All the recent news of hacking, identity theft, and security breaches has gotten me really paranoid. If you’re not yet paranoid, read this story about a smart guy who had everything well protected and still got hacked: http://medium.com/p/24eb09e026dd
So I’ve started my own personal security initiative to protect myself from hacking and identity theft. Here’s what I’ve done:
1. YOUR EMAIL IS THE WEAKEST LINK
Your email account is the weak link in all of your online security. Why? Because if a hacker gets into your email, they can go to the website of your bank, your broker, your PayPal, etc., claim they forgot the password, and have a reset link sent to that hacked email address. Then they set a new password, which lets them in and locks you out. Your email account is the gateway to almost everything else you do online.
There are several ways to strengthen that weak link:
A. Use extra security methods on Web sites that provide them. The most common is two-step authentication — if you log in from an unfamiliar IP address, the site texts a number to your cell phone, which you type into their Web page to get access. Paypal lets you do this, as does Gmail, Apple, Facebook, Dropbox, some domain hosts, and many others. Here’s an excellent list of places that allow it: http://twofactorauth.org
If you use Google or Gmail for your email, enable 2-step authentication for EVERY Gmail account. It’s under Settings -> Accounts -> Change Account Settings -> Security -> Password -> 2-step Verification.
Update, June 2016: Even 2-factor authentication can be hacked in some situations. Here’s how a Verizon cell phone was hacked despite 2-factor protection:
To protect against that hack, set up a special password or PIN to be used whenever you make changes to your cell account. The above link offers details for each provider. More info here:
B. Make sure your email password is super secure. For a while I used a 32-character password for email, but since I sometimes have to type it from memory, it was a long, absurd sentence I memorized. But that wasn’t perfect protection: I learned that I’d be better off using a string of randomly generated words. Here’s an article from 2013 that shows how hackers get access to even complicated passwords:
I recently switched to the Diceware passphrase system: you roll dice to pick words from a fixed list, which gives a truly random set of words that makes for an extremely secure password and is still relatively easy to memorize. I recommend a passphrase of at least six words. Here's a rundown of the system: http://world.std.com/~reinhold/diceware.html
An alternative for creating passwords you can memorize is this tool: https://www.xkpasswd.net/c/index.cgi
C. Create a special email address that you only use for a few important Web sites, like your bank and Paypal. Never use it anywhere else. That way, the email address that’s all over the Web — on Facebook and Twitter and everywhere, and is most likely to be hacked — has no connection to your most important sites. If your main email address is ever hacked, it’ll be useless to attack those important sites.
D. Consider Gmail for your secure email addresses. A Gmail address is likely to be more secure than an address on your own custom domain, because mail for a custom domain is only as safe as the registrar and DNS accounts that control the domain (whoever controls those can redirect your mail), and domain hosts are often easier to social-engineer than Google.
2. USE UNIQUE, SECURE PASSWORDS FOR EVERY WEBSITE
I’ve started using 1Password to create and manage 15-20 character passwords for all Web logins. 1Password is just one of several password manager applications which create (and automatically insert) secure passwords. (A friend adds this good twist: if you’re using a password utility, why limit the length of passwords? Create 50 character passwords wherever it’s allowed). Of course, be sure that each password is completely unique to each site; NEVER use the same password in two places!
And don't forget to create a very secure password to protect your password utility itself. Again, consider Diceware http://world.std.com/~reinhold/diceware.html and xkpasswd https://www.xkpasswd.net/c/index.cgi
3. USE FAKE SECURITY-QUESTION ANSWERS.
Many sites ask you to provide answers to security questions if you need to reset your password, questions like your mother’s maiden name or your elementary school. Of course you’ve probably already thought to make up fictional answers to the questions. But why even use real words? I use 1Password to create simple random passwords. I then make a note of the question and random answer in 1Password’s Notes field in that Web site’s record. When I need to answer the security questions, I look them up in 1Password and paste them into the Web page.
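The Diceware advice in section 1.B, the "why limit the length?" twist in section 2 and the random security-question answers in section 3 all rest on the same arithmetic, so here is one worked example that covers all three. The Python below is added here and is not code from this post, from Diceware, or from 1Password; the five-entry word table is a constructed stand-in for the real 7776-word list, and the 94-symbol alphabet (printable ASCII without the space) is an assumption about what a password manager draws from.

```python
import math
import secrets
import string

# A Diceware list has 6**5 == 7776 words, one per five-dice roll "11111".."66666".
WORDLIST_SIZE = 6 ** 5

# Constructed stand-in for the real list (only five of the 7776 rolls are
# present); rolls not in the table are shown as their numeric index so the
# example runs offline. The words are illustrative, not the real entries.
SAMPLE_WORDS = {
    "11111": "abacus",
    "23456": "cactus",
    "34512": "lantern",
    "45123": "quartz",
    "66666": "zephyr",
}

# Printable ASCII minus space: the alphabet a password manager typically uses.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def dice_to_index(roll):
    """Map a five-dice roll such as "41536" to a list index 0..7775 (base 6)."""
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError("a Diceware roll is exactly five digits in 1..6")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_dice():
    """Roll five dice with the OS CSPRNG; secrets.randbelow(6) is unbiased."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(num_words=6, wordlist=SAMPLE_WORDS):
    """Pick num_words words by dice roll and return them as a list."""
    words = []
    for _ in range(num_words):
        roll = roll_dice()
        words.append(wordlist.get(roll, "word#%d" % dice_to_index(roll)))
    return words


def random_string(length, alphabet=SYMBOLS):
    """Uniform random string for a site password or a fake security-question
    answer; secrets.choice picks uniformly, with no modulo bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(num_words, list_size=WORDLIST_SIZE):
    """Each uniformly chosen word adds log2(list_size) bits (about 12.9)."""
    return num_words * math.log2(list_size)


def string_entropy_bits(length, alphabet_size=len(SYMBOLS)):
    """Each uniformly chosen symbol adds log2(alphabet_size) bits (about 6.6)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    words = diceware_passphrase(6)
    print(" ".join(words), "~%.1f bits" % passphrase_entropy_bits(6))
    for n in (15, 20, 50):
        print("%d random chars: %s (~%.0f bits)" % (n, random_string(n), string_entropy_bits(n)))
```

Six Diceware words come to about 77.5 bits, far more than a memorized English sentence of the same character count (ordinary English carries only around a bit of entropy per character), and the words stay memorable because they are ordinary. A 15-character manager-generated password is about 98 bits and a 50-character one about 328 bits, which is why length costs nothing once you never type it. All of these figures assume every pick is uniform: physical dice or `secrets`, never Python's `random` module, whose generator is not designed to resist prediction.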
4. FREEZE YOUR CREDIT ACCOUNTS
Take the steps to freeze your credit file at all three credit reporting agencies: Experian, TransUnion and Equifax. A freeze stops those agencies from releasing your report, so nobody can open credit cards, mortgages, store accounts, etc. in your name without the PIN that's mailed to you when you order the freeze. (Keep those PINs in a secure place, like the secure notes of your password utility.) Freezing will cause you a minor hassle every time you apply for a new credit card or change apartments, but it's far less hassle than having your identity stolen.
Here’s a decent article about the process of the credit freeze: http://bit.ly/1cwF1II
5. DON’T STORE YOUR CC INFO ON WEB SITES
Don’t let Web sites store your credit card info. Some Web sites like Amazon and Apple give you no choice, but almost all others do. Just say no. Both Mac OS X and utilities like 1Password let you automatically paste credit card info into Web pages when needed.
Cybersecurity journalist Nicole Perlroth recommends avoiding self-checkout lanes at stores, since they’re the first to be attacked by hackers. http://www.nytimes.com/times-insider/2014/09/22/how-a-times-cyber-security-reporter-protects-her-data-and-what-you-can-do-to-protect-yours/
6. HIDE YOUR WHOIS LISTINGS
If you own your own domain, go to the domain host’s settings and turn on one of the domain security services like WhoIsGuard, which takes your name, address and phone number off the public WhoIs listings. (Instead, that info is kept by your domain host.) One way hackers use social engineering ( http://en.wikipedia.org/wiki/Social_engineering_(security) ) to gain access to accounts is to show that they know things like your address and phone number. I was shocked to discover that a major, national brokerage only needed a telephone number and birthdate to prove my identity on the telephone.
If you want to go a step further, you can start to contact all the online services that keep information on you. This Reddit thread has a good list: http://bit.ly/Ma8y4a — but as one of the commenters points out, those services only collect information that’s publicly available somewhere, so you’ll never be able to erase all traces; you can only make it a bit harder to dig your info out.
7. USE WPA2 ENCRYPTION ON YOUR WIFI ROUTER.
I'm not convinced that much theft happens by sniffing random home Wi-Fi traffic, but the protection is easy to turn on and doesn't hurt. Turn on WPA2 in your Wi-Fi router (not WEP or the original WPA, both of which are broken) and use a strong passphrase (see above). If you're really paranoid about Wi-Fi sniffing, or you've got extremely sensitive information online, skip Wi-Fi altogether. Plug your computer directly into your router with an Ethernet cable (on portables like the MacBook Air which don't have an Ethernet port, you can buy a $30 Thunderbolt-to-Ethernet adapter).
8. NEVER CLICK A LINK IN AN EMAIL.
Okay, maybe you can click links in emails from friends and family (maybe), but definitely don’t click links in emails from your bank, Paypal, eBay, etc. Be suspicious of all email from big companies and financial institutions, or from strangers in general. It’s getting really hard to tell fake URLs from real ones; fake Web pages can look exactly like the real thing. Instead, switch to your Web browser and type what you know to be the site’s real domain, then drill down from there to where the email was directing you.
9. PREPARE INFO ON WHAT TO DO IF YOU’VE BEEN HACKED
If all your precautions didn’t prevent you from being hacked, you can at least try to minimize the damage. Take a few minutes now to gather all the info on how to contact Paypal, your banks, and all other important accounts when you suspect fraud. Here are a few links to get you started:
Paypal has a good page on the steps you should take if you find that someone has stolen your personal information: https://www.paypal.com/us/webapps/mpp/security/report-identity-theft.
Banks usually have a page with contact info if you suspect a fraudulent email or find you’ve been hacked.
How to contact eBay if your account has been hijacked: http://bit.ly/Nr0UTH
As far as I can tell, it’s impossible to contact Google for help if your account has been hijacked, but they do offer a series of instructions for how to recover a hacked account: http://gmailaccountrecovery.blogspot.com/#security
Update, June 2016: This FTC site will lead you through the steps to take after you’ve been the victim of identity theft: https://identitytheft.gov/
That was a lot of dense text, so here are
1.A. Set up two-step authentication on all accounts that provide it.
B. Use Diceware to create secure passwords for all your email accounts.
C. Create a unique email address for your most valuable log-ins.
2. Use a good password utility to create unique, strong passwords for every site you visit.
3. Create fake security-question answers.
4. Freeze your accounts with all three credit agencies.
5. Don’t let Web sites store your credit card info.
6. Hide your WhoIs listings if you own your own domains.
7. Set up WPA2 encryption on your Wi-Fi router.
8. Never click links in email.
9. Prepare ahead of time for identity theft or hacking.