In the first half of this guide on personal digital security, I covered the basics of digital risk assessment and protecting what you can control – your devices. But the physical devices you use represent only a fraction of your overall digital exposure.
According to a report from Aite Group, almost half of American consumers suffered some form of identity theft in the past two years. Losses from these thefts are expected to reach $721.3 billion by 2021, and that counts only the cases where criminals take control of online accounts and abuse them. Other valuable parts of your digital life may not carry a specific monetary risk for you, but they can still have a tangible impact on your privacy, safety, and overall financial health.
Case in point: Last September, an unidentified attacker targeted my Twitter account for a takeover. Even though I had taken various steps to prevent my account from being stolen (including two-factor authentication), the attacker managed to lock me out of logging in (although they were also locked out of the account). It took me several weeks and high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out with a verified Twitter account, this went beyond a mere inconvenience and genuinely disrupted my job.
The attacker found the email address associated with my Twitter account through a breach at a data aggregator, information probably obtained from other applications I had linked to my Twitter account at some point. There was no financial damage, but it made me take a hard look at how I protect my accounts online.
Some of the risks related to your digital life are borne by service providers who are more directly affected by fraud than you are. Credit card companies, for example, have invested heavily in fraud detection because their business relies on mitigating the risk of financial transactions. But other organizations that handle your personally identifiable information (the information that proves to the rest of the digitally connected world that you are you) are an equally important target for cybercrime, and they may not be nearly as good at preventing fraud.
Everything counts in multiple accounts
You can do several things to reduce the risks posed by data breaches and identity fraud. The first is to avoid accidentally exposing the credentials you use with your accounts. A data breach from a service provider is especially dangerous if you haven’t followed best practices on how to configure credentials. These are some of the best practices to keep in mind:
- Use a password manager that generates strong passwords you don’t have to remember. This can be the manager built into your browser of choice, or it can be a standalone application. Using a password manager ensures that you have a different password for each account, so a breach of one account will not spread to others. (Sorry to call out the person who is reusing letmein123! for everything, but it’s time to face the music.)
- When possible, use two-factor or multi-factor authentication (“2FA” or “MFA”). This combines a password with a second temporary code or an approval from somewhere other than your web browser or application session. Two-factor authentication ensures that someone who steals your password cannot use it alone to log in. If possible, don’t use SMS-based 2FA, because it is more prone to interception (more on this in a minute). Applications like Authy, Duo, Google Authenticator, or Microsoft Authenticator can be paired with a wide variety of services to generate temporary 2FA codes or to send “push” notifications to your device so you can approve a login. You can also use a hardware key, such as a Yubico YubiKey, to further separate authentication from your devices.
- Set up a separate email address or email alias for your high-value web accounts, so that all email related to them is segmented from your regular email address. This way, if your primary email address is exposed in a data breach, attackers won’t be able to use that address to try to log into the accounts you care about. Using a separate address for each service also has the added benefit of telling you whether any of those services is selling your personal information; just watch where and when spam starts showing up.
- If you are a US resident, be sure to claim an online account for your Social Security number with the IRS, for access to tax information and other purposes. Much of the rebate and stimulus fraud in recent years has been linked to scammers “claiming” SSN accounts that weren’t already registered with the IRS, and untangling that kind of thing can be painful.
- Sign up for account breach checks, either through the service provided by your browser (Firefox or Chrome) or through Troy Hunt’s haveibeenpwned.com (or both!). Browser services match stored passwords against breach lists using a privacy-preserving protocol, and may also flag risky reused credentials.
- Consider locking your credit reports to reduce the risk of identity theft. Equifax provides an application called Lock and Alert that lets you lock your credit report from all creditors except existing ones, then unlock it from the app before applying for new credit. TransUnion has a similar free app called TrueIdentity. Experian charges $24.99 per month to lock your credit checks, and TransUnion has a “premium” version of its service that locks both TransUnion and Equifax reports on demand for $24.95 per month. In other words, if you want tight control over all your credit reports, you can have it for about $300 a year. (You can, with a few searches, find the free versions of those credit-freezing services: here’s the one from Experian and here is TransUnion’s. But man, those companies really, really want to get a lot of money out of your wallet in exchange for a lot of very dubious “added value”.)
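The breach-check services mentioned above work without ever sending your password anywhere. The following is an added example, not code from the original article: it implements the k-anonymity range lookup that haveibeenpwned.com’s Pwned Passwords API uses. Only the first five hex characters of the password’s SHA-1 hash leave your machine; the service answers with every hash suffix it knows for that prefix, and the comparison happens locally. The range response below is constructed for the example (the counts are invented), and `fake_range_lookup` stands in for the network call so the block runs offline.

```python
import hashlib
import hmac
import urllib.request

# Constructed sample of a range response for the prefix "5BAA6". Each line is
# "<35-hex-char hash suffix>:<number of breach occurrences>". The first suffix
# is the real SHA-1 suffix of the password "password"; the counts and the other
# two suffixes are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00A4DC6AE2A4E2E0F7D2C3D8B7A5E4F3C21:2
FF13AA9A9F5D7C8E1B2A3D4E5F60718293A:17
"""


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def hibp_range_lookup(prefix: str) -> str:
    """Real network lookup (not used by the tests): fetch the range for a
    5-character prefix. 'Add-Padding' asks the service to pad the response so
    its size does not reveal how many real suffixes it contains."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for hibp_range_lookup, backed by the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).
    Only the hash prefix is handed to range_lookup; the suffix match is local
    and uses a constant-time comparison."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(range_lookup(prefix))
    for candidate, n in counts.items():
        if hmac.compare_digest(candidate, suffix):
            return n
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

A hit only means that string has appeared in some breach, not that your specific account was compromised; a miss is not proof of strength, only that the corpus has not seen it. To check a real password, pass `hibp_range_lookup` as `range_lookup` instead of the offline stand-in.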
When 2FA is not enough
Security measures vary. After my Twitter experience, I found that enabling 2FA was not enough to protect my account; there is another setting called “password protection” that prevents unauthenticated password-change requests via email. By submitting a request to reset my password and change the email account associated with it, the attacker got my 2FA disabled and my password reset. Fortunately, the account was frozen after multiple reset requests and the attacker was unable to gain control.
This is an example of a situation where “normal” risk mitigation measures do not stack up. In this case, I was targeted because I had a verified account. You don’t have to be a celebrity to be singled out by an attacker (I certainly don’t consider myself one); you just need some information to leak that makes you a tempting target.
For example, I mentioned earlier that text-based 2FA is easier to bypass than app-based 2FA. One targeted scam that we see frequently in the security world is SIM cloning, where an attacker convinces a mobile phone provider to issue a new SIM card for an existing phone number and uses the new SIM to hijack the number. If you are using SMS-based 2FA, a quick clone of your mobile phone number means that an attacker now receives all of your two-factor codes.
Also, weaknesses in the way SMS messages are routed have been used in the past to send them to places they shouldn’t go. Until earlier this year, some services could hijack text messages, and all that was required was the destination phone number and $16. And there are still flaws in Signaling System 7 (SS7), a key protocol of the telephone network, that can be abused to redirect text messages.