Circles of defense: your online accounts that really matter
When did you last change the password of your Gmail account? Do you know which of your accounts have your credit card details stored? Which ones charge a recurring fee? Let's sort these out.

How many online accounts do you have? 5? 20? 50? 200? 500+? Are they all equally important to you? Let me rephrase that: if one of them gets compromised (meaning someone else can log in and act as you), which one would have the biggest blast radius?
Storing your secrets
How do you store your secrets?
A single "master" password written on a post-it note, which unlocks a password manager app. Not the worst combination to start with: at least the post-it is not reachable over the internet.
The most obvious and very convenient option is the one web browsers offer: let the browser generate your passwords and store them, together with the username and the site URL, as part of your browser profile (and, if sync is on, in the vendor account behind the browser).
Super easy to use, it auto-fills forms, and only on the site the password was saved for (which also blunts phishing pages on look-alike domains), and, most importantly, it encourages, and with generated passwords practically forces, you to use a unique password for each of your accounts. Nice!
Let's go a bit deeper.
Not all accounts are created equal
Yes, they are all yours, individual pieces of your digital existence, but let's run the following thought experiment for a moment:
Someone gets hold of the password of one of your accounts, logs in successfully, and can now act as if they were you.
Scary!
Which account would cause the greatest damage? To your online persona, your online identity, your reputation, your wallet. A lot can be at stake.
For a moment let's make one single exception: let's leave your single most important bank account credential out of it. Assume that one is not on the list for this thought experiment.
The types of accounts that remain on the list can still cause serious damage.
Let's see:
- You once opened an account just to support a local business, and all they do is send you a newsletter once in a while. They only have part of your name (or a nickname) and your email address.
  - Not much damage, unless you used the same password elsewhere: then that email/password pair gets tried against every other site (credential stuffing), and the newsletter account becomes a stepping stone.
- You registered on an online webshop, quite niche; they have your name and email address, but payment goes through a 3rd party payment provider, so they never see your credit card details at all.
  - Again, not much damage beyond your order history.
- You downloaded software that required registration; no payment details, but the portal stores a copy of your license key.
  - Some damage, if the license key is not tied to an online activation check (which you may or may not know). The worst case is that the key gets abused or revoked and you can no longer use that software.
- You purchased a domain name; the portal stores your personal data, even a "business address".
  - How bad this is depends on what the portal controls. If it only handles billing, not much. If it is the registrar account, or your DNS zone is managed there, an attacker can repoint the domain, including the MX records that deliver your mail, or transfer it away. That is serious enough.
...and the list goes on.
Let me jump ahead to the most critical items:
Criticality: highest; at stake: your online identity and financials
- Your main email / mailbox account, in particular the address you gave as recovery contact everywhere else. This is the single most important account that you must protect at all cost, with any and all available protection you can get: a unique password, the strongest second factor offered (a hardware security key or an authenticator app rather than SMS), and a check of its own recovery options (recovery phone, recovery email) so they don't become the weak link.
  - With access to this one, the attacker can methodically discover all your other accounts (from past emails) and trigger password resets for each and every account that was ever created using this email address.
- Your main "big tech" accounts at Apple (Apple ID), Microsoft, Google (Gmail), Amazon, Facebook, etc.
  - Similarly to the above, these allow the attacker to discover and take over other accounts quickly and efficiently: they often are your mailbox, they act as "Sign in with ..." identity providers for other sites, and they may hold your synced browser passwords.
- Your online password (or other secrets) management portals.
  - The damage here is widespread: the keys to your digital kingdom are compromised in one go.
- Accounts where "one click payment" type options are available and set up.
  - Here, for convenience, you don't need to re-enter your credit card details when making a new purchase. This allows anyone who gets in to change the delivery address and order using your card, or to buy digital goods and gift cards that need no delivery at all.
Criticality: medium; at stake: your online reputation, some financials
- Social media accounts, including all accounts where you have public profile pages. Not much financial damage can be done here, and they are not critical for taking over other accounts en masse, unless you use them as a "Log in with ..." identity provider elsewhere.
  - With access to this one, the attacker can publish content under your name; to the public it looks as if you posted it yourself, and your contacts will trust messages that appear to come from you.
- Crypto exchange portals. The main damage here is purely financial.
  - The attacker can withdraw funds to a wallet that is not controlled by you, and unlike a card payment, a confirmed crypto transfer cannot be charged back.
Criticality: low; at stake: you lose access to some services
- A huge bucket containing online webshops, special-purpose web applications (e.g. note taking apps, drawing apps etc.), basically anything that provides a minimal level of service to you.
  - Here the damage is losing access, possibly for good, without being able to recover the account or reclaim that particular username (plus whatever data you kept there).
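To actually "sort these out" for a few hundred accounts, it helps to let a script do the first pass. The following is an added example, my own code and not the author's, that reads a password-manager export and assigns each account to the three tiers above, then flags password reuse, the case from the newsletter example where a "low" account silently inherits the criticality of the "highest" account that shares its password. It assumes a CSV with at least the columns name,url,username,password (the layout of a Chrome password export; other managers use different column names and need mapping), and the provider lists in TIER_RULES and the SAMPLE_CSV rows are constructed for illustration, not real accounts. Sites where you have a card stored for one-click purchases cannot be detected from an export, so you pass them in as one_click_hosts.

```python
"""Added example: triage a password-manager CSV export into criticality tiers
and flag password reuse. Assumptions (mine, not the post's): columns
name,url,username,password as in a Chrome export; illustrative domain lists."""
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Illustrative provider lists (assumption: adapt to your own accounts).
# A host matches an entry if it equals it or is a subdomain of it.
TIER_RULES = [
    ("highest", ["google.com", "outlook.com", "live.com", "microsoftonline.com",
                 "apple.com", "icloud.com", "amazon.com", "facebook.com",
                 "bitwarden.com", "1password.com", "lastpass.com"]),
    ("medium", ["twitter.com", "x.com", "linkedin.com", "instagram.com",
                "reddit.com", "coinbase.com", "kraken.com", "binance.com"]),
]
TIER_RANK = {"highest": 0, "medium": 1, "low": 2}
RANK_TO_TIER = {rank: tier for tier, rank in TIER_RANK.items()}

# Constructed sample export (fake accounts). Note the same password on the
# mailbox and on the bakery newsletter site.
SAMPLE_CSV = """name,url,username,password
Gmail,https://accounts.google.com,alice@gmail.com,correct-horse-battery-staple
Local bakery newsletter,https://bakery.example,alice@gmail.com,correct-horse-battery-staple
Niche webshop,https://shop.example,alice,Tr0ub4dor&3
Domain registrar,https://registrar.example,alice,9f!Qx2#vLm
Twitter,https://twitter.com,@alice,w7$Kp^2zQ!
Coinbase,https://www.coinbase.com,alice@gmail.com,Nn4*vE8rT!q
"""


def host_of(url):
    """Hostname from a URL; bare hostnames without a scheme are accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def base_tier(host, one_click_hosts):
    """Tier from the lists above; a site with a stored card is always highest."""
    if host in one_click_hosts:
        return "highest"
    for tier, domains in TIER_RULES:
        if any(host_matches(host, d) for d in domains):
            return tier
    return "low"


def triage(csv_text, one_click_hosts=frozenset()):
    """One dict per export row: host, username, tier, reused_with, effective_tier."""
    entries = []
    hosts_by_fp = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = host_of(row["url"])
        # Group by a truncated SHA-256 fingerprint, not the plaintext, so the
        # resulting report can be kept or shared without leaking passwords.
        fp = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()[:16]
        hosts_by_fp[fp].append(host)
        entries.append({"host": host, "username": row["username"],
                        "tier": base_tier(host, one_click_hosts), "fp": fp})
    tier_of_host = {e["host"]: e["tier"] for e in entries}
    for e in entries:
        e["reused_with"] = [h for h in hosts_by_fp[e["fp"]] if h != e["host"]]
        # A shared password makes the weakest site as valuable as the strongest
        # one sharing it: phishing the bakery login hands over the mailbox.
        ranks = [TIER_RANK[e["tier"]]] + [TIER_RANK[tier_of_host[h]] for h in e["reused_with"]]
        e["effective_tier"] = RANK_TO_TIER[min(ranks)]
    return entries


def report(entries):
    """Text report sorted by effective tier, most critical first."""
    lines = []
    for e in sorted(entries, key=lambda e: TIER_RANK[e["effective_tier"]]):
        flag = "  REUSED with " + ", ".join(e["reused_with"]) if e["reused_with"] else ""
        lines.append(f"{e['effective_tier']:>7}  {e['host']:<24} {e['username']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # shop.example is declared as a one-click payment site by hand.
    print(report(triage(SAMPLE_CSV, one_click_hosts={"shop.example"})))
```

Run against the sample, the bakery newsletter comes out as effective tier "highest" despite being a "low" site, which is exactly the account you would fix first (change the password there, then the mailbox). The fingerprint comparison is deliberately exact: two passwords that differ by a trailing digit are not caught, so treat "no reuse reported" as a necessary, not sufficient, check.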
Shall I continue?
What have I missed?