It’s hard staying safe online. Many people never learned how to use computers safely in school, and even if they did, what they learned is probably out of date by now. There’s no shortage of guides that promise to help, but many of them are from companies selling a product, don’t provide concrete recommendations on what to do as a result, or are otherwise incorrect or not relevant to people who aren’t very technical.
This guide is designed to be concise and easy to read by everyone – no prior knowledge is assumed. It’s not just a list to check items off though — I’m going to do my best to explain the concepts relevant to internet security along the way. I hope that by the end of this guide you not only become safer, but that you also have a better understanding of computers and the internet than when you started.
additional info for the technically inclined reader
If you are already a very technical person, a lot of this guide may be review, but feedback on my recommendations is always welcome.
This guide is opinionated — I will generally recommend one “right” way to do things rather than listing many similar alternatives.
Let’s start with the single most important thing you can do to protect any of your online accounts — two-factor authentication (2FA), sometimes called multi-factor authentication (MFA). This is easy to do, and you may use it already without knowing the name. If your bank texts you a code to enter after you’ve already entered your username and password, congratulations! You’re already using 2FA. Your phone number – verifying the person with the number is the same person that knows that password – is the second factor (the first being your password).
Some services (usually banks) don’t let you choose what second factor you use. Many social networks and more tech-forward companies will let you use a phone number, a TOTP code, or a security key. These are listed in order of security — security keys are most secure, followed by one-time use codes (generated by an app) and finally SMS (text) codes — but even SMS codes are drastically more secure than using a password alone.
the trouble with text codes
Text codes are great, and for the vast majority of people the vast majority of the time, they work just fine. They have two major vulnerabilities though. The first is that there are attacks bad guys can use to steal your phone number. They do this by calling your mobile provider with some of your information, pretending to be you, and asking to move your number to a new phone. After they have your number, they use your password (which they usually get in a leak) and the text code they can now receive to steal your account. Ensure you know your mobile provider’s security questions or PIN for your account, and make them hard to guess or find online (don’t use your pet’s name!). It’s also possible, but less likely, to hack phone networks directly to do this, but you shouldn’t need to worry about that.
The second problem with text codes is phishing. We’re going to talk about phishing a little later.
one time use codes
Time-based One-time Passwords (TOTP) work similarly to text codes. Usually, you use an app to get your one time use code, and the code will change every minute or so. When you enable TOTP codes to protect your account, the server and your app end up sharing a secret, and each side uses that secret plus the current time to compute a code. Basically, each side of the login process (the server, and your TOTP app) runs the same algorithm to figure out a special number based on the current time. When you log in, you type in your app’s number, the server compares it to the number it computed, and if they match, you can log in. Nothing is sent over the phone network, so this avoids the types of hacks that can affect mobile carriers.
Again though, this doesn’t help you against phishing. Phishing is the most common type of attack you’re going to face — you’ve likely seen it before — and attackers are only getting more sophisticated. Let’s do a deep dive into phishing and the one two-factor method that can help you prevent it entirely.
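For the technically inclined: here is the “same algorithm on both sides” idea written out. This is an added example, not code from the original post or from any authenticator app; it implements the standard TOTP scheme (RFC 6238, HMAC-SHA1, 30-second windows) and uses the RFC’s published demo secret, which is a constructed value and not anyone’s real key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way an authenticator app receives it from a setup QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """The code both the app and the server compute from the shared secret
    and the current time window. Nothing here touches the phone network."""
    secret = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = at_time // step                  # which 30-second window we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # "dynamic truncation" from RFC 4226
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def server_accepts(secret_b32: str, submitted: str, now: int,
                   step: int = 30, skew: int = 1) -> bool:
    """Server side: recompute the code for the current window and `skew`
    windows either side (to tolerate clock drift) and compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), submitted)
        for k in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = 1111111109                           # a fixed clock so the run is repeatable
    code = totp(DEMO_SECRET_B32, now)          # what the app would display
    print("app shows:", code)
    print("accepted right now:", server_accepts(DEMO_SECRET_B32, code, now))
    print("accepted 10 minutes later:", server_accepts(DEMO_SECRET_B32, code, now + 600))
```

The same code comes out on both sides only because both hold the secret and agree on the time; a code copied at one moment stops working a minute or two later, which is why a leaked code is far less useful than a leaked password.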
One time use codes aren’t new technology — they predate smart phones!
what is phishing?
Phishing refers to the strategy attackers use to steal information from you by pretending to be someone else when they contact you. It’s called phishing as a combination of fishing — fishermen using a lure (email) to catch fish (you) — and the ph popularized by phreaking, what people called hacking phones in the 60’s and 70’s.
A common phishing tactic is to email the secretary of a C-level executive in a big company pretending to be the executive. The attacker will say something like “I’m running late for this conference and realized I forgot the prize! I need you to send me $500 in gift cards asap!” or “I lost my sticky note with our bank info, you need to send it to me. I need to do my expenses tonight!”. The goal is usually to get some financial gain – cash, gift cards, a bank account — or account access.
Attackers that phish for your account access will send you an email prompting you to login to an account, usually email or social media, but instead of going to the real site it will go to a fake one. For example, the infamous Clinton campaign hack was a result of someone clicking an email that said “Take action now to protect your Google account” and entering their Google credentials on a fake website.
Phishing isn’t just in email — it can come from anywhere, including social media and messaging apps.
who’s doing this?
You will likely face two types of attackers. The first group is commercial phishers — these people target huge swaths of accounts at a time automatically, using information from leaks or the grey market. As socialist orgs do not have a lot of cash to steal, they aren’t going to face targeted attacks from attackers only looking for financial gain. Hooray!(?)
The second and more dangerous group of attackers are fascists explicitly opposed to leftism as a project and looking for targets to make miserable. They are usually going to launch more specifically targeted, harder to detect attacks.
Can I stop it?
There are very few purely technical means to stop phishing. Major email providers like Gmail and Outlook perform basic checking of email and can send obvious attacks to Spam. It’s hard to technologically protect against phishing because phishing attacks rely on attacking not the computer via technical means, but the person in the chair. That said, there are two great ways to help protect some accounts against phishing — a security key, and training.
keys to stopping phishing
1) a literal key
A security key is a small device you plug into your computer or phone with a special key on it. When you set it up, it will remember what sites it’s supposed to work on. Let’s say you add a security key to your Twitter account, and later that month you click on a phishing email trying to steal your Twitter account! You don’t realize you’re on a fake website (realtwitterlogin.com) and enter your username and password. But wait — the attackers need one more thing to login.
This is usually where they ask for your two factor code from SMS or TOTP. But they can’t steal a security key. The security key will only work on twitter.com – it will not work on a phishing site. This still isn’t a foolproof way to prevent phishing (they can trick you into installing malicious software that can get around this safety net) but it does make it a whole lot harder!
Need a security key? Yubico is the absolute best in the business. If you have a USB-A port on your computer (the older, rectangle kind) you can get this one for $25. If you need USB-C (the newer, oval-ish port on Androids and Macbooks) grab this one. Both have near-field communication (NFC) which means you can touch them to the back of your phone to use it on the go.
This is the most bang you will ever get for your buck in a security product. Don’t believe me? A 2019 study showed they stopped 100% of attacks.
2) the less literal key (skills)
The best way to stop phishing is arming yourself with knowledge about common phishing tactics and warning signs. One of the easiest ways to spot phishing is by knowing how URLs work.
What’s in a URL?
The URL is what you see at the top of this page. Mozilla has a graphic that helps break all the parts of the URL down:
We’re most concerned with the Domain Name, which contains three main parts. .com (or in our case, .tools) is the top-level domain name (TLD). When purchasing a domain name, you need to choose the domain (sometimes called the second-level domain, but I don’t like this term) and the top-level domain. socialism is my domain, and tools is the top-level domain. These are the two most important parts of a URL. They will always appear together. As an example, socialism.blogsarefun.tools is not this site — the domain is blogsarefun, meaning the server is completely different than the server that runs socialism.tools.
What’s socialism in that example above, then? After purchasing a domain, a web developer can configure their web server with an unlimited amount of subdomains, like chat.socialism.tools, cloud.socialism.tools, or accounts.google.com. You don’t buy these, you just make them whenever you want, and you can make as many as you want. I could make accounts.google.socialism.tools if I really wanted to — there are no technical limitations.
Covering the first part of the diagram, you will likely never see a port number in your browser — don’t worry about it. This used to matter because port 80 was for insecure web browsing and 443 was for secure web browsing, but several years ago nerds the world over pushed to make any website worth visiting secure. You should see a little lock icon next to the domain name in your browser, and that’s all you need to worry about for now. The lock icon says your connection is secure, but this doesn’t mean legitimate. You can be securely connected to the web server of a fraudster.
Finally, the path, parameters, and anchor are all different ways for the source server to organize content; they don’t have an impact on phishing.
If you remember only one thing from this section make it this: the domain name and TLD must appear together.
ding! you’ve got psychological warfare
People have gotten wiser to phishing schemes over the years as they’ve exploded in popularity. Companies the world over are teaching users to recognize things like domains and common mistakes like spelling errors in phishing emails. But scammers are clever. They have a few tricks to hide the URL and some more to trick you into not looking at it.
One of the oldest phishing tricks in the book is inducing panic in the victim to lower their defenses. The infamous Clinton campaign hack email told the victim they must act immediately to fix a security issue. Fake prompts to secure your email account, or your bank account, or your online gaming account are effective because when you’re in a panic, you might not look at the URL at all, or simply not notice a misspelling like gooogle.com vs google.com.
If you ever think you’ve been hacked, the first thing you should do is take a deep breath and try to calm down. If you did get hacked, rushing to fix it isn’t going to matter anyway — but slowing down to double-check what’s happening can prevent you from getting hacked in the first place.
On the technical side, attackers will often hide the URL of the malicious web page in a button or link in your email — this ensures you can’t see what it is before you click. On your computer, you can always hover over the button to see the URL, or long-press the button or link on your phone. Attackers also like to use URL shortening services like bit.ly to force you to click to see the real URL.
Here’s the screenshot of the phishing email that dealt a blow to the Clinton campaign. Check out the screenshot and then look at the plain text version of the email. Can you find the three things that indicate this email is fake?
- accounts.googlemail.com — not google.com!
- Change password (link to bit.ly) — account service links will never, ever be behind a bit.ly link, especially from a major provider like Google
- The attackers made a typo — “sign-in” vs “sign in”. Any kind of typo, language inconsistency, or strange-sounding language is usually a tell of phishers.
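For the technically inclined, here is the “domain and TLD must appear together” rule from the URL section, plus the first two tells above (a lookalike domain and a shortened link), as a small checker. This is an added example, not code from the original post; the `check_link` and `registrable_domain` names are my own, the bit.ly and `evil.example` URLs are constructed, and it assumes a one-label TLD like .com or .tools (suffixes such as .co.uk would need a public-suffix list, which it deliberately leaves out).

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Shorteners the post warns about (bit.ly) plus two others that exist in practice.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def registrable_domain(url: str) -> str:
    """Return the 'domain + TLD' pair that must appear together, e.g.
    'accounts.google.socialism.tools' -> 'socialism.tools'. Assumes a
    one-label TLD; everything to the left is a subdomain anyone can create."""
    if "://" not in url:                   # accept a bare hostname as well
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])


def check_link(url: str, expected: str) -> str:
    """Compare the link's real site against the site you expect to be logging
    in to. Reports shortened links and near-miss spellings separately, since
    those are the two hiding tricks described in the post."""
    site = registrable_domain(url)
    if site == expected:
        return "ok"
    if site in SHORTENERS:
        return f"shortened link: {site} (real destination hidden)"
    # Crude lookalike test: gooogle.com vs google.com scores ~0.95.
    if SequenceMatcher(None, site, expected).ratio() >= 0.8:
        return f"lookalike of {expected}: {site}"
    return f"different site: {site}"


if __name__ == "__main__":
    for link in [
        "https://accounts.google.com/signin",          # the real thing
        "https://accounts.googlemail.com/ServiceLogin",  # the tell from the email
        "https://gooogle.com/",                        # the misspelling example
        "https://accounts.google.socialism.tools/",    # my subdomain trick
        "http://google.com.evil.example/login",        # constructed: domain used as a subdomain
        "https://bit.ly/EXAMPLE",                      # constructed placeholder shortener link
    ]:
        print(f"{link:48} -> {check_link(link, 'google.com')}")
```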
A Solid Foundation
If you’ve come this far, congratulations. You’ve got tools to tackle two of the most common attacks you’re likely to face. You know why 2FA, especially a security key, is important, and how to spot a phishing email. This is a fantastic start to protecting your digital life.
In the next Security series, we’ll block the prying eyes of data brokers and ad networks to help protect your location, and talk more about physically securing your devices.