Email, online banking, and social media security
This page covers securing your email, online banking, and social media accounts. If you want to communicate one-to-one with someone, use Signal rather than email.
As described on the Secure digital communication page, ProtonMail is an email service with encryption features that most other email providers lack. If you cannot use ProtonMail, consider the messenger Signal for sensitive conversations.
Many emails contain images that are hosted on remote servers rather than inside the message. When you open such an email, your email client fetches these images from those servers, and whoever controls them can often determine:
- when, and how many times, you opened the emails containing their images.
- your IP address, which can be used to approximate your physical location at the moment you opened the email.
- some basic information about your email client and computer.
In July 2019, the email client Superhuman was widely criticized for sending emails with tracking images that could expose the above information about the recipient. Such tracking images are a common feature of email-sending software used by businesses, and by attackers. Most email clients let you block remote images by default; turn that setting on if it is available.
If you click a link in an email, the website behind it learns your IP address, which can reveal your approximate location. It may also learn basic information about your browser and computer that can be used to recognize you and de-anonymize you later.
If you receive an email with a link to a website you regularly visit, such as your bank, do not click the link: it may lead to an imposter website that looks like the real one. Instead, open the site from a bookmark you saved earlier, or type the URL carefully and check it before you log in.
Many attachments, such as PDFs and Microsoft Office documents, can carry macros, scripts or exploit code that installs malware on your computer when the file is opened. Avoid opening attachments you were not expecting, and confirm unexpected ones with the sender over another channel. This rule is hard to follow because many activists have to open attachments as part of their work, but always recognize the risk.
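The two email risks described above, remote tracking images and links whose visible text does not match their real destination, can be checked mechanically before you open or click anything. The following is an added example, not code from the original page: it parses a constructed HTML email body (all host names in it are invented) with Python's standard library, flags remote images that look like open-tracking beacons, and flags links that display a trusted bank URL while pointing somewhere else. The trusted-host list stands in for the bookmarks the text recommends; it is an assumption for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of an HTML email body (not a real message). The hosts
# examplebank.com, track.example and login-verify.example are made up.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi Alex, your statement is ready.</p>
<p><a href="https://examplebank.com.login-verify.example/auth">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<img src="https://track.example/open?u=8f3c1a9e&amp;m=4421" width="1" height="1" style="display:none">
<img src="https://www.examplebank.com/static/logo.png" width="120" height="40">
<img src="cid:logo-inline">
</body></html>
"""

# Assumption for the example: the domains you have bookmarked for your bank.
TRUSTED_HOSTS = ("examplebank.com",)


class EmailHtmlAuditor(HTMLParser):
    """Collects <img> sources and <a> links (with their visible text) from an email body."""

    def __init__(self):
        super().__init__()
        self.images = []   # (src, width, height)
        self.links = []    # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' for schemes without one (cid:, mailto:, data:)."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only for a trusted domain or a subdomain of it. The match is anchored at the
    right-hand end of the host name, so the lookalike examplebank.com.login-verify.example
    does not pass even though it starts with the bank's name."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_tracking_images(images):
    """Remote images that look like open-tracking beacons: invisible (0 or 1 pixel) or
    carrying a query string, which is where a per-recipient token usually lives."""
    hits = []
    for src, width, height in images:
        parts = urlparse(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid:/data: images ship inside the message and do not phone home
        tiny = width in ("0", "1") or height in ("0", "1")
        if tiny or parse_qs(parts.query):
            hits.append(src)
    return hits


def find_deceptive_links(links, trusted=TRUSTED_HOSTS):
    """Links whose visible text shows a trusted URL but whose real target is elsewhere."""
    hits = []
    for href, text in links:
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and is_trusted(shown, trusted) and not is_trusted(host_of(href), trusted):
            hits.append((text, href))
    return hits


def audit_email_html(html, trusted=TRUSTED_HOSTS):
    """Parse an HTML email body and return the suspicious images and links found in it."""
    auditor = EmailHtmlAuditor()
    auditor.feed(html)
    auditor.close()
    return {
        "tracking_images": find_tracking_images(auditor.images),
        "deceptive_links": find_deceptive_links(auditor.links, trusted),
    }


if __name__ == "__main__":
    for kind, findings in audit_email_html(SAMPLE_EMAIL_HTML).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

On the sample, the 1x1 image with a per-recipient token is reported and the bank's logo is not, and the statement link is reported because its visible text names the bank while its href goes to a lookalike domain. The suffix-anchored `is_trusted` check is the important detail: a naive "contains the bank's name" test would accept the imposter host.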
Two-factor authentication (2FA) is an additional security measure that protects access to an Internet account even when your password has been stolen.
Your password is the first factor that identifies you; the second factor is typically proof that you possess a specific device or account. The second factor is usually a time-limited code:
- generated by an authenticator app on your phone (see below).
- sent to you via email or SMS. (Avoid this if you can. See below.)
Two-factor authentication makes it much harder for an attacker to hijack one of your online accounts. It is an important part of staying safe online.
Many websites send the time-sensitive two-factor code by text message (SMS). This is a security risk, because attackers can take over your phone number through SIM-swapping (also called SIM-hijacking) attacks and then receive your codes. Avoid SMS 2FA unless it is the only type of 2FA the website offers.
Sometimes an attacker succeeds in obtaining or resetting your password, but they need your time-sensitive two-factor authentication code to log in. Some attackers get this code simply by contacting you while pretending to be someone else (such as your IT department) and asking for the code so they can log in.
To avoid being fooled, never give your two-factor codes to anybody.
People commonly use an app like Google Authenticator or Authy to generate 2FA codes. If the secrets that generate these codes exist on only one device, you risk being locked out of your accounts if something happens to that device. Keep that in mind if you bring your phone to protests, where it may be lost, damaged or confiscated.
Authy lets you create encrypted backups of your 2FA secrets (the seeds from which the codes are generated) on its servers. The password manager 1Password offers the same.
1Password is a tool that securely stores your passwords so that you do not have to remember all of them. Instead, you only have to remember a master password used to lock your 1Password installation.
For ease of use, 1Password can sync your passwords through its cloud service. However, if your threat model includes your government, it may be more prudent to use 1Password without cloud syncing. If you do this, make sure to take your own backups so that losing one device does not lose all of your passwords.
1Password can also store your two-factor authentication secrets and generate the codes. This makes two-factor authentication a lot easier to use, but it also means that anybody who compromises your 1Password vault gets both factors at once and therefore complete control of all of your accounts.
When you register an account on a website, it may ask you to choose security questions to answer in case you forget your password or get locked out of your account.
Never use security questions based on your real-life biography, such as your birthday, the name of your hometown, your mother's maiden name, and so forth because:
- Biographical information about you may be available on social media or Internet websites.
- Some adversaries, like an abusive partner or family member, may know the answers to these security questions.
- Once people know biographical information about you, it is hard to change it. Everybody can change a password, but nobody can change their birthplace.
Instead, pick arbitrary security questions and give them password-like answers. For example, select "What is your hometown?" as a security question and type in random words like "correct horse battery staple" as the answer. Store these answers in your password manager alongside the account's password, since you will not remember them otherwise.
The answers to your security questions should be pronounceable over the phone, in case you need to validate your identity to customer support. However, only give these answers when you have made an outgoing call to the website's published customer support number. Never give them to somebody who calls you, because you may be speaking to an attacker.