by Michael Werneburg
The New York Times recently ran a piece with practical information about protecting your online life. I thought I'd add a couple of suggestions.
The following comes from having lived through several credit card compromises, having my pocket picked, having my identity stolen, and having been in a website data breach.
I use a credit card for all of my day-to-day purchases, online and in-person.
I never use cash or a debit card. Cash has its place, especially if you're away from urban environments. But by and large it just adds drag to otherwise quick processes. And debit cards are directly linked to your bank account: you'd have to be insane to risk that sort of exposure when your debit card is compromised.
The other credit card stays at home, and is never used for online or in-person expenses. It's only used for recurring bills with large, established utilities, banks, vendors, and charities. The type that have controls in place for managing credit card data.
This way, when my day-to-day card is compromised (and this has happened three times) I don't have to go around changing my credit card details before my next scheduled payment.
I only give my birthdate to banks, my employer, and the government. Every website on Earth gets a lie. Why? They have a healthy disregard for keeping that information secret (e.g. crunchbase.com published the false birthdate I gave them) and it can be used against you. Think of the times when it's used to identify you on a phone call. I never take chances with the arbitrary agenda of someone like Crunchbase (or Facebook).
Small websites lack controls. I learned this the hard way, despite working in the field myself, when my name, SIN, birthdate, address, and phone number were leaked.
Now, this might not apply if you live in a police state. I don't, and spot ID checks don't exist where I live. So I've stopped carrying all forms of ID except a credit card.
This bit me in the ass once recently when I visited the headquarters of Amazon in Canada. They wanted photo ID to allow me to enter their offices. Personally, I find the idea of my ID being scanned and kept on file at some office unnecessary and prone to problems. They didn't, for instance, explain the process by which I could ask for that data to be destroyed. But the meeting happened in a room that didn't require that I provide the ID, and so my colleagues wound up handing their ID over to the care of Amazon forever.
And yet that is the only time this has been a problem. I've been taken to the hospital without my health insurance card without a problem. I've even encountered fisheries inspectors who were OK with an on-phone image of my fishing license.
Given the hell I've been through every time I've lost an ID card or was robbed by a pick-pocket, that one time at the Amazon office pales in comparison.
We've known for years that it's a bad idea to let the Internet know when you're going to be away from your home. Don't let the Internet or a mobile app know your regular travel habits. It's bad enough that random entities with unknown agendas will make use of that information, but it sounds like a great way of being compromised: stalked; robbed; defrauded; photographed; revealing affiliates and preferences; becoming entangled in unconnected lawsuits and/or police investigations; on and on.
As an example, I'll compare two versions of an app I have that tells me when the next bus is coming. The first is supported by awful but little ads that I ignore. It tells me the next bus arrival time at a glance, and is always current. Hooray! The next version insisted on knowing my location and accessing a long list of other data from my phone. It refused to let me know when the buses were coming without that data. Not knowing why the app's developers wanted that information, but knowing that that genie was never going back in the bottle, I uninstalled it and went back to the previous version.
When you create an account at a website, the '+' trick works to distinguish mail in future use. The trick is to add a '+' to the end of the name part of your address, like email@example.com. Email sent to that address will route properly. While it doesn't offer outright protection, it does offer the ability to know if they have leaked or sold your account details. It also offers the convenience of allowing you to track communications from that website in the future.
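One way to put the '+' tag to work for spotting a leaked or sold address, added here as an example and not part of the original post. The addresses, site names, function names and messages are constructed, and it assumes your mail provider delivers plus-tagged mail and that you tag each signup with the site's domain.

```python
from email import message_from_string
from email.utils import parseaddr

def make_alias(base_address, site):
    """Build local+tag@domain, using the site's domain as the tag."""
    local, domain = base_address.rsplit("@", 1)
    tag = "".join(c for c in site.lower() if c.isalnum() or c in "-.")
    return f"{local}+{tag}@{domain}"

def alias_tag(address):
    """Return the tag after '+' in the local part, or None if untagged."""
    local = address.rsplit("@", 1)[0]
    if "+" not in local:
        return None
    return local.split("+", 1)[1].lower()

def check_message(raw_message):
    """Compare the tag in To: with the sender's domain.

    Returns (tag, sender_domain, verdict). The From: header can be forged
    and sites often send through third-party mailers, so a mismatch is a
    prompt to look closer, not proof of a leak.
    """
    msg = message_from_string(raw_message)
    to_addr = parseaddr(msg.get("To", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    tag = alias_tag(to_addr)
    if tag is None:
        return (None, sender_domain, "untagged")
    if sender_domain == tag or sender_domain.endswith("." + tag):
        return (tag, sender_domain, "expected")
    return (tag, sender_domain, "leaked-or-sold")

# Constructed sample messages: one from the site the alias was given to,
# one from an unrelated sender using that alias, one to the plain address.
SAMPLES = [
    "From: Shop <news@mail.shop.example>\nTo: me+shop.example@example.com\nSubject: Your order\n\nbody",
    "From: Deals <offers@promo.example.net>\nTo: me+shop.example@example.com\nSubject: Win big\n\nbody",
    "From: Friend <pal@example.org>\nTo: me@example.com\nSubject: hi\n\nbody",
]

if __name__ == "__main__":
    print(make_alias("me@example.com", "shop.example"))
    for raw in SAMPLES:
        print(check_message(raw))
```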