Online Security for the Disabled and Chronically Ill Community

Hints and tips to stay safe and protect your digital life

Audio version in the Substack mobile app

We’re going to explore something a bit different today, online security. Compared to five or even ten years ago, we live in a seriously changed world. Much of our lives and identities are wrapped up in our digital activity. 

This is magnified if one is disabled and experiences a chronic illness that limits our involvement in life. Many with Long Covid or ME have experienced a form of social death, a separation from society due to physical incapacity and stigma. Yet, many find a new form of social interaction online. We need to support one another to ensure that our online life is as safe as it can be within our capacity. How we keep boundaries and protect our data is a key disability issue.

Many organisations and initiatives also predominantly function online and significant authority is attributed due to follower numbers and digital presence. It is therefore important that accounts are not hacked and lost. 

It can be devastating for an individual or organisation to be hacked and to lose an account. There is a vulnerability, as many people with ME and Long Covid have cognitive dysfunction, which can make it harder to spot phishing and hacking attacks. We know, as unfortunately, we learnt the hard way when we lost our first Instagram account. (Take note Instagram is notoriously hackable and the customer service is notoriously non-existent!) Please ignore and unfollow or even report @LongCovidAdvoc on Instagram (we are now @LongCovidAdvoc8) So, in the spirit of the Brownie Guide law, we will help you ‘Be Prepared’.

You can find summaries at the end of each section and easy-to-follow infographics for different levels of online security at the end of the article. (They are also in our public Google Drive to download).

Passwords

The natural and easiest place to start is passwords. We all require them to enter the digital universe. Do not use the the same password for everything! This first point seems obvious, but many people do this for ease, as it’s nearly impossible to recall a unique password for each account. But for safety, we ideally need to do this. This can be difficult if cognitive PEM is a player. One way around this is to use a password manager. This stores all your passwords for you so you don’t have to remember! 

There are some free, like Sophos, Nord Pass or Log Me Once. For a fee, there are some excellent ones like Dashlane, Nord Pass or 1 Password. If you have several email accounts, are an org or a big family, you can set up a multiple option.

Length matters too. If you want your password to be more resistant to hackers, characters matter. Between 20-25 is a good sweet spot. Some people recommend a song line or quote, but if we’re talking optimal protection, the password should make no sense and be a combination of letters, numbers, caps and special characters. Yet again, this is very difficult to memorise, but many password managers have a password generator which can reduce the cognitive load.

If you are an org or have multiple people using an account, it’s also good practice to change passwords when someone leaves. 

• Use a strong, unique password with special characters, numbers and caps

• Aim for 20-25 characters

• Use a password manager

• Use a password generator 

  
  

2FA - Two Factor Authentication

There is another level of security one can use as well as passwords and this is Two Factor Authentication or 2FA. It simply means that you need two different authentication methods to prove your identity. There are some platforms that will offer and provide an automatic 2FA process. An example is when you will be asked to give a code sent to your phone via SMS. Generally, you will need to give permission to set up 2FA and you can turn this faculty on in most social media platforms.

There is a safer level though, and that is using an independent app for your 2FA codes. Examples are Authy, Duo Mobile or Google Authenticator. The advantage of this method, as compared to SMS, is that the codes are more difficult to be intercepted. These apps generate a TOPT or time-based one-time password. When using these apps, it’s good to keep them updated too.

Yet, 2FA, even via an app, can still be hacked. So, if this happens, it’s important to save the backup codes given at the time of set-up. You can also access these codes at a later date. This will enable you to access your account if it is compromised.

You can also use a different email or phone number for your 2FA than your log-in and use different 2FA methods across accounts if you want to dot more i’s and cross more t’s!

• Use inbuilt 2FA

• Use an external app for 2FA

• Save Backup Codes

• Use different apps, phone numbers and email for 2FA
  

Hardware Token

There are different types of 2FA and the safest is a hardware token. These, as opposed to soft non-physical tokens, are material objects you either plug into a computer or tap to gain a code. A hacker actually needs the token you have to generate the code. They are an ingenious bit of kit. Some of the best are from Yubico, Only Key or Nitro Key. There are even ones that need bio-identification like Kensington Veri-mark. Although we know that people with ME and Long Covid often have depleted fingerprints due to microvascular issues so these might not be the best option.

Now, these might be a step too far if you are an individual with a small account. But if you are an org or an influencer with a big follower base, they are worth thinking about. 

There are downsides, as you generally need a backup key or to keep the QR codes needed to set up. But it depends on your own risk assessment.

This might well be enough infomation for you, so feel free to stop reading! If you are interested in strengthening your computer and accounts even more, please read on.

• Invest in hardware 2FA

• Keep Backup and QR codes

• Have a spare
  

Protection from Hacking 

As more of our lives go online and the realisation that our data is valuable to all sorts of people for commercial or political use, hacking is common. 

Yet, if we have a basic understanding of how this can happen and how to protect our accounts, the better. There are several methods of accessing an account without a password and ways to obtain a 2FA code: Man-in-the-middle, pass the cookie, phishing, or proxy between a browser and a phished site.

Evilginx is a man-in-the-middle attack that will allow hackers to get an authentication cookie to bypass any 2FA code. To protect, one needs to monitor your URL and verify the domain or use a U2F (Universal 2nd Factor) security key.

Pass the Cookie is another method. This allows hackers to access your web browser with Mimikatz so they can use a cookie generated by your 2FA. To protect, one can add context to the user authentication method such as SrcIP or Client certification. Another method is to use browser fingerprinting which asks for new authentication whenever a new device or browser is detected.

SMS Attack is a SIM swap where a hacker can get your phone number and messages sent to a hacker's phone and receive tokens. 

Phishing is an attack when a hacker sends you an email or other communication that seems to be from a reputable source to try to get you to input your sensitive data or click a link that downloads malware. To counter you need to watch the reply-to email address and be careful not to give sensitive data away from an unsolicited email. 

Attacks on soft tokens can be either from malware on one’s phone and they can receive your one-time code or via a mirror victim phone. Actually, no soft tokens are safe from hackers which is why for ultimate security some use a hardware token.

Ideally, not saving passwords in the cloud is the best practice especially if you use one password for everything! 

• Use 2FA

• Monitor URL

• Check user authentication & browser fingerprinting

• Watch Reply-to from unsolicited emails, calls and texts
  

Browser Protection

What is browser fingerprinting? We tend to think our computer setup is much the same as many others. But our set-up is quite unique when one takes into account many data points like; precise browser and OS version, time zone, sound, plug-ins, apps, screen resolution etc. These create a fingerprint that companies can track and is much harder to block. You can even use a VPN, remove cookies and be trackable.

There are ways to test one’s browser’s fingerprinting and that is via the websites Am I Unique and Cover Your Tracks. It’s very difficult to stop browser fingerprinting but the below method can help.

To protect one’s browser, you can also use Ads Power or Private Browsing Methods which are available on browsers such as Firefox. There are also plugins available to your browser, such as Adblock Plus, Privacy Badger, Disconnect, and No Script. All of these block scripts that enable spying and tracking. Another way to stop cookies is to disable JavaScript and Flash, yet this and No Script, which blocks Java on every site, can make access to some sites tricky. You can white list trusted sites which enables Java but this can be a hassle.

You can also try using Canvas Blocker to help prevent fingerprinting.

Installing specific anti-malware software can help too. You can run this along with your anti-virus software and it gives a second layer of protection. Malware Bytes (there’s a free program) and Hitman Pro are very good. Super Anti-spyware also runs a free program (there is no automatic scan) but it is a deep run program that often finds tracking cookies other outfits don’t.

If one wants a mega-blocking browser, you can use TOR (The Onion Router). This aggressively blocks Java and tracking. Although it doesn’t run that quickly.

To protect your IP address you can use a VPN (Virtual Private Network). This effectively stops some hacking attempts. Although it won’t protect against a phishing attack, it can against man-in-the-middle and others. It also stops your internet service provider from seeing your traffic and data.

• Check the uniqueness of your browser fingerprint

• Use a privacy browser

• Use canvas blocker

• Install add-ons

• Use a VPN

• Install anti-virus and second level anti-malware software

  
  

Data

This is secondary to acute security risk, but our data, what sites we visit, and our personal information are all available online. This is very valuable to marketing and companies trying to sell you stuff. To have some agency about what we share, there are steps we can take. 

Investigate and set your privacy settings on your social media sites and internet browsers. How to’s here: Facebook Twitter Instagram Bluesky

Reject optional cookies on websites. EU Regulations mean every website has to warn you about adding tracking cookies before installing them. Note they are called nice, sweet things like cookies and not Big Brother! Ghostery add-on will get rid of cookie pop-ups and express dissent to tracking, as well as blocking ads and stopping tracking.

Install add-ons such as Don’t Track Me Google, Ad Nauseum, Clear URLs, Decentraleyes, and Privacy Badger.

It is your data so you can download it from your social media sites like Twitter and Facebook.

The ICO gives instructions on how to delete your data if that is what you want to do.

Check and customise your permissions on your phone. Many apps have access to your camera, microphone and all sorts. This can be adjusted in your settings and app permissions.

If you don’t think your data matters because you are a lowly Jo or Jane think again - it does. The Facebook Cambridge Analytica scandal showed that. There’s a good film about it The Great Hack.

Endorsement

One last note is left to a more subtle form of security and boundaries for our community. This isn’t overt attack, but it is how people or companies who are trying to sell a product or service use our accounts. Recently, (and it’s an ongoing problem) we have seen influencers and celebrities mention or endorse brain training courses. Many of these organisations are known for their aggressive marketing and regularly approach those with a large platform to offer or mention their service. We’ve seen this with Miranda Hart and Alice Ella and the Optimum Health Clinic, which promotes Alex Howard’s RESET program. Ren also endorsed brain training in a lengthy social media post. How some of these celebs think that these companies are being so nice to them is just beyond. There seems to be a genuine cognitive dissonance or ignorance in how harmful it is to expose a large audience to false hope with these programs or re-traumatise those who have just had enough. We keep ourselves safe as a community by protecting all of us from those offering programs that don’t work but make a lot of money in the process.

This isn’t just for private endeavours we also see those who are invested in dubious scientific theories very keen to be associated with those in the Long Covid and ME world. The key example for this is FND and scientists related to this field extolling how real they think our condition is. Too many Long Covid organisations and advocates have fallen for this and it’s not safe or the best trauma-informed practice. We as individuals as a community can do better than this.

Hopefully, you have gleaned some helpful information and practice here. It’s not exclusive so if you have a handy hint that can help us as a community then please do comment.