When Sandra Bullock starred in The Net in 1995, identity theft seemed new and unbelievable. But the world has changed. Starting in 2017, nearly 17 million Americans are victims of identity fraud every year.
Identity Theft Is Serious
Identity crimes include scenarios like a hacker who steals your credentials to break into your accounts or assume your financial identity, or someone thousands of miles away from you who runs up charges on your credit card and takes out loans in your name.
If you need something else to keep you awake, the FTC describes identity theft scenarios in which a thief gets a credit card in your name, sends the bill to another address, and (of course) never pays. Or he uses your personal information to steal your tax refund or pretends to be you if he’s arrested.
It can be hard to untangle yourself from identity theft, both legally and financially. And the damage to your credit history can be long-lasting. If there ever was a scenario in which an ounce of prevention is worth a metric ton of cure, this is it.
How Your Identity Can Be Stolen
Unfortunately, your identity is low-hanging fruit, able to be plucked in tons of ways. Offline, criminals steal mail from mailboxes or dumpster dive through trash, both of which might be chock full of credit offers and personal finance information (which is why you should own a shredder). Skimmers connected to gas pumps can capture your credit card info and so can restaurant staff. And recently, a cashier was arrested for stealing 1,300 credit cards he’d memorized.
Online, it’s even more dangerous, but people are increasingly more savvy to the most egregious hacks. Fewer and fewer unsecured retail web sites (those that begin with “http” rather than “https”) conduct transactions, but it’s still something to keep in mind.
This requires ever-more subtle phishing campaigns to trick people into giving up their personal information via credible-looking fraudulent emails. And there’s always a new scam around the corner.
“Another popular scam is through online dating apps,” said Whitney Joy Smith, president of The Smith Investigation Agency. “Scammers look for vulnerable people to build a relationship. After that, they ask for money or get enough personal information to conduct identity fraud.”
And then there are plain old hacks, such as when databases full of personal information are cracked.
How You Can Protect Yourself
“Unless you’re willing to take extraordinary measures, like abandoning all technology and relocating to the Amazon to live with an uncontacted tribe, real privacy is almost impossible to achieve,” lamented Fabian Wosar, chief technology officer at Emsisoft. But Wosar also acknowledged there are reasonable and pragmatic precautions people can take.
Many of these are part of the usual cybersecurity hygiene you’ve heard for years. But to be truly be protected, you need to do these things, and regularly. After all, identity theft is usually a crime of convenience and opportunity, so your goal is to make yourself the smallest target possible.
And while the more precautions you take, the better, the reality is not everyone is going to be ultra-diligent. With that in mind, we’ve separated the precautions you should take into three levels: Common sense (the stuff everyone should be doing), heightened security (for the savvier), and bunker-mentality (for those who are willing to take extreme measures).
Common Sense Precautions
If you’re not doing these things, you might as well stop locking your front door and leave your unlocked car idling in your driveway:
- Use strong passwords: The conventional wisdom is that a strong password is some combination of upper- and lowercase letters, numbers, and special characters. The reality is the longer your password is, the harder it is to crack. XKCD did a good job breaking it down.
- Use a unique password for every site and service: This should go without saying, but it’s still routine to encounter people who re-use passwords. The problem with this is if your credentials are compromised on one site, it’s trivial for hackers to retry those same credentials at thousands of other sites. And according to Verizon, 81 percent of data breaches are possible due to compromised, weak, or re-used passwords.
- Use a password manager: A tool like Dashlane or LastPass is table stakes in the games of online security. According to Dashlane, the average internet user has over 200 digital accounts that require passwords. And the company expects that number to double to 400 within the next five years. It’s pretty impossible to manage that many strong, unique passwords without a tool.
- Beware of public Wi-Fi: Don’t join a free public Wi-Fi network unless you’re certain it’s trustworthy. You could join a network set up exclusively to monitor your traffic. And if you use a public or shared computer (such as to print a boarding pass when you’re on vacation), make sure you don’t allow the browser to remember your credentials—clear the cache when you’re done.
As the saying goes, you don’t have to run faster than the bear; you just have to outrun your buddy. If you implement these security best practices, you’ll be well ahead of the majority of the online population:
- Never use your social media profile to sign in to other sites: When you sign up somewhere new, you often get a “single sign-on” option to log in with your Facebook or Google account. While this is convenient, one data breach exposes you in multiple ways. And “you risk giving the site access to the personal information contained in your sign-on account,” warned Pankaj Srivastava, chief operations officer of the privacy company FigLeaf. It’s always better to sign up with an email address.
- Enable two-factor authentication: This effectively prevents bad actors from using a password reset to take control of your accounts. If you require two factors, they need access not just to your email account, but to your phone, as well. And you can do better than this, too (see the bunker advice below).
- Minimize your social media footprint: Social media is an increasingly dangerous landscape. Also, don’t accept connection or friend requests from anyone you don’t know. Bad actors use that as an opportunity to research a phishing campaign, or she might use you as a jumping-off point to attack your contacts.
- Dial back your social media sharing: “The more you post about yourself, the more a hacker can learn about you,” said Otavio Friere, chief technology officer at SafeGuard Cyber. “And the more effectively you can be targeted.” There might be enough information on your Facebook profile right now (email address, school, hometown, relationship status, occupation, interests, political affiliation, etc.) for a criminal to call your bank, pose as you, and convince a customer service rep. to reset your password. Simon Fogg, a data privacy expert at Termly, said: “As well as avoiding using your full name and date of birth on your profile, consider how all your information connects. Even if you don’t share your home address, your phone number could be used to find it. When combined with geotagged photos, you might be surprised how much of your daily life you’re revealing to strangers, and how vulnerable you have made yourself to threats.”
Into the Bunker
There’s no end to the security precautions you can take—we didn’t even cover using a TOR browser, for example, or making sure your registrar keeps the WHOIS information on your website (if you have one) private. But if you already do everything we mentioned in the previous sections, these remaining precautions should put you in the top one percent of safe internet users:
- Never use your phone number for two-factor authentication: “Phones can be cloned,” said Initial Coin Offering (ICO) consultant, Steve Good. That makes your second factor in two-factor authentication less secure than you might think. Thankfully, it’s easy to set up Google Authenticator or Authy to consolidate all of your two-factor-authentication needs.
- Encrypt your USB flash drives: How do you transfer files between computers? With flash drives, of course. And these devices are often the weak link in your security regimen. If you lose it, anyone can pick it up and read it. You can encrypt individual files, but a better solution is to encrypt the entire device. Kingston offers a family of drives—the DT2000—that range from 8 to 64 GB. They have built-in numeric keypads, and protect your data with hardware-based, full-disk AES, 256-bit data encryption—no software required.
- Use a Virtual Private Network (VPN): When you use this type of network, you connect to the internet (at least somewhat) anonymously. It’s especially useful when you connect to public Wi-Fi, but there could be merit in using it at home, as well. “A VPN disguises your IP address and location,” said Srivastava. “So, it looks like you’re browsing from a completely different location. You could be at a local café in Boston, but others will think you’re browsing from Sydney, Australia, or wherever you’ve chosen to virtually connect from.” However, you might want to look for a VPN that doesn’t maintain logs, as they can identify you and your online activities.
- Monitor yourself: “Periodically reviewing your online presence will help you discover how much of your personal information is public,” said Fogg. It’s easy to create Google alerts for yourself which can help you get a sense of what the internet knows about you.