Measures for Everyone to Protect Your Digital Self Living in Your Mobile Devices In part one of this guide to protect your digital ID, I will talk about the basics — Then, in part two, I will address more on digital identity — some special efforts for people who need more protection. measures that anyone can use to reduce risks to their devices. In the last part of the guide, I will focus on something that anyone can turn into a habit — a risk-based approach to treating your digital identity with risk assessment threat modeling. After reading this guide, I hope more people will, and hopefully, be more aware of protecting privacy. (Remarks: The first one here is for the beginners.) Know Yourself and the Enemy The key to protecting your digital self is making it as pricey and impractical as possible for somebody to steal data critical to cyber-safety — your financial security and privacy. If attackers find it too challenging or expensive to get your data, there’s a better chance that they will move on to an easier target. For that reason, it’s crucial to assess how vital information can be stolen or leaked — and understand the limits to protect that information after knowing where and what your enemy wants to steal, you can have a better chance to put your effort and resources into those vulnerabilities. Make a List! To Check Your “Attack Surface” by a cyber-criminal (or an “unethical” big tech company, employer, or the like) for profit at your expense. Or similar things could put you in a vulnerable position that you may or may not be aware of. The first step above is all about taking stock of your digital life that could be exploited A sample item list may include items like: mobile phone and other mobile devices, personal computer, home network (e.g., routers, access points), social media accounts, online banking and financial information, information of your physical identification and credit card information. — a chance for someone to exploit that and steal your data. How much an attack surface is exposed relies on numerous factors, but you can significantly lower the chances for malicious exploitation with some basic countermeasures. So let’s tackle them one by one. In cybersecurity, each object offers an “attack surface” Physical Security for Mobile Devices Our digital identities “live” in our smartphones and tablets. And these mobile devices are so portable that they lead to a high risk of being out of our control by being lost, stolen, or simply picked up by others when it’s idle, and we are not aware. Luckily, defending against casual attempts to get personal data on a smartphone or other mobile devices (as opposed to attempts by law enforcement, sophisticated criminals, or state actors) is moderately straightforward — reducing the attack surfaces. Lock Your Phone+ First, But it’s equally important Use a longer PIN if possible. Besides, ensure your device is (e.g., a maximum of 10 times). always enable lock on your devices. to consider how your devices are unlocked. set to erase its contents after multiple wrong password attempts Limiting the number of trials can significantly reduce the chance of password guessing and thus have a better opportunity to protect your privacy once your device is stolen or lost, especially when your PIN is only 4-digit long. For better security, use a password **at least eight characters long (**preferably a longer passphrase than a long passcode). This shouldn’t be a problem using face recognition or a fingerprint unlock on your phone. due to the app settings or other reasons. Delays mean someone who grabs your phone can get to your data if they bring up the screen just in time. Bonus: Check if there is any delay in the screen locks Data Backup In response to stricter requirements for password reset after multiple password failures, it is recommended to back up your phone regularly. The safest way to backup data is plainly doing it locally — an encrypted backup on your external hard drive. For Apple devices, for local Backup, you can: backup your iPhone to your computer via Finder (macOS Catalina or later) or Use iTunes (Windows or macOS Mojave or earlier). Apple has an easy-to-follow for data backup locally. For Android devices, please find a similar guide guide . here If you want to enhance the availability of your Backup (in case the local copies are corrupted or lost), before you upload it to the iCloud or other storage services, But remember, (whether it is a password, certificate, or token). you can encrypt those backups. please keep the encryption key safe and secure Software Update To reduce the attack surface, ensuring your mobile devices are kept up to date, along the same lines, is crucial to  prevent someone from taking advantage of known security bypasses. With good initiatives like now we have vendors fixing security vulnerabilities much faster. Keeping up-to-date is easy. All you need to do is check for updates on the device’s settings and press “update.” “ ,” Project Zero Check & update your Android version Apple security updates Digital Footprint 101 More from my previous article: The KonMari Method for Your Digital Footprint: How to Clean up Your Digital Clutter Like Marie Kondo We need to know what it is before trying to protect it. Digital Footprint is everywhere online. It is all your activities with a keyboard and mouse, in addition to what we tap and swipe on our precious mobile devices. Here are some typical locations where we leave most of our footprint. is not just what you post but also the comments, like, tweet, retweet, and swipe left and right. Unfortunately, most platforms have very long user agreements that are difficult to read. Social Media — Make sure you keep an eye on data policies and settings updates. Mobile Apps — the buying habits are precious for ads and marketing. Shopping Websites — web browsers use as attributes that let people identify who you are. Web Browsers headers and cookies Several involve tricking people via social engineering into websites resembling app stores. Unfortunately, these schemes almost always lose thousands of dollars and massive privacy exposure. “fake app” scams Check for the items below: Avoid apps with vague permission requests, and Deny anything that seems like an overreach (Least Privilege) For example, when Facebook Messenger asks to be your SMS client and then logs all your phone calls to your Facebook account, it can find “friends” for you more efficiently. And if there are apps that you don’t use, delete them. Apple’s iOS does this if it’s configured, but only if the apps are not running in the background. To make our life easier, we usually (as it skips the process of creating a username and password for that application.) Not everyone is a “listaholic” who would keep a list of all the online services, online stores, or apps they signed up for over the years. leverage single sign-on (SSO) options such as social media accounts or our email addresses for quick sign-up If that’s your case, No matter which service you use to sign-up for (e.g., Google, Facebook, Apple ID), all options give you a summary of third-party apps access. Here are the top three: your SSO information may save you time. Google Apple Facebook However, if SSO options are not selected or not available, but you used your email addresses instead, you can search for all the services you use by Then, revoke, remove, unsubscribe, and delete all sign-ups you no longer need. searching your email inbox for keywords like “unsubscribe,” “sign-in,” or “welcome.” Recommendation: Minimize Your Digital Footprint At the Beginning It all makes sense. Once you produce less digital footprint, there is less than you need to clean up afterward. So there’s still hope — by applying “ Digital Distancing.” We now all know social distancing as it keeps popping up on the news. The idea of digital distancing is like when you want to talk to your boss about your salary rise, and you close the door. Keeping a digital distance could help keep you away from data breaches or eavesdropping on your digital self. In short, you can start with the following: Change your Browser — Firefox and Brave are privacy-first web browsers. Or use Tor if you need extra features. Use and the “private window” of browsers for searching. Duckduckgo Check Your App Permissions and double-check the privacy settings on social media apps. Regarding Virtual Private Network (VPN) — Assume VPN providers keep logs and check if the provider support PFS — Perfect Forward Secrecy. Also, check the privacy law and regulations of VPN providers’ locations. — Protecting our DNS is essential to internet security. It also blocks many tracking scripts and apps from connecting and sending data back to their destinations. All internet-accessing devices would have a DNS setting. Better to protect your data from the beginning. Upgrade Your DNS Security at Home Mobile Network Threats Besides issues that arise from questionable app behavior, mobile devices can be vulnerable through normal functions like WiFi or Bluetooth. Consider turning off WiFi when you’re away from home. An adapter or the power socket with a separate on/off button would serve this purpose. I have a timed power plug set to turn off at night. Your mobile device may be continuously polling for the network SSIDs in its history to reconnect automatically or connect to anything that looks like a carrier’s WiFi network. Unfortunately, when this happens, your device gives away information about networks you’ve seen and might allow a hostile network access point to connect. Also, someone could use your phone’s WiFi MAC address The same goes for Bluetooth. If your device has Bluetooth turned on, it’s broadcasting information that could identify it — and you. When your phone tells you to turn on WiFi to improve location accuracy, try to ignore it unless you know what you are doing. to fingerprint your device and track it. To avoid someone identifying you fast, This is because your phone’s network name is broadcast all around you. It is like using your WiFi as a mic to shout your name to other’s devices. name your device anything other than [Your Name] ‘s iPhone. Bonus: Thew Mobile Threat Catalogue NIST provided a comprehensive document regarding mobile threats, including attack surfaces and standard techniques. If you want to make your list above more extensive, you can take a look at the . NIST draft Final Words — The Most Expensive is “Free of Charge” We should value our data as the real world for our digital identity. We use vaults to store our personalized jewelry and only share our financial records with the bank; We need the same measures for our digital self. This guide is the beginning of a series of best practices for users of different levels. Remember, Simply realizing the concept of the digital footprint can make us wiser every time we need to decide if we want to share our data. In Japanese, there is an old saying: ( ) Why is it the most expensive? but time, privacy, health, and freedom, which are intangible, are our most precious assets. every time you tap on your phone, you leave some traces. “nothing costs as much as what is given to us.” ただより高いものはない Because the price you pay does not measure with money See you in part two. Thank you for reading. May InfoSec be with you🖖.

Apple

Facebook

Google

Target

Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.

Protect Your Digital Identity— Level One (Mobile)

Too Long; Didn't Read

Companies Mentioned

@z3nch4n

RELATED STORIES