Apple is trying, though I would be surprised if they actually manage to stop all fingerprinting on the first few tries. (I speak favorably about Apple in this area because this is a case where their business interests align with our privacy interests. Apple realized a while ago that they weren’t very good at hosted services and the related advertising business model; the pro-privacy stance is their way of differentiating themselves in the market.)
I feel this is a bit of a simplification of the issue of why people are not proactive about all of those things.
First, there is a huge tech awareness/skill barrier. You cannot teach this stuff to my mom. You also cannot set it up for people who don’t get it since a lot of the measures required are ongoing diligence (setting up new email addresses for each new user ID online). I’ll admit that I’m in the middle of the pack for tech skills. I’ll change browser settings, I use a VPN, I don’t tag people on social media and ask others to remove my tags when I’m alerted, I use 2FA for important logins, and have separated email accounts into categories (Family account, personal account, serious business account, regular shopping account, work account, associations account (church, PTO, sport clubs, etc), school account, and 3 different junk-spam accounts that I mostly don’t monitor at all). But some stuff like setting up your own domain and webhosting, setting up aliases and forwarders, etc… is beyond me.
Then there is also the scale of the issue. If you have a family of 5 each with email addresses for each of their activities, controlling the privacy settings of the 4 other individuals linked with you increases dramatically the workload of the information “gatekeeper”. You can educate all of them but if only one of them doesn’t care because it’s inconvenient, it’s a bit like the “castle is as strong as its weakest wall” issue.
Also there are direct costs (domain+webhosting, VPN) to the privacy protection and many people do not really gauge as directly the costs of NOT preserving their privacy. Plus there are opportunity costs as well to factor in which are even less obvious. Most of my (limited) inbox spam is actually stuff I somewhat requested for the occasional discount or promo that it’ll bring me that I wouldn’t know otherwise. It’s a bit like targeted credit card promo offers. Yes I can save my mailbox from those but now and then, there is a targeted promo that will benefit me that I wouldn’t be able to get if I did not allow them to send me those mailers.
Finally, the benefits are still pretty obscure to most people. If the worst that happens to them is being served somewhat relevant ads, many will be fine with it.
So for a lot of people, there are low-lying fruits that do not take much expertise or effort to set up. There are really few excuses for not taking those easy steps (aside from the completely tech inept maybe).
But beyond the simple steps, the benefits of extreme privacy settings are not an easy sell compared to the obvious cost in $, expertise, and effort of taking the extra steps. That’s why you don’t see 2FA being more widespread. Even for those people who know that 2FA is better, it’s either costly (using say YubiKeys) or simply it’s inconvenient to have to wait 10 sec for an SMS, then copy and paste that into your login, after you’ve entered login and password. And they just don’t see the benefits because not many have been very badly financially affected by identity theft (yet).
The fingerprinting info is very eye-opening.
I am unique. In all of my browsers. Terrible.
Great test here:
Middle of the pack? You are in the top 1-2% of people if you are using all those security measures.
I remember when you only needed an 8 character password to log in to a website. Now you need a 12 character password with an upper and lowercase letter, number, and punctuation mark plus a one-time-use nine digit code sent to you via e-mail or SMS. Tomorrow, you’ll need all that plus a signed letter from your great-great-grandmother and a stool sample. Where does it stop?
I was just looking at the financial websites I regularly log in to and absolutely zero offer the use of an open standard hard or soft token for 2FA. I bet a majority of us are carrying around a smartphone with a fingerprint scanner. Logging into a website today really should be just as easy as picking up your smartphone, but it isn’t.
So what are merchants, financial institutions, and their business partners doing to protect customer data besides having us jump through hoops? Hackers are not going to waste their time on us when it is so easy to hack into a database and grab sensitive data on multiple people at once. How do you prevent that?
Privacy and security require a trade-off between risk, convenience, and cost. I try to balance the importance, complexity, and cost when organizing the bullet points in the wiki.
True, so you just do what you can. Disabling IE in favor of Firefox (or Chrome) with ABP with ad and tracking filters is a must in my book.
Your practices are already very advanced, so I’m sure it’s not beyond your ability. It just may be unnecessarily complex. One advantage I just thought of for rolling your own or paying for email service is that it won’t expire as long as you keep paying. If you have 3 junk-spam accounts that you don’t monitor at some free provider, they could expire (6-9 months is common). Obviously it’s not important for junk, but if you have other accounts that you use as forwarders and never log in to them directly, it could be a problem.
Don’t forget the cost of sifting through and deleting / shredding spam. I find that the occasional discount/promo is not worth the time I’d spend looking at the rest. Also in my experience targeted offers are rarely better than other offers I can find online.
Funny, but the tech industry is aware of this problem (it probably affects everyone in the industry more than the general public). Hopefully it stops with hardware tokens like the YubiKey.
It’s a valid point, but I think fingerprint scanners aren’t that common, only present on the more expensive flagship phones. I have a small problem with biometric scanning in general. Cause, you know, the basic fingerprint scanner doesn’t check the finger temperature… (and AFAIK none can check the consciousness of the finger owner). Also fingerprint fingerprinting is worse than browser fingerprinting.
As others have said, you’re not anywhere near the middle of the pack. As for 2FA, it is far from perfect. Brian Krebs has written of several 2FA failures. They were generally high dollar accounts, and partially involved phone company employees, but I can see this becoming more common until the phone companies get a better handle on it.
You’d be amazed at how many people leave the default user/pass combo on their internet facing router. It is only because most routers don’t automatically enable external configuration that tons more of them aren’t compromised.
Those failures are with SMS or phone call-based 2FA (not to be confused with phone app-based 2FA). U2F-based 2FA using a YubiKey or other hardware key is not susceptible to that, and also eliminates phishing (other than some exotic WebUSB – yes, that’s apparently a thing now – nonsense in the past). OTP-based mobile authenticator apps are also not susceptible to mobile account takeovers (though if the authenticator app keys are backed up to Google, iCloud, etc., you would be vulnerable to a takeover of that account), but are susceptible to phishing (a phishing site can ask you to enter your current OTP for a site and then immediately use that, with your credentials, to log in to the real site).
I saw this on HN the other day. It’s a U2F authenticator app for iOS and Android that uses the Secure Enclave on iOS devices and Keystore on Android devices. I haven’t looked at it in any detail, so I have no opinion on its quality, but it looks interesting. And I am unfamiliar with Android Keystore but am completely confident in Apple’s Secure Enclave.
This would be a good place to ask – does anyone know of phone providers (whether mobile, VoIP, or landline) that seem to be more resilient to account takeovers than others? SIM swapping (for mobile), fraudulent port-outs, and fraudulent call forwarding are the obvious potential issues here. Krebs brought up Google Voice, since it relies on Google’s standard account authentication infrastructure (which supports U2F), but Google’s legendary lack of customer service would be concerning to me. (Though that’s also an advantage in a way: no CS = no CSRs to be social engineered.)
Thanks for the link. I had (blissfully?) missed this SIM-swap issue.
But, as was mentioned, most of the losses for customers were linked to cryptos, making it worth it for someone to do this. For the rest of us without millions in crypto wallets, it’s a bit less threatening since we’re less likely to become targets. And it should not be an obstacle to getting more people to adopt 2FA since the alternative is even less secure.
Plus, this is a bit early days for this vulnerability. I imagine that network providers will be adapting to the SIM-swap risk quickly especially if it starts costing them millions in lawsuits.
I’m pretty sure all of the major carriers have arbitration clauses now.
You’re absolutely right, and I should have mentioned it. If you feel comfortable putting those apps on your phone, it is certainly an added safety layer.
I just realized the federal freeze law uses the more restrictive 603(p) definition of CRA, not the broader 603(f) definition. I don’t know how I missed that distinction before, since it stuck out at me now.
603(f) is:
The term “consumer reporting agency” means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
603(p) is:
The term “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis” means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:
(1) Public record information.
(2) Credit account information from persons who furnish that information regularly and in the ordinary course of business.
This is the same definition used for FCRA fraud alerts. It narrows the CRAs that will have to provide security freezes even further. The major entities all will, but some entities that were covered by some or all state laws will no longer be covered:
- EWS already asserts that they are not covered under the narrower 603(p) definition. I don’t know enough about their activities to determine if this is likely to be a valid position.
- Entities like SageStream/IDA and ARS may have an argument that their reports are for fraud prevention and do not provide information about credit worthiness, standing, or capacity. However, SageStream reports can include account information, and ARS reports can include public record (bankruptcy) information. Presumably that kind of information would be for the purpose of credit analysis.
- LN has different reports and may have an argument that some of those, like CLUE (insurance claims), are not used for credit purposes.
- Work Number definitely sells their reports for evaluation of credit capacity (some CC issuers pull their reports for income verification). However, I don’t think they include public record information. They may have an argument here. If so, this would be the best example of the downside of the new law – an Equifax subsidiary (who we all know is so good at protecting our data) that was covered under at least some state laws in the past.
Any opinions on the Marriott / SPG breach?
IMO? Nothing is gonna happen to the affected customers. The hotel had been breached for four years, so if no specific crimes get linked with this breach, maybe the hackers haven’t or won’t use the information for the usual crimes, like ID or credit theft. Perhaps it was a state actor targeting specific individuals or just gathering intel.
As a consumer, just assume that any information you’ve ever shared with anyone (or any thing) is public. Concentrate on preventing anyone else from misusing your info. Unless someone decides to target you personally, such misuse usually involves a quick profit. Practice the bullet points in the wiki at your comfort level. I tried to organize them by importance and difficulty level – simplest and most important first. You can’t prevent such misuse entirely, but you can make it more difficult and less likely.
On an unrelated subject, I added the following to the wiki in the section about RFID/NFC cards:
“If you have a newer car with keyless entry or keyless ignition, same applies to your car remote – the signal can be boosted, and so can your car.”
Called it!
I just came across an article from last year that underscores the last point in the wiki about avoiding DNA testing:
I should repost this before Prime Day every year, because they keep selling those DNA kits at half price on Prime Day.
Good point! Not that anyone would ever be untruthful on life insurance questionnaires, but how would the long-term care or life insurance company find out if you’ve undergone a genetic test or not if it was a direct-to-consumer product?
Either way, it’d probably be worth going with a testing company that will let you delete the data from their servers after you’ve taken the test and they’ve sent you the results, even if they swear they’ll never sell your info to insurers or marketers. They could be compelled to provide it to law enforcement or get hacked, and this is really information you cannot dissociate from.
I’ve been curious to do genetic testing but I won’t do it for fear of not being able to get insurance.
I’d like to be able to get a kit from a store, pay cash, send it anonymously, and later retrieve the info online with the code from my box. Basically, I don’t ever want the info to be connected to me, but I’d like to have the info. Does anyone know if this option exists?