editione1.0.0
Updated October 9, 2023There is value in impersonation. As an individual, a business owner, or a decision maker, your voice carries weight. You are the person who can authorize changes, information disclosures, and transactions.
The two most common types of attacks you might face would be requests to your staff to transfer money to an attacker’s account, or requests to your phone provider to transfer your SIM to another phone. Once your SIM is transferred to another phone, password resets or two-step login prompts would go to an attacker’s phone rather than yours. Such attacks are becoming more expensive as we rely on SMS for verification on logins when making large payments.
In the physical world, identity is established through government-issued documentation, such as driver’s licenses, passports, and birth certificates. In the online world, our identities are inferred in the email addresses, usernames, and communication channels we use and share with others—WhatsApp, WeChat, Facebook Messenger, Signal, the examples are endless. You build trust with friends, staff, and business contacts through regular interactions using these digital identities, and they may not second guess any favors or questions that seem to come from you.
There is also more traditional value in your identity that you have probably heard of. Attackers can use copies of your identity to commit fraud like opening loans or credit cards, and then going on a bit of a shopping spree. When the financial survivability of your business early on depends on credit, these types of events can be damaging.
danger Treat your email like your crown jewels. If you lose access to your email, it is catastrophic. Everyone knows you at this email address, it is what is used for most of your accounts (and their password reset functions). It would be a nightmare to try to change the emails across every account. (We’ll cover how to protect your email next.)
Back to the list you’re creating—add the things that represent you online and in the physical world. We will cover social and community profiles and the information you share openly with the public or private followers in the next section. For now, think through ways you may directly communicate with others (like email or messaging apps) or official identity documents.
exampleCommon scenarios:
Scenario: You have more than one personal email you use to sign up for different online accounts. Perhaps one is quite old and mostly forgotten. You also have one or more work email accounts.
Scenario: You have some important documents saved in your email account or cloud storage account, including copies of your passport, national identifier (like your social security card), and bank details.
Scenario: You use a variety of communication channels for talking to business contacts, staff, friends, and family. Some accounts are tied to your phone number (like WhatsApp and WeChat) or your social media accounts (like Facebook Messenger).
Your social profiles are a natural extension of your online identity. You use these to shout information out to the public masses, or to a private group of followers. A lot of these social networks have a key communication component, like Facebook Messenger, and are also a great source of other information about you.
Definition Passive information is information others can discover that does not directly have value or identify you, but can add more legitimacy or trust when someone is impersonating you or trying to get into your accounts.
danger Even if you have been safe about your passwords, there are a few old-school systems that still rely on knowledge-based questions and answers for resetting passwords. They may ask about things like the name of your high school or your mother’s maiden name. If these questions are easier to guess than your password, this can be used as an easy side entrance to valuable accounts.
danger Remember social accounts like Facebook, Twitter, Google, and LinkedIn can be used to log in to other services or websites. While this is a great idea—it lets these services and websites rely on the social network’s authentication process, and is one less password to manage for you—this also makes each social account all the more important because it becomes a multi-tool that can be used to access other accounts.
Your passive information can also have indirect value, and may help an attacker appear legitimate because they know things that only the real you may know. For example, if you are updating your social media accounts with photos of your glamorous overseas holiday, this passive information gives an attacker an opportunity to spoof your work email to ask for an urgent overseas payment to be made because you need to “replace your lost passport.” To your growing list, add the social accounts that you or your business rely on.
exampleCommon scenarios:
Scenario: You have multiple social accounts, perhaps even multiple accounts on the same platform. You have social accounts for your business. You manage these yourself or they may be managed by employees.
Scenario: You have social accounts for your business that are tied to your personal account (such as Facebook, Instagram, or Twitter). You use social accounts to log in to other websites.
Scenario: You have social accounts that you no longer use, but are still active. You have placeholder social accounts you set up to register for services in the past. You have not gone through to remove your information and shut them down.
One would hope it stops there. However, there are still more areas of passive information to cover! The next area to consider is not directly related to you, but is related to the group of people you likely trust most: your family.
When you receive messages or requests from family, you are likely to respond or act without much question. In the same way your employees may respond to a fake request from someone impersonating you to send money overseas, you may respond in the same way if your child, parent, or sibling makes a similar request.
Perhaps more likely is the lack of suspicion when asked to download an attachment. You might let your guard down if your dad asks you to check a document for him, or if your mom asks you if you want to check out her latest cruise photos in a zip folder.
The lists we went through already and made for you can also be helpful to make for your family. However, I know making these lists for them can be less fun than watching paint dry. At a minimum, add situations where you often interact with family digitally to your own list, as those would be your highest risk points.
exampleCommon scenarios:
Scenario: You communicate with family members via email, different communication tools, and social media networks. For some family members, digital communication is your primary source of communication and you don’t often see them in person or chat on the phone.
Looking at your list, it might feel daunting to get started on securing all these things. Now is an important time to learn about the 80% theory.
storyFirst, a confession: I used to be a perfectionist and completionist, and I also am a huge video game nerd. Every video game I started I would push to get 100% completion. My Pokédex in Pokémon Red was complete with 151 Pokémon. I found every Easter egg and secret ending there could be found. My goal in life was to finish level 255 in Pac-Man so I could experience the level 256 integer overflow glitch. When I started picking up more hobbies, my ability to complete games started becoming harder and harder.
Most of us probably know the experience of playing a game. You can play it from start to finish, and that represents roughly 80% of the game play. You can play again to finish up side quests and alternative paths to the ending and get closer to 100% completion, but it takes more or more time and investment the closer you get to 100%. You end up investing more time in that final sprint than you do playing the game for the first time from start to finish. And the value received is quite minimal at this point.