We discussed how to understand hackers in part 1 and phishing emails in part 2. Now we discuss managing your personal information.
Managing your personal information is an important but often overlooked aspect of security. Unfortunately, many organizations use personal information to establish identity. As a result, details about us that weren't designed to be secure, like birthdates and Social Security numbers, need to be guarded as confidential. An attacker doesn't necessarily need to know your passwords; if they have enough information about your life, they can still steal from you. Electronic theft isn't a distant threat: I'm aware of my information being compromised six times in the past two years. Half of the incidents were data breaches at organizations with which I communicate primarily in person, rather than on the internet; they had received my information on pieces of paper, not electronically. Even if you avoid technology, you are still at risk.
While it's possible to glean a lot of information about a specific person from public records, doing so is slow and expensive. Hackers would much rather go after large databases containing personal information about many individuals: it's more efficient than researching each person individually. They can then sell the information en masse to identity thieves and rival governments.
You can't completely protect your information: you need to provide it to numerous organizations just to receive basic services and citizenship. However, you can monitor how organizations handle your information and break ties with those that are careless. You can also quarantine certain communication channels if they are ever compromised, thereby limiting what hackers can gain from using your information.
The first step is to develop a secure mentality. Assume that every organization you give any of your information to will be compromised. You don't know when it will happen or who will do it, but, at some point, everything is going to get hacked. The more information an organization asks of you, the more likely it is that they will be targeted. You should also assume that you will not be informed when this compromise occurs. History shows that companies usually only acknowledge a breach when the occurrence has already been publicized by security researchers, affected customers, or the hackers themselves. Even then, by the time you hear about it, you could already be a victim. Most incidents go unacknowledged, often even undetected. What are you okay with hackers knowing about you?
Create a database detailing who has your information; this could be as simple as a physical, pencil-and-paper notebook. Every time you give out personal details, add an entry to your database along with the applicable privacy policy. Websites tend to have the clearest privacy policies. Sadly, most organizations to which you give your information in person won't have strict policies governing their use of your information. For example, schools and government organizations love to hand out personal details to their friends; they rarely keep any record of where your information goes.
Using the same database, look to see what information you can vary between information handlers. For example, it's easy to use a different password for every website on which you have an account. Good password managers will let you store additional information—not just usernames and passwords—so you can use a secure password manager to store your entire database along with the unique passwords. You can also configure wildcard email addresses such that [email protected] forwards to your inbox. This will allow you to give every website a unique email address. If you start receiving spam, you'll be able to tell from the "To" field which information handler either lost or sold your information. Depending on your assessment of the situation, you can then take action by changing passwords, blocking email to that specific address, or replacing your credit card. It's important to note that these tricks might not work if you use predictable patterns; for example, [email protected] would not be a suitable unique email for NamePros because an attacker could guess your email address for other sites. The same goes for passwords. Unique fields should be randomly generated so it's difficult for someone to frame the wrong organization or derive your details for other websites. The recommended approach to this is to use a password manager, which can seem a little inconvenient at first. However, they save a lot of hassle and have the potential to significantly increase your security when used properly.
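The per-handler ledger and random aliases described above, sketched in Python as an added example (not code from the original article). The catch-all domain `example.com`, the `AliasLedger` class, its field names, and the sample handlers and message are assumptions made for illustration.

```python
import secrets
from email import message_from_string
from email.utils import getaddresses

class AliasLedger:
    """Record of which handler received which random address (all names are illustrative)."""

    def __init__(self, domain="example.com"):  # assumption: a catch-all domain you control
        self.domain = domain
        self.entries = {}  # random local part -> record for one information handler

    def issue(self, handler, shared, policy=""):
        """Create an unguessable alias for one handler and log what it was given."""
        local = secrets.token_hex(6)  # 48 random bits; reveals nothing about the handler
        while local in self.entries:
            local = secrets.token_hex(6)
        self.entries[local] = {"handler": handler, "shared": list(shared),
                               "policy": policy, "blocked": False}
        return f"{local}@{self.domain}"

    def _lookup(self, address):
        local, _, domain = address.lower().rpartition("@")
        return self.entries.get(local) if domain == self.domain else None

    def attribute(self, raw_message):
        """Name the handlers whose aliases appear in a message's recipient headers."""
        msg = message_from_string(raw_message)
        fields = msg.get_all("To", []) + msg.get_all("Cc", [])
        found = [self._lookup(addr) for _, addr in getaddresses(fields)]
        return [rec["handler"] for rec in found if rec]

    def quarantine(self, handler):
        """Stop accepting mail on every alias given to a handler that leaked."""
        for rec in self.entries.values():
            if rec["handler"] == handler:
                rec["blocked"] = True

    def accepts(self, address):
        rec = self._lookup(address)
        return bool(rec) and not rec["blocked"]

def demo():
    ledger = AliasLedger()
    forum = ledger.issue("NamePros", ["email", "password"])
    bank = ledger.issue("Example Bank", ["email", "birthdate"])  # constructed handler
    spam = f"From: offers@spam.invalid\nTo: {forum}\nSubject: Deal\n\nBuy now"  # constructed
    leaked = ledger.attribute(spam)
    for handler in leaked:
        ledger.quarantine(handler)
    return leaked, ledger.accepts(forum), ledger.accepts(bank)
```

Because the local part comes from `secrets` rather than the site's name, knowing one alias tells nobody what address you gave to any other handler.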
Credit monitoring is another easy safeguard. If someone is creating new accounts in your name, often the first sign of a problem will be an unexpected credit score decrease. You'll see a slight decrease as soon as someone attempts to open a line of credit, even before they accumulate any debt. Credit monitoring services directly from the four credit bureaus will provide details about why your credit score has changed; keep a close lookout for any unexpected credit checks, as those will be the first decreases that you'll see. Additionally, credit monitoring services usually come with identity theft insurance, which can save a lot of headaches if you're ever targeted.
As a fallback, it's always a good idea to keep up-to-date with the latest security breaches. A quick web search reveals sites such as Privacy Rights Clearinghouse that document publicly disclosed breaches and similar hiccups. Take what you read with a grain of salt, though: many articles written about security breaches are inaccurate. This stems from the technical nature of the topic; reporters rarely understand the concepts they're discussing and incorrectly paraphrase what they're told, changing the meaning of the content in the process.
Your information is valuable. The more carefully you manage your personal information, the less likely you are to be targeted, and the easier it will be to recover if the worst should occur. It only takes a few minutes each day to maintain your records and monitor for problems. As the threat of electronic theft continues to increase, you'll be ahead of the game and prepared for the inevitable.