REPEAT AND REFINE: HOW DO YOU GET TO CARNEGIE HALL? (Pt. 6 of “Why Don’t You Go Dox Yourself?”)

Welcome back! In our last article, you cleared out your extraneous digital footprints by removing unnecessary accounts and opting-out of data broker services, and have finished a dedicated review of your online history. In this final section, we will answer the natural question encountered at the end of any journey: What’s next? 

Before becoming the series you’ve just read, I presented a version of this many times as a live talk at conferences and training sessions. After the first few talks, I noticed a consistent trend in the feedback when I was approached afterwards: people who said they felt anxious about how their online activity going forward might share more than they want. So I went back and added a final section to the talk, one that we’re going to cover together now: risk acceptance and the value of routine in good security.

POBODY’S NERFECT 

Some people think that the goal of good security is to eliminate risk. One of the first lessons you learn in this industry, though, is that eradicating every possible risk is very rarely practical, whether we’re talking about the individual or organizational level. This is because there are few choices one can make with zero possibility of a negative outcome, and because human beings are… human, and even with excellent discipline and good intent the best of us can mess up. 

The goal of good security strategy is instead to assess risk and find a healthy balance: to decide what is more or less important and valuable, to determine how damaging the worst-case scenario might be and weigh that against the potential benefits, and figuring out how much you can reasonably do to tip the balance and increase your odds of success. 

That’s fairly abstract, so let’s use a couple quick practical examples at both levels: 

• Working with third-party vendors is a risk for companies, because they can only have so much control over that outside company’s policies and procedures and limited visibility into how well both are followed. But simply doing everything in-house and not relying on any suppliers or support externally is impossible for most businesses to survive. Instead, security teams focus on due diligence before vendor selection to make sure they’re choosing the best option, and work to make sure vendors can only access what they’re supposed to. 
• Making new friends is a risk for individuals, because almost everyone has experienced the pain of a friendship souring and the heartache that can come with it. But simply going through life without personal connections isn’t terribly rewarding or likely to make us happy. Instead, we continually learn how to determine we can trust someone and the red flags that indicate trouble may lie ahead. 

I don’t know about you, but I grew up as a child of the internet, and the thought of never going online again isn’t one I’m likely to seriously consider. So rather than logging off forever, let’s focus on how we can both stay safe and stay connected. We’ve completed the “3 R’s” of the self-dox process: Review, Restrict, and Remove. But now, a surprise more shocking than the Spanish Inquisition itself: we’re going to add two final steps-Repeat and Refine.

THE ADVENTURES OF PETE AND REPEAT 

Every good security plan includes a plan for routine follow-up. We know that staying offline forever isn’t practical, so the next best thing is to set up a reminder to go through an easier version of this checklist on a regular schedule. Why is it easier? In this review, you had to look back on your entire life up to the present, and next time you’ll just need to look back from then to… well… now! Depending on how active you are online and how likely you are to be doxxed, this might make sense to do on an annual basis, or split into abbreviated and more frequent quarterly reviews. 

There is no one-size-fits-all approach to this review, but here are some typical checks you may want to consider: 

• Some password managers have a built-in audit tool that will highlight re-used passwords or passwords that may have been captured in a data breach. Provided you’re generating new passwords for each account, you likely won’t have more than a handful of accounts or passwords surface in this review, so it shouldn’t take nearly as long as the first review. 
• Repeat the HaveIBeenPwned search for your most important emails/usernames in case there are known password breaches that aren’t indexed by the password tool you use. 
• Depending on how common your name is, it may be worth setting up a Google Alert for automatic notification when new search results for your name (or other contact info like phone number or email address) arise.  
• Take a couple minutes to revisit the security and privacy settings of your top accounts. For social media, are your default permissions still restricted to the audience you want? Some services will automatically use the permissions for your last shared post if you change them, so it’s worth double checking.  
• For all of your important accounts, if two-factor authentication wasn’t available when you completed this review, has it been added? Or are more secure options available, like switching to an authenticator app instead of receiving an SMS or code by email? Finally, check your activity for any new third-party sign-ins or apps that you no longer need. 
• How up-to-date are your devices? Are there OS or browser updates pending for your laptop, desktop, or smart devices? Most of the tools or exploits someone might use to get access to your devices rely on security vulnerabilities that have since been patched by the software provider, but they continue to be successful because many people do not keep their devices up-to-date. Setting automatic updates is a great practice, but a quick inventory during your check-in will also be useful. 

Before we move on to our final (final, I promise!) step, let’s talk one more kind of repeating. A wifi repeater is a gadget that can connect to and boost the signal from a wireless network, helping to expand the network’s reach and keep a strong connection. In the same way, by sharing the lessons you’ve learned with your family and friends you will expand the reach of that security knowledge. Not only does that help keep the people you care about safer… but since we’ve seen how information shared about us by others can also be discovered by doxxers, it helps to increase your own safety as well! 

GOT TO ADMIT IT’S GETTING BETTER 

My goal in writing this series was to give a straightforward introduction and broadly-useful walkthrough of how to figure out what’s out there about you online. In the beginning of this series, I talked about how the level of risk for doxxing is not the same for everyone. You may want to go significantly further than we’ve covered in this guide if you are:

• politically active 
• in an important position 
• the target of bullying/retaliation 
• someone whose work requires an increased level of confidentiality like an investigative reporter 
• a victim of identity theft

This can cover a wide range of additional steps like placing a freeze on your credit report, requesting a privacy removal from search engines, or even setting up dedicated secure devices/apps for communication online. The full scope of these additional protections is beyond what we can cover here, but I will again recommend the Self-Doxxing Guide from AccessNow and the Gender and Tech Safety Resource guide linked in the first post of this series as an excellent reference for where else you might want to check.  

Thank you for following along with me on this journey, and I hope that you found this guide and the resources shared have been helpful for you. Still have questions, or have you discovered any of the links/tools here are no longer available? Please let me know! Life comes at you fast on the web, and I want to make sure this guide continues to be relevant and helpful for a long time to come. You can drop me a line at zoe@duo.com, or find me on Twitter. Until then, happy trails and stay safe out there!  

If you can’t get enough security content and care deeply about making the web safer for everyone, we’d also love to hear from you. Please check out our open positions and how your passion can contribute to keeping people safe online. 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

CLEANING UP THE CLUTTER (Pt. 5 of “Why Don’t You Go Dox Yourself?”)

Welcome back! Previously in our Go Dox Yourself series, we walked through reviewing what information is available about you online, prioritizing those accounts that are most important or still active, and then restricting how much we share through those accounts and who gets to see it. That’s two out of our three steps — maybe good enough for Meatloaf, but not for us! You’re in the home stretch now, and this is the most straightforward-if-slow portion of the process — so let’s dive right in.

SURVIVING THE WALKING DEAD (ACCOUNTS)

In the review step , along with the top accounts that you wrote out in your initial brain dump, we used some email search tricks and the free services NameCheckup.com and NameChk.com to dig up any unused, forgotten, or now obsolete accounts you might have previously registered under your email address or favorite username (or, as us ʼ80s kids used to say, your “handle.”)

We set those old accounts to the side to focus on your active and sensitive data first, but now it’s time to make Marie Kondo proud and clean out the junk drawers of our online life – if it doesn’t still serve you or spark joy, let’s kiss it goodbye!

In a perfect world, this would be as simple as logging in, going to your account settings and clicking a big ol’ “Cancel My Account” button. However, many sites opt to bury the cancelation settings behind a series of smokescreen menus, sometimes even including a half dozen unskippable “are you SURE you want to leave?” and “but we’ll give you a super good deal to stay!” surveys to click through first.

If you find yourself thwarted and your first search of “[Unwanted Service] cancel” doesn’t take you where you need to go, try checking out AccountKiller. This collaborative resource takes submissions of step-by-step deletion instructions and direct links to cancel for a tremendous number of sites, and even includes phone tree options and direct support numbers for canceling offline accounts as well.

The first pass of your delete list might well be longer than a CVS receipt, because these days the average person has 100 password-protected accounts to manage, but don’t worry! You don’t have to sprint to the finish line, and slow progress checking off a few accounts in short sessions over a few weeks will serve you better than a several-hour slog of trying to clear them all at once and burning out.

An important lesson in security is that operating at max capacity isn’t sustainable all the time, and planning for rest and overflow in our personal security planning is no different. Remember that the work you’re doing is cumulative, each small step is one more forward, and every account you clear now is one less that you’ll need to revisit later.

TAKING YOUR DATA OFF THE MARKET

You might notice that we’ve checked off most of the information from our initial brainstorm: emails, usernames, phone numbers, profile pictures… but so far, we haven’t done much with your location history: the cities you lived in and live now, the cities where you worked or went to school, and the city of your birth. Now that we’re going to see how much information on you is available through data brokers and public record sites, these details will be important to have handy.

For the unfamiliar, data brokers are companies which collect and bundle personal information for everything from ad customization to individual investigation. Brokers collect their data through a wide variety of methods, including:

• Public record sites
• Public social media content, and social media/demographic content collected through third party apps
• Ad trackers, which collect data about your browsing activity across different sites (it is worth mentioning that this method is becoming less popular thanks to improvements by hardware and OS providers)
• Location tracking, often collected by installed apps on a user’s smart device
• In brick and mortar stores, retailers even use Bluetooth and WiFi trackers for more precise information on shopper’s habits and “hotspots” during a visit

These metrics and details are bundled and sold, either directly through lookup sites like we’ll review in just a moment, or in demographic bundles (for example, “Resilient Renters” or “Living on Loans: Young Urban Single Parents”). If you’ve ever walked through a car dealership window-shopping and suddenly found sponsored content for that car company in your feed, data brokers are the most likely reason.

For this step you should reference the previously-mentioned Personal Data Removal Workbook provided by Michael Bazzell through his company, IntelTechniques. Bazzell has maintained and updated this workbook for many years now, and it is by far the most comprehensive resource for keeping a handle on who is buying and selling your data.

One of the first things you’ll notice on opening the workbook is the sheer volume of businesses out there buying and selling your data: at time of writing, the current edition includes 220 separate brokers. But much like your initial account inventory likely included a select set of important accounts and a longer list of less-relevant ones, there are less than a dozen brokers who dominate most of the market and should be at the top of your list – and fortunately, they’re also at the top of the workbook! These sites are:

• Acxiom: B2B (business-to-business) marketing service providing “customer intelligence” that can include personal info as well as demographic/interest information based on your online activity
• BeenVerified: Search engine for public records, including email/phone/username lookup, vehicle information, and unclaimed property
• Infotracer: Another public records search including even more information like political contributions, arrest records, and property records
• Intelius: People-search tool utilized for background checks, private investigators, and public searches
• Lexis Nexis: One of the oldest brokers, and more of a “big player” in the space working with law firms, government agencies, and large corporation for analytic and investigation needs
• Radaris: Similar to BeenVerified and Intelius, covering public record searches of name, contact information, or property/location history
• Spokeo: Branded as a “white pages service”, focused on name/address/email/phone-based searches
• TruePeopleSearch: Phone, name, and email based searches
• Whitepages: Another comprehensive search site covering many types of public records

Aside from covering most of the market for data and analytics intelligence, these primary sites often act as “feeders” for smaller providers that are either directly affiliated or collect information for their own databases from the largest providers. Which means that as you remove your data from these sites, you’ll not only check off another box on your list, but you may also reduce the number of hits you find for your information on smaller sites as you work your way down.

Congratulations: if you’ve been following along, you’ve just made it through your self-doxxing! Hopefully you’re feeling much better informed and aware of what tracks you’ve left online, and addressed who you do and do not want to have your… addresses. Join us soon for our wrap-up post where we’ll recap with takeaway lessons, as well as good habits and check-ins to keep you safe going forward.

Care about keeping people and their data safe online? Check out our open roles.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

LOCKING THE BACK DOOR (Pt. 4 of “Why Don’t You Go Dox Yourself?”)

With passwords and MFA out of the way, let’s next look at connected apps or services that are tied to our priority accounts. When you log into other sites on the web through Facebook, Google, or another social account, as well as when you install social media apps or games, you are sharing information about those accounts with those services. This may be as limited as the email address and username on file, or may include much more information like your friends list, contacts, likes/subscriptions, or more.

A well-known example of this data-harvesting method is the Cambridge Analytica story, where installing a social media app opened up access to much more information than users realized. (Note: as mentioned in the linked article, Facebook added protective measures to limit the amount of data available to app developers, but connected accounts can still present a liability if misused.)

LOCKING THE BACK DOOR(S)

With this in mind, look under the Security or Privacy section of each of your account’s settings, and review where you have either used this account to log into a third-party website or allowed access when installing an app. Here are some handy links to some of the most common services to check:

• Facebook
• Google
• Twitter
• Instagram
• Amazon
• Apple
• Microsoft

If you aren’t going to use the app again or don’t want to share any details, remove them. Once you’ve checked your accounts, repeat this process with all the apps installed on your phone.

Just like connecting a social account to a third-party game can share information like your contact info and friend’s list, installing an app on your mobile device can share information including your contacts, camera roll and more. Fortunately, mobile OSes have gotten much better at notifying users before installation on what information is shared, so you should be able to see which apps might be nosier than you’re comfortable with.

Finally — and this is really for the nerds and techies out there — check if you have any API (short for “application programming interface”) keys or browser extensions connected to your accounts. API keys are commonly used to let different apps or services “talk” between one another. They let you use services like Zapier or IFTTT to do things like have your Spotify favorites automatically saved to a Google Sheet, or check Weather Underground to send a daily email with the forecast.

Browser extensions let you customize a web browser and integrate services, like quickly clicking to save an article for review on a “read it later” service like Instapaper. Even if you trust the developer when installing these apps, they may pose a risk later on if they are recovered or taken over by an attacker. These “zombie extensions” rely on a broad install base from a legitimate service which can later be misused to gather information or launch attacks by a malicious developer.

A LINK TO YOUR PAST

We’ve made great progress already, and taken steps to help defend your accounts from prying eyes going forward – now it’s time to lock down your previous activities on social media. Rather than enumerate every option on every service, I’ll highlight some common tools and privacy settings you’ll want to check:

• See yourself through a stranger’s eyes. You can quickly see what information in a social media profile is visible to someone outside your friends list by opening an incognito/private tab in your web browser and visiting your profile’s page. Some services have more granular tools that will allow you to view as a stranger or even as a specific profile.
• Make your past more mysterious. Most social media services have an option to bulk change privacy settings on your previous content, typically listed as something like “Limit Past Posts” (as shown for Facebook below), “Protect Your Posts,” or “Make Private.” You can always re-share pinned content or your favorite posts with the world, but moving that review from an “opt-out” rather than “opt-in” process will give you a huge head start. While we’re in your post settings, change the default setting for your future posts to your social circles by default.

• Set clear boundaries. Where supported, taking the time to build sublists/groups for your friends list based on context (work, school, your *shudder* improv group),will make it easier to fine-tune the audience for your future posts. You can set boundaries on what your friends can share about you, including requiring your approval before allowing tags or whether your friend’s friends can search for your profile. And while you’re taking a look at that friends list, ask yourself…
• Where do you know them from? You’ve just seen the difference between how much information a friend can see on your profile compared to a friend – which means you want to keep your friends close, and randos the heck out of your business! Don’t be shy about removing contacts you don’t recognize, or asking for context when receiving a new friend request that doesn’t ring a bell.
• Don’t contact us, we’ll contact you. When you’re setting up a new profile, odds are you’ve seen a request to share access to your contacts or the option to search for someone by their phone number or email address. You may want to enable this after we dedicate a “public” email address (more on that in just a moment), otherwise you can disable these options as well.

Before moving on to email, I’ll add another plug for the NYT Social Media Security and Privacy Checklists if you, like me, would rather have a series of boxes to mark off while going through each step above.

YOU GOTTA KEEP ‘EM SEPARATED

Security experts know that you can’t erase the possibility of risk, and it can be counterproductive to build a plan to that expectation. What is realistic and achievable is identifying risk so you know what you’re up against, mitigating risk by following security best practices, and isolating risk where possible so that in the event of an incident, one failure doesn’t have a domino effect affecting other resources. If that seems a bit abstract, let’s take a look at a practical example.

Tech journalist Mat Honan was the unlucky victim of a targeted hack, which resulted in a near-complete lockout from his digital life requiring a Herculean effort to recover. Fortunately for us, Mat documented his experience in the Wired story, “How Apple and Amazon Security Flaws Led to My Epic Hacking,” which offers an excellent summary of exactly the type of domino effect I described. I encourage you to read the full article, but for a CliffsNotes version sufficient for our needs here:

1. The attacker started their research using Honan’s Twitter account, @mat. From there, they found his personal website which included his personal Gmail address.
2. By entering that email and clicking the “Forgot Your Password” recovery link, the attacker was able to see a partially obscured version of his Apple ID which was used as his secondary email: m****n@icloud.com. From here it was pretty easy to figure out the full Apple ID.
3. Now the attacker focused on gaining access to that Apple ID with the knowledge that (at the time) Apple support would validate an account with the billing address and last four digits of the credit card on file. The address was harvested from a WHOIS lookup of his personal site, which searches public registration info available for websites.
4. The last four digits of the credit card were gathered by exploiting a flaw in Amazon’s tech support, which involved using everything collected so far to add a new card and email to Mat’s account, then using these new “approved” details to reset his Amazon password. From there, it was easy to find the last four digits of the credit card used on previous orders, and a safe guess he likely used the same with Apple.
5. With both address and digits in hand, the attacker then called Apple Support and used their collected info to gain access to Mat’s Apple ID through a password reset.
6. Once they got access to this Apple ID, the domino effect really picked up speed. As the iCloud address was the reset email for Google, they were able to gain access there and then use the Google address to reset his Twitter account password. To slow down his attempts to regain access, for good measure they used the Find My Mac feature to remotely wipe and lock his Apple devices making it much harder to reach support.

Honan’s article goes into much more detail, including some of the changes made by the services exploited to prevent similar incidents in the future. The key takeaway is that having a couple of emails without strong authentication tied to all his most important accounts, including the recovery of these email accounts themselves, meant that the compromise of his Amazon account quickly snowballed into something much bigger.

We’re going to learn from that painful lesson, and do some segmentation on our email channels based on the priority and how public we want that account to be. (“Segmentation” is an industry term that can be mostly boiled down to “don’t put all your eggs in one basket”, and keep critical or vulnerable resources separate from each other.) I would suggest setting up a few different emails, listed here from least- to most-public:

• Recovery Email: Only used for password resets when a backup address is allowed, and nowhere else.
• High-Priority Email: This would include anything with payment, financial, health, or other sensitive information. This email is only used for these sensitive accounts, and I would encourage you to opt out of any sharing/advertisement consent options to minimize its footprint.
• Social Email: Think of this as your “calling card” – when you want to be found by a personal contact. For instance, if you wanted the option for your friends to connect their contacts to an account to find friends, this is the address you’d use.
• Low-Priority Email: This is for…everywhere else you have to provide an email address for one-time or trivial purposes. Want to sign up for a newsletter, receive coupons/sale notifications, or create an account to reply to someone’s comment on a news website? While you can always use “disposable” email services to create a single-use email account, many websites will block these temp account services from registration and you may someday need to re-access the email you used. For this reason, I recommend setting up a dedicated address. Some email services like Gmail even allow you to create task-specific versions of your email address using a “email+tag@gmail.com” format. This way, if that tagged email shows up in another message or on another site, you’ve got a good idea who shared your information!

For all of the above, of course, we’ll create strong passwords and set up 2FA. And speaking of 2FA, you can use the same split-channel approach we followed for email to set up a dedicated verification number (using a VOIP service or something like Google Voice) when sending a passcode by SMS is the only option supported. Keeping these recovery numbers separate from your main phone number reduces the risk of them being leaked, sold, or captured in an unrelated breach.

Good news: We’re almost done with doxxing ourselves! In the next section, we’ll sweep out those unused accounts to avoid leaving data-filled loose ends and take a look at how data brokers profit off of your personal information and what you can do to opt-out.

You’ve made it this far so maybe you’re passionate like we are about developing innovative ways to make security accessible. We’d love for you to join our mission.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

RESTRICT: LOCKING THE FRONT DOOR (Pt. 3 of “Why Don’t You Go Dox Yourself?”)

In the first step of our doxxing research, we collected a list of our online footprint, digging out the most important accounts that you want to protect and obsolete or forgotten accounts you no longer use. Because the most recent and relevant data is likely to live in the accounts you use regularly, our next step will be to review the full scope of what’s visible from these accounts and to set more intentional boundaries on what is shared. 

It’s important to note here that the goal isn’t to eliminate every trace of yourself from the internet and never go online again. That’s not realistic for the vast majority of people in our connected world (and I don’t know about you, but even if it was I wouldn’t want to!) And whether it’s planning for an individual or a giant organization, security built to an impossible standard is destined to fail. Instead, we are shifting you from default to intentional sharing, and improving visibility and control over what you do want to share. 

LOCKING THE FRONT DOOR 

Before making changes to the settings and permissions for each of these accounts, we’re going to make sure that access to the account itself is secure. You can start with your email accounts (especially any that you use as a recovery email for forgotten passwords, or use for financial, medical, or other sensitive communications). This shouldn’t take very long for each site, and involves a few straightforward steps: 

• Set a long, unique password for each account. Weak or reused passwords are most vulnerable to attack, and as you most likely discovered during your HaveIBeenPwned search, the odds are better than not that you found your username or email in at least one previous breach. 

The best way to prevent a breached password from exposing another account to attack is to use a unique password for for every website you visit. And while you may have heard previous advice on strong passwords (along the lines of “eight or more characters, with a mix of upper/lower case letters, numbers, and special characters”), more recent standards emphasize the importance of longer passwords. For a great explanation of why longer passwords work better than shorter, multi-character type passwords, check out this excellent XKCD strip: 

A password manager will make this process much easier, as most have the ability to generate unique passwords and allow you to tailor their length and complexity.  While we’re on the topic of what makes a good password, make sure that the password to access your password manager is both long and memorable.

You don’t want to save or auto-fill that password because it acts as the “keys to the kingdom” for everything else, so I recommend following a process like the one outlined in the comic above, or another mnemonic device, to help you remember that password. Once you’ve reset the password, check for a “log out of active devices” option to make sure the new password is used.

• Set up strong authentication using multi-factor authentication wherever it is supported. Whether short or long, a password on its own is still vulnerable to capture or compromise. One way experts have improved login security is through the use of multi-factor authentication. Multi-factor authentication is often shortened to MFA and can also be referred to as two-step authentication or 2FA.

MFA uses two or more “factors” verifying something you know, something you have, or something you are. A password is an example of “something you know”, and here are a few of the most common methods used for an additional layer of security:

• Email/SMS passcodes: This has become a common method for verifying logins to secure services like bank accounts and health portals. You enter your username and password and are prompted to enter a short code that is sent to your email or cell number associated with the account. It’s a popular method because it requires no additional setup. However, it suffers from the same weaknesses email accounts and phone numbers do on their own: If you set up 2FA for a social media service using email passcodes on an email using only a password for access, you’re effectively back to the security of a password alone. This is better than nothing, but if one of the other factors is supported you should likely opt for it instead.
• Hardware/software passcode generators: This method uses either a physical device like a keyfob or USB dongle or an installed soft token generator app on a smart device to generate a short code like those sent to SMS or email without relying on those channels. You may use an app tied to the service (like the Steam Authenticator on the iOS/Android Steam app) or scan a QR code to store the new account in a third-party authenticator app like Google Authenticator or Duo Mobile. This still isn’t ideal, because you’re typing in your passcode on the same device where you entered your password – meaning if someone is able to intercept or trick you into revealing your password, they may very well be able to do the same with the passcode.

• On-device prompt: Rather than using a trusted email or phone number to verify it’s you, this method uses a trusted device (something you have) to confirm your login. If you’ve tried logging into a Gmail account and been prompted to approve your login through another already-approved device, you’re completing an on-device prompt. Another type of on-device prompt would be login approvals sent through push notifications to an authenticator app like Duo Mobile, which will provide you with other details about the login to your account. Because you approve this prompt on a separate device (your phone) than the device used to log in (your computer), this is more resistant to being intercepted or captured than a passcode generator.

• Biometric authentication: If you buy an app on the Google Play Store or iOS App Store, you may be prompted to confirm your purchase with a fingerprint sensor or facial recognition instead of entering a password. The shift to unlocking our mobile devices through biometric methods (unique physical measurements or “something you are”) has opened up a more convenient strong authentication. This same method can be used as a prompt on its own, or as a requirement to approve an on-device prompt.

If you want to know more about the different ways you can log in with strong authentication and how they vary in effectiveness, check out the Google Security Team blog post “Understanding the Root Cause of Account Takeover.”

PASSWORD QUESTIONS: WHERE DID YOUR FIRST PET GO TO HIGH SCHOOL?

Before we move on from passwords and 2FA, I want to highlight a second step to log in that doesn’t meet the standard of strong authentication: password questions. These are usually either a secondary prompt after entering username and password, or used to verify your identity before sending a password reset link. The problem is that many of the most commonly-used questions rely on semi-public information and, like passcodes, are entered on the same device used to log in.

Another common practice is leveraging common social media quizzes/questionnaires that people post on their social media account. If you’ve seen your friends post their “stage name” by taking the name of their first pet and the street they grew up on, you may notice that’s a combination of two pretty common password questions! While not a very targeted or precise method of attack, the casual sharing of these surveys can have consequences beyond their momentary diversion.

One of the first widely-publicized doxxings happened when Paris Hilton’s contact list, notes, and photos were accessed by resetting her password using the password question, “what is your favorite pet’s name?”. Because Hilton had previously discussed her beloved chihuahua, Tinkerbell, the attacker was able to use this information to access the account.

Sometimes, though, you’ll be required to use these password questions, and in those cases I’ve got a simple rule to keep you safe: lie! That’s right, you won’t be punished if you fib when entering the answers to your password questions so that the answers can’t be researched, and most password managers also include a secure note field that will let you save your questions and answers in case you need to recall them later.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn