As a young and idealistic researcher, one of the most painful lessons for me to learn was this: In real life, not everyone is able to follow best-case security recommendations.
This is especially true for the 46.5 million people in the US living under the poverty line. For many of them, even getting Web access means using open and insecure wireless networks and logging in with shared computers in public libraries. Americans applying for government assistance often have to reveal sensitive personal data on websites that aren’t well protected.
Those of us who are called upon to give out security advice should consider times when our recommendations are simply unrealistic, such as:
“Use credit cards instead of debit cards”
Credit cards offer an added layer of protection against fraud, in that they link to a line of credit rather than directly to funds. Those who don’t qualify for a credit card may only have access to a bank card or Electronic Benefit Transfer (EBT) card. When this is the case, it makes theft, fraud, and breaches a potential nightmare. Since there is no law requiring speedy refunds in case of fraud, EBT cards have even less protection than debit cards.
“If in doubt, ask for a replacement card”
If you have a credit card, requesting a replacement in case of suspected theft, fraud or a breach might mean switching to a different method of payment for a while. People without a secondary payment card may not have a backup; requesting a replacement may disable all access to funds for several days at minimum, leaving them stranded in an emergency.
“Do not disclose too much information online”
Having options allows you to be choosy: What information will you disclose? What sites will you use, and which will you avoid? People requesting government assistance often do so as a last resort. As part of the application process for public assistance, people are required to give a significant amount of personal information that is often stored or entered online. And those sites may not be adequately protected against attack.
“Don’t use public machines/public WiFi”
The great irony of government assistance programs increasingly depending on online access is that many of the people who receive assistance may not have safe access to the Internet. If you can be selective about what machines you use and how you connect them to the Internet, you can decrease your risk of eavesdropping. If not, you can’t know the intentions of those who’ve shared that computer or network.
“Install security software and encrypt your data”
If you use only your own devices to get online, you can protect your sensitive data and scan your machine for suspicious code. But that may not be a realistic expectation. If you can’t control your computing environment, you can’t be entirely sure of its integrity. This leaves data at risk.
Despite the added difficulty for people in challenging financial situations, however, there are still things that can help:
Choose strong passwords, utilize two-factor authentication
So much of online security relies on the strength of our passwords. If you have fewer alternate means of protection, this is even more important. Choose a strong password that is different for each site you use, and do not share it with others. On any accounts where it’s available, add another factor of authentication to your login process: This is as simple as enabling the site to send a one-time passcode to your email or mobile phone.
Change your passwords regularly
Those who have to use public computers or networks are at greater risk of password theft. Changing your password often limits the amount of time an attacker has access to your account.
Avoid pirated software
When funds are tight, there may be a temptation to avoid paying for software. Unfortunately, criminals know this, and will often disguise malware as popular apps. These days there are free or low-cost alternatives for most types of software. A few minutes spent researching can save hours of costly repairs.
Monitor your accounts/credit report
Many online accounts now provide a way for you to see who is logged into your account, and where they’re located. You can also receive notifications of all login attempts. Check sites’ security settings to see if these options are available, and disable any login instances that seem unfamiliar. It is also important to regularly check your financial accounts and credit reports for unexpected transactions.
Weak security affects more than just the individual or company who is initially targeted. As we saw with the Home Depot and Target breaches, the expense of replacing affected cards was borne by their customers’ banks. This cost then gets passed on to banks’ other customers, too. Likewise, fraud against individuals can potentially cost financial institutions money, which they are likely to recoup by passing the costs on to other customers.
When any one of us is compelled to compromise his or her security, there is a cost to all of us.
Lysa Myers began her security career in malware research in the days before the Melissa virus outbreak in 1999. Because keeping up with all that change can be difficult, as a security researcher at ESET, she aims to provide practical analysis of security trends and events for companies and consumers alike. Follow her @LysaMyers.