Your OpSec is Your Problem


If you've been around the internet for as long as I have, you might have come across the incredibly annoying, and, quite frankly, weird phenomenon that is people not knowing their own email address.

You see, one of my email accounts is a Gmail account that I got back when Gmail was invite-only. It's a fairly simple email address: first name plus last initial @gmail.com. Easy. Or so I thought. I get emails from hundreds of services I never signed up for, invoices for products I never purchased, authentication codes to platforms I don't use, password reset links to websites in countries where they speak a language I do not speak, etc. I even set up a filter that moves variations of my username like first name dot last initial to a different folder. That filter is called "Idiots".

This weird preamble has a purpose. It serves to illustrate a fact that I wish people would spend a little more time considering: your digital operational security is not a super high-priority to many enterprises that collect and process your personal data. At times, it's quite the opposite. It's all fun and games when I receive an email from a restaurant in Florida (where I very much do not live) confirming a dinner reservation, and there's a big, fat "Cancel Reservation" link right there, but some matters are not so trivial and low stakes. I don't condone messing up other people's dinner plans, but, come on! Even if, and that's a big if, I don't cancel your dinner reservation, I know what you're doing Saturday night.

That's not just annoying, it is something that can turn an honest mistake into a nightmare. Imagine signing up for some app that collects information that can be used against you, typing the wrong email address, and realizing too late that someone's been impersonating you. Maybe you're part of a group that's at risk where you live. Maybe you're just a teenager, and your already confusing and overwhelming social life is derailed by some asshole who got a password reset link to one of your social media accounts? The horrible possibilities are endless.

And to think that a simple email with a "click here to confirm that you actually control this email address so we don't inadvertently give someone else access to your stuff, because it's really very easy to prevent that from happening. It takes one email and half a line of code from our end!" would have taken care of things.

It would be good practice to think about these things before you sign up, but it's hard to get that kind of information prior to creating your account. At least try to do a quick sanity check before you start volunteering your most critical information. There are some red flags to look for:

🚩 No confirmation email when you sign up.
🚩 "This username doesn't exist" errors anywhere.
🚩 Arbitrary password requirements.
🚩 Blocking paste on password fields.
🚩 No support for ANY kind of two-factor authentication.
🚩 No support for TOTP or FIDO2 hardware keys.

Some of the reasons behind red flag number one are given above. "This username doesn't exist" errors are bad because they can lead to user enumeration, and avoiding that is very easy.

💡
Enumeration happens when you can figure out whether a certain username is a valid one. For example, if I go to something.com, type myemail@email.biz in the login or reset password field, and get a "this username does not exist" message in return, then whenever I type another email and DON'T get that error, I know that this particular email is a valid one. With a valid username, you're just missing a password if multi-factor authentication is not enabled or available. What you want to see is something like "Either your username is invalid, or your password is wrong. I won't tell you which." when you mess up your login, and "If this account exists, we'll send you an email" when you try to reset a password.
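The enumeration-resistant login and password-reset responses the callout asks for, as an added example (Python, standard library only; this is not code from the post). The in-memory user store, the pbkdf2 parameters and the outbox list are constructed for the demo; in this app the username is the email address.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: email -> (salt, pbkdf2 hash). Demo only.
_USERS: dict[str, tuple[bytes, bytes]] = {}
# Constructed "mail queue" so the reset flow is observable without a mail server.
OUTBOX: list[str] = []
# Hypothetical work factor; real deployments tune this to their hardware.
_ITERATIONS = 100_000

LOGIN_FAILED = "Either your username is invalid, or your password is wrong."
RESET_SENT = "If this account exists, we'll send you an email."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[email] = (salt, _hash_password(password, salt))


# A fixed dummy record: a login for an unknown email still performs exactly one
# hash computation, so the response text AND the response time look the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login(email: str, password: str) -> tuple[bool, str]:
    """Return (ok, message); the message never says whether the account exists."""
    salt, stored = _USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest runs first and in constant time; the membership check only
    # guards against the (practically impossible) case of matching the dummy.
    ok = hmac.compare_digest(candidate, stored) and email in _USERS
    return (True, "Welcome.") if ok else (False, LOGIN_FAILED)


def request_password_reset(email: str) -> str:
    """Always return the same message; only queue a mail if the account exists."""
    if email in _USERS:
        OUTBOX.append(email)  # stand-in for sending the reset link by email
    return RESET_SENT
```

Whether the address exists only shows up in the mailbox of its owner, never in the HTTP response.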

Arbitrary password requirements make zero sense if you're storing passwords properly, and having those requirements in place might actually indicate that they do not store passwords properly. Not allowing your users to paste the passwords they just copied from their password manager is incredibly dumb because it disincentivizes people from using password managers. Not supporting multi-factor authentication is just lazy.

All of that is to say this: if low effort, bare minimum cybersecurity measures that are known to help the user's privacy and security are not implemented by that app or website or company or service, that app or website or company or service doesn't care about the user's privacy and cybersecurity. When you remove the "click here to confirm your email address" emails from the onboarding process, you're indicating that you care more about making the signup process as frictionless as possible, because you care more about numbers than privacy. Which, of course, is not surprising to anyone because the main challenge is to get you to sign up. After that, who cares?

Well, a lot of people do. Even if the government of the country where the most popular apps or websites or companies or services hail from gives very little of a damn about data protection and the privacy of the users. If they did, Spokeo wouldn't exist. Data brokers are a blight on society. Which brings me back to the title of this post: not a whole lot of people out there are looking out for you, so you need to take matters into your own hands. Be very discerning when signing up for new stuff online. Assume anything you post, upload, share, buy, read, and watch online is just bits of information that can be used against your best interests. Can you state for a fact that you know how many absurd EULAs you're bound to right now? Think about your most critical internet accounts, and act accordingly: if your bank doesn't support TOTP and/or FIDO2 keys, consider moving to a bank that does.

💡
Confused? TOTP (Time-based One-Time Passwords) are those numbers that change every 30 or 60 seconds that you get from apps like Authy, Google Authenticator, and Microsoft Authenticator. Some password managers like 1Password can do it all in one place: store your username and password, and handle the TOTP for you. FIDO2 keys are actual hardware you need to use to authenticate, the most famous example being YubiKeys.

On top of being selective and diligent when signing up for stuff, consider going the extra mile with your OpSec. Guides like this one and this one are super useful, even when you think it's all very overwhelming and you can't possibly do everything there. Still struggling? I'd be more than happy to personally help you. Just come over to our Discord (I know, I know...) server, and we'll figure it out. Stay safe.
