Unless you’ve been truly off the grid the past few weeks, you’ve heard about the hack of Ashley Madison, the website dedicated to making extramarital affairs as easy as online dating.
Are you one of those unlucky would-be Romeos whose account details on Ashley Madison are now bared to hackers, crooks, journalists, and security analysts?
Yes? Oops. Well, here are some suggestions for how to avoid this kind of stress in the future.
No? Whew! But that doesn’t mean you’re safe from future attacks of this kind, even if the sites you tend to spend your time on are more reputable.
So let’s take a look at some practical lessons from the Ashley Madison hack from a security and privacy perspective.
Morality is not the lesson
First, let’s talk about what should not be the lesson, at least from a security standpoint: Morality.
A lot of the snickering schadenfreude out there about Ashley Madison users getting their comeuppance through public shaming misses the point. This kind of attack could have happened to any special interest site on the Internet for any reason (and it does, as I’ll discuss shortly).
This time the attack was on (mostly) men that wanted to have an affair, and the attackers’ reported motive was the unscrupulous practices of Ashley Madison’s business policies, especially the company’s offer of “deletion” of account information for a fee, which apparently was a service that didn’t quite deliver on its promises.
But next time the attack will be on a completely different service with different users and for different reasons. These kinds of attacks happen all the time.
Don’t believe me? Let me give you a real-life personal example of a similar kind of attack on a more mainstream site. I have an account on Forbes.com, and I got notice from Forbes in February of last year that their site had been hacked and email addresses and hashed passwords had been downloaded. Why was Forbes.com a target? Well, turns out an organization called the Syrian Electronic Army took exception to articles about Syria and decided to get some payback.
Do you shop online? Zappos and Living Social have been victims of hacks in the past few years.
Are you a techie? Gawker/Gizmodo/Lifehacker were breached.
Are you a gamer? Sony’s PlayStation Network was hacked.
Do you have health insurance? Anthem was hit by an attack.
I’ll stop with the examples. You get the idea.
No one’s activity online is really safe, no matter what the areas of interest are.
So let’s get to some of the practical lessons from the Ashley Madison attack.
First lesson: Use multiple email accounts
These days, everyone who is active online should be using multiple email addresses.
You should have one email address for work, one for people and businesses you know and trust, and at least one address for everything else.
The reason should be obvious at this point. Email is a key to your privacy kingdom. If someone has access to a primary email account, even just knowing what the address is, they can often find out a lot about the person who has it.
Why is this a problem?
Some 15,000 government workers reportedly used their government email addresses to sign up for Ashley Madison. Many more used their business email accounts to sign up, and they are now facing the consequences of being exposed.
As an example, the executive director of the Louisiana GOP is trying to explain he was using Ashley Madison for “oppostion research.”
So you need to think carefully about what email address to use when you register for a website.
You should think about your email addresses and how you use them like the rings of defense in a fortress. Castles had different lines of defense that were progressively stronger, and so should you.
The Citadel: Your business email address
Never sign up for anything not business-related with your business email account. This should be an absolute rule. Even more true if you work in government, in education, in media, or in any high profile position. Let me say this again because it is so important: Only use your business email for business sites and services. Sites that you wouldn’t mind if your boss or colleagues found out that you had signed up for.
Examples of “citadel” email accounts:
The Inner Wall: Your primary personal address (or school address)
Obviously you need a primary email address for your friends and family and a small number of important websites that you trust or simply have to trust like those of financial institutions.
This primary email is likely the Gmail, Yahoo, Apple, or AOL account you’ve had for some time.
But this account should only be used with friends, family, and those handful of critical sites like your bank and your insurance company and your utilities. Don’t use your primary email address for registering for any other websites, including online shopping, games, or promotional offers.
If you’re using this account for other sites, go to those sites and change the email to your second address below (the “outer wall”).
Example “inner wall” email accounts:
The Outer Wall: Your “everything else” address
This should be an additional Gmail, Yahoo, or other online email address you create just for signing up to all those other sites and services out there that you’re interested in — everything from social media to shopping to news to blogs.
Using this second address instead of your primary address will help inoculate you when (not if) these sites are hacked.
I know it’s a pain to have another email address, but the added security is well worth it, and you don’t have to check this email every day. You’re mostly going to receive marketing here.
Example “outer wall” email accounts:
Additional Defensive Line: Your “other” address
Okay, now let’s say you’re interested in something online that you know might be a little risky or potentially embarrassing from a security or privacy standpoint. Let’s say you want to sign up for something like Ashley Madison. Or Seeking Arrangement. Or really any dating or adult site.
You can obviously choose not to sign up for these because of the risk. But if you really want to, then create another email address that doesn’t use your real name and isn’t in any way tied to your real identity.
Example “other” email accounts:
Want to take this idea to the next level?
Optional Skirmish Defenses: Throw-away email accounts
For many sites you have to register for on the web, you really only need an email account to confirm your registration. You may not want or need the site to know your email address after that.
In these cases, you can sign up for accounts using a “disposable” or “throw-away” email account. These accounts last for only a short period — long enough for you to confirm the account with the website you want to register for. Sites like the ones below offer these account free and they are anonymous. I’m guessing a lot of Ashley Madison users wish they had used one of these right about now.
Disposable email providers include:
Example disposable email accounts:
Second lesson: Don’t use personal information
Like with Lesson 1, there are going to be some sites and services like your online bank where you have to use real personal information. But for almost any other site, if you can avoid it, you should.
Use a fake name
When signing up for most websites, there’s no reason to use your real name. Just make one up.
This is especially true if your name is distinctive. If your name is John Smith, you may not have much to worry about if your name is released from a hack. If your name is Xavious Thorplewood, you really need an alias.
Use a fake address or a PO box instead of a home mailing address
Again, with most websites, there is no reason to use a real street address. Make one up. If it’s a site for e-commerce and you need goods delivered, use a PO box if at all possible.
Don’t use a “real” phone number
Never input your home number into a webform and and don’t use your mobile number, either.
I know some of you are thinking: But what if I’m signing up for a dating site, and I want those women/men to be able to call me?
This is what virtual phone numbers are for. Get a Skype virtual number or a Google Voice number. You can take the calls online or forward to your mobile phone.
Third lesson: Don’t use your real credit card
Most sites you sign up for don’t require a credit card. If it’s an e-commerce site that you really think you’ll be using often (like Amazon), go ahead and use your credit card.
But if you’re signing up for a dating site or an adult site or a gambling site, forget about using a card from your wallet.
I know some of you might be asking, “But what about when I really do want to sign up for the premium features at Ashley Madison or Seeking Arrangement or whatever my fetish site might be?”
This is where gift cards come in handy.
Go to the supermarket or drug store and buy a prepaid Visa gift card. Don’t buy a prepaid credit card (the key difference is that even a prepaid credit card needs to be registered online with real information). Don’t get a refillable gift credit card (ditto). Get a prepaid fixed dollar value gift card with an amount that covers the first month or two of the subscription you want to buy.
Then, register this card online using the instructions on the back of the Visa gift card’s package. When you register the card, don’t use any of your real information. Use your fake name and address. Then use the card to sign up for your payment or subscription on the website you’re interested in.
Fourth lesson: Use different passwords
One of the simplest things you can do is also one of the most effective:
Use a different long password on each and every site you sign up to. Make sure the password is not just a number and not a word in the dictionary. Multiple words separated by spaces or dashes work well as passwords.
I know it’s a pain, but better passwords are absolutely necessary in today’s world of constant data breaches. If you re-use passwords like most people do, you’re in constant risk of multiple accounts being compromised from a single hack.
How do you keep track of the dozens or hundreds of long passwords you’ll need? Use a password manager like SplashID.
No single one of these lessons is guaranteed to maintain your against all online threats, but taken together simple measures like these will help protect you in the vast majority of cases. Certainly right now there are a lot of embarrassed Ashley Madison users who wish they had followed these lessons.
Pingback: 4 Security Lessons from the Ashley Madison Hack | Talon360 Content Marketing and Public Relations
Thank you! 🙂
I had already been doing everything you suggested EXCEPT the pre-paid fixed amount gift cards recommendation. I never thought about it because of many of the issues with using them, such as:
1) Monthly fees
2) The company is holding your money and they’re getting it to work for them.
3) etc.
I’d love to hear your thoughts on dealing with a JIT (just in time) use of cards to reduce the loss in interest. (Though the interest would need to be REALLY HIGH to make up for a breach, right!?) Also monthly fees and I’m sure you’ve heard of other issues using the cards.
Thank you for a good / great article. I liked it on my Stumbled list.
You’re welcome, glad you liked the article.
Good points about the downsides of using gift cards to make web payments. There’s definitely a cost to using gift cards versus normal credit cards. Typically you have to pay a fee of around $3-$5 at checkout when you buy a gift card, so that’s a fairly high premium to pay if you’re buying a $50 or even a $100 gift card. I do think the gift cards can make sense, though, if we’re talking about using them to buy a subscription to a service like a dating site that you’re not likely going to use for more than a month or two (hopefully!).
I use multiple e-mail accounts and then link them so they all flow to my primary e-mail for the convenience of not needing to check multiple accounts. I still use the individual accounts when needed.
Does this present an easy breach for hacking my information and tracing it all back to the primary account or does it still provide security?
Dennis, great question. I do the same thing for a number of my email accounts. I don’t see a significantly enhanced risk in this as long as you are using a really strong password and two-factor authentication on your primary email.