Online Security Tips

In the last ten years, many of us have embraced technology and use it daily. We use phones, email, websites, and home automation, and we access these services through online accounts secured by usernames and passwords. A hacked Twitter account may be no big deal; a hacked banking or home automation account can have more serious consequences. Whether it be Twitter or Bank of America, I recommend good security discipline. Here are some ways you can achieve this.

Use a Unique Password For Each Account You Have

It's amazing how many people have had their accounts hacked because they used the same password for all of their accounts, or used a very simple password. Both are relatively easy to exploit. Here's why. People often use the same email address as the username for all their accounts. To make it easier, they also use the same password, usually a simple one. When one of those accounts is part of a security breach and millions of account records are stolen, the first thing the purchaser of that information does is try those usernames and passwords on every online service available. So the credentials from a hacked Facebook account end up being used to log in to an online banking account or a health care provider's website.

One of the easiest solutions to this problem is to use a password manager. Password managers allow users to store account information and other items securely and use them conveniently. They provide tools to create strong passwords, and have browser plug-ins that will autofill usernames and passwords into websites. Here are two that are popular:

  • LastPass (LastPass Website) can be used to store website login information, banking account information, serial numbers, IDs and other records easily and securely. There's a LastPass app for iPhone, Android and Windows 10, giving easy access to account information on mobile devices too. LastPass works pretty well, but has lots of bugs in its image storage system, so if you need to attach images to your LastPass records, I suggest a different solution. LastPass has a free version. The premium plan is $12.00/year.
  • Another highly reviewed product is Dashlane (Dashlane Website). Dashlane has lots of features and a free version; the premium plan costs $39.99/year.

There are many password managers available today and you can find a list of them at Wikipedia Password Managers.

Once you get set up with a password manager, be sure to create strong passwords for your accounts. 

If you have accounts that you want to secure a bit more, such as a bank or healthcare account, use a stronger password and consider adding multi-factor authentication.

Use Your Phone's Password Protection

Use your phone's lock feature to require a password to unlock it. Use a 6-digit PIN rather than a 4-digit PIN. If you use a fingerprint to unlock your phone, be sure to turn OFF your phone if you get arrested; don't just lock it. That way the phone will require a PIN to unlock, and the police can't use your fingerprint. I don't feel that fingerprints are good security. There are too many ways around them.

Use Paid Online Services Rather Than Free Ones

Google, Microsoft, and others offer free online applications and services. They also offer paid versions of these services with more features and better security. If you read the Terms of Service (TOS) for free versus paid accounts, you'll find a huge difference between them. Generally when you use a free service, the service provider owns everything you create using that service, and everything about you is sold to the highest bidder.

When you use a free service, you are the product the service is selling. What are they selling? Every piece of information they can gather about you, along with every interaction you make, message you send, photo you tag, friend you make. And every time anyone else tags, messages or friends you, that information is gathered and sold too. And oh, by the way, all this information can be hacked and stolen too. If you read the Terms of Service and Privacy Policies of the free service you just can't live without, you'll find that all the data, content and metadata is owned by them, not you.  

When you use a paid service, you are the customer, and you own the intellectual property created using it, and the TOS protects your rights and content. Your information, messages, phone calls and intellectual property are not sold to others. Therefore I highly recommend using paid accounts for any service where you will be creating anything of value, and for your own safety and security.

Google and Microsoft both offer paid versions of their services. I prefer Microsoft and use Microsoft Office 365 because it includes the Microsoft Office Suite, options for Microsoft Exchange (for email) and many other features that are awesome.

Google offers Google G Suite, another very popular platform.

Pick the one you think will work best for you.

If you are an individual either will work fine if you don't create much content. However, for individual users who also use Microsoft in their business, Office 365 will require no additional learning and feel very comfortable. And should your individual needs expand, Office 365 can scale to any size and need.

Get Your Own Domain And Email Accounts

Most of the world is still using Gmail, Outlook.com or even AOL to communicate. These are usually free accounts where the user doesn't own or control the domain or the content. Therefore I highly recommend that everyone have their own domain and private email account. You can set this up easily using Microsoft Office 365, Google G Suite or GoDaddy.

Use Gmail.com and Outlook.com accounts (which are almost required these days to use services like Google Maps or Microsoft Windows 10) sparingly. Don't put any real information in these accounts, especially your name, birthday, etc. Put as little information in them as possible to make them work. Until there is a paid consumer version of Google Maps, and Microsoft allows Windows to be configured ONLY with Office 365, these accounts are necessary.

Create a separate secondary email account to register for online services that send you information but that you do not transact with. Many accounts these days require an email address as the login username and as a way to contact you. For these websites, use an email address that does not have your name in it. You can use a random outlook.com or gmail.com account, or create your own domain at GoDaddy and use an address with 'junkmail' in it. Eventually everyone gets hacked (Target, Home Depot, the Federal Government, Yahoo, Yahoo, Yahoo, Yahoo, etc.), and when that happens, they will not have your primary email address and personal information. An email address that includes 'junkmail' in it discourages hackers and email re-sellers.

Email Spam and Phishing

Most email platforms have some kind of spam and phishing email filtering available. They can be quite effective in filtering out spam and phishing attacks. However, phishing email comes in many forms these days and the trap it lays can be compelling. Here are some tips to avoid phishing attacks:

  • Never respond to email that asks for account updates. If you feel the email is legitimate, rather than use the click-through link in the email to update your account information, log into the website directly using your credentials and update your information that way.
  • Do not use links in email to automatically log into websites. Instead, go to the website directly on your browser and log in from there.
  • Do not use links in email that take you directly to an online payment page. Go to the website directly and log in there to make a payment. 
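To see why the tips above say "go to the website directly", here is a small link inspector for an HTML email body, an added example that is not from the original article. It assumes Windows PowerShell 5.1 or later; the sample message and the bank.example host are constructed for the demo.

```powershell
# Added example (not from the original article): report each link in an HTML
# email body and flag the ones whose visible text names one host while the
# href really points elsewhere, or that are not HTTPS, or that target a bare IP.

function Get-EmailLinkReport {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # Capture the href and the visible text of every <a ...>...</a>
    $anchorPattern = '<a\s[^>]*?href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $anchors = [regex]::Matches($HtmlBody, $anchorPattern, 'IgnoreCase, Singleline')

    foreach ($a in $anchors) {
        $href = $a.Groups[1].Value.Trim()
        $text = ($a.Groups[2].Value -replace '<[^>]+>', '').Trim()   # strip inner tags

        $uri = $null
        $isAbsolute = [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)
        $hrefHost = if ($isAbsolute) { $uri.Host.ToLowerInvariant() } else { $null }

        # If the visible text looks like a URL or domain, extract the host it claims
        $claimedHost = $null
        if ($text -match '(?i)^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)') {
            $claimedHost = $Matches[1].ToLowerInvariant()
        }

        $reasons = @()
        if (-not $isAbsolute) {
            $reasons += 'href is not an absolute URL'
        } else {
            if ($uri.Scheme -ne 'https') { $reasons += "scheme is $($uri.Scheme), not https" }
            if ($uri.HostNameType -eq 'IPv4' -or $uri.HostNameType -eq 'IPv6') {
                $reasons += 'link targets a bare IP address'
            }
            if ($claimedHost -and $hrefHost -ne $claimedHost -and -not $hrefHost.EndsWith(".$claimedHost")) {
                $reasons += "text claims '$claimedHost' but link goes to '$hrefHost'"
            }
        }

        [pscustomobject]@{
            Text       = $text
            Href       = $href
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample message: one deceptive "account update" link, one honest link
$sampleEmail = @'
<html><body>
<p>Your account will be suspended. Verify now at
<a href="http://203.0.113.10/verify">https://www.bank.example/verify</a>.</p>
<p>Questions? See our <a href="https://www.bank.example/help">help center</a>.</p>
</body></html>
'@

Get-EmailLinkReport -HtmlBody $sampleEmail | Format-Table -AutoSize -Wrap
```

The first link is reported as suspicious on three counts (plain HTTP, bare IP address, text claims bank.example but goes to 203.0.113.10); the second is clean.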

Use Your Mobile Number Carefully

Mobile numbers seem to be replacing Social Security Numbers in corporate databases to track customer accounts. Calls to support centers for customer service will often prompt for or verify customer mobile numbers, or use mobile numbers to automatically pull up your customer record on the screen of the support rep. If you don't believe me, check out this article from USA Today: With my cell-phone number, a private eye found 150 pages on me.

Given that it is becoming the newest form of ID, it might be wise to only use your primary mobile number for services and merchants that you trust. Get a secondary number from Skype or Google Voice to use in those circumstances where you don't want the service or person to have your primary mobile number. Forward the secondary number to your primary mobile number if you need to receive calls and don't want to switch between apps.

Use A PO Box Instead Of Your Home Address

A PO Box is a great way to keep your identity safe and sound, especially if you have businesses and business relationships that are separate from your main employer, are self-employed, or are starting a company. There are many advantages to having a PO Box:

  • It's private.
  • They don't receive junk mail in most cases.
  • If it's not USPS, they usually have a service that will forward your mail to wherever you are on a regular basis - so you can travel around the world and not miss important mail.
  • You don't have to change addresses on everything when you move.

Choose a PO Box location that is easy to get to and offers forwarding services.

Lock Your Credit Accounts

You can now lock or freeze your credit accounts at TransUnion, Experian and Equifax. They may charge you a $10 fee or more to do this, depending upon the state you live in. Once locked or frozen, no one can run credit reports on your account, send you credit offers, or set up credit accounts on your behalf. Remember when Wells Fargo set up accounts for 2 million of its customers without telling them? You'll have to unlock or unfreeze your account before applying for credit to purchase a house, rent a new place, buy a car, or get a new bank account or credit card. Some other transactions may also require you to unlock/unfreeze one of your accounts. You can do this on the bureau website or with a phone call. The credit bureaus do not like customers doing this. They make money on your account every time a credit report is run, whether you want one run or not. This is a great way to prevent identity theft, and most people do it only after they have experienced identity theft. Do it before your identity is stolen, and save yourself the trouble.

Here are the major reporting bureau credit lock/freeze websites:

Monitor Your Credit

There are several ways to easily monitor your credit. 

  • Get a free annual credit report using a website set up by Equifax, Experian and TransUnion - AnnualCreditReport.com
  • Credit Karma is a free service that monitors your credit. It uses data from TransUnion and Equifax. You can view your credit scores and reports along with recommendations and tips on managing your credit, plus a new Tax feature for filing your income taxes for free. You can access it via an iOS or Android app or on the web at Credit Karma.
  • WalletHub is another free service that allows you to monitor your credit. It uses data from TransUnion. You can view your TransUnion credit score and credit report, along with analysis, recommendations and tips on managing your credit. You may access it via an iOS or Android app or on the web at Wallet Hub.

Cancel Or Delete Online Accounts Or Apps That You Don't Use

Every day there is a new app or online service that offers something so enticing that it just has to be tried out. A week later, whatever it was is no longer useful. Be sure to delete the account after you abandon it. You don't want your information out there.

Social Media

Social media is part of the social fabric today in 1st world countries. I don't recommend anyone use social media sites for personal use except as an avatar, a fake identity that is not you. That eliminates Facebook, of course. I got rid of Facebook years ago. I had to have an account for business purposes. And the only valid reason to use social media today AS yourself, in my opinion, is for business purposes: to promote your company, product, or yourself.

The product of most social media sites is you. Facebook made about $4 Billion profit on $12 Billion in sales in 2016. Those sales came from a variety of sources, including ad revenue and selling its 'social graph', aka all the data it has about you, to others. That social graph is robust. Google "what does Facebook know about me" and you'll find quite a few articles detailing just how intrusive their social graph is. The data comes from you, your friends, your friends' friends, and so on. Big data tools can link your data with your friends' data about you on their mobile devices (contacts, etc.) and even tag you in every photo of you taken by anyone, using metadata and image recognition. If you leave the app running, and location services on, Facebook knows everywhere you have gone and for how long, and can even make pretty good guesses about what you did while you were there. Still not convinced? Check out some other reasons not to use Facebook.

Most Facebook users I know simply don't care. They love Facebook and nothing will change their mind about using it. Fine.

But if you are concerned about all the data being collected about you and used by others to manipulate you into buying stuff, electing certain people, and voting for certain issues, by all means delete your Facebook account. It turns out that Facebook doesn't make it easy to do this. Every year the way to do this changes, so to be current, simply Google "how do I delete my Facebook account permanently" to find an article with the latest on how to do it. Be warned: Facebook won't permanently delete your account instantly. They will leave it out there for a period of time, and ANY login to your account will reactivate it automatically. If you are using your Facebook credentials to access other social media accounts (a really bad practice) then you'll probably reactivate your Facebook account through their login control without knowing it. They really don't want you to leave. You are their product, and everyone that leaves is one less person for them to sell.

What About Using Social Media For Business?

If you are using Facebook, LinkedIn or Twitter for business, be aware that all the social graph concerns mentioned above still apply. Therefore I suggest that you keep business use of these accounts strictly business. For example, if you use Twitter for business, don't Tweet about your son's role in the high school play or your daughter's upcoming soccer game. If you don't have something to promote or sell that will actually make you money, don't use social media for business. I would strongly suggest that if you do have a brand to promote or sell, that you create a brand name that is not you personally and create your accounts to promote the brand only. LinkedIn is the only exception to this. There's no way around promoting yourself on LinkedIn, if you feel you have to be there. 

Browser Safety Tips and Tricks

Browser safety can be broken down into two major categories: searching and browser technology. Let's start with searching.

Search Engines

There are a number of search engines available today, including Google, Bing, Yahoo and others. There are several concerns any user, even law-abiding citizens, should have about using any of them. First and foremost, where is all your search data going and who sees it? Even though search data is supposed to be aggregated and "sanitized" of any personal data, it has been proven many times that it's fairly easy to take a big mass of sanitized data and link it back to individual users. After all, Google makes its $90 Billion per year income by selling information about you to anyone who will buy it, and it gets a lot of that information about you when you use its search engine and apps. Most of us can't live without Google search and Google Maps. They are awesome. But how do you use them with reduced risk? Here are some tips:

  • Create a Gmail user that has as little profile data associated with it as possible, and don't use any factual information in the required fields. Never use your real name, real birth date or real anything. Never use this account for any social media where you want anything real about you associated, such as Facebook, Twitter or LinkedIn. Keep this account totally separate. Use this account to log into all free Google offerings: Chrome, search, maps, etc. If you are using Google for business, do not link these accounts. Use a separate account for your Google for business work. That way, any information Google is gathering and selling about you (via this profile) is very limited. If the account is hacked, the information about you isn't meaningful. That said, do use a strong password on this account and do change it from time to time. LastPass makes this easy.
  • If you want particular searches to be untracked, use the incognito feature of the browser. I have no idea if this does much other than creating a separate browser session.
  • If you want really safe searches, use a search engine that does not track you such as the ones listed here: 5 Alternative Search Engines That Respect Your Privacy.

Browser Technology

According to NetMarketShare, the top browsers in 2016 were Google Chrome, Microsoft Internet Explorer, Microsoft Edge, Firefox and Safari. Everyone has their preferred browser(s). Chrome, Edge and Firefox have robust add-ins. Here are a few I recommend:

Essential

  • AdBlock - A free ad blocker. It works quite well. Make a contribution to them to keep this add-in alive.
  • LastPass - If you are using LastPass, be sure to use their add-in. If you are using another password manager, get theirs.

Useful

  • Privacy Badger - A free add-in from our friends at the Electronic Frontier Foundation that gives you control over who is spying on your browser session and blocks all kinds of mischief.

Windows 10: Microsoft Accounts versus Local Accounts

When Microsoft introduced Windows 10, it made it a free upgrade from previous versions of Windows. Why did Microsoft do that? My theory is they did it for two reasons: 1) they wanted to maintain the code for fewer versions of Windows, and 2) they wanted to monetize the social graph that Cortana and Bing might provide, the way Google monetizes search. Cortana and Bing are basically search engines. Microsoft uses Microsoft Accounts to track users' data and monetize it. As you can see from the pie chart, Windows 10 still only has 25% market share, and Windows 7 is still the dominant version of Windows in use.

You may use Windows 10 with local Windows accounts or Microsoft Accounts. Microsoft makes it very difficult and awkward for consumers to set up Windows 10 without using a Microsoft Account. Remember that a Microsoft Account is a free account provided by Microsoft that has privacy and terms of use policies that strongly favor Microsoft. By linking Windows 10 computers to Microsoft's social graph via a Microsoft Account, activities taking place on your personal computer running Windows 10 are monitored and sent to Microsoft. What Microsoft does with this information, only Microsoft knows, but you can find out some of what you gave them permission to do with your data in the TOS and Privacy Policy associated with your Microsoft Account. Just remember that you are the product and not the customer in this relationship. I truly wish Microsoft would change direction on this and mirror Apple's stance on protecting the privacy and security of its consumer customers: give consumers a private and secure account associated with Windows 10 with the same level of privacy that a corporate domain account or an Office 365 account has.

When Windows 10 first launched, the folks on the web who cared about security and privacy went nuts and were very critical of Microsoft for this invasion of privacy. Note that this largely affected only personal users of Windows 10 and some small businesses; Microsoft business customers would never put up with this breach of security and privacy, and since Microsoft gets most of its revenue from business, it is very sensitive to this. Thus Windows 10 on corporate networks does not require Microsoft accounts and does not send local data to Microsoft.

As time went on, Microsoft created ways for users to restrict what data and access Windows 10 sends to Microsoft, but none of them are really great, and Microsoft won't reveal what it is collecting and selling in any detail. Most users couldn't be bothered.

Bottom line: You'll need a Microsoft Account to register your Windows 10, buy apps from the Microsoft Store, and use Skype. Fine. Just do not use your Microsoft Account to log into your Windows 10 device. To use local accounts to log into your Windows device, step-by-step instructions are below.

Windows 10: Administrator versus Standard Roles

Another concern about the personal use of Windows 10 is account role security. I recently read a great article that suggested that 85% of the vulnerabilities of Windows 10 could be eliminated by simply setting the user account role to Standard rather than Administrator. Why? Because in most cases, breaches in security can only be effective if the user logged in has administrative rights. If you don't have administrative rights, the virus or whatever can't really do much damage to your system. So it makes sense to use a Standard account for your day-to-day use of Windows 10. Note that in corporate environments, this is exactly how Windows 10 is managed.

Here's how to make Windows 10 less vulnerable and keep Microsoft from collecting and selling your personal data by using local accounts rather than Microsoft Accounts (for advanced users only; others should hire IT support to do this):

  1. Create a new Windows 10 account that is local (and doesn't use a Microsoft account to log in) and give it administrator rights using the Administrator role. This account will be used to administer Windows 10 only. For instance, you'll use it when you install new software. Note: Microsoft makes this difficult to do, so follow these steps:
    1. In the Windows search bar (lower left) type "users"
    2. On the User's Accounts screen, click on the "Manage another account" link
    3. On the Manage Accounts screen, click on the "Add a new user in PC settings" link
    4. On the Family and Other people screen, click on the "Add someone else to this PC" link
    5. On the How Will This Person Sign In screen, click on the "I don't have this person's sign-in information" link
    6. On the Let's create your account screen, click on the "Add user without a Microsoft account" link
    7. Fill in the form and click next
    8. The new user will be created
    9. On the Family and Other People screen, click on the user you just created
    10. Click on the Change Account Type button
    11. Change the Account Role to Administrator
    12. Log off
    13. Log into your new Windows 10 local administrator account
  2. If your current Windows 10 account uses a Microsoft account to log in,
    1. Create a new Windows 10 account that is local (and doesn't use a Microsoft account to log in) and give it standard rights using the Standard role.
      1. In the Windows search bar (lower left) type "users"
      2. On the User's Accounts screen, click on the "Manage another account" link
      3. On the Manage Accounts screen, click on the "Add a new user in PC settings" link
      4. On the Family and Other people screen, click on the "Add someone else to this PC" link
      5. On the How Will This Person Sign In screen, click on the "I don't have this person's sign-in information" link
      6. On the Let's create your account screen, click on the "Add user without a Microsoft account" link
      7. Fill in the form and click next
      8. The new user will be created
      9. On the Family and Other People screen, click on the user you just created
      10. Click on the Change Account Type button
      11. Change the Account Role to Standard Role
      12. Log off
    2. Log into your new Windows 10 local admin account
    3. Copy the folders and files to the new Windows 10 profile from the user account you were previously using to your new Windows 10 local standard user account. You can do this from your old Windows 10 user account if it had the Administrator Role or the new Windows 10 Administrator account you created in Step 1 above. These folders and files are located under c:\users. Each user will have its own folder. Drag and drop the subfolders into your new Windows 10 user folder.
    4. Log into your new Windows 10 user profile and configure your applications and settings.
      1. Add your favorite applications to the Taskbar.
      2. Add your favorite add-ins to your browsers.
      3. Attach your Dropbox or OneDrive for business account.
    5. You can optionally delete the old Windows 10 user account via the Windows 10 User Manager.
    6. Transferring your Windows 10 profile and data is not easy and can have serious consequences if you make a mistake. If you aren't savvy enough to do this, I strongly recommend that you hire an IT professional to assist you. If you store your data using a free OneDrive account, this will be even more difficult. As mentioned above, store your data on DropBox or OneDrive for Business (Office 365). Then you will actually own your data, and not Microsoft.
  3. If your current Windows 10 account is a local account and does not use a Microsoft account to log in, modify this account to be a Standard role account using the Windows 10 User Manager. Use this account for your daily use.
  4. Turn off Cortana features. 
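The same end state the steps above reach by clicking through Settings, done instead from an elevated PowerShell prompt, as an added example that is not from the original article. It assumes the LocalAccounts cmdlets built into Windows 10's PowerShell 5.1; the account names are placeholders, and the well-known group SIDs are used so the script does not depend on English group names.

```powershell
# Added example (not from the original article): create a local administrator
# for maintenance, a local Standard account for daily use, demote an existing
# local account, check who can administer the PC, and switch Cortana off.

$adminName = 'LocalAdmin'   # placeholder: used only to install software and administer the PC
$dailyName = 'Daily'        # placeholder: local Standard account for day-to-day use
$administratorsSid = 'S-1-5-32-544'   # built-in Administrators group
$usersSid          = 'S-1-5-32-545'   # built-in Users group (the Standard role)

# Step 1: a local administrator account with no Microsoft account attached.
$adminPwd = Read-Host -AsSecureString "Password for $adminName"
New-LocalUser -Name $adminName -Password $adminPwd -PasswordNeverExpires `
    -Description 'Local admin, maintenance only' | Out-Null
Add-LocalGroupMember -SID $administratorsSid -Member $adminName

# Step 2.1: a local Standard account for daily use (member of Users only).
$dailyPwd = Read-Host -AsSecureString "Password for $dailyName"
New-LocalUser -Name $dailyName -Password $dailyPwd `
    -Description 'Daily use, Standard role' | Out-Null
Add-LocalGroupMember -SID $usersSid -Member $dailyName

# Step 3: if the account you already use every day is local but still an
# administrator, demote it. Run this only after step 1 succeeded, so the PC
# keeps one working administrator.
function Set-StandardRole {
    param([Parameter(Mandatory)][string]$Name)
    $member = Get-LocalGroupMember -SID $administratorsSid |
        Where-Object { $_.Name -like "*\$Name" -and $_.PrincipalSource -eq 'Local' }
    if ($member) {
        Remove-LocalGroupMember -SID $administratorsSid -Member $Name
    }
    $inUsers = Get-LocalGroupMember -SID $usersSid | Where-Object { $_.Name -like "*\$Name" }
    if (-not $inUsers) {
        Add-LocalGroupMember -SID $usersSid -Member $Name
    }
}
# Set-StandardRole -Name 'OldDailyAccount'   # placeholder: your existing local account

# Verify: who can administer this PC? PrincipalSource reads 'MicrosoftAccount'
# for members that sign in with a Microsoft account rather than a local one.
Get-LocalGroupMember -SID $administratorsSid |
    Select-Object Name, PrincipalSource, ObjectClass

# Step 4: turn off Cortana using the same policy value the Group Policy editor
# sets under Computer Configuration > Administrative Templates > Windows
# Components > Search > Allow Cortana (Disabled).
$searchPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
if (-not (Test-Path $searchPolicy)) { New-Item -Path $searchPolicy -Force | Out-Null }
New-ItemProperty -Path $searchPolicy -Name 'AllowCortana' -PropertyType DWord `
    -Value 0 -Force | Out-Null

# From any later session, confirm it is NOT running with administrative rights.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as administrator: $isAdmin"
```

After logging off and back on as the daily account, the last two lines should report False; run them again from the maintenance account and they report True.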

To summarize, using Windows 10 local accounts and disabling Cortana will keep your personal data safe. Using a standard role account for day-to-day use will keep your Windows 10 system safer.

Windows 10: OneDrive versus OneDrive For Business

Microsoft OneDrive is Microsoft's free competitor to Google Docs, DropBox, and other cloud storage systems. You must use a free Microsoft account to access the free OneDrive. If you read the Terms of Service (TOS) and the Privacy Policy, once again, you'll find that using this product makes you the product and the information you generate in transacting with OneDrive is used to advertise to (manipulate) you, and aggregated and sold to others. Therefore, I don't recommend anyone use OneDrive for anything ever.

Microsoft OneDrive for Business comes with Microsoft Office 365 - a very nice product that you pay for. Therefore you are not the product, you are the customer - and the corresponding TOS and Privacy Policy protect you and your data rather than sell it to the highest bidder. OneDrive for Business works pretty well, but struggles if you use it for large collections of files. For instance, if you want to store over 10 Gb of data, say, your photo and music library, I would suggest DropBox instead. It works flawlessly every time, even with very large numbers of files. (I wish Microsoft would take OneDrive for Business and SharePoint seriously. Both are simply not 100% reliable, yet.)

If you are a OneNote user, you'll need to use OneDrive (either version) to store OneNote files if you want to use OneNote across multiple devices. Again, if you value your security and privacy, use OneNote for Business. The same is true if you want to use Microsoft Word or Excel to collaborate real time with others.

In summary, if you need 20 Gb or less of file storage, you'll be happy with OneDrive for Business. If you have file storage needs over 20 Gb, you may find OneDrive for Business can't handle the volume, and Dropbox will be a better choice. I use OneDrive for Business for OneNote and collaborative projects and Dropbox Pro for everything else.

Windows 10: Updates

Microsoft developed a system for updating Windows 10 called Windows Update Delivery Optimization. In an effort to be efficient, Microsoft created a peer-to-peer update option that allows files from other Windows 10 machines on your local network and on the internet to be used to update your computer, and vice versa. What? Yes, with this option, during the update process files from other Windows 10 users may be placed on your machine, and files on your machine may be placed on other users' machines. What could possibly go wrong?

Sadly, this is the default option for Windows 10. 

If you are concerned, you can turn this feature off, or you can leave it on and specify that peer-to-peer updates only take place between computers on your local area network. If you choose this option, be sure to select it for all the other computers on your local area network. I have turned this feature off. You can easily change these settings by:

  1. Type "Windows Update" in the search bar
  2. Click the "Advanced options" link
  3. Click the "Choose how updates are delivered" link
  4. Select the option you want on the "Choose how updates are delivered" page.
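The same two choices set from an elevated PowerShell prompt rather than the Settings page, as an added example that is not from the original article. It assumes Windows 10 with PowerShell 5.1 and writes the Delivery Optimization policy value that the Group Policy editor sets, which takes precedence over the Settings toggle; the mode numbers are the ones Microsoft documents for that policy.

```powershell
# Added example (not from the original article): read and set the Delivery
# Optimization download mode by policy. Documented DODownloadMode values:
#   0   = HTTP only, no peering
#   1   = HTTP blended with peering behind the same NAT (local network only)
#   2   = HTTP blended with peering across a private group
#   3   = HTTP blended with internet peering (the default the article describes)
#   99  = simple download mode, no peering
#   100 = bypass Delivery Optimization and use BITS instead

$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-DODownloadModePolicy {
    $item = Get-ItemProperty -Path $doPolicy -Name 'DODownloadMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # no policy set: the Settings page value applies
    return [int]$item.DODownloadMode
}

function Set-DODownloadModePolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 99, 100)][int]$Mode)
    if (-not (Test-Path $doPolicy)) { New-Item -Path $doPolicy -Force | Out-Null }
    New-ItemProperty -Path $doPolicy -Name 'DODownloadMode' -PropertyType DWord `
        -Value $Mode -Force | Out-Null
}

# The two choices the article discusses:
#   turn peer-to-peer updates off entirely ...
Set-DODownloadModePolicy -Mode 0
#   ... or allow peers only on the local area network (repeat on every PC on that LAN)
# Set-DODownloadModePolicy -Mode 1

$current = Get-DODownloadModePolicy
if ($null -eq $current) { 'Download mode policy: not set (Settings page value applies)' }
else { "Download mode policy: $current" }

# Optional, on builds that ship the DeliveryOptimization module: show what the
# service has cached and how many bytes came from peers rather than Microsoft.
if (Get-Command Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue) {
    Get-DeliveryOptimizationStatus |
        Select-Object FileId, BytesFromPeers, BytesFromHttp, SourceURL |
        Format-Table -AutoSize
}
```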

Using Personal Equipment at Work

Mixing your home and work tech will compromise both. The simple answer is: Don't do it. Keep these worlds separate. Just ask Hillary Clinton how it worked out for her.

If you work from home, have your employer provide you the equipment to do so. If your employer provides you a phone, use it for work only and have your own personal phone for your personal use. (As an alternative to having two phones, I suggest you buy and pay for your own phone and have your employer reimburse you - but never give that phone to your employer's IT staff to "configure".)

Here are just a few reasons why.

  • Everything you do on your work equipment (computers, tablets, phones) is monitored and recorded somewhere. As soon as you attach a personal device to a work domain (even from home or a Starbucks), the work environment takes over, and that personal device is forever compromised unless you rebuild it. That means every email you send, document you write, picture you take, call you make, text you send, website you visit, etc. may be recorded and stored by your employer. 
  • There are usually no privacy protections against anything the folks who manage your work network can or cannot do with "work" equipment or equipment used for work. Read your employee manual.
  • Most of the IT staff at most employers are behind in tech, updates and knowledge. So their mistakes can infect your personal computing devices, should you attach them to the work environment.
  • When your employer enters any kind of litigation, ALL the information on any device connected to the network is typically recorded and archived during the period of litigation and sometimes for years afterwards.
  • In some cases, your employer may monitor your activity using software installed on your device, including keystrokes, audio and video.
  • Employers may be required by law to report any illegal activity they find on their network. "Who cares! I don't do anything illegal," you say. Perhaps. But when your 14-year-old son or daughter borrows your laptop or phone and engages in an exchange of naughty pictures with their friends on Snapchat or Kik or Tumblr, suddenly you are liable for kiddie porn, and all of this is being recorded by your employer.
  • Your employer is primarily concerned about protecting their intellectual property, and keeping you from stealing or losing it. They have no interest in your security or privacy.
  • If you write your next novel on your work laptop, you might be surprised to find that your employer owns the rights. Read your employee manual.

So keep these worlds apart. You'll be safer and more secure, and the IT folks at your employer will be much happier too.

Here's a list of all the references used in this article - Technology References.