All of us have a responsibility to protect our digital identity. However, what can we do in practice? During every episode of our Let’s Talk About Digital Identity podcast I, as the podcast host, have asked our guests to tell us a tip for anybody to protect their digital identity. We have heard truly interesting pieces of advice, and here I’m compiling 8 of them. While we’ve had more than 8 guests, some tips are so important they’ve appeared multiple times!
1. Use a password manager
By far, the most common answer is this: use a password manager. We heard this from Colin Wallis, Max van de Poll, Emma Lindley, Joni Brennan, Julian Hayes and Don Thibeau. Passwords are clearly a huge problem. Don Thibeau was categorical when he said, “Passwords are the cockroaches of our industry.” They give a false sense of security.
Your primary email is the gateway to all of your services. If an attacker accesses your inbox, they have the power to impersonate you or reset passwords on other websites, on which they can steal money or cause other serious harm.
Even if you are using password managers today, it is likely that you have re-used passwords throughout the years and across several websites. That is why we also recommend you check HaveIbeenpwned.com if you have never done it.
2. Enable two-factor authentication
Two-factor authentication means that in order to either log in or confirm a transaction, you will need to use two factors to authenticate yourself, preferably a combination of: something you know (a password, PIN code or passphrase); something you have (a physical token, USB key, your mobile device); or something you are (fingerprint, face recognition, hand gesture).
Two-factor authentication varies across services and countries but the good thing is that today they are widely available: SMS one-time passwords, email one-time passwords, printed one-time passwords, national ID cards, mobile authenticator apps, disconnected tokens, USB stick tokens, etc. This tip was recommended by Max van de Poll and Lauri Immonen.
3. Take an extra second before you click, or before you post
Let’s say it’s the time of the day when you check social media. Someone you follow has shared a flashy poll “Are remote workers more productive?” and it sound very interesting. Wait. Take an extra second before you click. Take an extra second to think: is it worth to participate in that game? Will this leak personal data about me or my company? Thanks to Joni Brennan for this tip.
Another day, you receive an email from a service you use (audiobook subscription, CRM, etc.) which asks you to check new offers, read the blog, and log in. Take an extra second to check: is this the right site or is it a fake site? Thanks to Simon Wood for this one.
Alberto García recommends that on your Internet browser, verify the service provider is legitimate, and check the certificate of the website.
4. Never believe someone calling you is who they say they are
In the past, it wasn’t uncommon for a bank to call you by phone to verify some personal information, even to confirm a transaction, so some people built the belief that talking by phone with the bank was a necessary and safe practice. And they were right.
However, times have changed and these days fraudsters may call you and ask your password, pin code, or critical personal data such as social security number. These criminals could also ask you to reset your password. Today, never believe if someone calls you telling it’s the bank, never, as categorical as that, Lauri Immonen recommends. You can get a feeling of the dreadful consequences by watching this video – also embedded below – created by Dubai Police (best enjoyed standing up and turning the volume up).
What can you do if the bank or another service you use calls you? Ask for a number on which you can call them back and check the bank’s website or a trusted directory (e.g. yellow pages) to verify that the number is legitimate. The same applies to emails, don’t reset your password if you receive an email asking you do that. Rarely are these email messages authentic, as Diane Joyce tells us in episode 12.
5. Put a secondary password on your mobile subscription account
Last August 30th, 2019, Jack Dorsey’s Twitter account was hacked. The most likely way was an attack called ‘SIM swap’. In a SIM swap attack, a hacker convinces your mobile operator that you want to change your mobile subscription to a different SIM card. This can be done by simply calling your mobile operator, talking a customer support operator into believing it’s you and, during that call, claiming that you want to change your subscription to a new SIM card. If that succeeds, your actual phone will get completely disconnected from the mobile network and the attacker will have in their hands a phone using your mobile number to make calls, send and receive text messages on your behalf.
In order to prevent this catastrophe, Cameron D’Ambrosi recommends that you contact your mobile operator and set a secondary PIN code that protects your subscription. In some countries, that default PIN is the four last digits of your social security number.
Cameron also suggests an extra step (perhaps for more advanced users): later, call your mobile operator and try to social engineer your own mobile subscription account. In some cases, doing this revealed that even though a user requested the secondary PIN code, the mobile operator didn’t set it and that account was still vulnerable.
6. Demand that services let you sign documents digitally
According to Robin Von Post, today when you have to sign an agreement, there are no excuses for printing the paper, signing with a pen and then scanning it back in. Digital signatures have evolved to a solid level of security, and online document signing tools are easier and more intuitive than ever. In spite of that, a minuscule share of public services and private organisations have embraced this new paradigm so far. Do contact your service providers and demand they let you sign documents digitally.
7. Be careful what personal data you put where
These days, online services know that the more data they collect about you, the more potential there is to make money from it. So be careful what information you offer and where. For example, don’t allow webshops to store your card details, Max van de Poll suggests. Be aware of who you trust, and value your ability to make trust decisions on your digital life, said Rachelle Sellung. Colin Wallis recommends that you visit web services that ask you less personal data, or use ones you already have a longer, trustworth relationship with.
8. Check your credit files regularly
Credit files services are commonly used in UK and USA, e.g. Experian and Equifax. Diane Joyce recommends that you go and have a look at your credit file regularly. A bank will visit your credit file if they want to have a glimpse at your solvency, so it’s good to remember that everyone who sees your credit file will leave a mark on it. You might find surprising marks that can alert you to suspicious activity. As an additional tip, check your postal address on your bank account to make sure it’s up to date.
Thanks to our amazing podcast guests for their tips so far!
Links to episodes released so far, in chronological order:
- Colin Wallis, Executive Director of Kantara
- Simon Wood, CEO of Ubisecure
- Max van de Poll, Product Manager for SplitKey at Cybernetica
- Lauri Immonen, Head of Security & Identity, and Joni Rapanen, Global Product Manager, at Telia Company
- Emma Lindley, Co-Founder of Women in Identity
- Joni Brennan, President of DIACC (Digital ID & Authentication Council of Canada)
- Julian Hayes, CEO of Veneto Privacy
- Cameron D’Ambrosi, Principal at One World Identity
- Don Thibeau, Executive Director of the OpenID Foundation
- Robin von Post, Head of IAM Solutions at Cybercom
- Rachelle Sellung and Alberto Miranda García, representing the LIGHTest Project
- Diane Joyce, Identity Evangelist and Executive Member at Women in Identity
If you have more tips for anyone wanting to protect their digital identity, comment below or use #LTADI – Let’s Talk About Digital Identity – on social media. Remember to subscribe to the podcast for more great interviews every fortnight.
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.