The Phone Call
I received a phone call from a family member in another state earlier this week. Always happy to talk to this person, I leaned back in my chair, happy to hear their voice and wondering to what I owed the pleasure of the phone call. After the initial pleasantries and a brief catch up, I was being asked what I believed to be some odd questions about whether it was possible for someone on an iPhone to hack into a laptop, and some other similar questions. I remember thinking at the time, why am I being asked this? And then it came out - "Someone got into our on-line bank account and the money in the account is gone". While the details of it are still being looked into by the bank, it was revealed to me that there were other accounts that were compromised as well.
As I continued to talk to my family member about what was going on, it pained me to hear how much time and effort was involved with getting everything squared with the bank. And I'd like to point out that this is only the time invested with the bank; that doesn't include the other accounts that have been compromised. Everyone can develop some good account management habits that will minimize their exposure, and allow them to respond quickly should a breach happen. And if reading this has made you curious about whether or not your personal accounts have been compromised, check out haveibeenpwned.
What to do about it?
In talking to my wife, we agreed that talking security isn't fun for most, and in general no one wants to talk about it unless there is a problem. It made me realize how computer security and operational security tend to become second nature for people in the tech industry because, frankly, it's our day job to protect data. And even though we think about it constantly - it's hard to get right, it's time consuming, and you're always at risk of a gotcha. And that got me thinking - what if there was a simple guide that could help you set up a workflow that is easy to set up, remains mostly out of your way, and can help protect your on-line accounts? I started looking for this on-line, and I found some - they were great for their time (circa early 2000s). I found that there are a number of modern ones out there; some of them are vague, others are trying to sell you a service or a physical device. I have also found other modern articles that are fantastic, but involve using tools that can be confusing or complicated to use. So I figured, what if I wrote down an opinionated guide that walks you through the process of improving your on-line account management?
Goals and assumptions
- Set up something from scratch within one afternoon.
- Use free or freemium services that cost no money long term (at the time of this writing).
- Have a high level understanding of what you can do to protect your accounts.
- Avoid getting deep into the weeds about how stuff works, but provide ample source material for reference if you want to go in depth.
- You already own a computer (running Windows, MacOS, or ChromeOS) and know what a web browser is.
- You have a smart phone running iOS or Android.
- You have a desire to protect your on-line accounts, and want an easy way to react to a compromised account.
As mentioned above, this is NOT intended to be the definitive guide to cybersecurity, computer security, protecting yourself on-line, etc. Rather, this is an opinionated guide on how to improve browsing habits and account management for individuals who haven't been exposed to this topic yet. For depth on the subject matter discussed in this and the subsequent articles, please refer to the National Institute of Standards and Technology - Cybersecurity, and/or review the opinions of subject matter experts such as Bruce Schneier for best practices.
Now that we have outlined what we are going to do and what we are not going to do, let's talk specifics. First, we will set up a web browser that enforces good browsing habits and that can seamlessly manage the following two items. Second, we are going to set up a password manager that can create/manage/rotate strong passwords for you. And finally, we are going to set up Multi-factor authentication (MFA) so that, in addition to your strong passwords, there will be a physical component to getting into your accounts (more on this later). This may seem like a lot, as there is new vocabulary and it sounds technical, but in practice it's much less intrusive than you'd expect. I ask for your trust for a little bit: try it out, and if it seems far too daunting - it's easy to undo. Without any further ado, excelsior, onto part 1!