I got HACKED TWICE in 24h!

Today, Facebook alerted me: A hacker tried to get into my account from Turkey! I checked out my windows and quickly realised I still wasn’t in Turkey… nor a hacker for that matter. Plus, since I deleted the app from my phone, and put the website behind a Screen Time wall, I also realised it took hours from the moment of force entry up to the moment I was informed! By then, the hacker could’ve done anything! I was TERRIF……

no, I wasn’t.

The erroneous location was due to Apple hiding my IP address through a secure relay so the Zuck cannot track me. Yesterday, another service informed me I was sitting in the US, somewhere between New-York and Chicago. That’s a big somewhere.

Wait, there’s more.

Cupertino also implemented “Hide My Email”. It creates a randomized dummy address that will relay to your real one so again, no one can track you. So I went ahead and created dummies and changed my primary address on Soundcloud, Instagram, Linkedin, GAFAM… or rather GFAM, since only 1 letter out of 5 cares.

To me, it’s a feature based on decades old user-generated habits: We all have separate accounts depending how serious the emails we expect to receive i.e. Online banking vs. Fancy-Furnitures.com. Now it’s made simpler by being integrated into the system the people uses.

Email randomisation or ”pseudonymisation” is now being deployed. But it is still quite today a heavy process as for the newbie and/or if you have 30+ accounts.

But let’s stop for a minute and gaze at aaalll that we have:

• auto-generated email adresses, so complex and so numerous it’s not made for a human mind to remember.
• attached passwords: same humanly limitations
• Most of us have two 2FA apps because not all services are compatible with our favourite
• 3rd party code generators such as Facebook (if you don’t know what that is, please go secure your FB account now!)
• 2FA by SMS (has a major risk as anyone can generate your phone number and receive the precious sesam on their end, after retrieving your password from say, a data leak)
• and “Sign in with *insert GAFAM*”

That’s a lot. And it’s kind of a mess. Which begs the question:

What’s next?

I pulled out my crystal ball, gazed into the future and… mark my words:

The adoption of “Sign In with *BigTechNameHere*” is rather sporadic as websites aren’t obligated to offer it and merely did for user base growth and data selling. Plus, I personally feel users didn’t understand well the risks of binding their accounts together or even, understandably so, didn’t care changing what that’s been working well for them for decades. Plus, having Google, Facebook and Amazon doing the same thing elbow to elbow did minimize the “trust” selling point of that feature. So what’s coming in place of that?

I’m predicting the following:

• Apple’s Hide My Email is rendering “Sign in with ____” mandatory by turning the above server-sided feature into a client-sided one, meaning: you won’t have to even think about it: if you want to be protected when you’ll create an account, your device will generate a dummy email when you create an account thus, forcing services to comply. In terms of user experience, it will be integrated in the device software and you’ll no longer have to look for “Sign in with ___” anymore. At this point, knowing manufacturers are doing their best at building a continuous experience between devices, we might as well expect ourselves to log in once on one device and subsequently be logged on all of them.
• In security/privacy, your system is only as secure as its weakest node. Therefore Apple did announce their in-house solution similar to 2FA that I expect to be one that governs them all: you’ll just delete the others. Bonus: it’ll also enable that one layer of protection to span across all your Apple devices. One more hint at logging everywhere at once.
• You will be able to change existing accounts’ credentials just by going to the website’s “Account settings” and there, your device will generate everything for you, easing things a little if you have 30+ accounts.

As a result, you’ll be protected from data leaks, data brokers, etc and in control of those features explained to you in all transparency. Because remember:

→ The Right to Privacy ain’t nothing without your consent, control and your informed self←

Yes, I’d plaster it on your wall if you ask me.

But let’s dive a little more into the future:

Today, I can log into my Mac without typing my password by wearing my watch. What if websites behaved the same?

That would be a demonstration of a password-less Product Experience Design and I confidently say it is exactly where we are going, disregarding manufacturers.

In conclusion,

After this morning discovery, I’m now feeling much safer and more in control of my personal data. Yet, bear in mind 100% privacy in tech is only theoretical and can never be achieved. Although, rest assured, even 1% can give a lot of trouble to companies with business models you deem harmful and to that effect, a combination of easy to set up means can take you very far. If you can’t hide, you can at least get rid ads or “poison your data” to fight back. For my part I have/use/do the following from most accessible to least:

• Use Safari, it hides my IP as a built-in feature and encrypts my DNS from ISP across all my devices
• Use 3 best free ad-blockers, Ghostery Lite, AdGuard and 1 Blocker (some of this
• Set DuckDuckGo as my default search engine
• Delete apps I don’t use or that I suspect breaching my privacy (incl. social networks and messaging apps for my own sanity, and keeping them would quite defeat the purpose)
• Inform myself about apps that seems harmless like Foodnom. Marketed as the most privacy focused food diary app… so why collect my location data? Your eating habits are an incredible data point to profilers, especially crossed with other data.
• Set up all my devices to lock at the minimum time: if I’m not looking at my screen, nobody else should: They’ll lock within a minute.
• Use a Pi-hole on my network, network-wide ad & tracker blocker based on community-generated black list.
• Plugged my homekit security cameras to smartplugs that turn off when I’m home (homekit in fact does deactivate streaming on a software level but I’d rather have an additional hardware safeguard)

I wish I could use the name of other companies than that of Cupertino but it seems that there’s literally only 1 letter in GAFAM that cares for the user in the whole of the tech world, to the point that the other competitors do shenanigans like these:

1. Their marketing department say they are aligning.. while their engineers confess they made it impossible for the users to hide their location,
2. In a world where concerns to privacy grows, some companies interestingly choose not to talk about privacy *at all* while demo-ing with grandiose their latest software.
3. Others develop a shadow network from wihtin the users home from which users can’t opt out
4. Or litterally troyjan horse you and proudly state they are ditching cookies… but are caught developing an even more invasive trackign tech
5. Last but not least: Microsoft forcing the creation of an online account to use W11 home + a mandatory amazon account if you want to use Android apps. Privacy? anyone? Their excuse: they wish to be the epicentre to your tech-life, we see you coming Microsoft)… It’s always the same thing: if it’s not done with privacy by design, what will it cost?

Disclaimer:

This post, to some of you, may feel like an Apple FanBoy’s verbatim but I did start with a clear factual demonstration and ended with… well, facts that some business models are incompatible with the human basic need for Safety and Reassurance and the human basic right to Privacy, both of which, by design. Furthermore, whilst giving a little of everything when it comes down to privacy, security and awareness in tech, I probably got mixed up in the middle but by design: only as a way to illustrate one of the paths we are walking as we journey towards a password-less world while doing Privacy by Design.

So there you go, now you know, do what you will.

Peace!