NOTE: This is a multi-post series and contains a lot of data points
I get asked a lot of questions about whether or not I use online banking, make online purchases or register to any online sites. The answer to all of the above is yes, no, and depends. It is critical to recognize what it means to do anything online and the terms that are used, situations that can happen and how best to protect yourself. It is really important to recognize that no matter how safe you are, you still may become a victim. This is because as companies collect your data and store it, there will always be employees or external forces that access your data, sell it or steal it for nefarious purposes. If you own a phone, if you own a tablet, if you own a computer and your device as internet access, including an XBOX, PS3, Nintendo you run the risk of someone taking advantage of you.
There are certainly things you can do and should to protect yourself. While it is a lot of information to consume, let’s look at some terms that get tossed around and understand what they mean. It is critical to understand where you sit in each and every situation as it will help you keep yourself safe and better understand how to communicate to the businesses you register and partner with. This can include banks, online shopping, medical or taxes (government).
• Account: Accounts are used to connect an individual with some online presence. Of course you can have accounts with businesses and not use any form of online connection, but the discussion here is about online connections. You can have an email account, bank account, Facebook account, twitter account and so on. Each of these have different types of authentication & profiles.
Security is how they protect you and them, while profiles are the collection of data that makes up your account connection to the business, such as email address, login information, name, address and personal options.
NOTE: You should never treat accounts across multiple business partners as a single thing. I know a lot of people do it, but using the same email / user name / password combination across all sites, opens you up to severe consequences, by making it easy for cyber thieves to access your accounts and access its resources
• Security: describes the way in which a resource, such as a web page or your own data are secured. This means there are processes in place which attempt to “protect” your data. Security processes can be things like user name / passwords, id cards or some of the newer models that leverage your phone, pc or even your finger. The resource that you are requesting will not be available until you go through the security process (Authenticate, Authorize, Access)
• Authorization: authorization is a specific security process that is used to validate whether you, as an individual (or computer), have access to do what you are asking to do. Say for instance, that you want to login your bank. The bank may use a password and user name to authenticate you. So they have secured your bank accounts via user name and passwords. Authorization is literally a “question” that the security process has to answer. Does this person / computer whom is requesting access to “something”, actually have permission (authorization) to view it. There are technically only 2 answers, Yes or No
• Authentication: authentication is a security process that validates that the “security credentials” you are attempting to use, are actually valid.
Example: Ok, so you browse to Facebook. You have “requested” to see the Facebook account of “Michael Person”. It asks for your user name and password. They are using a form of standard request / response authentication and authorization. It asks who you are. You provide your credentials (think your license). It looks at the credentials and first says
1) are these valid credentials – yes
2) do these credentials have permission to the “requested” resource, in this case a web page of data – yes
3) great you are authenticated & authorized and the page renders (is displayed)
• Credentials: credentials are the “data points”, such as user name password, finger print data or digital card data that you are using to try to “authenticate” to a resource. More recently companies are getting stricter, such as how long your password is, how complex it is, forcing you to change it ever so often etc
• Two-Factor Authentication: this is something that has been around but is just now really getting into much of the mainstream security processes. This is a process where you don’t just supply one set of authentications, but you actually have two. This is usually a process where you provide some form of credentials and the company you are attempting to authenticate too, sends you a message (usually on your phone or email) and expects you to supply it back.
Why is this good? Because:
1) it helps validate that the service you are connecting to is actually the one you intended to connect to
2) it helps protect you, because to enable 2 factor authentication you probably used your cell phone. In this case, a person whom wanted to pretend to be you, not only has to steal your user name / password, but also has to somehow emulate your phone and then have the previously mentioned company specifically send that fake phone (or steal yours) a message. But now they also have to get passed your user name / password + stealing your phone + your phone password / code (always have one)
• Privacy: privacy is a big thing. It is a topic specifically about the data that any company may collect about you and how it can use it to further its business processes, including the government.
When you register with a company you almost always agree to some form of “agreement” that they can use your data both internally and with their 3rd party partners. This stinks… because you may not even realize it. And to a certain degree the companies merely have to prove that the data was necessary to help benefit them directly or through their partner to use it (once you have agreed), and they cannot get in trouble.
Each country around the world can have one or more rules regarding this. Europe is much stricter with data than in the US. Such as not even allowing your data to be shipping out of the entire region (meaning it cannot be used in the USA at all)
• Opt In / Opt Out: opt In is a term used to determine is you have “opted in” to a company’s data sharing / data saving processes. Some regions of the world allow for automatic opt-in. This means to a degree a company can start using your data and capturing it the moment you download their app or log into their web site.
While other countries / regions require double opt-in or just plain make it illegal to actually capture / leveraging / store data about its customers. You should be very clear that when you sign up online for anything, you have a real issue with your data privacy
By legal standards in most places world wide, companies are required to provide Opt-In, Opt-Out options, ability to see your current settings (so you can change them), the ability to change them and to not “hide” them so hard that a user cannot find them to change them. In many cases they are required to provide both online and email / phone call options to enable / disable these settings.
Lastly and really important, a single company may have actually multiple levels of Opt-In communications etc. You may say you want to get data from your credit card company (monthly bill) by email, but you do NOT want them to call you with offers. There could even be a second part of the company that does… oh I don’t know, mortgages and you can Opt-In to credit card data but Opt-Out specifically from mortgage communications. Finally many of them have a “big button” option that overrides all the other settings. It means, do not ever contact me (via email, phone, SMS, fax, whatever) no matter what the individual settings may be. Even Microsoft has this option. It enables customers a very quick way to block ALL communications even if you previously said yes to individual communications within a company.
Privacy and Data Security have massive legal compliance rules world wide. Companies have to work really hard to meet them all. Even though they may make a mistake they have to prove they are trying their best to meet the needs in each country. This is difficult to do because compliance is so different across the globe.
• Login / Password: A standard way to provide credentials to a security authentication process. Used by many companies in some way. Please note that your login and your password should never be used on multiple sites. And you should recognize that this is NOT the same thing as your user name and password to your ISP (internet service provider). This is a big mistake by many folks. They use the same email address on all sites and in many cases specifically use the same password as their actual email password… never ever do this
Some folks do confuse that their “account” on a site they sign up for is the same as their “email” account. When they are asked for their email address as a way to login they end up using the same password as they do to their actual email account login, such as google or yahoo or even outlook.com. The problem is that if someone steals this information, it will be easy to “hack” someone’s Facebook, twitter or other account if you did leverage the same password.
• User Name: User name, member name, login, sometimes email address are used to identify you. Some sites actually let you have a member name (or screen name / nick name) and an email address, yet you can use either / or to actually authenticate. Please please recognize that when a site asks for your email address, especially in the cases where they use your email address “as your login name”, you should NEVER use your Email Accounts password as this sites password. If you do this, you are very specifically making it easy for hackers to steal your stuff.
Facebook is a great example. If you have for instance firstname.lastname@example.org as your email, and of course you go to log into facebook, you should be using a completely different password than the one that you use to actually read your email. Think of it this way. When you register on a site, you are effectively telling a hacker that you have an email address and here it is. Now they have that, they only need to hack your password. And then of course if you use the exactly same email on ALL your sites, and the same password, once they hack one site… they only need to guess or “try” the same information on other sites and bingo, they own you
• Data Classification: Data both internal to a company (business data) and customer data have different classifications. This won’t cover everything but at least to help you understand
o LBI – low business impact: The expectation is if this data is lost / stolen it will not impact the company much
o MBI – medium business impact: Has a medium impact on the business if lost or stolen
o HBI – high business impact: This is business critical data that would impact its customers and financial bottom line in a major way. This could be financial data, tax data, investment data etc. Technically speaking it is merely something that would impact them, so it could be anything they “deem” HBI.
o PII – Personally Identifiable Information: This data would make it easy for anyone to specifically identify a customer, thereby losing the customers privacy and could more directly impact the user (hacking, identity fraud etc).
This would be IP Address (alone in some regions with other data in others), Name + Address, Cell Phone Numbers + Name, SS #, Government ID’s etc… it’s a wide and varying range of things.
o Anonymous Data: This data is considered to be safe. The goal / idea is that in no way can this data be used to actually identify an end user, no matter how much reverse engineering is done.
But can anonymous data ever be used to identify someone? Yes, and it has happened. Sometimes companies collect multiple streams of data. Separately they mean nothing but combining that data with other data (which doesn’t even have to be owned by said company) can make it PII data. While it takes effort to turn it into PII, it is in fact possible.
There are great case studies about how this has happened by researches just to prove it can be done, sometimes combining company & government collected data to reverse engineer and identify people directly (even getting addresses, phone numbers etc)
• Data Sharing: Even within a company, data is not necessarily guaranteed to be sharable EVEN if you agree to them capturing your data. It depends on what the company does, what the division does and what it’s partner does.
You aren’t giving away free reign of everything, at least normally. The government does try to protect from that. But be careful for what you do agree too. Facebook apps are a good example, where you have to actually “approve” them accessing your timeline, friends list etc. Now… what they do with it is a different story. You would really have to read carefully to see what “access” means
An example would be that you go to your bank for a mortgage. They ask if they can share your data to insurance companies whom you might get a better deal from, due to being a partner with said bank. This would be you opting-in to data sharing and them specifically only being able to use it for services related to mortgages and particularly insurance. If someone in their office called you, or another partner, say about a new credit card, that might be a violation. You need to verify what you agreed too. They must record it and be able to prove it (at least in the states).
• Cookies / Tracking: Cookies are normally client side text files that store information about you and your usage across a web site, domain or set of domains. This way they can better track what you do, then when a web page renders, or even when you open an email it can be read and they can change the targeted content.
Ever notice how they just seem to show you an ad for something you were searching for a few days ago? That’s how. Whether it’s server side or client side, tracking can be annoying. The latest version of many browsers block 3rd party cookies.
There are really two primary types of cookies called first and third party cookies. If you go to www.thissite.com then a first party cookie would be thissite.com. However, if they want to track you for business intelligence, they might be using something like WebTrends, or Omniture. These tracking companies using special client code that calls back to a server to store data. These would be more like www.webtrends.com. Since the webtrends.com part does not match thissite.com, it is considered a 3rd party domain. And many newer browsers block them by default or in other versions you can specifically turn them off
• Hacking: I actually get annoyed at this… because so many times people say “I was hacked”. Yes, people do get hacked by different types of software exploits. However usually it is due to using poor passwords, the same password all the time, downloading Trojans onto your machine, reading FW: emails and looking at videos and pictures from people they barely know.
There are certainly hackers out there with the tools to brute force hack your account. Truth is that is not even close to necessary in most cases. People are merely making too many mistakes and leaving themselves vulnerable. Many times hackers are not even writing the code themselves, they are running code written by someone else. Does that mean hacking doesn’t exist? Heck no, it sure does, merely that the methods used are in some cases simpler and easier to share. So it is up to you to be careful about how you share your data, share your passwords, keep your systems logged in, log in at cafe’s etc.
• Phishing: Think Fishing, where you are trying to catch something. In this case individuals are trying to acquire personal information from you (cc #’s, account #’s, passwords, user names etc). They send you emails, or setup fake websites that resemble real sites.
These emails and or sites can and will attempt to trick you into believing they really represent who you were attempting to reach and or whom you partner with (banks, paypal, shopping etc). So many people fall for this on a daily basis and it is very very easy to combat.
NOTE: Your bank or any good site (paypal etc) will NEVER EVER EVER send you an email saying that there is a problem with your account and go login and do this or that. I know you think, oh sure they do I’ve gotten a mail. If you ever get a mail from an account online you have, CALL THEM, do NOT click on the links ever. I do not care what your barbers buddies sister whom is an “expert” in computers says.
Email links will look legit but actually be fake and have you sending your information to the wrong person.
Secondarily, never ever ever ever ever ever type your password to ANY account you own into an email, SMS, online chat or anything else. Your accounts will have authorization and authentication mechanisms for when you are online. If the person CALLS you first, tell them you will call BACK at the known number for said account. No matter who they say they are. I do not care… if you do this, you are just asking to be scammed, period.
• Spoofing: Spoofing is when someone (whether in person or online) attempts to identify themselves as someone else in order to get access to further data and or personal resources. Someone may spoof your identity to access your bank accounts, steal your car, access your apartment whatever.
Ok, that is a lot of information to absorb. Next I will talk a bit about some of the scenarios that actually happen on a day to day basis and ways to recognize them, connecting them to these terms. Lastly I will provide some examples of mistakes that people make and some suggestions on how to protect yourself.
Next – Accounts, Apps and Hacks Oh My – Part 2 – How They Work
Image Credit: http://lerablog.org/wp-content/uploads/2013/06