I have heard a couple of friends and family bemoan the dangers lurking online. These fears have been stoked even further with the rise of AI as the expectation is that the attacks will become more prevalent and more sophisticated. I decided to write a guide to capture how I think of online safety in a way that is accessible to non-technical people and try to demystify the dangers.
The foundation of thinking about security is to determine your threat model. A threat model is just a fancy way of asking “who is after you and why?”. There are three basic threat models most people could encounter.
Broad, unfocussed attacks - These attacks are not targeted at anyone in particular. The attackers cast their nets wide and hope it catches something. Most scam emails landing in your inbox fall into this category. They work because they are cheap and easy to deploy at scale and so they are still worth it even if they snare only a small percentage of targets.
Targeted attacks - A targeted attack is one where the malicious actor goes after a specific victim (or group of victims). This can be the case for a jealous lover putting a keylogger in a victim’s device or an industrial spy dropping poisoned USB drives in the parking lot of a company hoping an employee picks one up and inserts it into a device inside the firewall.
State-sponsored attacks - This is where a state actor (typically a three-letter agency) is the attacker. This is a separate category in itself because states and state agencies have much greater resources and ability to pull off attacks. Most people who are at risk of this type of attack (think activists, dissidents, journalists, people who work in sensitive roles, etc) are probably already aware that they fall into this category. This is one of those areas where if you have to ask, you’re probably not in the club. If you do fall into this category, this guide is not for you. You definitely need more specialized help.
The basic philosophy of online security for most people rests on two principles. First, make yourself less of a target. You would not walk down the street in a sketchy neighborhood wearing a flashy watch and a visible wad of cash, so don’t do similar things online. The other is to employ simple tactics. If your precautions are cumbersome, you will eventually tire of them and stop applying them. Security is a lifelong effort, so you need to make it as easy on yourself as possible to stay one step ahead of the bad actors.
General security
The general rules to apply are as follows:
The two most important things to keep safe are your email account and your phone. Anyone getting access to either, or both, of these can get access to pretty much any other account you have (social media, financial, etc). Don’t leave your phone or email unlocked. If you unexpectedly cannot receive calls and your phone has no network connection, you should immediately contact your cell phone service provider to ensure no one has transferred your number to another device.
You should assume that anything you do on any device that does not belong to you (e.g. hotel computers, work laptop or phone) is visible to the owner of that device.
You should consider that anything you do on a computer or phone (browsing, email, etc) could possibly become public. People always seem surprised when their Google searches are used against them as evidence. Pro-tip: Do not google “how to commit X crime and get away with it” just before committing X crime. This is not legal advice but it seems to me that all you have done is establish premeditation and made life real easy for the prosecution.
On mobile, use Apple devices (iPhones, iPads) as much as possible. There are far fewer attacks aimed at them and the security is stronger than Android.
If you receive an email (or a call) from an institution (eg a bank) and your response is required, do not click on any link in the email. Instead, log into your account from a bookmark you already have, or call back using a phone number listed on the institution’s official website (found via a Google search), not a number given in the email or call.
Keep your software and apps updated.
Password security
Since passwords are the most common way of preventing access to accounts, here are a couple of thoughts on passwords.
Passphrases like “Cats is a terrible movie” are easier to remember than passwords like “3erg@iY9”. You can even add special characters to the passphrase if you want to get fancy eg “C@ts is a terrib1e m@vie.”
You should not reuse the same passphrase for different accounts. This way, if someone gets access to one account, they do not automatically get access to all your other accounts. You can have a passphrase template and modify that for different accounts eg “C@ts is a google terrib1e m@vie.” for your Google account and “C@ts is a faceb@@k terrib1e m@vie” for your Facebook account.
If you want to get a bit more careful, you can use different passphrase templates for different types of accounts eg for social media - “C@ts is a ...”; financial – “Vaccines cause adults”; etc
Use a password manager eg Bitwarden. They make entering your password on your computer or phone very easy and convenient, so you never need to remember them.
Use two-factor authentication wherever it is available. This means that in order to sign into your account, you need both a password and a code generated by a device. This way, if someone manages to get your password, it is still useless since they do not also have the device (usually your phone).
WiFi security
Almost everything we do is on WiFi, so I have a couple of tips for using WiFi safely.
Do not log into sensitive accounts (eg bank, email) when you are on public WiFi (eg airports, Starbucks). Only log into those types of accounts when you are on your home or office WiFi. It is safe to use any of those accounts if you logged in previously; it is just the process of logging in that should not be done on a public network. This is because whoever controls the public network may be able to listen in, and you do not want to give them your passwords.
If you must log into a sensitive account when you are out and about, use your phone hotspot if you have one.
Internet browsing
When browsing on the internet, here are a couple of things you can do to be safer.
Use an adblocker. These browser addons block ads and other scripts from being loaded in your browser. Sometimes, these scripts can be malicious and you get attacked just from visiting a normal website. I use uBlock Origin.
Assume anything you do on the internet can be made public even if you are using incognito mode. Never assume anonymity even if you are using a pseudonym or cut-out.
Do not install browser extensions or toolbars you do not trust. If you have to install one, check the permissions and restrict them as much as possible.
Commerce safety
When buying something:
Use credit cards rather than debit cards. A bank will usually allow you to reverse a fraudulent credit card transaction very easily.
When entering your credit card information (or doing anything sensitive), check to ensure the site is using SSL security. The website address should start with “https” (eg https://wellsfargo.com not http://wellsfargo.com) and the address bar should show a padlock icon. Most browsers today will warn you if you are visiting a site that does not use SSL security. Heed that warning.
When inserting your physical credit card into a reader (usually at gas stations or ATMs), look out for skimmers. These are devices that look like a normal reader but are designed to send your card information to an attacker so they can duplicate it. I like to give card readers a good tug just in case.
Use Apple Pay (or the Google and Samsung equivalent) as much as possible. These systems encrypt your card number so it is useless to anyone that gains access to the transaction.
Device safety
For your physical device safety:
Do not plug your phone or laptop into unknown USB ports (eg at airports, hotels or on planes), even if just to charge them. Carry your own chargers and plug into an electrical outlet instead.
Do not leave your laptop or phone unlocked.
If you have to give someone else your phone unlocked (eg to have it repaired), first delete any information you do not want that person to have access to.
If you are using an Apple device, turn on “Find My”. If you misplace your phone or iPad, it will let you know where it is.
Information safety
Backing up your information
Make sure to back up your important information. You do not want to lose all your photos or important documents because you misplaced a phone or your laptop died. Use Google Drive, Dropbox, iCloud, etc. Most of these services cost about $10 a month and offer a family sharing plan.
Decide what you would like to have happen to your information (email, documents, photos) if you are no longer able to access it (death or incapacitation). Google has an Inactive Account Manager option where you can designate someone to gain access to your account after a certain period of inactivity.
Most of these tactics are easy to incorporate into your routine. Quite a few are set and forget. More technically minded users may quibble with the nuances of the advice and the broad brushes applied but the goal is to provide simple tactics that can be consistently applied to keep you out of trouble most of the time.
Stay safe out there.