Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/12/bad_consumer_se.html
There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice:
1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in a Virtual Private Network account, but remember, the bad guys are very smart, so by the time this column runs, they may have figured out a way to hack into a VPN.
I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice? I think twice about accessing my online bank account from a pubic Wi-Fi network, and I do use a VPN regularly. But I can’t imagine offering this as advice to the general public.
2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today! Go to www.SSA.gov.
This is actually good advice. Brian Krebs calls it planting a flag, and it’s basically claiming your own identity before some fraudster does it for you. But why limit it to the Social Security Administration? Do it for the IRS and the USPS. And while you’re at it, do it for your mobile phone provider and your Internet service provider.
3. Add multifactor verifications to ALL online accounts offering this additional layer of protection, including mobile and cable accounts. (Note: Have the codes sent to your email, as SIM card “swapping” is becoming a huge, and thus far unstoppable, security problem.)
Yes. Two-factor authentication is important, and I use it on some of my more important online accounts. But I don’t have it installed on everything. And I’m not sure why having the codes sent to your e-mail helps defend against SIM-card swapping; I’m sure you get your e-mail on your phone like everyone else. (Here’s some better advice about that.)
4. Create hard-to-crack 12-character passwords. NOT your mother’s maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a “pass-phrase” as your answer to account security questions such as “Youllneverguessmybrotherinlawsmiddlename.”
I’m a big fan of random impossible-to-remember passwords, and nonsense answers to secret questions. It would be great if she suggested a password manager to remember them all.
5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months.
Yes to the first part. No, no no — a thousand times no — to the second.
6. To prevent “new account fraud” (i.e., someone trying to open an account using your date of birth and Social Security number), place a security freeze on all three national credit bureaus (Equifax, Experian and TransUnion). There is no charge for this service.
I am a fan of security freezes.
7. Never plug your devices (mobile phone, tablet and/or laptop) into an electrical outlet in an airport. Doing so will make you more susceptible to being hacked. Instead, travel with an external battery charger to keep your devices charged.
Seriously? Yes, I’ve read the articles about hacked charging stations, but I wouldn’t think twice about using a wall jack at an airport. If you’re really worried, buy a USB condom.