We live in the age of large-scale data breaches. Equifax, Target, Home Depot, LinkedIn: take your pick. Users have become jaded because breaches seem to occur daily, and that jadedness only makes the problem worse. We are all guilty of hearing about a breach and simply looking the other way in the hope that our data wasn’t affected. After all, who am I that a criminal on the other side of the world would want MY personal information? You may not see yourself as important, but that does not make your data unimportant. Identity theft is a festering wound that we would rather ignore than acknowledge and treat. If the 24-hour news cycle has taught us anything, it is that we can no longer rely on companies to protect our personal information, so the responsibility now falls on consumers to protect themselves and their data. That sounds like an impossible feat, but I assure you it is easier than it sounds. Following a few simple steps can vastly increase your protection against bad actors.
The first step is awareness. That means not simply being aware that a breach has occurred, but confirming whether your own data was exposed in it. Sites such as Have I Been Pwned are invaluable for this. You enter your email address and the site returns every breach it knows of that included that address, along with the types of data each breach exposed: usernames, passwords, or other Personally Identifiable Information. Two caveats are worth knowing. The site can only report breaches whose data has actually been loaded into it, so a clean result is not proof that you were never exposed. And its companion Pwned Passwords service lets you check whether a specific password has appeared in a breach without sending the password itself: only the first five characters of the password’s SHA-1 hash leave your machine, and the final match is done locally.
The next step in protecting yourself against data breaches is simple yet often overlooked: an inventory of your user accounts. This seems obvious. After all, you can’t protect something you don’t know exists, right? That is exactly why it is so important to understand which services and apps hold your data, whether because you created an account with them or because you granted some third-party app access to another account, such as Facebook. This article explains how to audit your Facebook account, from managing third-party applications to your public profile permissions. Knowing where your data lives also tells you immediately whether you are affected when a service announces tomorrow that it has been breached.

This is much easier said than done. How does one remember every account and service they signed up for when some were created a decade ago? I would recommend starting by compiling a list of all of your email addresses, then checking whether you can still log in to each of them. If you can’t, contact the email provider and do whatever is needed to regain control, because every account registered under that address can typically be reset through it. Once you control all of your mailboxes, it becomes much easier to work through them (welcome emails, receipts, password-reset notices) and compile a list of the services tied to each address. If any of those accounts or services are no longer in use, delete them. Finally, go into each remaining account and check which email addresses are listed as primary and backup. This is routinely overlooked and poses a major threat: all it takes is an attacker gaining control of an old email address listed as a backup to take over the account that trusts it.
If the backup email listed for your Google account is one that you no longer have access to, REMOVE THE BACKUP EMAIL.
I regret that I even have to mention this, but please, for the love of all things good, don’t use passwords like ‘stuff’, ‘password’, or your first name. Password security is a major problem for individuals and organizations across the world. With high-powered hardware such as GPUs cheaply available, it is trivial for an attacker to brute-force a password of 4 alphanumeric characters (there are fewer than 15 million of them), and short passwords of any kind fall quickly once the attacker has a leaked copy of the hash to attack offline. Another major issue is reusing passwords across services. If you use the same password for all of your accounts, a breach of any one of them hands an attacker the rest: they take the username and password pairs leaked from one site and automatically try them against hundreds of other sites, an attack known as credential stuffing. There are databases out there containing billions of usernames and passwords, and it’s not just the big bad Russian hackers who have access to them. For this reason, I implore you to use a strong, unique password for each of your accounts. I’m not asking you to remember 12 different passwords, each 15 characters long. That’s insane. What I am asking you to do is get a password manager. Password managers are like lock-boxes for your passwords. When you go to log in to one of your accounts, you simply grab that password from the manager and log in. Most of them will also generate strong passwords for new accounts that you create. You never have to remember any of your passwords, except the one for the password manager itself, which should be long, unique, and protected by multi-factor authentication, since it now guards everything else. This lets you use strong, unique passwords across every service you use, greatly reducing the chance that the breach of one account leads to the compromise of the others.
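To make the credential-stuffing point concrete, here is how you can check whether a password has already turned up in a breach without handing the password to anyone. This is an added example written for this article, not code from the original author or from Have I Been Pwned. It uses the public Pwned Passwords range API (only a 5-character hash prefix is sent; the match is done locally), and the sample response embedded in it is constructed so the script runs offline: every suffix and count in it is made up except the first suffix, which is the genuine tail of SHA-1("password").

```python
"""Check whether a password has appeared in a known breach, without sending it anywhere.

Pwned Passwords (part of Have I Been Pwned) exposes a k-anonymity "range" API:
you send only the first 5 hex characters of the password's SHA-1 hash, and the
service returns every hash suffix in that range together with a breach count.
The final comparison happens on your machine, so neither the password nor its
full hash leaves your computer.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response so the example runs offline.
# Real responses look like this ("<35-hex-char suffix>:<count>" per line), but
# every suffix and count below is made up, except that the first suffix is the
# genuine tail of SHA-1("password") so the demo lookup gets a hit.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2\r\n"
    "FFEEDDCCBBAA99887766554433221100ABC:0\r\n"  # padding entry: count 0 means "not really present"
)


def hash_password(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the real range for a 5-char hash prefix. Only the prefix leaves the machine.

    The Add-Padding header asks the service to pad the response with dummy
    count-0 entries so the response size does not hint at which range was requested.
    """
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    `fetch_range` is injectable so the lookup can be exercised offline.
    Padding entries carry count 0, so they naturally read as "not found".
    """
    prefix, suffix = hash_password(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_range(prefix: str) -> str:
    """Offline fetcher returning the constructed sample regardless of prefix."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    # Swap offline_range for fetch_range_online to query the real service.
    for candidate in ("password", "correct horse battery staple 2024"):
        hits = check_password(candidate, fetch_range=offline_range)
        verdict = f"seen {hits} times in breaches, do not use it" if hits else "not found in this range"
        print(f"{candidate!r}: {verdict}")
```

Most password managers run exactly this kind of check for you; the point of seeing it spelled out is that the service never learns which password you asked about, which is why it is safe to use against real passwords.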
The last recommendation I have for securing your online accounts is multi-factor authentication (MFA). The most common form is a one-time code sent to your phone by text message or voice call, which you enter after your password. MFA can also be provided by authenticator apps such as Duo and Google Authenticator, which generate time-based codes on the device itself, or by hardware security keys. With MFA enabled, an attacker who has obtained your password from a breach still cannot log in without also getting hold of the second factor. The factors are not all equal, though: a text-message code can be intercepted by an attacker who talks your carrier into moving your number to their SIM, and any code you type can be captured by a phishing page that relays it to the real site within the code’s short validity window. An authenticator app takes the carrier out of the picture, and a hardware key that answers a challenge bound to the site’s origin resists phishing outright. A limitation of MFA is that the service provider must support it before you can turn it on. I strongly advise enabling MFA wherever it is offered, preferring an app or hardware key over SMS when you have the choice. It is our duty as consumers to demand MFA and other security measures from service providers.
So far, this article has mainly covered ways to protect your online presence. That is a major issue, but I cannot end without mentioning another area in which protection is often misunderstood: your personal identity. In the Equifax breach, well over 100 million Americans had their Social Security Numbers and other sensitive information stolen, giving criminals all over the world the raw material to steal the identities of those affected. Equifax, Experian and others urged people to freeze their credit. What most people do not realize is that a credit freeze does nothing to protect the lines of credit already open in your name; it only stops new ones from being opened, because lenders cannot pull your report while the freeze is in place. Freezing your credit is not a silver bullet that will stop identity theft and credit card fraud in its tracks. If you believe you are a victim, freezing your credit at all three bureaus is a good first course of action. Follow it by enlisting a credit monitoring service, or at the very least regularly reviewing your statements and credit reports, for the lines of credit that already exist.
The world is a scary place and it’s very hard to know what to protect yourself against. As always, being aware and implementing proactive security measures go a long way in securing yourself against malicious actors. I hope that this article was able to illuminate some strategies for protecting your identity both online and off. Cheers!