Why You Should Fear Cybercrime
You may listen to the video essay here.
This essay is a taste of my upcoming course, which to be honest you really need to be in on if you want to keep your money, your identity, and avoid being part of the growing statistic of cybercrime. Check it out at hackproofcourse.com
Have you ever fed an animal and then tried to take back that food you just gave? The animal will fight you off as if it was the owner of that food the entire time. This is because animals don’t have a sense of honoring what another possesses. They have no qualms about taking things from others. Animals don’t have morals; for them might makes right.
Theft is animalistic and we have failed to shed it off throughout human history. Even the idealistic philosophy of communism—which advocates for the abolish of private property—is the ultimate expression of ownership by a small few: history showed it to be the greatest theft of all. To be fair, the idea of what one owns legitimately has been contested. The aristocrats during medieval Europe could hardly be said to have earned all of their positions and goods, and thus why the Robin Hood figure of this era is celebrated. Today of course politicians distort these sensibilities and thus feed our covetous animalistic urges. People are told that the wealthy have taken their money and that particular races and sexes have been deprived of resources. It’s no surprise that books such as In Defense of Looting, which advocates for looting as a means of “redistribution,” are published unashamedly. It’s also no surprise that many hackers are anarcho-communistic, by and large targeting large corporations, who face the brunt of cyber attacks.
The interconnectedness of our animalistic tendencies in the digital age has made things worse. Think about this. Go to the website where you log in to your banking account. Or your WordPress website. Now realize that anyone in the world can visit that login page and try to guess your username and password. In some cases they can test this endlessly, 24/7 and 365 days a year, especially with some of the bots they create for specifically this purpose. You are under digital attack ceaselessly and you don’t even realize it.
It’s no wonder that cybercrime is so prevalent: by some estimates costing the world $10 trillion per year. The Internet you use to visit your favorite online shop—where you also store your credit card info—is the same Internet used by amoral and outright malicious people the world over. The anonymity of the Internet pushes people to crime who otherwise would never think about taking something from a physical shop. They sit in shabby apartments having some fun by visiting stolen credit card forums—a more popular pastime than you realize—or by sending out phishing emails to try to get someone to surrender their login credentials willingly. Cybercrime is pervasive and inevitable.
We haven’t even mentioned the new age of cyber attacks perpetuated by nation states. This is the new frontier of battle and you can be sure that governments are on top of it. Regular citizens and businesses are obviously fair game. Modern governments are the richest entities in world history with technology that most of us cannot even guess at. This power has been yielded to murder nearly 300 million people in the twentieth century alone: one of the most barbaric centuries in that regard that humans have ever known. The gun-wielding patriots who think that their AR-15s are going to hold off tyrannical governments haven’t considered that they have given these governments 50% of all the money created for the last hundred years. This money has been funneled into defense technologies. Governments have tremendous power—today they print their money—and they now leverage it in the form of cyber attacks.
Such state-level or pseudo-state technologies are also leveraged against regular people. ISIS is always looking for hacking opportunities—you can be sure that they will show no restraint—and they use the same Internet as you do. As does Al-Qaeda. Indeed, one famous Al-Qaeda figure has talked about the plan “to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud.” Al-Qaeda has funded many of their attacks from doing precisely that. China has been documented as having nearly half of all cyber attacks. The West of course are no saints, as Snowden and others have shown us. And we shouldn’t forget about supposedly backwater North Korea, which views the citizens of most nations as enemies. North Korea gets a significant stream of income from hacking and fraud by exploiting people and businesses the world over. Now your grandmother in Edmonton who refused to learn two-factor authentication from you will get her crypto retirement account compromised, lose $10,000, and fund 10 North Koreans being sent to death camps. Few of us appreciate enough to fear this interconnected world we live in.
Many of your valuables as a person are online somewhere. It might be the 95% of wealth that exists as digits on a screen. Maybe it’s your retirement account, your crypto account, or your medical insurance account. Perhaps it’s your kids photos on Dropbox. Or you NSFW photos that you trusted to iCloud. With access to a single email address a bad person can do tremendous damage. There was a famous bank robber who was once asked why he robbed banks. “Because that’s where the money is,” he answered. Many of the things we value are now online, and the cybercriminals are here with us.
The weak points in all of this are the companies and services that we trust. We don’t use the Internet raw. We trust third parties just to be able to access the Internet and then every step along the way. As Web 2.0 progressed it got to the point where we are now, with most websites relying on third parties. A website such as eBay is not self-sustaining. Instead it relies on dozens of other services to host pictures, arrange customer accounts, and process payment. These are often independent services with independent companies. All it takes is for one of these third parties to mess up for a cybercriminal to take action. And this happens often: we typically call them data breaches. Such breached information end up in the dark places of the Internet where they will be used either to attack you directly or for a follow-up attack once you have let your guard down months or years down the road.
So yes, there is an underappreciated sense of the threat people face by using the technology of the Internet. But there is also an over-appreciation of how inevitable this is. You can do a lot to prevent or lesson the cyberattacks you face: what I call striving to become “hackproof.” Whenever people say “privacy is dead” or “I expect to get hacked at some point” what they are really saying is that they lack the discipline to make improvements to greatly reduce the likelihood of this happening. Do not be this kind of person.
Let’s talk about what it means to be hackproof. When I say “proof” I mean moving in the direction of protection. It’s probably impossible to be 100% immune to cybercrime, but we can get close. The first step is to recognize what you are up against. Knowing something about how the Internet works and how the various branches of cybercrime work is half the battle.
The next step is to take stock of your exposure to the Internet. After that, you must start to organize your digital life and in the process return to your accounts to strength or delete them. From here, you can use many digital tools to boost your security. In the end, minimalism will be your main and greatest strength. That’s it in a nutshell. So let’s get into it.
We can break down cybercrime into three main components: hacking, fraud, and identity theft. Hacking means that some malicious actor has purposefully and specifically gotten access to your account or device. From here they can wreak havoc. Fraud means you have given away access to your account or device, albeit from someone who has tricked you to click or type something. Identity theft is a combination of these two with a much more pernicious result of ruining your identity in the eyes of the bizarre credit system that we have.
There are many variations on these themes. Ransomware for example, is either a hacking or a fraud where the bad actor gains access to important data on your own devices and then encrypts that data. He then threatens to delete it, expose it to the world, or keep it locked unless you pay him in Bitcoin. It’s a very tricky situation where prevention is worth a hundred pounds of cure.
And, as my guest from episode 50 Josh Summers said, a lot of the vulnerabilities out there exist from our own poor decisions. The things you post on Facebook and LinkedIn and Instagram are public knowledge. OSINT (open-source intelligence) practitioners have become quite skilled at finding out a lot of information about people from these repositories alone. They can quickly find out where many people live, what email addresses they commonly use, who their friends are, and whatever other things we expose recklessly on a daily basis.
So to boil it down: we’re attacked, tricked, or willingly give up our data.
Your main defense against cybercrime is to recognize the new paradigm of digital account access. What lies behind the password to your email account could easily be more valuable than the precious metals you keep in a safe at home. Why then have you not taken steps to protect your email account? For example, by selecting a zero-knowledge service provider as Protonmail, which means that the company itself does not have or store your login details. Or by segmenting your email accounts so that the email address you use to log in to financial accounts is not used by any other service you have. Or by setting up two-factor authentication for your account to increase the resilience of random attacks. The hackproof mindset respects the danger of the Internet, it takes time to understand vulnerabilities at the company level, the technological level, and the user level. And it takes steps to mitigate these issues and establish good habits, whatever the inconvenience.
Unfortunately, what I just described is advice rarely given out. And this is a primary reason for creating the course Hackproof. There are far too many articles talking about how in order to avoid hacking and scams one should “download an antivirus suite.” Seriously? Downloading a highly invasive piece of software to control your computer and that often has no bearing on the underlying behavior that caused the problem? Behavior is one of the main causes of cybercrime, so first you have to get your mind right. You can take shortcuts along the way. Using a Linux operating system is going to give you extra protection if you do slip up and download malware, for example. And learning how to verify software you download will also diminish your odds of using malicious software. Using a temporary debit card system like Revolut or Privacy.com and pausing the card after each purchase will protect you after you trust your card to an online merchant. Choosing an LLC in a state that does not reveal the owners can protect you if someone tried to go after you in that way. And having a separate device or at least a virtual machine that is used only for your business or for your financial accounts or crypto is a fairly simple and excellent method to mitigate cybercrime disasters. These are the kinds of things that are going to give you real value when it comes to not getting pwned.
Let’s move on to five basic concepts that are at the foundation of becoming hackproof.
Concept 1: Don’t make things worse.
If you find yourself in a hole, stop digging. That’s the most important thing anyone can do. To put it simply: the more data that you have out in the world and on the Internet, the more vulnerable you are. So stop contributing to it. Skip services that require accounts and look for free and open-source alternatives that often will not ask for anything. Use more offline software instead of online all-in-one suites. When you do have to give information, think if you can get away with fake data. Or use buffer data such as the alias email provider SimpleLogin.
Understand what you’re required to give out. Press “continue” to view the required text boxes. That applies to online and real life. For Americans, your Social Security Number is used for, well, social security, but also for taxation. It’s not meant to be used for anything else. So don’t go giving it out to anyone who asks. That includes your utility companies.
You don’t have to stand in front of every camera you come across, including at the checkout till. You don’t have to leave your device cameras uncovered. You don’t have to have Bluetooth running on a device just because it’s an option. Start thinking about all the ways you are leaking and cover them up.
When someone asks for something from you develop a thick skepticism to reject or demand to know why. You can reduce your online data leakage tremendously just by saying no more often.
The minimalist approach is the only true solution to the privacy and security onslaught that we face today. And notice that it is the total opposite of what a lot of people say; people who want you to add more software, or more companies that you’re trusting to protect you. We’re moving into a world where cars are computers, where microchips are being used inside of bodies, where more things are asking for biometrics as passwords. We rely on computers and the Internet for utilities, and infrastructure. We have all of these so-called Internet of Things devices that each have an IP address and thus each have vulnerabilities. Start seeking out dumb things and don’t support so-called smart technologies. We live in societies that are almost 50% free market: start recognizing that the things you purchase and sign up for encourage a company to do more of it.
Don’t add to the data that already exists. Don’t give out more. Don’t expose things that don’t need to be exposed. And start learning to say NO and do without.
Concept 2: Organize your digital life
So we have to give out information at some point, and we probably gave out a lot before we came to this realization. All of this data is floating around the Internet. And the Internet has a long, long memory.
Once you are serious about your digital life you start organizing. You download a password manager such as KeepassXC or Bitwarden and you start to think of every online account you have. And you slowly put them all into that password manager. As you go about it, you go into these accounts, change the password with a randomly-generated 40-character password, remove any unneeded personal data, and flat out delete them if you have no need for them. Remove all saved payment options. Sabotage them with fake information before you delete and especially if you can’t delete.
Once this is done you will feel much more in control. It’s a truly amazing feeling.
While you’re doing this you should also add two-factor authentication to any account that will allow it. We’ll discuss this in the next step.
The process I just described is simply one of the basics of being a human being today. If you’re not managing every account you possess, you’re driving a motorcycle without a helmet. You’re being foolish. And you deserve all of the cybercrime that is coming to you. Organize your accounts with a password manager, delete the unnecessary ones, add random long passwords, and add two-factor authentication. That is simply what you must do.
Concept 3: Two-Factor Authentication
Two-factor authentication or 2FA is at the vanguard of online protection. It’s really good and it makes your accounts much more hackproof.
Two-factor authentication demands you to have another piece of information besides your password and username. Passwords and usernames get stolen because they are part of that service’s system. So we want another factor required to log in that is not in control of that service.
This could be an SMS message, an email message, a physical device such as a Yubikey (which you plug into your computer), or a code from an authenticator app such as Authy or even Standard Notes.
Any of these is better than nothing. I tend to recommend people use an authenticator app because it is the most convenient, while not being as vulnerable as a phone number or email address.
Far more important than having the right app for 2FA is enabling it and using it exclusively as a login method. Go into all of your accounts and see if it will allow 2FA first of all. Some services don’t. Some only allow one kind of 2FA and not others. Unfortunately I find that the accounts that need 2FA most, such as banking, do not have serious 2FA options. One authenticator app I’m serious about right now is the one built-into Standard Notes. Standard Notes 2FA is great because it’s tied to your account and will not disappear if you get a new device. This is a danger of Authy.
But 2FA is a requirement for account creation now and fortunately it has the added benefit of making that service less suspicious about you logging in as a privacy-focused user. Regardless of what service you’re using, as soon as the account is created, you must go in and set up 2FA. In 2023 this is non-negotiable.
Concept 4: Learn proper disposal
A big source of identity theft arises from improper disposal of your sensitive data. Paper documents should stop arriving to your house and the ones that do arrive should be scanned, protected behind a Veracrypt folder, and shredded with a powerful micro-cut shredder. You should then burn the pieces if you can.
All paper documents in my house receive this treatment, including any labels on packages. No mercy. And of course you should be using a mail receiving agency that is away from your house to receive most of these things.
As regards digital data, you should give your old computers and hard drives a similar treatment. It’s not worth the risk of selling them. Either reuse them, or remove the storage drive and destroy it. Destroy it well.
Disposal also pertains to data about you online. Any hackproof program, including mine, requires a description of how to scrub your personal information on people search databases. Such information is a collection of our trust and stupidity in the digital age, and the methods for erasing it are straightforward provided you make it a priority.
Concept 5: Segregation
Interconnected systems are as vulnerable as they are convenient. Don’t connect your accounts and services unless you absolutely have to.
Any shopping account that has your active credit card is an interconnected system. You can mitigate this best with temporary debit cards as I’ve previously mentioned. Or with gift cards and cryptocurrency where it is accepted.
Remember that the moment you give your physical card to a waiter at a restaurant, or to a utility company, or to anyone else, you have given them the right to charge you at any time. And if someone compromises that company the hackers have that authority now as well. So use cash, use temporary cards, use prepaid cards, at least use contactless payment apps to avoid card skimming, and use discretion.
Segregation involves other aspects of your life. Be purposeful about the email accounts that you have and reserve a single email address for your most important accounts. Start to learn VirtualBox to have operating-system-level separation between your business and personal lives. If you get a new MacBook, set it up without using your previous email address: in fact, try to set it up without an email address at all. Such are the basics of a segregation lifestyle.
I hope you enjoyed this snapshot of my course hackproof. In the course we spend several hours going over the hackproof plan in a much more structured order, obviously. For your financial well-being and peace-of-mind I would encourage you to consider signing up at hackproofcourse.com. Your participation directly supports Watchman Privacy. I hope to see you there.
Yours in peace and privacy,
Gabriel Custodiet
https://watchmanprivacy.com/