Cybersecurity Awareness Tip 23: Use Digital Payments Instead of Swiping Your Credit Card
Most credit card fraud occurs, or at least originates, offline, but you can use online tools to help there, too. Specifically, digital payments via a mobile wallet use tokenization to secure credit card transactions: the wallet hands the retailer a secure token instead of the credit card information. These tokens can be limited to a specific transaction or vendor, so a token that leaks from one retailer can't be fraudulently reused elsewhere. As the credit card industry moves away from magnetic stripes, many retailers are beginning to accept digital payments. Gas stations - the last holdouts for magnetic stripe credit cards - are accepting digital payments via mobile wallets or their own branded mobile apps.
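To make the tokenization idea concrete, here is a toy token vault written as an added example for this tip (it is not SwampGeek's code, nor any real wallet's). The vault stands in for the wallet provider or card network: the merchant only ever receives an opaque token bound to one merchant and one amount, and the vault refuses to honour it a second time or from a different merchant. Card numbers, merchant ids and amounts below are constructed sample values.

```python
"""Toy payment-tokenization vault (added example; constructed sample data)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    pan: str            # the real card number; never leaves the vault
    merchant_id: str    # the only merchant allowed to redeem this token
    amount_cents: int   # the only amount it may be redeemed for
    used: bool = False  # single-use: a replayed token is rejected


@dataclass
class TokenVault:
    """Lives with the wallet provider / card network, not with the retailer."""
    records: dict = field(default_factory=dict)

    def issue_token(self, pan: str, merchant_id: str, amount_cents: int) -> str:
        # 128 random bits: unguessable and carrying no card information itself
        token = secrets.token_hex(16)
        self.records[token] = TokenRecord(pan, merchant_id, amount_cents)
        return token

    def redeem(self, token: str, merchant_id: str, amount_cents: int) -> tuple:
        """Return (ok, reason). Every check is about the binding, not the card."""
        rec = self.records.get(token)
        if rec is None:
            return False, "unknown token"
        if not hmac.compare_digest(rec.merchant_id, merchant_id):
            return False, "token bound to a different merchant"
        if rec.amount_cents != amount_cents:
            return False, "amount mismatch"
        if rec.used:
            return False, "token already spent"
        rec.used = True
        return True, f"charged card ending {rec.pan[-4:]}"


def demo() -> dict:
    """Walk through one purchase, one replay and one cross-merchant reuse."""
    vault = TokenVault()
    card = "4111111111111111"                     # constructed test PAN
    tok = vault.issue_token(card, "gas-station-17", 4_250)
    return {
        "merchant_sees_pan": card in tok,         # False: token is random hex
        "first_use": vault.redeem(tok, "gas-station-17", 4_250),
        "replay": vault.redeem(tok, "gas-station-17", 4_250),
        "other_merchant": vault.redeem(tok, "web-shop-99", 4_250),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Contrast this with a magnetic stripe swipe: the stripe hands every terminal the same reusable card data, so a skimmer at one retailer yields credentials that work anywhere.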
Use the Digital Wallet Available on Your Phone
The major digital wallets and many retailer mobile apps use tokenization, so from a security perspective, they are virtually identical. But digital wallets can't be used on all phones, at least not yet. South Korea recently enacted legislation to require Apple and Google to allow other payment systems (like South Korea's Samsung Pay). Samsung initially offered rewards for using Samsung Pay, but terminated this unique feature on December 31, 2020. For now, use the digital wallet available on your phone:
Apple Pay only works on iPhones and Apple Watches.
Google Pay only works on Android phones and smartwatches.
Samsung Pay only works on Samsung phones and Samsung smartwatches, both of which can also use Google Pay.
Both are instant, and senders generally expect instant responses
Both are intrusive (messages pop up over other content) and used for informal communications
To Text...
Text messages are ubiquitous - nearly everyone can send and receive one-to-one text messages, and most can receive MMS (Multimedia Messaging Service) messages with multimedia content and multiple recipients. But SMS messages aren't secure. How-To Geek identifies several reasons why SMS text messages aren't private or secure, including:
Your Cellular Carrier Can See Your SMS Messages
SMS Messages Can Be Intercepted by Criminals
SMS Messages Can Be Monitored by Authorities
Your Phone Number Is Surprisingly Easy to Hijack
Or Not to Text
A recent survey found over 90% of Americans actively used instant messengers (aka chat apps) in the 3rd quarter of 2020, beating social network apps like Facebook, MeWe and Minds. Twitter CEO Jack Dorsey recommended George Floyd protesters, who caused $1-2 billion in private property damages, move communications from Twitter to Signal, possibly to avoid a shutdown similar to the one suffered by microblogging competitor Parler.
Secure instant messengers offer advantages over SMS text messages, including:
Many (but not all) IM options provide end-to-end encryption
Some also provide video chat, groups, and offer the ability to manage SMS text messages, too
SwampGeek Recommends...
SwampGeek recommends (without affiliate or any other compensation):
Cybersecurity Awareness Tip 21: Treat Password Reset Security Questions Like Passwords
Many banks, credit card providers and other financial institutions use modern methods like multi-factor authentication for resetting passwords. But some accounts still require users to provide answers to security questions to reset passwords, and others, like Apple ID, are transitioning from security questions to multi-factor authentication.
Assume Your Personal Information Has Been Compromised
Choose open-ended questions and avoid questions with limited choices (e.g. avoid "favorite" or similar questions, surveys, etc. whose answers are easy to find online or to guess)
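The tip's title says to treat security answers like passwords; the example below, added here and not SwampGeek's code, shows both halves of that. On the user side, the answer should be a random string kept in a password manager rather than a real fact. On the service side, answers should be stored the way passwords are: salted and run through a key-derivation function, with a constant-time comparison. The `is_weak_answer` check uses a small constructed list of common "favorite" answers to illustrate why limited-choice questions are weak; the list and the iteration count are assumptions for the demo, not values from the page.

```python
"""Security answers handled like passwords (added example; constructed data)."""
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample of guessable answers that "favorite colour/pet/team" questions produce.
COMMON_ANSWERS = {"blue", "red", "fluffy", "max", "pizza", "yankees", "smith"}
PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune to the server's budget


def normalize_answer(answer: str) -> str:
    """Services usually case-fold and collapse spaces so 'Main  St' matches 'main st'.
    (Passwords are NOT normalised; this leniency is one reason answers are weaker.)"""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def is_weak_answer(answer: str) -> bool:
    """Flag short or widely shared answers; a good answer looks like a password."""
    norm = normalize_answer(answer)
    return len(norm) < 8 or norm in COMMON_ANSWERS


def random_answer(nbytes: int = 12) -> str:
    """What to actually submit: random text stored in your password manager."""
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer: str, salt: bytes = None) -> tuple:
    """Store (salt, digest), never the answer itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored_digest: bytes) -> bool:
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    chosen = random_answer()
    salt, digest = hash_answer(chosen)
    print("weak 'Blue'?", is_weak_answer("Blue"))
    print("weak random?", is_weak_answer(chosen))
    print("verifies:", verify_answer(chosen, salt, digest))
```

The same `verify_answer` routine works whether the user picked a real fact or a random string; only the user's choice decides how guessable the answer is.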
Cybersecurity Awareness Tip 20: Avoid social media quizzes, surveys and public groups
TMI
Hackers and other surveillance organizations (governments, companies) use social media, too. Surveys, quizzes, games, pages and groups can all be used to collect personal information that can be used in indirect phishing or direct cybersecurity attacks.
"Be Less Social.
What to do: Minimize the amount of personal data you have on social media platforms.
Why: Information like your pet’s name or mother’s maiden name is sometimes used to recover account logins. Don’t give hackers an easy way into your online accounts!"
Cybersecurity Awareness Tip 19: Check your privacy settings on social media
Who Are You and How Can I Use Your Profile Against You?
Check the authentication options and enable two-factor or multi-factor authentication if possible. Also check what personal information is collected (SwampGeek recommends providing as little as possible), what is visible, and who can see your posts.
For Example
The privacy and security options supported by social media companies vary from basic (Minds) to complex (Facebook).
Facebook's security and privacy settings seem almost intentionally complex, but also highlight the vast amount of data the company surveils.
Facebook
Privacy Checkup (yes)
Settings require a Master's degree
Posts require a Bachelor's degree
Supports two-factor authentication via OTP (one-time passwords), and facial or other biometric authentication on mobile devices
Can limit logins to certain devices and can use application-specific passwords
Instagram
Privacy:
Private account (yes)
Hide comments (not sure who identifies offensive comments or how, but hiding them in general is good)
Posts: hide like and view counts (yes)
Allow tags and @mentions from people you follow
Show Activity Status: No
Who can add you to groups? Only people you follow
Security
Save Login Info: No
Two-factor Authentication: OTP (e.g. Authy, LastPass Authenticator) and SMS / Text message
Apps and Websites: review and remove as appropriate
Issue: you can view - but not remove - access data (i.e. advertising tracking data)
LinkedIn
Partners & Services: check who has access to your valuable LinkedIn information / contacts
Visibility: Who can see / download your email address?
Third-party Data:
Two-step verification via SMS or OTP (e.g. andOTP, Microsoft Authenticator)
MeWe
Allow Chat Requests (from other members of a group): probably no, since it's difficult to verify the person is real
Limited to single-factor (password) authentication
Minds
Two-factor authentication via OTP (e.g. Duo Mobile and Google Authenticator) or email code
Twitter
Data Sharing and Off-Twitter Activity
Two-factor authentication via SMS, OTP (e.g. FreeOTP and Aegis Authenticator), U2F (e.g. Yubikey and others)
Venmo
Privacy: Yes, Venmo shares your payment description with the world by default. What could possibly go wrong? (Change the default privacy option to Private)
You can also change Privacy For Past Transactions to Private
Friends & social: will you REALLY benefit from giving Venmo access to your Facebook friends list? 'Cause Venmo sure will!
Supports single-factor authentication via PIN or biometric (thumbprint)
Cybersecurity Awareness Tip 18: Don't open suspicious attachments
Dangerous Attachments (It's Not a Lifetime Movie)
No matter what the King of a tiny foreign country promises in the attached instructions, what "Amazon" says you ordered in the attached shipping document, or what FedEx charged you for shipping in the attached invoice, just don't open that attachment.
Any Way You Want It, Just the Way You Don't Need It
Attachments may look like they were sent by someone from Amaz0n.com or another legitimate-looking website. They might be described as containing some salacious or otherwise must-know-right-now information. Definitely don't open something compressed (.zip, .7z, .arc, .rar, etc.) or executable (.exe, .com, .iso, .dmg).
If it looks legitimate (i.e. it comes from a possibly valid source and has a common extension such as .pdf, .docx, .pptx or .xlsx - but not .docm, .pptm or .xlsm), download the file on a home computer (not a mobile device) instead of opening it from the email. Your system's antivirus or other anti-malware tool may identify issues, but to be safe, upload it to an online virus scanner like VirusTotal, which scans the file with almost every available anti-malware scanner for quick and fairly complete detection.
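The two paragraphs above amount to a triage rule: archives, executables and macro-enabled Office files are never opened; common document types are downloaded and scanned first. The script below, an added example that is not SwampGeek's code, applies that rule and adds the check a practitioner would want alongside it: it reads the file's leading bytes ("magic numbers") so that an executable named `invoice.pdf`, or a macro-enabled document renamed to `.docx`, is still caught. The extension lists come from the tip; the magic-number table and the `vbaProject.bin` test are standard format facts, and the sample attachments are constructed in memory.

```python
"""Attachment triage by extension and content (added example; constructed samples)."""
import io
import os
import zipfile

# From the tip: never open compressed, executable or macro-enabled files.
NEVER_OPEN = {".zip", ".7z", ".arc", ".rar", ".exe", ".com", ".iso", ".dmg",
              ".docm", ".pptm", ".xlsm"}
# From the tip: "common" extensions that get downloaded and scanned, not opened from mail.
SCAN_FIRST = {".pdf", ".docx", ".pptx", ".xlsx"}

# Leading bytes that identify the real container, whatever the file is called.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # .docx/.pptx/.xlsx are ZIP containers on disk
    b"MZ": "exe",                  # Windows PE executable
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """OOXML documents carry macros as a vbaProject.bin part; renaming .docm to .docx keeps it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, data: bytes) -> tuple:
    """Return ('block' | 'scan', reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()   # 'invoice.pdf.exe' -> '.exe'
    kind = sniff(data)
    if ext in NEVER_OPEN:
        return "block", f"{ext} is an archive, executable or macro-enabled document"
    if ext == ".pdf" and kind != "pdf":
        return "block", f"named .pdf but content is {kind}"
    if ext in {".docx", ".pptx", ".xlsx"}:
        if kind != "zip":
            return "block", f"named {ext} but content is {kind}"
        if has_vba_project(data):
            return "block", "Office file contains a VBA project (macros) despite a non-macro extension"
    if ext in SCAN_FIRST:
        return "scan", "download on a home computer and check with a scanner such as VirusTotal"
    return "block", f"extension {ext!r} is not on the tip's list of common document types"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word-style container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                    # constructed attachments
        "shipping_label.pdf.exe": b"MZ\x90\x00",
        "invoice.pdf": b"MZ\x90\x00",
        "report.pdf": b"%PDF-1.4\n%constructed",
        "memo.docx": make_ooxml(False),
        "renamed_macro.docx": make_ooxml(True),
    }
    for name, blob in samples.items():
        print(name, "->", assess_attachment(name, blob))
```

The magic-number check is deliberately shallow (first bytes only); it is a cheap first filter before the real scan the tip recommends, not a replacement for it.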
Petya is a family of encrypting malware first discovered in 2016 which propagated via infected email attachments.
Cybersecurity Awareness Tip 17: Don't Take the Click Bait
All the Time, On Every Channel
Spammers, phishers, hackers and surveillance organizations (governments and companies) don't care how they reach you - only that you take the clickbait. They'll put clickbait in email, text, social media, comments on online posts or news stories, instant messengers, chat rooms, TV, or on paper in snail mail, newspaper or magazine ads. Some even look like stories from the site you're visiting, mixed in with that site's real stories.
Stop It Before It Starts
You can stop many malicious communication attempts before they start by using:
Even the best malicious communication blockers won't catch everything, and they can't stop you from visiting sites that might have malicious links in comments or articles. And there aren't any good tools for blocking malicious text or instant messenger communications. So think before you click. Think, and check:
Check the URL, especially if it doesn't match the website you think you're going to visit - use a link checker to see the final destination and a website reputation checker to determine whether it's safe
Use a URL expander to see the final destination of shortened URLs (e.g. goo.gl, bit.ly, etc.)
Remove tracking parameters from links. The ability to remove tracking parameters from links is built into Brave, and you can also add browser plugins to do this. Some email clients (e.g. FairEmail) can also prompt you to remove tracking parameters.
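The three checks above (expand the short link, compare the final host with the site you expect, drop tracking parameters) can be done in a few lines. The script below is an added example, not SwampGeek's code or any browser's implementation. It works offline: the redirect table is a constructed stand-in for the HTTP 301/302 answers a real shortener would return, so the hop-by-hop expansion can be seen without network access. The tracking-parameter names are the commonly stripped `utm_*`, `fbclid`, `gclid` and similar keys; the hostnames in the sample chain are constructed.

```python
"""Expand, compare and de-track a link (added example; constructed redirect data)."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Widely used click/campaign identifiers that add nothing to the page you land on.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "mc_cid", "mc_eid", "igshid"}
TRACKING_PREFIXES = ("utm_",)


def strip_tracking_params(url: str) -> str:
    """Remove known tracker keys from the query string, keeping everything else."""
    parts = urlsplit(url)
    kept = [
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in TRACKING_PARAMS and not k.lower().startswith(TRACKING_PREFIXES)
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed redirect table standing in for live 301/302 responses.
FAKE_REDIRECTS = {
    "https://bit.ly/3abc": "https://t.co/xyz",
    "https://t.co/xyz": "http://amaz0n.com.example/login?utm_source=sms&order=42",
}


def expand_url(url: str, resolver=FAKE_REDIRECTS.get, max_hops: int = 10) -> list:
    """Follow redirects one hop at a time and return the whole chain.
    In real use `resolver` would issue a request that does NOT auto-follow
    and return the Location header (or None when the response is final)."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
    raise ValueError("redirect loop or too many hops")


def same_site(url: str, expected_host: str) -> bool:
    """True only if the host is the expected domain or a subdomain of it.
    'amaz0n.com.example' fails for 'amazon.com'; 'www.amazon.com' passes."""
    host = (urlsplit(url).hostname or "").lower()
    expected_host = expected_host.lower()
    return host == expected_host or host.endswith("." + expected_host)


def check_link(short_url: str, expected_host: str) -> dict:
    chain = expand_url(short_url)
    final = chain[-1]
    return {
        "chain": chain,
        "final_host": urlsplit(final).hostname,
        "matches_expected": same_site(final, expected_host),
        "clean_url": strip_tracking_params(final),
    }


if __name__ == "__main__":
    for k, v in check_link("https://bit.ly/3abc", "amazon.com").items():
        print(f"{k}: {v}")
```

Keeping the whole chain, rather than only the last URL, matters: every intermediate host in the chain also learns that you clicked.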
"Security without privacy is like having a house made of bullet-proof glass. Sure, no one is getting inside, but your personal life is still on display."
New threats target all platforms. All. Platforms. How-To Geek suggests you don't need antivirus protection on your iPhone because malware on iOS is rare by design. Antivirus vendor Bitdefender reminds us that iOS isn't safe either.
South Florida Seasons: Summer and Hurricane
In South Florida, many use a checklist to prepare for hurricane season each year (our other season is summer). Even though the threat of cybersecurity attacks is constant, schedule a reminder to check your cybersecurity preparedness at least annually. Schedule it on a calendar that you're sure to see, and remember to take action.
SwampGeek Recommends...
SwampGeek recommends (without affiliate or any other compensation):
Cybersecurity Awareness Tip 14: Use private email to limit snooping to governments
Nothing to Hide
40% of emails are spam, 70% contain email trackers, and hackers, spammers and surveillance organizations (companies, governments) use these to target individuals. What about the email providers who may have direct access to your email communications?
"Here's my email address. ...Email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide."
Greenwald doesn't mention being able to reset the passwords for all your financial accounts, find your phone and much more, just by being able to access your email.
Google insists it no longer reads your email and neither do 3rd-party app makers. Preveil and the Guardian disagree. And even if Google, Yahoo, Microsoft and other providers of "free" email services don't scan your messages, they can (and do!) still use the metadata - who sent and received the email, when, and what the subject was - for marketing or other purposes.
Snooping Governments Will Still Snoop
Even privacy-focused email providers must respond to the force of courts and other government agencies, including top providers ProtonMail and Tutanota. After a recent event, ProtonMail explained why it scrubbed its website of "no IP logging" content, how it transparently reports incidents of government force, and how you can use its free ProtonVPN service to mitigate the impact of government force.
Keeping Your Email Yours
There are better options for private email without the surveillance incentives of the major free email providers. Some of them have free versions with limitations. These offer end-to-end encryption, but beware:
You can still send unencrypted email to recipients outside the service, and its contents are then visible in the recipient's potentially surveilled inbox.
You must use secure email clients on all devices. Most secure email providers offer clients on major platforms, but beware of using other clients, especially without encryption, via POP or IMAP.
SwampGeek Recommends...
SwampGeek recommends (without affiliate or any other compensation):
ProtonMail - Switzerland-based, with a good free service offering most features and a low-cost, fully-featured commercial service
Tutanota - Germany-based, with a good free service offering most features and a low-cost, fully-featured commercial service
You can also use email forwarding to further protect your inbox.
Resources
Privacy Tools - provides services, tools and knowledge to protect your privacy