Five IT security professionals share tips on how to boost online security and help ensure your sensitive personal information remains secure.

The Australian government compiled a standard list of 10 things you can do to protect personal information online, but sometimes these basics aren’t enough. So I asked some IT security professionals for insight on what steps they take when shopping online or when registering with a new website. Here is a list of online safety tips from five IT security pros.

Patrick Harding, chief technical officer, Ping Identity: It’s counter-intuitive, but in my consumer role I prefer to use my Facebook or Google identity whenever possible. First, it’s convenient. Second, popular social media has better security practices than I do as a consumer, so my Google identity is better evidence to the vendor that I am really doing the shopping than the various and probably weak passwords I might otherwise lose, forget, or have stolen. Third, a shopping site vendor who has my credit card information is maybe even more likely to be successfully breached than Google, which offers two-factor authentication [1], requiring the bad guys to have my password and my mobile phone to steal my identity.

Darien Kindlund, senior staff scientist, FireEye: Navigate the shopping website using a separate, isolated browser, ideally on a separate system or inside a separate virtual machine. Try to use unique passwords when registering with a new site. That way, if (or when) the website is hacked, attackers can’t reuse your login credentials to access your other accounts on other websites.

Marc Gaffan, co-founder and VP of marketing & business development, Incapsula: I never give out my mother’s maiden name to ANYONE.
It’s worse than giving away your online banking’s password because it’s one of the things that are used to reset and retrieve such passwords. If I don’t know them, I don’t connect with them. People who can see your profile and interactions on social networks can find out a lot about you. (If your mom happens to be your friend and her brother is friends with her – there goes your mother’s maiden name.) Believe it or not, using a post-it to write down your password is probably much safer than keeping it in some file on your personal computer (which probably has the word password in the file’s name).

Shuman Ghosemajumder, vice president of marketing, Shape Security: I make sure I can trust the site with my data by asking these questions: Have I heard of the company before? Did I specifically navigate to their site (as opposed to discovering it through surfing)? Is the URL correct (to ensure I haven’t been tricked into visiting a malicious site)? Avoid sites that don’t use SSL/TLS [2] for registration or login. If I’m on an open WiFi connection, I never submit user details to a URL that doesn’t begin with HTTPS://. Submitting information insecurely (e.g., via an open WiFi connection) makes it easy to steal. When I create an account, I don’t use the same password I use on other websites such as Gmail or for my bank. Credential harvesting attacks take leaked passwords from one site and then probe other sites for use of the same password.

Nimmy Reichenberg, vice president of marketing and business development, AlgoSec: I only shop online through “trusted” sites such as Amazon.com or physical stores that have an online presence such as Target, etc. I limit the amount of information I’m willing to provide. For example, I do not typically store my credit card information and never provide banking information. When registering with a site/newsletter, I provide as little information as possible.
Hackers are always looking for useful information which by itself may be nothing overly interesting, but which could be used to gain unauthorized access to other accounts.

[1] You can get this via the Google Authenticator app. Authenticator provides a six-digit number users must provide in addition to their usernames and passwords to log in to Google services. The Authenticator can also generate codes for third-party applications. It can be a pain to use sometimes, but it’s much less painful than having your identity stolen.

[2] These are Internet security protocols used by Internet browsers and Web servers to transmit sensitive information. In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will notice that the “http” in the address line is replaced with “https,” and you should see a small padlock in the status bar at the bottom of the browser window.