look into activating 2-factor/multi-factor authentication where you can.
I use a password manager to generate strong passwords and NEVER repeat passwords.
you could consider an ad-blocker and vpn for internet surfing.
if you are in the US, also consider a one-time credit card number creator (like Privacy) to protect your online shopping and payments.
posted by alchemist at 10:49 PM on June 18, 2023 [7 favorites]

Best and simplest things to do are:

-Use an ad blocker in your everyday browsing
-Use a password manager to store your passwords and generate random ones when you need them
-Turn on two-factor authentication on any service that allows it and get an authenticator app
-Pick and pay once for a service like Privacy Bee or Optery, which find and opt you out of data brokers (you don't need an ongoing subscription really, just let them do one big sweep)

Doing this will make you a harder target than a lot of people out there and it proactively stops a lot of tracking.

When it comes to some stuff, you don't have much leverage. If you search for air conditioners, any social media you use will immediately show you ads for those because all that data is being shared behind the scenes.

But I do recommend going into the settings for the apps you use the most and finding the security or privacy settings, and just looking through them. Usually there's some kind of opt out setting. For instance if you go to Google's privacy settings, there are options to "pause" various collection and retention practices. I've left them off for years with no problems and I still feel like Google remembers too much!
posted by BlackLeotardFront at 10:51 PM on June 18, 2023 [4 favorites]

It's important to understand what you are defending against (the “threat model”) so you can use defenses correctly and spot potential problems before they happen. Here are some of the most common current threats you should be aware of, and corresponding defense.

1. Phishing. The attacker tricks you into giving them your password, credit card number, two-factor authentication codes, or other private information. Typically they send you an email or text message with a link to a malicious website made to look like a legitimate website, so you will type your credentials into it. Phishing has gotten more sophisticated recently. Attackers send targeted emails or texts that appear to be from a boss, co-worker, friend, or relative. They run call centers so they can trick you into talking to them on the phone, not just on the web.

One defense is using hardware tokens like Yubikeys or phone-based “passkeys” for important accounts. These devices talk to the website directly. Unlike passwords or text-message 2-factor authentication, there's no way for you to type credentials into the wrong site or give them up over the phone.

Another, possibly more-important defense is to be aware of such scams, and suspicious of any message asking you to enter passwords or personal information somewhere, especially a message that is trying to create a sense of extreme urgency. (Your boss is on a deadline and can’t log in to the server! Your cousin is on a road trip and needs a tow truck!)

2. Credential stuffing. The attacker gets a list of usernames and passwords that were leaked from one compromised service, and tries using them to log in to other services. The main defense is to use different random passwords for every service, and use a password manager to keep track of them. The password manager built in to your web browser or operating system is a fine choice if it meets your needs.

3. Mobile payment scams. The attacker tricks you into sending them money through a mobile payment app like Zelle or Venmo. They may do this by sending you money “accidentally” and asking you to send it back. Like phishing scams, the request may appear to come from a friend or relative. After you send the money, the original “accidental” payment gets reversed or stopped, leaving you with nothing. You should always contact your bank if someone claims any sort of accidental payment or other mishap with electronic payments. Never try to handle a “refund” by yourself.

Mobile payment apps are also a target for someone with physical access to your phone. Don’t give strangers your unlocked phone, even if you in a singles bar trying to get their phone number. Use biometric security on your phone. Don’t unlock your phone with a PIN or passcode in public where others might see it.
posted by mbrubeck at 11:12 PM on June 18, 2023 [7 favorites]

Good tips so far. I’d add using a separate browser (or at least container) for separate tasks, e.g. banking in chrome, social media in firefox and then keep that, so no logging into a service on the “wrong” browser. This should help isolate these areas and e.g. prevent a social-media phishing attack from taking advantage of an ongoing online banking session.

I’d also make sure to have good backup (generally, but also in case of ransomware) and to not postpone security updates, even though they can be inconvenient.
posted by meijusa at 6:26 AM on June 19, 2023 [1 favorite]

Multi-factor authentication is probably the most important thing. Basically, even if the password is leaked, the bad actors still can't get in, because they can't access your other authentication method. And try not to use email or SMS as your other factor. Use an independent method like FIDO device like YubiKey or One-time code generators such as Google Authenticator. Those work OFFLINE and requires no connection to Internet to work, so they can't be intercepted and decoded.

If you can, do NOT allow websites to "save" your credentials. This is more important if you are famous, probably way overkill for normal users. But basically, websites that "save" your credentials store a "cookie" in your browser "Yeah, we checked him before, he's good" which bad actors have been stealing lately. Linus Tech Tips Youtube Channel was recently hacked this way, when one of their junior employees or contractors opened a malware attachment, which stole EVERY cookie stored in the browser (among other things) and one of them allowed them access into LTT's youtube admin credentials, which allowed them to basically erase the entire LTT youtube channel and uploaded some deepfake Elon Musk crypto talk. LTT had to contact Youtube to get the channel restored.

Which also leads into next tip: practice proper "cyber hygiene" :D Never open attachments, even if they "appear" to come from legit sources, unless you've been told to expect one.
posted by kschang at 7:27 AM on June 19, 2023

Some other ideas:

1) Warn your family members in advance about common scams - and particularly how anyone trying to make you do something _right now_ is probably a scammer

2) Check that you don't have unduly sensitive material in online accounts. Search your GMail / Google Drive or equivalent for anything you would especially not want copied if the account was compromised and store it offline/encrypted

3) You may want to tell the credit reporting agencies to freeze your credit report to make it harder for a fraudster to borrow in your name

4) Make sure you have different passwords for every site. For the unimportant ones, store them in a password manager, a file on your computer, or a piece of paper. Every important account should have multi-factor authentication enabled as well

5) Consider running firewall software which will only allow approved programs to access the internet

6) Run an adblocker, and consider setting up network level ad blocking with something like a Raspberry Pi Hole

7) Remember that you need to keep all your software up to date: operating system, browser, plugins, etc. Any outdated software can make your whole machine vulnerable. If you don't need/use software, remove it

8) Consider putting a band-aid on your computer's camera. The non-adhesive gauze pad will keep adhesive off the lens for when you do want to use it.
posted by sindark at 9:22 AM on June 19, 2023

it's important to understand what you are defending against (the “threat model”) so you can use defenses correctly and spot potential problems before they happen.

Yes. As with many things, there is no perfect privacy if you're online, only better privacy. So some of this is knowing what is going to work within the way you use technology (i.e. some pro-privacy options can be time consuming and so sometimes people just skip those steps entirely which can be worse).

It's also important to know what you're concerned about because you'd do different things if you wanted to make sure things were, for example, safe from family members or roommates (strong passwords on devices so snoopers can't get at them) than safe from unknown internet hackers (phishing and other scam awareness). People have given you good advice, I'll second or add a few things.

- Two-factor authentication, preferably using an authenticator tool, is a good idea to have on any accounts that handle sensitive anything. And not reusing initial passwords. I use Google Authenticator because it's simple, there are others.
- One thing I haven't seen people mention is checking your mail and your email regularly to make sure nothing is getting misused (i.e. some odd email that is from your bank saying there's been a charge on your credit card -- don't click that link, but check it out by going to your bank's website or app just to be sure). Check your credit card/bank statements when they come out and look into charges you don't recognize.
- There are a lot of browser add-ons you can get. Ad Block Plus (better than Ad Block, imo) for Safari on desktop and mobile.Privacy Badger for non-Safari browsers (I like Firefox because I can load it up with add-ons but these do come with their own risks). I really like Firefox Containers (no Safari equivalent I don't think)
- Do backups, do updates. Understand that social engineering is at the heart of a lot of scams so be aware of how they're likely to work and if you're not super tech savvy, check in with a friend if you have concerns about things.
posted by jessamyn at 2:09 PM on June 19, 2023