Protecting your online identity

A few months ago, a small add-on for Firefox and Chrome was released. Called Privacyfix, the add-on is designed to check and update your privacy settings for various online services, including Facebook and Google.

I had always been vaguely aware that Facebook is the internet’s Mac Daddy of privacy violation, but even so, the results of installing Privacyfix were pretty shocking. At the default Facebook settings, my profile and posts were largely public affairs and – at least according to Privacyfix – 90% of sites I visited had Facebook tracking enabled. Meanwhile, Google collects data on 49% of the sites I visit.

So if Privacyfix is to be believed, nine out of the 10 sites I visit have a Facebook widget somewhere on the page and send details on my visit back to Facebook, all in the vain hope that maybe I’ll click ‘Like’ on one of their articles. It’s not a pleasant thought.

Privacyfix: a neat add-on for Firefox and Chrome that shows you just how careless you’ve been with your settings.

Indeed, the fact that so much personal information about me was widely available, even to non-friends, is a major concern, and not just from a privacy perspective. Identity theft is on the rise, and it was pretty clear I needed to be more careful about what information was out there.

In June 2012, the Attorney-General’s Department released a report on the prevalence of identity theft in Australia. In a survey of 1202 people, 24% reported that identity theft had happened to them or somebody they know. In 2011, that number was 17%.

In the majority (59%) of reported cases, it was a credit card number that was stolen and used to make purchases. But in nearly a third of cases, the stolen information was also used to obtain loans or credit cards. Less prevalent, but still notable, were instances of submission of false tax returns and benefit claims (pension and Centrelink, for example). In 12% of cases, the identity was stolen simply in a malicious attempt to embarrass the victim.

It’s not just criminals: according to a survey commissioned earlier this year by the US-based CareerBuilder online employment site, 37% of employers admitted to using social networking searches to research job applicants, and 34% of hiring managers said they had rejected job applicants because of information they had found online – usually because of posts or pictures about drugs or alcohol. In these cases, it’s especially important that you’re careful about what the world can see!

In this environment, protecting the sanctity of your online persona has become a key concern. With so much of our lives invested in social networking and cloud services, getting hacked or having our identity stolen can be disastrous on both a personal and financial level. So what can we do about it?


Passwords, passwords, passwords

At a rough estimate, I have approximately a zillion different passwords to keep track of. OK, a zillion is not a real number – my Firefox password list currently has 140 passwords saved. It’s likely yours is something similar, given the sheer number of sites that require passwords.

Of course, no regular human can remember that many passwords. So we use the same password over and over, or we use different passwords and hope our browser’s password memory feature works (and we don’t ever lose the browser’s password list). Either way, it’s a recipe for disaster: in the former case, if the identity thief gets one password, they get them all. In the latter, anybody who has access to your browser can access all the sites you visit, and heaven help you if you ever lose the master password list.

To keep this all in check, a password manager is a great solution. Firefox users have a significant advantage here. Firefox has a built-in password manager that’s editable, checkable and securable with a master password. All the passwords that Firefox remembers are stored in an encrypted file. If you add a master password, it will be required any time that file is accessed. You only need to remember the one password (so make it a good one), but you can still set different passwords for different sites. You can add a master password in Firefox by going to ‘Tools > Options > Security’ and checking the box that says ‘Use a master password’.

If you use Internet Explorer or Chrome, the saved passwords are stored in an encrypted file in Windows, linked to the current user’s account and accessible to anybody who can log in using that Windows account. If you want to better manage passwords or set up a master password, you need to use a third-party password manager.

A good place to start is KeePass, a free and open-source password manager for just about every platform you can name. It works for not just your web passwords, but networks and applications as well. You can secure your password database with a master password, and you can additionally require that a key file be present for the password database to be unlocked. KeePass is portable – you can run it from a USB stick, which makes it very handy for carrying passwords from PC to PC. It’s very powerful for a free solution, although it can be a little technical.

KeePass: a very capable free solution for password management.

LastPass is a free password manager solution that allows master password encryption and also syncs your password list with its cloud service, so you can access your passwords from whatever computer or device you’re using. It’s available for a large variety of platforms, which makes it perfect if you’d like your PC password list to be made available on your Android phone, for example. It works with IE, Firefox, Chrome, Safari and Opera.

Lava Software’s PasswordVault is another free tool that’s easier to use than KeePass and LastPass and offers an encrypted password list that’s very easy to distribute to multiple devices across different platforms. Like KeePass, it stores more than just web site logins: software serials, text clips and other bits of data can also be added to the vault.

PasswordVault: another free password manager.

RoboForm isn’t the prettiest of password managers, but it has some features I really like, including an easy-to-use interface and the ability to actually print out your password list for hard storage. It also fills out online forms for you automatically. The paid version includes cloud storage of your password list and syncing across multiple devices.


General protection: the security suite

Security suites are another option if you’re looking to better protect your digital identity. Not only do several include password managers, they also have other tools to protect your online information.

I’ve reviewed a lot of security suites over the years, and nearly all of them claim to have identity theft protection. In many cases, however, that’s really just shorthand for: ‘Yes, we have a spam and web filter’. The spam filter keeps you from getting some of the phishing emails that might head your way; the web filter stops phishing and malicious sites from loading. These things are certainly useful – especially if you have other people less wary than you using the computer – but they’re not a final solution and they do little to protect you from privacy violations.

Some suites, like Trend Micro’s Titanium, also add specific information filters. In the suite configuration, you can set up key phrases (like your phone number and home address) that will be blocked from being sent using web forms or instant messaging. Of course, if you’re savvy enough to set this up, you’re probably wise enough to know who to trust. It can be useful for stopping children from oversharing, though.

We’re also seeing a growth in online social networking security checks. BitDefender Internet Security 2013 and Trend Micro’s Titanium 2013 include a Facebook checker which evaluates your Facebook settings and checks Twitter and Facebook links for malicious content before you click on them. McAfee Total Protection 2013 and Norton 360 likewise check social networking links for malicious sites.


Anti-trackers & other tools

Suites aside, there are some great free tools available to protect your privacy and identity online.

The aforementioned Privacyfix add-on checks your social networking configuration. It will link directly to your Facebook and Google settings, highlighting elements you should be aware of and telling you how you can change them.

Disconnect is an add-on that’s available for both Chrome and Firefox. It prevents tracking by a number of social networking sites, including Facebook, Google, Twitter and Yahoo!. It prevents sites that you visit from sending tracking information back to these services or from using your history to ‘personalise’ web searches and advertising. No longer will Facebook have a near-complete record of your web activity.

Facebook Privacy List for Adblock Plus and Antisocial are subscriptions for Adblock Plus. Adblock Plus is an add-on for Chrome and Firefox that will block the majority of online ads. These additional subscriptions block Facebook and other social networking widgets from appearing in web sites, so those sites won’t send information back to Facebook. You need to have Adblock Plus installed to use them.

Ghostery is an add-on, available for all the major browsers, that monitors who’s tracking you as you travel around the web. It monitors social networking sites, ad providers and others who track you across multiple sites. It then lets you selectively block scripts from those companies. It’s a great tool, covering a lot of services you might not want tracking you online.

Ghostery is a tool that tracks the trackers and lets you block them.

DoNotTrackMe is similar to Ghostery: it blocks cross-site tracking by social networking, advertising, analytics and other services. It’s more aggressive than Ghostery, blocking everything by default and letting you opt in. It’s available as an add-on for Firefox, IE, Chrome and Safari.


Other tips for protecting your identity online

Fix your social media settings

Facebook, Google+ and other social media services love to share your private information. They’ll share it with advertisers, other users, affiliated web sites, Facebook apps and more. If you don’t want that to happen, you have to go through their privacy settings with a fine-toothed comb. In particular, turn on your Facebook security features. Facebook has several little-known features used to secure accounts: ‘Login Notifications’, which send you an email notice every time your Facebook account is accessed from a new device; ‘Login Approvals’, which require a code to be entered if an account is accessed from a new device; one-time passwords, which are used for accessing Facebook from a public computer and expire after a single use; and app passwords, which need a password before you can access an app.

Use PayPal

PayPal is specifically designed as a firewall between you and an online retailer. It allows you to buy things without having to give up your credit card details – and the fewer people in the world that know your credit card number, the better. When given the opportunity, use it.

Use a virus and spyware scanner

Truth be told, if you don’t have one installed already, you should probably be disqualified from owning a computer. However, here’s your chance to rectify this: head over to AVG, Microsoft’s Security Essentials site, avast! or PC Tools and download a free antivirus app. Do it now! Around a third of identity theft is the result of virus infections and bad software.

Don’t share quite so much on Facebook

What’s your birthday? Address? Phone number? Pet’s name? Best friend’s name? What high school did you attend? These are all common questions used on the phone and in online authentication systems, and all the answers are frequently readily available on Facebook. According to a 2011 study by Javelin Strategy & Research, roughly two-thirds of people share their birthday and high school on Facebook. Close to a fifth published their phone number, and 12% even shared their pet’s name.

Remember your mobile

Smartphones and tablets that aren’t password protected are often a weak point in your security. Lose your phone and you lose all your online passwords along with it; your private information, cloud services and anything else you can access from your mobile are vulnerable. On iOS or Windows Phone, enable the password; on Android, use the swipe pattern (with a non-obvious shape). You can also enable remote location and wiping for your smartphone. On iOS, you need an iCloud subscription so you can either locate the phone via GPS using Find My iPhone or remotely wipe the phone. On Android, Mobile Defense can serve a similar function. You can also try McAfee WaveSecure or Symantec Norton Mobile Security.

Be aware of email and text message scams

Much like telephone scams (such as the tech support scam), email and text message scams are becoming more sophisticated. It’s not just fake emails from your banks; it’s fake ‘surveys’ used to gather information on you, false free offers of wine and travel, and much more. If anybody you don’t know offers you anything free or asks for private information over email, you know what to do – delete and ignore. Make sure everybody in your family knows that too.

The fake email address

Set up a dummy email address using Gmail, Hotmail or Yahoo! Mail. Hell, set up several. Whenever a person or site that seems a little shady demands your email address, give them this one. This keeps your main email address off spam and phishing lists.

Computer disposal

Before ditching your old computer, be sure to not just format the hard drive, since files can be recovered from a formatted hard disk, but totally nuke the files on it. Darik’s Boot and Nuke is perfect for this – it creates a bootable flash drive that can then be used to totally destroy the data on a hard disk. Alternatively, you can always yank the hard disk out and physically destroy it, which can be deeply cathartic as well as protecting your data, though perhaps not as environmentally friendly.

Use good passwords

It can’t be said often enough: use non-dictionary words. That’s how most hacks work – they run a ‘dictionary attack’ on your passwords, trying variants on common words. Random numbers and letters work best.
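The advice above as a password check, in an added example that is not part of the original article: it flags passwords that are only a common word in light disguise, and generates random letters and numbers instead. The word list and substitution table are small constructed samples, and the function names are illustrative.

```python
import secrets
import string

# Constructed sample list; real password audits use far larger word lists.
COMMON_WORDS = {"password", "dragon", "monkey", "letmein", "football", "sunshine"}

# Character swaps people use to "disguise" a word, mapped back to letters.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

JUNK = string.digits + string.punctuation


def is_dictionary_variant(password):
    """Return True if the password is a common word in light disguise."""
    lowered = password.lower()
    # Forms with digits/punctuation removed from the end or from both ends,
    # e.g. "Dragon2012!" -> "dragon".
    forms = {lowered, lowered.rstrip(JUNK), lowered.strip(JUNK)}
    # Undo character swaps on each form, e.g. "p@ssw0rd" -> "password".
    candidates = forms | {form.translate(LEET) for form in forms}
    return any(candidate in COMMON_WORDS for candidate in candidates)


def random_password(length=16):
    """Generate random letters and digits from the OS's secure random source."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require a mix of character classes; retry in the unlikely case
        # the result fails the dictionary check.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and not is_dictionary_variant(candidate)):
            return candidate


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "Dragon2012!", random_password()):
        print(sample, "->", "weak" if is_dictionary_variant(sample) else "ok")
```

A password generated this way is meant to be stored in a password manager rather than memorised.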

Do not track

If you’ve been following web standards (and who doesn’t?), you may have heard about a little thing called the ‘Do Not Track’ (DNT) header, currently being standardised by the World Wide Web Consortium (W3C). It’s a setting in your web browser that sends sites you visit a note saying you’d like to not be tracked, and therefore all cross-site tracking services should be turned off.

Do Not Track settings
You’ll find the ‘Do Not Track’ setting in the ‘Privacy’ settings of your browser.

Most of the major browsers, including IE, Firefox, Safari, Opera and Google Chrome, support the DNT system. It’s switched off by default in all of the browsers except IE10 for Windows 8, in which it’s switched on by default – a move that even the designers of the DNT system find controversial, since it may compel web programmers to just ignore the flag.

And they can do exactly that. The major flaw in the scheme is that it’s entirely based on an honour system. It doesn’t actively prevent sites from tracking you – it just politely lets them know that you would prefer not to be. Major sites will probably honour it, but many will just ignore it.
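What the honour system looks like from the site’s side, in an added example that is not part of the original article: the browser sends the request header `DNT: 1`, and the server’s own code decides whether that changes anything. The widget URL, page content and function names are constructed for illustration.

```python
# Constructed stand-in for a third-party social widget (hypothetical URL).
TRACKING_WIDGET = '<script src="https://social.example/widget.js"></script>'


def prefers_no_tracking(environ):
    """True when the browser sent 'DNT: 1'.

    WSGI exposes request headers as HTTP_* keys, so DNT arrives as HTTP_DNT.
    'DNT: 0' or a missing header expresses no objection to tracking.
    """
    return environ.get("HTTP_DNT", "").strip() == "1"


def render_page(environ, honour_dnt=True):
    """Build the page; the site alone decides whether the header matters."""
    parts = ["<html><body>", "<h1>Article</h1>"]
    if not (honour_dnt and prefers_no_tracking(environ)):
        parts.append(TRACKING_WIDGET)
    parts.append("</body></html>")
    return "".join(parts)


def make_app(honour_dnt=True):
    """Return a WSGI app that either honours or ignores the DNT header."""
    def app(environ, start_response):
        body = render_page(environ, honour_dnt).encode("utf-8")
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
            # The response differs by DNT value, so caches must key on it.
            ("Vary", "DNT"),
        ])
        return [body]
    return app


def fetch(app, headers):
    """Call a WSGI app in-process with constructed request headers."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body.decode("utf-8")


if __name__ == "__main__":
    for honour in (True, False):
        _, page = fetch(make_app(honour), {"DNT": "1"})
        print("honours DNT:", honour, "| widget served:", TRACKING_WIDGET in page)
```

The second app receives exactly the same header and serves the widget anyway, which is why blocking add-ons such as Ghostery or Disconnect do not rely on the site’s cooperation.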

“We’ve detected a problem with your computer”

If you own a telephone, there’s a pretty decent chance you’ve had somebody try to run the tech support scam on you. It’s a global phenomenon, and it’s still a major problem.

It typically goes something like this: you get a call, and the person on the other end of the line (often with a strong accent) informs you that they work for a computer security specialist (or sometimes Microsoft) and they’ve detected that there’s a virus on your computer. They get you to look at your Windows Event Viewer, which usually has a list of scary-sounding (but actually benign) problems listed. Then they convince you to install a remote access application that gives them full access to your files – and pay them several hundred dollars for the privilege.

If you’re anything like me, you probably began responding to these scam calls with a polite yet incredulous response, which evolved into screaming at the operators and demanding that they never call you again, then simply settled for wordlessly hanging up. I call it the three stages of phone harassment.

Other users have found more creative ways to take their revenge, however. An increasingly popular pastime is actually trolling the scammers: making them waste their time thinking they’d caught a fish before pulling the rug out from under them at the last minute. According to the online magazine Ars Technica, one user named Ted managed to keep them on the line for two hours by pretending to be running a Windows 95 computer having trouble connecting to a dialup CompuServe account. He even had fake dialup modem sounds ready. He posted the last 43 minutes of the call to SoundCloud as a lark.

Fortunately, US, Canadian, UK, New Zealand and Australian authorities have started to make moves against these scammers. In October of last year, the US Federal Trade Commission announced a joint plan targeting 14 companies and 17 individuals and froze US$188,000 worth of assets in the process. There was also an agreement to block the more than 80 different domain names and 130 different phone numbers used by the scammers.