Random Observation/Comment #864: Clembot, please don’t steal my identity.
//Generated with ImageFX from labs.google/fx tool suite
Why this List?
Digital security is top of mind with all the phishing attempts, SIM swapping, and generative AI voice cloning out there. For me, every click on a link, every opened email, every password entered, and every application downloaded passes through a mental filter first. In the best case, malware on your machine is only borrowing your processing power. In the worst case, you get fully scammed and drained. Take security very seriously. This is longer than a list of 30 because it's all very important.
Account Security & Authentication
Use unique, randomly generated passwords - A password manager is highly recommended so you only need to memorize one long password and everything else can be randomly generated. You should also rotate those passwords every now and again, and immediately for any account named in a breach notification.
Adopt multifactor authentication (MFA) - Combine something you know (password) with something you have (device authenticator or hardware key) or something you are (biometric). Prefer an authenticator app or hardware key over SMS codes, since the SIM swapping mentioned above defeats SMS. Passkeys seem to be all the rage now. I think there's some convenience to facial recognition and fingerprints, but I always have backup methods.
Use passkeys where you can - They resist phishing because the private key stays on your device and the signature is bound to the real site's origin, so a lookalike site cannot reuse it, and there is no shared secret sitting on the service for an attacker to steal.
Don’t rely on security questions alone - Consider providing nonsensical answers to limit the guessability of these questions, and store those answers in your password manager so you can still recover the account.
Web & Email Hygiene
Double-check URLs before logging in - Ensure the domain matches exactly, since a page’s HTML/CSS and frontend are trivially copied. Read the domain right to left: paypal.com.example.net belongs to example.net, not to PayPal.
Don’t open suspicious email attachments - If unexpected, treat them as suspect. Most phishing campaigns just set the display name to match someone you know, so triple check the actual sending address. Even then, the sender’s account may itself have been hacked, so don't act on anything that pushes urgency. A friend or contact could have picked up a trojan that sends messages from their real address, so even a message from a known sender with an unexpected link can be suspicious.
Hover over links before clicking - The visible link text and the actual destination (the href) can be completely different, so inspect the true destination for any link. I’ve seen some clever pastes where the blue underlined link itself goes somewhere else completely.
Watch for too-good-to-be-true offers - Scams thrive on extraordinary claims and urgency. If you’re getting airdrops or a settlement payout from a lawsuit about a phone you happen to own, this also might be a phishing attempt.
Watch out for auto downloads or very familiar UIs - The sneaky ones mimic calendar invites, Google Docs sharing emails asking for permission, or DocuSign requests, and can get you with a couple of link clicks.
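The two link checks above (does the domain match exactly, and does the link’s true destination match what it shows) can be done mechanically over a page’s HTML, and the same pass surfaces the hidden auto-fill fields warned about under Data & Credential Protection below. The script here is an added example, not from the original post: it uses only Python’s standard library, the expected domain paypal.com is an assumption for illustration, and the HTML it inspects is a constructed phishing-style snippet whose homograph host is generated from a Cyrillic “а” (U+0430) rather than copied from any real attack.

```python
# Added example (not from the original post): inspect an HTML snippet the way a
# careful reader would before typing anything into it. Standard library only.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides a field while leaving it a normal, autofillable text input.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
# Field names browsers will happily autofill with personal data.
AUTOFILL_HINTS = ("email", "tel", "phone", "address", "street", "postal", "zip", "cc-", "card")
# Anchor text that claims to be a URL or bare domain.
URL_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL or bare domain; None if it has no host."""
    if "://" not in url:
        url = "https://" + url
    return urlparse(url).hostname


def is_on_domain(host, expected):
    """True only if host is `expected` or a real subdomain of it.
    'paypal.com.evil.example' ends with 'paypal.com' as text but not with '.paypal.com'."""
    return host == expected or host.endswith("." + expected)


def homograph_forms(host):
    """(ascii_form, unicode_form) of a hostname. Punycode labels (xn--...) are decoded so
    a Cyrillic letter masquerading as a Latin one becomes visible; the two forms differ
    exactly when the host contains non-ASCII characters."""
    try:
        ascii_form = host.encode("idna").decode("ascii")
        unicode_form = ascii_form.encode("ascii").decode("idna")
    except UnicodeError:
        return host, host
    return ascii_form, unicode_form


class PageInspector(HTMLParser):
    def __init__(self, expected_domain):
        super().__init__()
        self.expected = expected_domain
        self.findings = []  # tuples of (kind, *details)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "input":
            self._check_input(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_link(self, href, text):
        parsed = urlparse(href)
        host = parsed.hostname
        if not host:  # relative link, mailto:, etc.
            return
        if parsed.scheme != "https":
            self.findings.append(("insecure-scheme", href))
        ascii_host, unicode_host = homograph_forms(host)
        if ascii_host != unicode_host:
            self.findings.append(("homograph", ascii_host, unicode_host))
        if not is_on_domain(ascii_host, self.expected):
            self.findings.append(("offsite", ascii_host))
        # "Hover before clicking": the visible text names one host, the href goes elsewhere.
        if URL_LIKE.fullmatch(text):
            text_host = host_of(text)
            if text_host and text_host != ascii_host:
                self.findings.append(("text-mismatch", text_host, ascii_host))

    def _check_input(self, a):
        # type="hidden" inputs are never autofilled; the trick is an ordinary input hidden
        # by CSS or the `hidden` attribute, which autofill still populates.
        hidden = "hidden" in a or bool(HIDING_CSS.search(a.get("style") or ""))
        if not hidden or (a.get("type") or "text").lower() in ("hidden", "password", "submit"):
            return
        autocomplete = (a.get("autocomplete") or "").lower()
        name = (a.get("name") or a.get("id") or "").lower()
        if (autocomplete and autocomplete != "off") or any(h in name for h in AUTOFILL_HINTS):
            self.findings.append(("hidden-autofill", name, autocomplete))


def inspect_page(html, expected_domain):
    """All findings for `html`, judged against the domain we believe we are on."""
    inspector = PageInspector(expected_domain)
    inspector.feed(html)
    inspector.close()
    return inspector.findings


# Constructed sample: a fake "PayPal" page (assumed target domain paypal.com).
HOMOGRAPH_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")  # Cyrillic 'а'
SAMPLE_HTML = f"""
<p>Your account needs attention:
  <a href="https://www.paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p>
<p>Or use <a href="http://{HOMOGRAPH_HOST}/">our secure portal</a>,
  or <a href="https://www.paypal.com/myaccount">your account page</a>.</p>
<form method="post" action="https://www.paypal.com.account-verify.example/submit">
  <input type="email" name="email" autocomplete="email">
  <input type="password" name="password">
  <input type="text" name="address" autocomplete="street-address" style="position:absolute; left:-9999px">
  <input type="text" name="cc-number" autocomplete="cc-number" style="display:none">
  <input type="hidden" name="csrf" value="constructed">
</form>
"""

if __name__ == "__main__":
    for finding in inspect_page(SAMPLE_HTML, "paypal.com"):
        print(*finding)
```

Run against the sample, the third link (a real paypal.com subdomain over HTTPS) produces nothing, while the first two produce the offsite, text-mismatch, insecure-scheme and homograph findings and the two CSS-hidden inputs are flagged as auto-fill traps. The `is_on_domain` check deliberately tests for a leading dot so that string suffix tricks like `paypal.com.evil.example` fail.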
Device & Network Security
Regularly update software and firmware - Timely patches close known security holes. It might seem super nerdy, but sometimes the GitHub release notes are actually helpful to see what was patched.
Turn off NFC on your phone when not needed - This minimizes physical attack surfaces on your phone. We’re already always turning on location services so we can be tracked everywhere we go.
Use a VPN on untrusted networks (but also, don’t use VPNs) - On one hand, a VPN keeps your traffic encrypted on public Wi-Fi. On the other, it only moves the trust from the coffee shop’s network to the VPN provider, who can see everything you send through it; a handful of parent companies own many of the consumer VPN brands, and you cannot verify their logging and data-sale practices.
Don’t connect to Wi-Fi you can’t confirm - Unknown networks may be malicious honeypots, and the easiest lure is an airport or coffee shop network named after the place. I would rather just pay for international roaming.
Check permissions for mobile apps - Revoke unnecessary privileges. Be very wary of games that ask to connect to your Google account; if anything, use a temporary email address for games instead of tying all your accounts to one Google account.
Inspect browser extensions - Remove anything suspicious or unneeded; an extension with broad permissions can read and alter every page you visit. I used to use Honey all the time to get discounts and now I’ve stopped these altogether.
Create a dedicated device for critical tasks - A machine or old phone used only for banking or cryptocurrency management, with a separate email address that has never been typed into an online form, reduces exposure. Strictly speaking a device you bank from is online rather than air-gapped; the gain comes from isolating high-value accounts from everyday browsing, email, and games. If you’re super paranoid, you can make your default device the safe one and uninstall all your games and social networks from your main account - create a new one with your other phone to do that mindless scrolling and gaming.
Data & Credential Protection
Segment your email addresses - Use different emails for personal, professional, banking, retirement, newsletters, and the slew of other online services. I probably have a dozen email addresses used for different purposes. Make sure those backup email addresses also have backups, and that two accounts are never each other’s only recovery option. It’s a complicated web.
Limit what you store in the cloud - Keep sensitive data offline or encrypt it yourself before syncing. For cryptocurrency, that means keys in a cold wallet with an offline backup, not in a synced folder.
Disable browser auto-fill for forms and passwords - Let your password manager handle credential input, and only once it has matched the site’s domain. Be wary that a page can include fields hidden by CSS or pushed off-screen, so auto-filling what looks like a name and email form can also populate your mailing address, phone number, or card details without you seeing it.
Conduct a test - What if you lost access to your phone? Your email address? Your phone number? What if your social security number leaked? Would everything be compromised? Walk each account’s recovery path to its end and see where the chains cross.
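The “backups of backups” point and the “conduct a test” exercise above become concrete once you write down which account can reset which and let a few lines of code follow the chains. The script below is an added example, not from the original post: the account names and the recovery graph are constructed for illustration, and it assumes (pessimistically) that any single recovery channel is enough to get into an account.

```python
# Added example (not from the original post): model which account can reset which,
# then ask "what can an attacker do with X?" and "what do I lose for good if X is gone?".

# Constructed sample graph: account -> channels that can reset or recover it.
# Items with no channels are root factors you physically hold (or cannot replace).
RECOVERY = {
    "bank": ["main-email", "phone-number"],
    "retirement": ["main-email", "ssn"],
    "social": ["main-email"],
    "games": ["throwaway-email"],
    "main-email": ["backup-email", "phone-number"],
    "backup-email": ["main-email"],        # only recoverable through main-email: a loop
    "throwaway-email": [],
    "phone-number": ["carrier-account"],   # a replacement SIM is issued via the carrier
    "carrier-account": ["phone-number", "ssn"],
    "ssn": [],
}

# Same graph with printed recovery codes (kept in the safe) added to the main email.
FIXED = {**RECOVERY, "recovery-codes": [],
         "main-email": RECOVERY["main-email"] + ["recovery-codes"]}


def takeover_reach(recovery, seized):
    """Everything an attacker who controls `seized` can take over through reset flows,
    assuming any single recovery channel suffices (the pessimistic case)."""
    owned = set(seized)
    changed = True
    while changed:
        changed = False
        for account, channels in recovery.items():
            if account not in owned and any(c in owned for c in channels):
                owned.add(account)
                changed = True
    return owned - set(seized)


def recoverable_after_losing(recovery, lost):
    """Accounts you can still get back into if `lost` is gone for good and you start
    from scratch (new device, no saved passwords) with only the root factors you hold."""
    held = {acct for acct, channels in recovery.items() if not channels and acct not in lost}
    changed = True
    while changed:
        changed = False
        for account, channels in recovery.items():
            if account not in held and account not in lost and any(c in held for c in channels):
                held.add(account)
                changed = True
    return held


def unrecoverable_after_losing(recovery, lost):
    """Accounts stranded because every path back runs through `lost`, or through
    accounts that only back each other up."""
    return set(recovery) - set(lost) - recoverable_after_losing(recovery, lost)


def recovery_loops(recovery):
    """Pairs of accounts that are each other's recovery channel: lose one, lose both."""
    return sorted(
        (a, b)
        for a, channels in recovery.items()
        for b in channels
        if a in recovery.get(b, []) and a < b
    )


if __name__ == "__main__":
    print("SIM swap takes over:", sorted(takeover_reach(RECOVERY, {"phone-number"})))
    print("Phone number gone for good, stranded:",
          sorted(unrecoverable_after_losing(RECOVERY, {"phone-number"})))
    print("Same loss with recovery codes in the safe:",
          sorted(unrecoverable_after_losing(FIXED, {"phone-number"})))
    print("Mutual-backup loops:", recovery_loops(RECOVERY))
```

In the constructed graph a single SIM swap reaches the bank, both email accounts, the carrier account, the retirement account, and the social account, and losing the phone number for good strands the bank and both emails because the two mailboxes only back each other up. Adding one offline root factor (printed recovery codes) to the main email removes every stranded account without widening what an attacker can reach, which is the kind of result the “conduct a test” exercise is meant to surface.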
Personal Data & Privacy
Limit personal details on social media - Oversharing fuels targeted attacks. Just be anonymous, or make sure your privacy settings are all private. There’s really no need for your kids’ photos to be indexed by Google search.
Protect your phone number - Don’t hand it out indiscriminately. If you’re paranoid, create a Google Voice number that you can use for temporary sign-ups.
Keep your main email address secret - Publicize only secondary addresses. If everyone already has your email address, then create a new one that doesn’t sign up to anything. Don’t set it as the recovery address of your public Gmail account, which would link the two. Make sure it receives emails and occasionally sends a message so the account doesn’t get deleted for inactivity. You can receive pinging emails by signing up to your own newsletter.
Use unique usernames - Don’t give attackers a trail across platforms. Let’s face it, you’re not a public personality. Only 5 people will like your Facebook photos. This is a message to myself.
Physical & Offline Measures
Physically secure devices - Use strong device passwords and full-disk encryption where needed.
Secure your router - Change the default admin credentials, use WPA2 or WPA3 with a long passphrase, and keep the firmware updated.
Make sure you have an RFID/NFC-shielding wallet - Shield contactless credit cards from skimming attacks.
Shred or destroy sensitive documents - Prevent dumpster-diving identity theft. This does seem a little outdated now that we have all these porch pirates.
If you have the means, get a fireproof and waterproof safe - Store important documents like wills and trusts in it, with clear instructions.
Don't plug any random USB keys into your computer - It’s not going to be a digital prize. It may carry malware, or it may pose as a keyboard and type commands the moment it’s plugged in.
If you're super paranoid, don't even use public USB charging ports - A USB port carries data as well as power, so charge a power bank from the wall, then charge your phone from the power bank with your own cable (or use a charge-only cable).
Social Engineering & Human Factors
Be skeptical of unsolicited tech support calls - Verify the caller’s legitimacy by hanging up and calling back on a number you looked up yourself. Even after you’ve verified, don’t share passwords or one-time codes with anyone who called you.
Due to voice-based scams, create a secret verbal phrase with your family - A code word can confirm identities. Just have a conversation about these types of scams so you can come up with your own ways of confirming identities.
Don’t fall for urgency-based phishing - Recognize and resist panic-driven requests. I heard of a scam where the attacker calls you from a spoofed phone number and says they physically have your significant other, with convincing screaming noises. Even in this case, it’s better to be calm and call the person yourself. We’re not in a movie.
Learn to spot deep fakes - Just because you can see and hear something doesn't mean it's true. To be honest, I don’t know what real is anymore.
Learn critical thinking and literacy - Question sources, cross-check facts, and check whether claims are backed up by independent journalism. This one is tough.
Verification & Encryption
Use encrypted messaging for sensitive communications - SMS is readable by the carriers and by anyone who intercepts it, so use an end-to-end encrypted messenger for anything sensitive. I have usually suggested Signal.
Check for HTTPS - Only enter personal data on encrypted connections. But HTTPS only means the connection to that site is encrypted; phishing sites get valid certificates too, so the padlock says nothing about who owns the domain.
Continuous Vigilance
Backup your data regularly - Offline, encrypted backups protect against ransomware or hardware failures.
Stay informed about emerging threats - Knowledge helps you adapt defenses.
Periodically clean up old accounts - Dormant profiles are backdoors waiting to be exploited.
Test your operational security occasionally - Run anti-malware scans and spot-check privacy settings.
Don't share all your methodology and secrets - If it works for you, sometimes it’s better to be safe than recognized.
~See Lemons Secure Accounts