WASHINGTON - They know the risks of the Internet better than anyone, but most cyber experts still shop and bank online - with care. "We operate in the 21st century ... I've got to shop online, I've got to pay my bills online," Brigadier General Paul Nakasone, deputy commander of US Army Cyber Command, said at the Reuters Cybersecurity Summit this week. "You can't really function without it," agreed Nart Villeneuve, researcher at the cybersecurity firm FireEye.
Some actions can leave you wide open for data abuse, like checking into a hotel and handing over a credit card, he said."I guess you could pull up with a money clip but I don't know that you can even do that," he said.
The tricks that the smartest cybersecurity minds use for online safety hygiene are basic: avoid websites that are visibly questionable, don't thoughtlessly click on links or attachments, monitor your account activity regularly and only give away the minimum amount of information.
On passwords, the bulwark of online security, experts also stuck to simple rules: make them complex and change regularly. Some also said they use more secure login processes when available. "I tend to be a bit of a two-factor authentication freak,"said Eddie Schwartz, cyber chief at Verizon, saying he always takes advantage of any extra security steps offered, like confirming his login with a code sent to his cellphone.
Another key to safe online shopping and banking is using Internet connections that are as secure as possible. "I never do it on the road. I never do it from my mobile device," said Michael Hayden, former director of the CIA and the National Security Agency.
While most experts avoid using public wireless Internet connections, some go further. "I have a separate computer and router for financial transactions," said Dan Kaufman, director of information innovation at the Defence Advanced Research Projects Agency (DARPA), the arm of the US Defence Department credited with inventing the Internet.
Kaufman said he searches for potential online purchases on one computer, them moves to a second computer to make the transaction.
Digital Bond CEO Dale Peterson had a similar strategy: a separate computer, "with its own 20-plus character password,"for online banking and payroll purposes.
In a breach revealed in December by US retailer Target Corp., some 40 million credit or debit card records and 70 million other customer records, such as addresses and telephone numbers, were stolen. The perpetrators remain at large.
Several cyber experts said they felt less concerned about the potential to lose credit card data, because of limited liability, but draw the line at online banking and modern conveniences like depositing checks by smartphone. "I'm paranoid about online banking," said Stuart McClure, CEO of security firm Cylance. "I'm a little bit more comfortable now but I hate to do online banking. I hate it. "I used to change my passwords so much that I'd forget them over time. And I never ever put my PIN into anything electronic, only physical devices. And even then, I'm pulling up, looking for skimmers," he said, referring to devices made to secretly swipe card information from ATM machines.
Is total avoidance a solution? "I am not one who says that the answer is to withdraw from the digital world that we live in. I just don't think that's particularly realistic," said Admiral Mike Rodgers, the new director of the NSA. "Let's deal with the world the way it is."