GUEST ESSAY: What ‘Fight Club’ taught me about protecting my online personas

By Thomas Yohannan

Dissociative identity disorder, AKA multiple personality disorder, is a human condition by which the victim’s personality becomes fragmented into two or more distinctive states.

DID has long been a rich topic for Hollywood screen writers. The movie Fight Club, in which Edward Norton and Brad Pitt portray polar opposite personalities of the main protagonist, is a classic example.

Related podcast: Phil Lieberman calls for resetting the C-suite mindset

DID sufferers subvert themselves in self-contained sets of memories, behaviors, attitudes, even perceived age. This is done so that the victim can insulate certain fragile areas of his or her psyche, and thus is able to function with a sense of security in otherwise threatening environments, psychologically speaking.

It may not be a bad idea to take a DID approach to protecting our digital identities. Why so? Because current password protection practices are no longer working.

Wise fakery

We’ve all had instances where we were asked the name of a favorite pet or model of our first car. These attributes were once effective identifiers. But no longer. Because of pervasive data breaches of major financial, healthcare, media and government organizations, all such personal information is readily for sale in the cyber underground.

If you doubt that, consider the recent breach of credit rating agency Equifax, in which personal data for 147 individuals was pilfered, and the data breach disclosed just last week by Uber, in which the ride-sharing giant lost personal information for 57 million riders and 600,000 drivers. What’s more, any imposter with a bit of time and determination can leverage our propensity to overshare on social media networks, and simply do a bit of digging to triangulate your online persona attributes.

Therefore, creating and using multiple distinctive profiles, that make use of faked attributes, to verify your online identity has actually become a wise thing to do.

Philip Lieberman, President, Lieberman Software, has been giving this advice for years. “Your answers should not be published or available anywhere on social media,” he says. “False, easy to remember answers are the best.”

While you can’t change authentic personal attributes, such as your mother’s maiden name, there is little stopping you from creating fictitious attributes when filling out online forms. Faked attributes cannot be easily triangulated by would-be fraudsters —because you made them up!

Yohannan

The security components of online forms typically ask for identifiers such as the name of a first pet or kindergarten teacher.  This opens the door for you to create your own “Tyler Darden,” the deviant personality played by Brad Pitt in Fight Club.

Tiered-approach

It is your chance to create a fictitious profile and stay a step ahead of malicious actors.  An approach recommended by experts is to do this judiciously to protect very sensitive accounts, and not across the board.

Jason McNew, CEO of Stronghold Security, for instance, recommends a three-tiered framework.  McNew worked for 12 years as the White House Communications Agency at Camp David, for which he was assigned a “Yankee White,” security clearance, one of the highest in the government. Here’s what he suggests:

•For accounts you deem deserve high security, always use a  strong password in combination with second factor of authentication, or 2FA. Google offers a robust 2FA service in which it sends you a single-use numeric code via a text message. For these accounts, make sure that your “security answers” are never anything that is public information or can be gleaned from social media.

•For medium security accounts, use strong passwords at a minimum, and avoid using security answers that are public information (such as your mother’s maiden name or your city of birth).

•Low security accounts are ideal for alternative profiles. Use a strong password to start; then create security questions and answers that are separate and apart from identifying attributes you use to set up your high and medium security accounts. Thus should one of your accounts get breached, the supporting attributes cannot be used to login to other accounts.

Robust protection

Someday, hopefully in the not too distant future, 2FA systems as well as biometric authentication will be used pervasively, and websites that support outdated security practices will be on an endangered species list.

Until then, creating tiered security layers that leverage faked attributes can be an effective workaround. It can  help prevent misuse of your online personas.  Keep in mind, this won’t necessarily be convenient or easy. There are password vaults that can help you. Think of it as a chance to be creative and proactive. Lay out a strategy and a framework that makes sense to you. This can add robust protection to key parts of your digital life.

It turns out that a split personality can be as very good thing — at least online.

About the essayist. Thomas Yohannan is an attorney who specializes in information security, compliance and payments.  He holds a JD degree from the University of Southern California, an MBA from New York University, and a BA from Binghamton Universiy

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone