Guide:Resisting technological domestic abuse: Difference between revisions

==Account compromise==
Another way to compromise you is to compromise your online accounts, such as your email, social media or Google account.
===On sharing passwords===
You may be used to sharing passwords and giving access to your partners, parents or people you trust. As a privacy resource, {{SITENAME}} always advocates against sharing passwords. It is also worth considering that other resources, focusing on the interpersonal aspect of this decision, warn that this is [https://www.loveisrespect.org/resources/should-we-share-passwords/ not a healthy relationship dynamic].<br>Privacy is a human right, and our thoughts and actions cannot just be sorted into good/transparent and bad/hidden. Exercising your right to privacy is not something you need to apologise for.
 
The remainder of the 'Account compromise' section assumes you do not willingly share your passwords with the perpetrator.
===Methods===
====Keylogging====
While genuinely hacking a major online service like Amazon or Google is very, very difficult, a much easier way to compromise an account is to simply keylog the password while it is being entered by the legitimate account owner.<br> A keylogger is software which records everything that is typed on a particular device and makes it available to the perpetrator. This of course includes all the private conversations you may have had (at least, your side), but it also means that all your passwords will be recorded (as you enter them using the keyboard). Keyloggers may be stand-alone malware, but keylogging may also be a feature of the aforementioned stalkerware.
======Countermeasures======
The best countermeasure against any password-based attack is multi-factor authentication (sometimes known as second factor authentication). When you provide a password, this is considered one piece of evidence (a so-called factor) that you're authorised to access the account. A password is 'something you know'. If you add other factors (further pieces of evidence) to the authentication process, you have a login which requires more than just a password: multi-factor authentication. The end result is that the perpetrator cannot log in even if they know the password, and keylogging the temporary password does not help them, because it expires very quickly.<br>
In practice, the most common multi-factor authentication method is a one-time password. This can take the shape of an SMS message sent to your phone with a time-limited code, or an authenticator app which calculates a temporary password using the [[w:One-time password|OTP protocol]].<br>
Many online accounts support multi-factor (or two-factor) authentication. Usually you can find this setting next to the option to change your account password.<br>If the service requires you to use an authenticator app, a good choice is the open source [https://getaegis.app/ Aegis] for Android, or the open source [https://www.tofuauth.com/ Tofu] on iOS.
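To show why a keylogged temporary password is of little use, here is an added example (not part of the original guide, and not the code of any particular app or service) of how a time-based one-time password is calculated and checked. The secret is the public test value from the OTP standard, and <code>verify</code> is a hypothetical sketch of the check a service performs.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds that each code is valid for (the usual default)
SECRET = b"12345678901234567890"  # public test secret from the standard, not a real key


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Calculate the time-based one-time password for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)           # which 30-second window we are in
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: int, used: set, drift: int = 1) -> bool:
    """Hypothetical server-side check: accept a code only from the current
    window (plus/minus `drift` windows for clock differences), and only once."""
    for step in range(-drift, drift + 1):
        t = now + step * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), code):
            window = t // STEP
            if window in used:                        # code already used: reject replay
                return False
            used.add(window)
            return True
    return False


def demo():
    """Constructed scenario: a code is typed (and keylogged) at time 59."""
    used = set()
    code = totp(SECRET, 59)
    owner_login = verify(SECRET, code, 59, used)          # legitimate login
    replay_now = verify(SECRET, code, 60, used)           # same code typed again
    replay_later = verify(SECRET, code, 59 + 120, set())  # two minutes later
    return code, owner_login, replay_now, replay_later


if __name__ == "__main__":
    print(demo())
```

The recorded code is rejected both when it is typed a second time and when it is tried two minutes later, while the password alone would have kept working.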
 
Most keyloggers are also detected as malware by most antivirus packages, so consider scanning your system. See our advice on [[Recommended:antivirus|antivirus]] software.
====Phishing====
[[Phishing]] is the act of creating a fake login page that looks identical to the login page of a legitimate service, and using it to harvest the login details of the victim.<br>Given that the perpetrator has physical access to your WiFi, they could use either a man-in-the-middle attack to force your browser to the fake page, or, more commonly, an external page.
=====Man-in-the-middle=====
By executing a man-in-the-middle attack, the perpetrator can force you to a fake login page even if you took care to make sure you're on the right site. However, all modern browsers will detect this and give you a certificate error, as detailed in the 'Certificate error' section.<br> '''If you see such an error, do not simply click 'Add exception'.''' Instead, try accessing the website using a different internet connection (such as your mobile data) or ask a friend if they see the same error. If your device does not give you an error from a different connection, or your friend does not see it, you are likely a target of a man-in-the-middle attack.<br> Although possible, it is very, very unlikely that a major service such as Google, Facebook or Amazon would have a legitimate TLS certificate error (this is a sort of super basic error that gets website administrators of major companies fired).
=====Normal phishing=====
You could also be a target of a more conventional phishing attack, where the perpetrator sends you to a website which looks like the target website, but is in fact on a different address. In these cases, the browser will not pop up a warning, because no man-in-the-middle is being detected.<br>
The best advice here is to not blindly trust links sent to you. Instead, enter the web address manually in the address bar, and go from there. If you must follow a link, look at the page address in your browser, such as {{SERVER}}. Do not get distracted by anything after the address, even if it looks convincing.
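The same check can be written down as code. This is an added example, not part of the original guide: it pulls out the part of a link that decides which site you reach and ignores everything after it. The function name, the requirement for <code>https</code> and the sample links (using the reserved <code>example.com</code> and <code>example.net</code> names) are assumptions made for illustration, and the example goes slightly beyond the text by also covering an address that merely begins with the expected name.

```python
from urllib.parse import urlsplit


def is_expected_site(url: str, expected_host: str) -> bool:
    """True only if the link leads to `expected_host` (or a subdomain of it)
    over https. Path, query and fragment are deliberately ignored."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    same_site = host == expected or host.endswith("." + expected)
    return parts.scheme == "https" and same_site


# Constructed sample links; the site the reader expects is example.com.
SAMPLE_LINKS = [
    "https://example.com/login",                      # the real address
    "https://accounts.example.com/login?next=/",      # a subdomain of the real address
    "https://example.net/example.com/login",          # real name only appears after the address
    "https://example.net/login?site=https://example.com",
    "https://example.com.login-check.example.net/",   # address only starts with the real name
    "http://example.com/login",                       # not an encrypted connection
]


def check_links(expected_host: str = "example.com") -> dict:
    """Return a verdict for every constructed sample link."""
    return {url: is_expected_site(url, expected_host) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, ok in check_links().items():
        print("OK      " if ok else "DISTRUST", url)
```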
=Setting up a safe computing environment=
While we cannot possibly anticipate every exact combination of technology-enabled domestic abuse you may face, we can help you set up a safe working environment that you can use for your essential computing needs without the fear of being spied upon or intercepted by the perpetrator.<br>