I work in information security.
Don’t use biometrics to secure your devices. Biometrics are a convenience feature to make it easier to access your device. Biometrics are NOT security. You can be compelled to unlock your device by having it pointed at your face or your finger forced onto the reader. Don’t do it.
Use 2FA/MFA everywhere you can. If it’s an option, turn it on.
Use a password manager that generates strong passwords and use a different password for every service you use.
Update, update, update. Allow your devices, OSes, and software/applications to update automatically.
Talk to your parents about safe surfing. Tell them that their bank won’t send them an email or text asking them to send personal information. Set a password with your family to identify them if they are in trouble and need help. Tell parents and grandparents not to send you bail money to get you out of jail in Morocco.
Teach your kids that everything they post on the internet is public and permanent. Teach them that if they do something they think will get them in trouble and someone is blackmailing them, it’s better to tell you and ask for help than to give in to the blackmailers.
Regarding biometrics, I’ve felt that one advantage is that if I’m in a public space, I don’t have to worry about someone watching me enter my password over my shoulder. If I got into a situation where someone is physically overpowering me to get my finger onto my device against my will, I’m probably going to give them whatever password they want so I don’t get a beat down.
That’s a threat and risk assessment. You’ve decided you’re willing to accept the risk of anyone being able to unlock your phone. For me, I’m not really worried about someone in the street strong-arming me. I’m more worried about a state actor, border guard, police officer, etc., demanding that I unlock my phone. They can physically compel you to unlock your phone by pointing it at your face or putting your finger on the pad, but they cannot compel you to give them your password.
I’m probably preaching to the choir, but for those who don’t know, at least on an iPhone (and I’m sure Android has something similar), if you foresee the situation coming you can just hold the sleep/wake button for a few seconds (even while your phone is in your pocket) and it will require the passcode and not allow biometrics.
Edit: my memory was off; it’s the sleep/wake button and volume down. Similar to Android as per the below.
For Android it’s power + volume up to bring up the power options menu (shutdown, restart, etc.) and there is a “lock down” option that disables biometric unlock.
Wish I could do it with one hand, but good to know it’s there.
I definitely see your perspective, but mostly wanted to make sure I wasn’t overlooking some obvious downside in my risk assessment.
I figure my chances are low that I will get into a situation where an authority demands access to my phone but I also don’t have the opportunity to lock out biometrics. Like if I get pulled over, I just hold the power and volume up buttons for three seconds and biometrics are off. That said, it certainly doesn’t eliminate my risk completely, and I wouldn’t consider anyone crazy for just opting out completely.
The other problem with biometrics is you can’t change them. With the OPM breach a few years ago they lost 5.6 million fingerprints. Those fingerprints are now useless since they are in the wild and can’t be changed. Not a problem for your average phone user, but in my world that’s a really big deal. In my world biometrics are a convenience, and convenience is bad for security.
As long as you’ve considered and accepted the risks you’re good.
Time to start using the middle finger, until the next data breach. Then the ring finger.
Allowing apps to update automatically often means that advertising and feature removal or nerfing, etc., can happen. Checking manually has saved me a lot of grief.
That’s my expert opinion. Take it or leave it. It’s your device.
In this day and age where updating an app means losing half the functionality, no thanks. Would love a way around that though!
You’re exposing yourself to unpatched vulnerabilities for convenience instead of updating or deleting the app. If you lose half the functionality because of an update it’s time to find a new app in my books.
If only that were an option…
You’ve done a threat and risk assessment and decided that the inconvenience of uninstalling or disabling the app is worth accepting the risk of your device being compromised and your data stolen or ransomed, your banking or other credentials being stolen, your friends, family, and other contacts being targeted, and your employer being put at risk if you use your device for work. That’s an acceptable way of handling the situation. You can always accept the risk.
I’ve heard this sentiment for almost 20 years. “The app works fine, why update, it only breaks things.”
Then they blame me when it starts being incompatible with the current OS or some other application. Even if the only fix is to update they still resist or refuse outright.
I finally let my phone do some app updates the other week, my banking app now displays full screen ads for their credit cards, conveniently right as you go to click the transfer button.
I don’t update shit anymore. I update my OS and apps on my desktop, but my phone is now being actively neglected in regards to app updates. Every single app update breaks something, removes a feature, or brings ads into the picture.
A verbal secret passphrase to identify yourself to your family would be pretty smart.
Yup. Also having an agreement that an X from any family member means they are uncomfortable or in trouble and you should call them in one minute, tell them that there is an emergency, and you need to pick them up right now. Get them safe and don’t ask questions unless they want to talk.