Protecting Your Identity and Passive Information

From Security for Everyone, edition e1.0.0, updated October 9, 2023.

There is value in impersonation. As an individual, a business owner, or a decision maker, your voice carries weight. You are the person who can authorize changes, information disclosures, and transactions.

The two most common types of attacks you might face are requests to your staff to transfer money to an attacker’s account, or requests to your phone provider to transfer your SIM to another phone. Once your SIM is transferred to another phone, password resets and two-step login prompts go to the attacker’s phone rather than yours. Such attacks are becoming more costly as we rely on SMS to verify logins and large payments.

In the physical world, identity is established through government-issued documentation, such as driver’s licenses, passports, and birth certificates. In the online world, our identities are inferred from the email addresses, usernames, and communication channels we use and share with others—WhatsApp, WeChat, Facebook Messenger, Signal, the examples are endless. You build trust with friends, staff, and business contacts through regular interactions using these digital identities, and they may not second-guess any favors or questions that seem to come from you.

There is also more traditional value in your identity that you have probably heard of. Attackers can use copies of your identity to commit fraud like opening loans or credit cards, and then going on a bit of a shopping spree. When the financial survivability of your business early on depends on credit, these types of events can be damaging.

danger Treat your email like your crown jewels. If you lose access to your email, it is catastrophic. Everyone knows you at this email address, and it is what most of your accounts (and their password reset functions) rely on. It would be a nightmare to try to change the email address across every account. (We’ll cover how to protect your email next.)

Back to the list you’re creating—add the things that represent you online and in the physical world. We will cover social and community profiles and the information you share openly with the public or private followers in the next section. For now, think through ways you may directly communicate with others (like email or messaging apps) or official identity documents.

example Common scenarios:

  • Scenario: You have more than one personal email you use to sign up for different online accounts. Perhaps one is quite old and mostly forgotten. You also have one or more work email accounts.

    • Risks: You use one email as a backup (recovery option) for another. Or you use your personal email as the backup for your work email, so if you ever lose access to your work email, the password reset request goes to your personal email. This means a compromise of one email account compromises your other email accounts, too. If an old email address has a weak password and does not have two-factor authentication (2FA), this is even more likely.
  • Scenario: You have some important documents saved in your email account or cloud storage account, including copies of your passport, national identifier (like your social security card), and bank details.

    • Risks: Compromises to your email mean the documents can be used to authenticate other accounts. Identity theft is also a real possibility.
  • Scenario: You use a variety of communication channels for talking to business contacts, staff, friends, and family. Some accounts are tied to your phone number (like WhatsApp and WeChat) or your social media accounts (like Facebook Messenger).

    • Risks: It’s difficult to sort out which tools you use for which social circles, so some are more trusted than others. Compromises on your personal social media accounts could lead to security issues with work accounts. Impersonation of yourself or others in these channels is a common example of spear phishing.

Remember Your Social Profiles and Communities

Your social profiles are a natural extension of your online identity. You use these to shout information out to the public masses, or to a private group of followers. A lot of these social networks have a key communication component, like Facebook Messenger, and are also a great source of other information about you.


Definition Passive information is information others can discover that does not directly have value or identify you, but can add more legitimacy or trust when someone is impersonating you or trying to get into your accounts.

danger Even if you have been safe about your passwords, there are a few old-school systems that still rely on knowledge-based questions and answers for resetting passwords. They may ask about things like the name of your high school or your mother’s maiden name. If these questions are easier to guess than your password, this can be used as an easy side entrance to valuable accounts.

danger Remember social accounts like Facebook, Twitter, Google, and LinkedIn can be used to log in to other services or websites. While this is a great idea—it lets these services and websites rely on the social network’s authentication process, and is one less password to manage for you—this also makes each social account all the more important because it becomes a multi-tool that can be used to access other accounts.

Your passive information can also have indirect value, and may help an attacker appear legitimate because they know things that only the real you may know. For example, if you are updating your social media accounts with photos of your glamorous overseas holiday, this passive information gives an attacker an opportunity to spoof your work email to ask for an urgent overseas payment to be made because you need to “replace your lost passport.” To your growing list, add the social accounts that you or your business rely on.

example Common scenarios:

  • Scenario: You have multiple social accounts, perhaps even multiple accounts on the same platform. You have social accounts for your business. You manage these yourself or they may be managed by employees.

    • Risks: You can lose track of these accounts and leave some of them unsecured. Or employees may not secure the business accounts. A social account in the wrong hands could lead to your brand being used to perform phishing attacks on your followers and customers.
  • Scenario: You have social accounts for your business that are tied to your personal account (such as Facebook, Instagram, or Twitter). You use social accounts to log in to other websites.

    • Risks: Forgetting to secure your own personal account could lead to a breach of your business account and could lead to your social brand being misused by an attacker.
  • Scenario: You have social accounts that you no longer use, but are still active. You have placeholder social accounts you set up to register for services in the past. You have not gone through to remove your information and shut them down.

    • Risks: These may not be secured with strong passwords and 2FA so compromise is more likely. Although you aren’t using these social accounts, an attacker can still use them to trick people into a scam that will look even more legitimate with your social handle and logo.
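The email backup chains and the social "multi-tool" accounts described in the scenarios above form a graph: each account lists the accounts that can reset or log in to it. The following script is an added example, not from the book, that walks that graph from a weakly protected account (no 2FA, or dormant) to show how many other accounts fall with it and by which chain of resets; the inventory is constructed for illustration and the account names are assumptions.

```python
from collections import deque

# Constructed sample inventory for illustration; none of these are real accounts.
# mfa: two-factor enabled; dormant: unused but still active; takeover_via: accounts whose
# compromise lets an attacker take this one (recovery email, phone receiving SMS codes,
# or a "Log in with ..." social login).
ACCOUNTS = {
    "work-email":     {"mfa": True,  "dormant": False, "takeover_via": ["personal-email", "phone"]},
    "personal-email": {"mfa": True,  "dormant": False, "takeover_via": ["old-email", "phone"]},
    "old-email":      {"mfa": False, "dormant": True,  "takeover_via": ["phone"]},
    "phone":          {"mfa": False, "dormant": False, "takeover_via": []},  # SIM-swap target
    "facebook":       {"mfa": False, "dormant": False, "takeover_via": ["personal-email"]},
    "business-page":  {"mfa": True,  "dormant": False, "takeover_via": ["facebook"]},
    "shop-site":      {"mfa": False, "dormant": True,  "takeover_via": ["facebook"]},
    "bank":           {"mfa": True,  "dormant": False, "takeover_via": ["work-email", "phone"]},
}

def blast_radius(accounts, start):
    """Return (reached, parent): every account an attacker can take over after
    compromising `start` (start included), and the account each one fell through."""
    # Reverse the recovery/login edges so we can walk outward from the compromised account.
    gives_access_to = {name: [] for name in accounts}
    for name, info in accounts.items():
        for dep in info["takeover_via"]:
            gives_access_to[dep].append(name)
    reached, parent, queue = {start}, {start: None}, deque([start])
    while queue:
        current = queue.popleft()
        for nxt in gives_access_to[current]:
            if nxt not in reached:
                reached.add(nxt)
                parent[nxt] = current
                queue.append(nxt)
    return reached, parent

def takeover_path(accounts, start, target):
    """The chain of resets/logins from `start` to `target`, or [] if unreachable."""
    reached, parent = blast_radius(accounts, start)
    if target not in reached:
        return []
    path = [target]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]

def weak_entry_points(accounts):
    """Accounts lacking 2FA or left dormant, ranked by how many accounts fall with them."""
    weak = [n for n, i in accounts.items() if not i["mfa"] or i["dormant"]]
    ranked = [(n, len(blast_radius(accounts, n)[0])) for n in weak]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))
```

Running `weak_entry_points(ACCOUNTS)` on this inventory ranks the phone number and the forgotten old email at the top, and `takeover_path(ACCOUNTS, "old-email", "business-page")` shows the dormant mailbox reaching the business page through the personal email and the social login.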

Understand Your Family’s Public Exposure

One would hope it stops there. However, there are still more areas of passive information to cover! The next area to consider is not directly related to you, but is related to the group of people you likely trust most: your family.

When you receive messages or requests from family, you are likely to respond or act without much question. In the same way your employees may respond to a fake request from someone impersonating you to send money overseas, you may respond in the same way if your child, parent, or sibling makes a similar request.

Perhaps more likely is the lack of suspicion when asked to download an attachment. You might let your guard down if your dad asks you to check a document for him, or if your mom asks you if you want to check out her latest cruise photos in a zip folder.

The lists we have already worked through for you can also be helpful to make for your family. However, I know making these lists for them can be less fun than watching paint dry. At a minimum, add the situations where you often interact with family digitally to your own list, as those would be your highest risk points.

example Common scenarios:

  • Scenario: You periodically share files and attachments with family members via email.

    • Risks: If your family gets a phishing email pretending to be you with a malware-infected attachment, they are more likely to download and interact with it. It is not as simple as telling them not to download suspicious files, as they regularly handle files from you and may not be sure how to assess something as suspicious.
  • Scenario: You communicate with family members via email, different communication tools, and social media networks. For some family members, digital communication is your primary source of communication and you don’t often see them in person or chat on the phone.

    • Risks: Your family are used to talking to you via multiple channels. It would not be out of the ordinary to get a WhatsApp message from you. They might not think twice about requests. Friends or family who don’t talk to you every day may be more likely to fall for a phishing message that says you are in urgent need of some help or money.

The 80% Theory of Security

Looking at your list, it might feel daunting to get started on securing all these things. Now is an important time to learn about the 80% theory.

story First, a confession: I used to be a perfectionist and completionist, and I am also a huge video game nerd. Every video game I started I would push to get 100% completion. My Pokédex in Pokémon Red was complete with 151 Pokémon. I found every Easter egg and secret ending there was to be found. My goal in life was to finish level 255 in Pac-Man so I could experience the level 256 integer overflow glitch. When I started picking up more hobbies, completing games became harder and harder.

Most of us probably know the experience of playing a game. You can play it from start to finish, and that represents roughly 80% of the gameplay. You can play again to finish up side quests and alternative paths to the ending and get closer to 100% completion, but it takes more and more time and investment the closer you get to 100%. You end up investing more time in that final sprint than you do playing the game for the first time from start to finish. And the value received is quite minimal at this point.
