Guide:Resisting technological domestic abuse: Difference between revisions

commenting out the warning, pending the discussion on the talk page. also restoring the more firm warning
No edit summary
 
(10 intermediate revisions by 4 users not shown)
Line 1:
{{Warning|1='''All the advice given below is followed at your own risk. Do NOT follow the advice below if any of it will place you at risk of further harm should you be discovered.'''<br /> We are not domestic abuse experts and cannot make judgement calls regarding advisability of resisting the perpetrator given the prospect of further abuse. <br /> If you need further non-technical support, please reach out to one of the resources [[w:List of domestic violence hotlines|listed on this page]].}}
{{Template:Draft}}
<!--{{Warning|'''The page needs to be cleaned up.''' <br>Reasons:<br>This page focuses on security such as 2FA and passswords more than privacy. Out-of-scope content should be removed or replaced. }}-->
{{Warning|1='''Do NOT follow the advice below if any of it will place you at risk of further harm should you be discovered.'''<br /> We are not domestic abuse experts and cannot make judgement calls regarding advisability of resisting the perpetrator given the prospect of further abuse. <br /> If you need further non-technical support, please reach out to one of the resources [[w:List of domestic violence hotlines|listed on this page]].}}
{{TOC right}}
The purpose of this guide is to help victims of technological domestic abuse resist surveillance and recover from privacy or security compromise by perpetrators of abuse, whether romantic, familial or otherwise. <br />Technologically savvy perpetrators have more options than ever before to keep tabs on their victims, take away control and agency and continue abuse from afar. We will try to give you the tools and knowledge to resist technological aspects of the abuse, and once you're able to leave the abusive situation, recover from the privacy compromise.
Line 15:
}}
<br>
 
= Core assumptions =
In this guide we are assuming the following:
Line 44 ⟶ 45:
If you answered yes to any of those, you may be a victim of stalkerware.
===Countermeasures===
* If you can, do not allow physical access to your device. Do not leave your device unattended. Most stalkerware has to be installed using physical access, so if you're not infected, this is the best method to keep it that way.
** Use a strong screen lock method, and do not use fingerprint scan or face unlock (as those methods are rather easily fooled). There is no substitute for a [[Choosing better passwords|good password]].
* Most stalkerware programs run in the background all the time, using your battery (if applicable). Be mindful of your battery performance, particularly if it suddenly drops.
Line 61 ⟶ 62:
[[File:Cydia logo.png|thumb|Cydia app store logo]]
Apple, like Google, also actively removes stalkerware apps from its store. To install external apps on iOS devices, generally the device has to be [[w:jailbroken|jailbroken]] (basically, unlocked to enable non-App Store apps). Most jailbroken devices have an alternative app store on them, called Cydia. If your device has Cydia on it, but you did not jailbreak the phone yourself, you might be a victim of stalkerware.
 
===Should you remove stalkerware?===
We cannot say, given that this depends on your personal circumstances. The perpetrator is very likely to notice this, and if attempting to resist may result in further abuse, it may not be advisable.<br>
Line 67 ⟶ 69:
If you suspect stalkerware, there are a couple of reliable ways to remove it:
 
* if it is an Apple device, take it to the nearest Apple Store; they should be able to help you
** note that jailbreaking usually voids Apple warranty, but does not generally void any statutory warranty
* with Android, in most cases, a simple factory reset will be sufficient.
** If you're not confident in doing it yourself, any phone repair store will be able to do it for you.
* for Windows devices, reinstalling Windows is the safest option (any computer tech can do this easily), but failing that, most reputable anti-virus solutions will catch it
** even in-built Windows Defender may be able to catch it; the perpetrator would have disabled it when installing, but if you simply make sure that Windows Defender is re-enabled it may be enough
Line 99 ⟶ 103:
This indicates that somebody may be trying to intercept your connection, and might be serving you something your browser does not expect. '''Try your very best to resist the urge to click 'Add exception'''' as doing so is basically giving permission to the perpetrator to continue observing and interfering with your traffic. Just come back to the website later. If it is a genuine certificate error, the website will fix it soon (because everyone, not just you, is seeing this error). However, if you are the only person seeing this error, or all your websites show this error, this is a good indicator of a man-in-the-middle attack.
==Account compromise==
Another way to compromise you is to compromise your online accounts, such as your email, social media or Google account.
===On sharing passwords===
You may be used to sharing passwords and giving access to your partners, parents or people you trust. As a privacy resource, {{SITENAME}} always advocates against sharing passwords. But, it may be worth considering that other resources focusing on the interpersonal aspect of this decision warn that this is [https://www.loveisrespect.org/resources/should-we-share-passwords/ not a healthy relationship dynamic].<br>Privacy is a human right, and our thoughts and actions cannot just be sorted into good/transparent and bad/hidden. Exercising your right to privacy is not something you need to apologise for.
 
The remainder of the 'Account compromise' section assumes you do not willingly share your passwords with the perpetrator.
===Methods===
====Keylogging====
While genuinely hacking a major online service like Amazon or Google is very, very difficult, a much easier way to compromise an account is to simply keylog the password while it is being entered by the legitimate account owner.<br> A keylogger is software which simply records everything that is typed on a particular device and makes it available to the perpetrator. This of course includes all the private conversations you may have had (at least, your side) but it also means that all your passwords will be recorded (as you enter them using the keyboard). Keyloggers may be stand-alone malware, but keylogging may also be a feature of the aforementioned stalkerware.
=====Countermeasures=====
[[File:Logging in with 2FA on Wikipedia.png|thumb|A typical login screen requiring another factor, in this case a temporary password.]]
The best countermeasure against any password-based attack is multi-factor authentication (sometimes known as second factor authentication). When you provide a password, this is considered one piece of evidence (a so-called factor) that you're authorised to access the account. A password is 'something you know'. However, if you simply add other factors (bits of evidence) to the authentication process, now you have a login which requires more than just a password: multi-factor authentication. The end result is that the perpetrator cannot log in even if they know the password, and they cannot keylog the temporary password, because it expires very quickly.<br>
In practice, the most common multi-factor authentication method is a one-time password. This can take the shape of an SMS message being sent to your phone with a time-limited code, or an authenticator app which calculates a temporary password using the [[w:One-time password|OTP protocol]].<br>
Many online accounts support multi-factor (or two-factor) authentication. Usually you can find this setting next to the option to change your account password.<br>If the service requires you to use an authenticator app, a good choice is the open source [https://getaegis.app/ Aegis] for Android, or open source [https://www.tofuauth.com/ Tofu] on iOS.
 
Most keyloggers are also detected as malware by most antivirus packages, so consider scanning your system. See our advice on [[Recommended:antivirus|antivirus]] software.
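
Why a keylogged temporary password stops working, shown as an added example that is not part of the original guide: a time-based one-time password (RFC 6238, HMAC-SHA1) is computed from a shared secret and the current 30-second time step, so a code recorded at login is rejected when replayed later. The secret is the RFC 6238 test key and the login time is a constructed value.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (the common authenticator-app default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    counter = unix_time // STEP                    # which 30-second step we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept a code only for the current time step, plus or minus clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, unix_time + step * STEP)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return True
    return False

# Constructed sample: the RFC 6238 test key, never a real account secret.
SECRET = b"12345678901234567890"
LOGIN_TIME = 1111111109                  # moment the account owner types the code
captured = totp(SECRET, LOGIN_TIME)      # what a keylogger would have recorded

if __name__ == "__main__":
    print("code typed at login:     ", captured)
    print("accepted at login:       ", verify(SECRET, captured, LOGIN_TIME))
    print("replayed 5 minutes later:", verify(SECRET, captured, LOGIN_TIME + 300))
```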
====Phishing====
[[Phishing]] is the act of creating a fake login page for a service that looks identical to the target login page of a legitimate service and using it to harvest the login details of the victim.<br>Given that the perpetrator has physical access to your WiFi, they could use either a man-in-the-middle attack to force your browser to the fake page, or the more common external page.
=====Man-in-the-middle=====
By executing a man-in-the-middle attack, the perpetrator can force you to a fake login page even if you took care to make sure you're on the right site. However, all modern browsers will detect this, and give you a certificate error, as detailed in the 'Certificate error' section.<br> '''If you see such an error, do not simply click 'Add exception'.''' Instead, try accessing the website using a different internet connection (such as using your mobile data) or ask a friend if they see the same error. If your device does not give you an error from a different connection, or your friend does not see it, you are likely a target of a man-in-the-middle attack.<br> Although possible, it is very, very unlikely that a major service such as Google, Facebook or Amazon would have a legitimate TLS certificate error (this is a sort of super basic error that gets website administrators of major companies fired).
=====Normal phishing=====
You could also be a target of a more conventional phishing attack, where the perpetrator sends you to a website which looks like the target website, but in fact is on a different address. In these cases, the browsers will not pop up a warning, because there is no man-in-the-middle being detected.<br>
The best advice here is to not blindly trust links sent to you. Instead, enter the web address manually in the address bar, and go from there. If you must follow a link, look at the page address in your browser, such as {{SERVER}}. Do not get distracted by anything after the address, even if it looks convincing.
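
The address check described above, as an added example that is not part of the original guide: it extracts the host a link really leads to and compares it with the site you expect, ignoring everything that only looks like the familiar name. The domains `bank.example` and `login-check.example` are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def real_host(url: str) -> str:
    """Return the host the browser will actually connect to, lower-cased."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(url: str, expected_domain: str) -> bool:
    """True only for an https link whose host is expected_domain or a subdomain of it."""
    host = real_host(url)
    expected = expected_domain.lower()
    is_https = urlsplit(url).scheme == "https"
    return is_https and (host == expected or host.endswith("." + expected))

# Constructed sample links: only the first one really leads to bank.example.
SAMPLES = [
    "https://www.bank.example/login",                           # genuine subdomain
    "https://bank.example.login-check.example/login",           # name used as a prefix
    "https://bank.example@login-check.example/login",           # name before an @ sign
    "https://login-check.example/bank.example/login",           # name in the path
    "https://login-check.example/?next=https://bank.example/",  # name in the query
    "https://notbank.example/login",                            # similar-looking name
    "http://bank.example/login",                                # right host, no https
]

def check_all(expected_domain: str = "bank.example") -> list:
    """Return (link, real host, verdict) for every sample link."""
    return [(u, real_host(u), belongs_to(u, expected_domain)) for u in SAMPLES]

if __name__ == "__main__":
    for link, host, ok in check_all():
        print(f"{'OK     ' if ok else 'REJECT '} {host:40} {link}")
```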
=Setting up a safe computing environment=
While we cannot possibly anticipate every exact combination of technology-enabled domestic abuse you may face, we can help you set up a safe working environment that you can use for your essential computing needs without the fear of being spied upon or intercepted by the perpetrator.<br>
Line 154 ⟶ 180:
*Ask your financial institution to reissue your credit cards.
* Remove them from utilities or bills.
*Sweep your car for unknown electronics. Consumer grade trackers are easy to come by and don't even need external power (such as [[w:Tile (company)|Tile]]).
 
=Closing thoughts=