2015 has been the worst year so far for security breaches. Although the state of online security reminds me of that scene in Office Space where Peter says that every day you see him is the worst day of his life, there’s a few things you can do to protect yourself against getting your data and online identity stolen. If you’re looking for a New Year’s resolution that isn’t “I’m going to buy a gym membership and only go for a week”, try this list (it goes to 11!) on for size.
- Change your passwords, just in case – chances are the password database of some online service that you use has been stolen sometime in 2015. While most companies don’t store the actual password, they do store a password hash (fancy term for encryption, basically) that can sometimes be used to reverse engineer your password. That can take some time on a powerful computer, so even though the breach might have happened 6 months ago and nobody’s hacked into your account yet, that doesn’t mean you are safe. Change your passwords regularly, just like you change the batteries in your smoke detectors.
- Use a password manager – every security boffin will tell you not to use the same password everywhere. The problem with that is that we all probably have at least 3 dozen online accounts. Remembering all those passwords, especially if you change them regularly, just isn’t feasible. That’s where password managers come in. Just remember one master password and the password manager software stores all the rest securely for you. It also fills in your password automatically if you use their browser extension. Don’t use the browser auto-fill for passwords, as those are usually not stored securely.
- Use good passwords – don’t use a password that contains any personal information about yourself, such as your birthday, your dog’s name or your favorite flavor of Ben & Jerry’s ice cream. Using that information makes it easier to break password hashes in the process mentioned in point 1. Good passwords should be long and random (that’s what she said!). If you do take the advice in point 2 and use a password manager, they typically offer a secure random password generator. If not, you can use this website: https://strongpasswordgenerator.com/
- Secure your WiFi – when you plugged in that new wireless router you got for Festivus, you probably didn’t realize that you had to change the password on it. If you don’t then anyone you let on your wifi (or who breaks in) can log in to your router and do whatever they like. While the wireless security might also be on by default, it doesn’t hurt to check and make sure it is using the strongest security setting, which is the WPA2 protocol. To log into your router you generally have to look at the info on the bottom of the device to see how to login and what the default login and password are. Typically you’ll put the IP address of the router into your browser to get started. If the only association you have when I mention IP is a joke about a book called The Yellow River, then find the nerdy kid who lives on your street (the one wearing glasses and a Minecraft shirt) and offer them a $25 Gamestop gift card to come secure your router for you. Remember to notify the kid’s parents first so they don’t think you’re kidnapping him or her.
- Change your PIN to something unpredictable – analysis of debit card PINs shows that over a quarter of them are one of 20 common combinations such as 1234 or 0000. If your PIN is one of the 20 on this list, then go change it right now to something that isn’t on the list. Also, saying “PIN number” is redundant since PIN stands for “Personal identification number”, so stop saying that.
- Freeze your credit – if you get your identity stolen you’ll eventually get it sorted out. The problem is that will take hundreds of hours of your time, and you might not have access to your bank accounts until you get it cleared up. Have you tried living without money lately? It’s not a lot of fun. If you want a story scarier than the Krampus movie, read this. You can regularly check your credit reports for new accounts that you didn’t open, but an ounce of prevention is always best. Call up the credit agencies and freeze your credit. That way nobody, including you, can open new lines of credit without first unfreezing using a secure procedure. It’ll also stop you from impulse buying a new Mustang that you can’t afford. The FTC has a handy guide here.
- Turn on two-factor authentication – two-factor authentication is one of the typical stupid names that techies come up with when naming technology. It should be called something self-explanatory such as “confirm my identity”. What it means is that when you log into an online service, they text you a passcode after you’ve logged in. You have to type in the code they text to your phone to confirm it’s really you. This makes sure that you not only know the password but also have access to your own phone. Two ways of identifying you – that’s what the phrase “two-factor authentication” means in plain English. It’s unlikely that a thief will be able to steal your password and your phone at the same time, which is why this makes things more secure. Good banks and credit unions will have this enabled by default. Some of your online services or banks might not have it turned on by default, which is dumb of them. If that’s the case, go into the settings and turn it on, or call them and ask them to turn it on for you. If your bank or credit union doesn’t offer 2FA (to make the phrase two-factor authentication even more obtuse) then it’s time to switch banking institutions.
- Enable a PIN on your phone – yes it’s annoying. If it bothers you that much, get a phone with a fingerprint reader. If you don’t, then whoever finds your phone after you leave it in the bar at 3am will have your entire life at their fingertips. They can reset all your passwords because they have access to your email. Then they can clean out your bank accounts and leave you with something worse than a hangover the next morning.
- Don’t believe anyone who contacts you – you know that guy who comes up to you at the gas station with an empty gas can and a story about a lost wallet? He’s a con man. Same goes for the person who calls you pretending to be Microsoft or the email pretending to be from Paypal. If someone initiates contact with you then chances are they aren’t who they say they are. If someone calls saying they are from your bank, from the IT department or from Microsoft and starts asking you for credit card numbers, passwords, or to remote into your computer, then hang up on them. The only legitimate call you’ll get from your bank is when their security department calls you in the middle of your holiday shopping spree to verify that you are the one who made those rash purchases. In those cases they’ll tell you what transactions were made with your card and ask you to confirm it was you and not a thief who stole your credit card details.
- Update all your software – most hackers breaking into online systems use known vulnerabilities that have already been patched. They look for computers that haven’t been updated to the latest patches. Run Windows Update to update your operating system and also update any other software you use regularly. That software will generally have a menu option to check for updates under the Help or About drop-down menu. Well-written software will check for updates automatically. A lot of software is not well written.
- Don’t open email attachments – especially from people you don’t know. Even if the email looks like it is from someone you know, it could be that their email account was hacked. If they didn’t tell you previously to expect an email with an attachment, then don’t open it. If you get a suspicious email from a friend or family member, call them up and ask them if they really sent it and why they attached a word document that it’s really, really important that you open right now. Most likely they’ll have no idea what email you are talking about. For a list of other common online and email scams, check out this page.
Wouldn’t it be nice if technology could be used to make all of the above something you don’t have to think about? Maybe in about 20 years this will be the case. In the meantime, it makes sense to spend a few hours protecting yourself now so that you don’t have to spend 100 hours on the phone with banks and creditors sorting out the mess when your identity gets stolen. Stay safe in 2016!