someone could sit down and write an e-mail and send it as you. Or even alter the next quarter’s budget.

There are creative new methods of preventing this, like screen-locking software that uses Bluetooth to verify if you are near your computer. In other words, if you go to the bathroom and your mobile phone goes out of Bluetooth range of the computer, the screen is immediately locked. There are also versions that use a Bluetooth device like a wristband or smartwatch and will do the same thing.

Creating passwords to protect online accounts and services is one thing, but it’s not going to help you if someone gains physical possession of your device, especially if you’ve left those online accounts open. So if you password-protect only one set of devices, it should be your mobile devices, because these are the most vulnerable to getting lost or stolen. Yet Consumer Reports found that 34 percent of Americans don’t protect their mobile devices with any security measures at all, such as locking the screen with a simple four-digit PIN.9

In 2014 a Martinez, California, police officer confessed to stealing nude photos from the cell phone of a DUI suspect, a clear violation of the Fourth Amendment, which is part of the Constitution’s Bill of Rights.10 Specifically, the Fourth Amendment prohibits unreasonable searches and seizures without a warrant issued by a judge and supported by probable cause—law enforcement officers have to state why they want access to your phone, for instance.

If you haven’t already password-protected your mobile device, take a moment now and do so. Seriously.

There are three common ways to lock your phone—whether it’s an Android or iOS or something else. The most familiar is a passcode—a sequence of numbers that you enter in a specific order to unlock your phone. Don’t settle for the number of digits the phone recommends. Go into your settings and manually configure the passcode to be stronger—seven digits if you want (like an old phone number from your childhood). Certainly use more than just four.

Some mobile devices allow you to choose a text-based passcode, such as the examples we created here. Again, choose at least seven characters. Modern mobile devices display both number and letter keys on the same screen, making it easier to switch back and forth between them.

Another lock option is visual. Since 2008, Android phones have been equipped with something called Android lock patterns (ALPs). Nine dots appear on the screen, and you connect them in any order you want; that connecting sequence becomes your passcode. You might think this ingenious and that the sheer range of possible combinations makes your sequence unbreakable. But at the PasswordsCon conference in 2015, researchers reported that—human nature being what it is—participants in a study availed themselves of just a few possible patterns out of the 140,704 possible combinations on ALP.11 And what were those predictable patterns? Often the first letter of the user’s name. The study also found that people tended to use the dots in the middle and not in the remote four corners. Consider that the next time you set an ALP.

Finally there’s the biometric lock. Apple, Samsung, and other popular manufacturers currently allow customers the option of using a fingerprint scanner to unlock their phones. Be aware that these are not foolproof. After the release of Touch ID, researchers—perhaps expecting Apple to have improved upon the current crop of fingerprint scanners already on the market—were surprised to find that several old methods of defeating fingerprint scanners still work on the iPhone. These include capturing a fingerprint off of a clean surface using baby powder and clear adhesive tape.

Other phones use the built-in camera for facial recognition of the owner. This, too, can be defeated by holding up a high-resolution photograph of the owner in front of the camera.

In general, biometrics by themselves are vulnerable to attacks. Ideally biometrics should be used as just one authenticating factor. Swipe your fingertip or smile for the camera, then enter a PIN or passcode. That should keep your mobile device secure.

What if you created a strong password but didn’t write it down? Password resets are a godsend when you absolutely can’t access an infrequently used account. But they can also be low-hanging fruit for would-be attackers. Using the clues we leave in the form of social media profiles all over the Internet, hackers can gain access to our e-mail—and other services—simply by resetting our passwords.

One attack that has been in the press involves obtaining the target’s last four digits of his or her credit card number, and then using that as proof of identity when calling in to a service provider to change the authorized e-mail address. That way, the attacker can reset the password on his or her own without the legitimate owner knowing.

Back in 2008 a student at the University of Tennessee, David Kernell, decided to see whether he could access then vice presidential candidate Sarah Palin’s personal Yahoo e-mail account.12 Kernell could have guessed various passwords, but access to the account might have been locked after a few failed tries. Instead he used the password reset function, a process he later described as “easy.”13

I’m sure we’ve all received strange e-mails from friends and associates containing links to porn sites in foreign countries only to learn later that our friends’ e-mail accounts had been taken over. These e-mail takeovers often occur because the passwords guarding the accounts are not strong. Either someone learned the password—through a data breach—or the attacker used the password reset function.

When first setting up an account such as an e-mail or even a bank account, you may have been asked what are usually labeled as security questions. Typically there are three of them. Often there are drop-down menus listing suggested questions, so you can choose which ones you want to answer. Usually they are really obvious.

Where were you born? Where did you go to high school? Or college? And the old favorite, your mother’s maiden name, which apparently has been in use as a security question since at least 1882.14 As I’ll discuss below, companies can and do scan the Internet and collect personal information that makes answering these basic security questions a piece of cake. A person can spend a few minutes on the Internet and have a good chance of being able to answer all the security questions of a given individual.

Only recently have these security questions improved somewhat. For example, “What is the state where your brother-in-law was born?” is pretty distinct, though answering these “good” questions correctly can carry its own risks, which I’ll get to in a minute. But many so-called security questions are still too easy, such as “What is your father’s hometown?”

In general, when setting these security questions, try to avoid the most obvious suggestions available from the drop-down menu. Even if the site includes only basic security questions, be creative. No one says you have to provide straightforward answers. You can be clever about it. For example, as far as your streaming video service is concerned, maybe tutti-frutti is your new favorite color. Who would guess that? It is a color, right? What you provide as the answer becomes the “correct” answer to that security question.

Whenever you do provide creative answers, be sure to write down both the question and the answer and put them in a safe place (or simply use a password manager to store your questions and answers). There may be a later occasion when you need to talk to technical support, and a representative might ask you one of the security questions. Have a binder handy or keep a card in your wallet (or memorize and consistently use the same set of responses) to help you remember that “In a hospital” is the correct answer to the question “Where were you born?” This simple obfuscation would thwart someone who later did their Internet research on you and tried a more reasonable response, such as “Columbus, Ohio.”

There are additional privacy risks in answering very specific security questions honestly: you are giving out more personal information than is already out there. For example, the honest answer to “What state was your brother-in-law born in?” can then be sold by the site you gave that answer to and perhaps combined with other information or used to fill in missing information. For example, from the brother-in-law answer one can infer that you are or were married and that your partner, or your ex, has a sibling who is either a man or married to a man born in the state you provided. That’s a lot of additional information from a simple answer. On the other hand, if you don’t have a brother-in-law, go ahead and answer the question creatively, perhaps by answering “Puerto Rico.” That should confuse anyone trying to build a profile on you. The more red herrings you provide, the more you become invisible online.

When answering these relatively uncommon questions, always consider how valuable the site is to you. For example, you might trust your bank to have this additional personal information but not your streaming video service. Also consider what the site’s privacy policy might be: look for language that says or suggests that it might sell the information it collects to third parties.

The password reset for Sarah Palin’s Yahoo e-mail account required her birth date, zip code, and the answer to the security question “Where did you meet your husband?” Palin’s birth date and zip code could easily be found online (at the time, Palin was the governor of Alaska). The security question took a bit more work, but the answer to it, too, was accessible to Kernell. Palin gave many interviews in which she stated repeatedly that her husband was her high school sweetheart. That, it turns out, was the correct answer to her security question: “High school.”

By guessing the answer to Palin’s security question, Kernell was able to reset her Yahoo Mail password to one that he controlled. This allowed him to see all her personal Yahoo e-mails. A screenshot of her inbox was posted on a hacker website. Palin herself was locked out of her e-mail until she reset the password.15

What Kernell did was illegal, a violation of the Computer Fraud and Abuse Act. Specifically, he was found guilty on two counts: anticipatory obstruction of justice by destruction of records, a felony, and gaining unauthorized access to a computer, a misdemeanor. He was sentenced in 2010 to one year and one day in prison plus three years of supervised release.16

If your e-mail account has been taken over, as Palin’s was, first you will need to change your password using (yes, you guessed it) the password reset option. Make this new password a stronger password, as I suggested above. Second, check the Sent box to see exactly what was sent in your name. You might see a spam message that was sent to multiple parties, even your entire contacts list. Now you know why your friends have been sending you spam for all these years—someone hacked their e-mail accounts.

Also check to see whether anyone has added himself to your account. Earlier we talked about mail forwarding with regard to multiple e-mail accounts. Well, an attacker who gains access to your e-mail service could also have all your e-mail forwarded to his account. You would still see your e-mail normally, but the attacker would see it as well. If someone has added himself to your account, delete this forwarding e-mail address immediately.

Passwords and PINs are part of the security solution, but we’ve just seen that these can be guessed. Even better than complex passwords are two-factor authentication methods. In fact, in response to Jennifer Lawrence and other celebrities having their nude photos plastered over the Internet, Apple instituted two-factor authentication, or 2FA, for its iCloud services.

What is 2FA?

When attempting to authenticate a user, sites or applications look for at least two of three things. Typically these are something you have, something you know, and something you are. Something you have can be a magnetic stripe or chip-embedded credit or debit card. Something you know is often a PIN or an answer to a security question. And something you are encompasses biometrics—fingerprint scanning, facial recognition, voice recognition, and so on. The more of these you have, the surer you can be that the user is who she says she is.

If this sounds like new technology, it’s not. For more than forty years most of us have been performing 2FA without realizing it.

Whenever you use an ATM, you perform 2FA. How is that possible? You have a bank-issued card (that’s something you have) and a PIN (that’s something you know). When you put them together, the unmanned ATM out on the street knows that you want access to the account identified on the card. In some countries, there are additional means of authentication at ATMs, such as facial recognition and a palm print. This is called multifactor authentication (MFA).

Something similar is possible online. Many financial and health-care institutions, as well as commercial e-mail and social media accounts, allow you to choose 2FA. In this case, the something you know is your password, and the something you have is your cell phone. Using the phone to access these sites is considered “out of band” because the phone is not connected to the computer you are using. But if you have 2FA enabled, an attacker should not be able to access your 2FA-protected accounts without having your mobile device in hand.

Say you use Gmail. To enable 2FA you will be asked to input your cell-phone number on the Gmail site. To verify your identity, Google will then send an SMS code of six digits to your phone. By subsequently inputting that code on the Gmail site, you have just verified that this computer and that cell-phone number are connected.

After that, if someone tries to change the password on your account from a new computer or device, a text message will be sent to your phone. Only when the correct verification code is entered on the website will any change to your account be saved.

There’s a wrinkle to that, though. According to researchers at Symantec, if you do send an SMS to confirm your identity, someone who happens to know your cell-phone number can do a bit of social engineering and steal your 2FA-protected password reset code if you are not paying close attention.17

Say I want to take over your e-mail account and don’t know your password. I do know your cell-phone number because you’re easy to find through Google. I can go to the reset page for your e-mail service and request a password reset, which, because you enabled two-factor authentication, will result in an SMS code being sent to your phone. So far, so good, right? Hang on.

A recent attack on a phone used by political activist DeRay Mckesson showed how the bad guys could trick your mobile operator to do a SIM swap.18 In other words, the attacker could hijack your cellular service and then receive your SMS messages—for example, the SMS code from Google to reset Mckesson’s Gmail account that was protected with two-factor authentication. This is much more likely than fooling someone into reading off his or her SMS message with a new password, although that is still possible and involves social engineering.

Because I won’t see the verification code sent by your e-mail provider to your phone, I’ll need to pretend to be someone else in order to get it from you. Just seconds before you receive the actual SMS from, say, Google, I as the attacker can send a one-time SMS, one that says: “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.”

You will see that yes, indeed, you just got an SMS text from Google containing a legitimate verification code, and so you might, if you are not being careful, simply reply to me in a message and include the code. I would then have less than sixty seconds to enter the verification code. Now I have what I need to enter on the password reset page and, after changing your password, take over your e-mail account. Or any other account.

Since SMS codes are not encrypted and can be obtained in the way I just described, an even more secure 2FA method is to download the Google Authenticator app from Google Play or the iTunes app store for use with an iPhone. This app generates a unique access code on the app itself each time you want to visit a site that requires 2FA—so there’s no SMS to be sent. The six-digit code the app generates is kept in sync with the authentication mechanism the site uses to grant access. However, Google Authenticator stores your one-time password seed in the Apple Keychain with a setting for “This Device Only.” That means if you back up your iPhone and restore to a different device because you are upgrading or replacing a lost phone, your Google Authenticator codes will not be transferred and it’s a huge hassle to reset them. It’s always a good idea to print out the emergency codes in case you end up switching physical devices. Other apps like 1Password allow you to back up and restore your one-time password seeds so you don’t have this problem.
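As an added example, not from the book and not Google Authenticator’s own code, here is the arithmetic (TOTP, RFC 6238) that an authenticator app and a site both run over one shared seed, which is why it is the seed, and not any single code, that a backup has to preserve. The seed below is the published RFC test key, and the function names are my own.

```python
"""Added example: how an authenticator app and a site agree on a six-digit
code without sending anything over SMS.  Both sides hold the same secret
seed and compute HMAC-SHA1 over the current 30-second time window.
Standard library only."""
import base64
import hashlib
import hmac
import struct

# Base32 form of the RFC 4226/6238 test key "12345678901234567890".
# A real site generates a random seed at enrollment and shows it as a QR code.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    The app on the phone computes exactly this; so does the site."""
    return hotp(seed_b32, int(now) // step)


def verify(seed_b32: str, submitted: str, now: float, step: int = 30) -> bool:
    """Server-side check: accept the current window plus one on either side
    to tolerate phone clock drift, comparing in constant time."""
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(seed_b32, c).encode(), submitted.encode())
        for c in (counter - 1, counter, counter + 1)
    )


def restored_device_matches(seed_b32: str, now: float) -> bool:
    """A phone restored from a seed backup (e.g. an exported otpauth secret)
    produces the same code as the original, so no reset is needed."""
    return totp(seed_b32, now) == totp(seed_b32.lower(), now)
```

A code is only ever valid for its 30-second window, so a site that wants to stop replay of a just-used code also records the last accepted counter.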

Once you have registered a device, as long as you continue to log in to the site from that device, you will be prompted for a new access code unless you specifically check the box (if available) to trust the computer for thirty days, even if you take your laptop or phone to another location. However, if you use another device—say, you borrow your spouse’s computer—then you will be asked for additional authentication. Needless to say, if you’re using 2FA, always have your cell phone handy.

Given all these precautions, you might wonder what advice I give to people who are conducting any type of financial transaction online.

For about $100 a year you can get antivirus and firewall protection for up to three computers under your control. The trouble is that when you’re surfing the Web, you might load into your browser a banner ad that contains malware. Or maybe you open your e-mail, and one of the e-mails contains malware. One way or another you are going to get your computer infected if it regularly touches the Internet, and your antivirus product may not catch everything that’s out there.

So I recommend you spend around $200 to get yourself a Chromebook. I like iPads, but they’re expensive. The Chromebook is as close to an easy-to-use tablet as an iPad is, and it costs much less.

My point is that you need to have a secondary device that you use exclusively for financial stuff—perhaps even medical stuff as well. No apps can be installed unless you first register with a Gmail account—this will limit you to opening the browser to surf the Internet.

Then, if you haven’t already done so, activate 2FA on the site so that it recognizes the Chromebook. Once you’ve completed your banking or health-care business, put the Chromebook away until the next time you have to balance your checkbook or arrange a doctor’s appointment.

This seems like a hassle. It is. It replaces the convenience of anytime banking with almost anytime banking. But the result is that you are far less likely to have someone messing around with your banking and credit information. If you use the Chromebook only for the two or three apps you install, and if you bookmark the banking or health-care websites and visit no others, it is very unlikely that you will have a Trojan or some other form of malware residing on your machine.

So we’ve established that you need to create strong passwords and not share them. You need to turn on 2FA whenever possible. In the next few chapters we’ll look at how common day-to-day interactions can leave digital fingerprints everywhere and what you can do to protect your privacy.