News about the Marriott / SPG data breach shouldn’t have surprised anyone. Yes, it’s awful when companies fail to adequately protect our data, but it doesn’t do any good to get angry. The thing to do is to protect yourself. Here’s how to protect yourself from data breaches:
- Protect your email accounts
- Get insured
- Lock your virtual doors
- Watch for danger
1. Protect your email accounts
If a thief could gain access to your primary email account, then they would have the keys to your digital kingdom. With access to your email they can search your history for every type of account you have. Financial accounts, digital currency accounts, rewards accounts all have value. With any one of these it wouldn’t be hard to click the “forgot password” button to have a temporary password sent by email. Then, they’re in, and they can clean you out.
For the above reason, I believe that if you do nothing else, you must protect your email accounts:
- Change your email account password [If you do nothing else, do this]. Ideally you should use a strong password with a mix of characters, numbers, and symbols, but mainly you should make sure that your email password is different from all other passwords you use. If you use the same password on other sites, then there’s a good chance that your password is available to hackers. A good option is to use a password tool like LastPass to generate and protect your passwords.
- Add 2-Step or 2-Factor Authentication. Using a strong password isn’t enough. Given enough information about you, a hacker may be able to click “forgot password” to get into your account. Or, you might accidentally fall prey to a phishing attack where the hacker makes it appear that your email program is asking for your password when in fact it is the hacker waiting to claim that information.
  2-Step Verification generally works like this: The first time you try to log into your email from a new device, you’ll have to do more than just enter your password to get in. What the next step is depends upon which 2-factor options you pick and which are supported by your email service. A common (but not very secure) approach is to get a code via text message that you have to enter to get into your email. Since phone accounts can be easily hacked, you’re better off picking a different option.
  Gmail offers a number of options including Voice or text message, Google prompt, Authenticator app, Backup codes, and Security Key. The easiest option is to make sure Gmail is installed on your cell phone and use that as your second-factor authentication (choose “Google Prompt” when running your Gmail security checkup).
- Disable voice or text as a 2nd step option [Optional]. Text messages via SMS can be easily hacked. Phone numbers can be hijacked or forwarded without your permission. For these reasons, your phone number is not a great security option. That said, having your phone set up for a 2nd factor is much better than having nothing at all. Still, you might as well protect yourself!
2. Get insured
The free credit monitoring tool, Credit Sesame, offers identity theft insurance for free. Simply sign up for Credit Sesame and you’re covered for up to $50,000.
Credit Sesame’s identity theft insurance covers the following (More info can be found here):
- Fraud or embezzlement
- Data breach
- Stolen identity event
- Unauthorized Electronic Fund Transfer
I previously reported that another free service, Civic, offered up to $1 million in protection, but they no longer do.
3. Lock your virtual doors
You can’t make it impossible to get hacked, but you can make it difficult. Each of the following is recommended:
- Set up 2-factor authentication for your email accounts as described above
- Set up strong passwords with all accounts. LastPass is a very well regarded password manager that helps make this possible.
- Set up 2-factor authentication with other accounts that you care about. With these it should now be okay to opt for email as your second factor if you’ve taken the above steps to secure your email.
- Protect your home network. Make sure you have it encrypted and password protected.
- Use a VPN when outside of home or work. This will encrypt all traffic between your device and the internet. I like privateinternetaccess (~$40 per year) but free options exist.
- Consider freezing your credit reports. When seeking new credit, you’ll have to use a PIN to temporarily unfreeze your account. This would make it harder for a hacker to open credit in your name. Freezing and unfreezing accounts is now free via these portals:
4. Watch for danger
Another way to help protect yourself is to proactively watch for evidence of hacking. This way you may be able to take action before the hackers have done too much harm. A number of services can be used to alert you to potential hacks:
- Monitor your credit. Get alerted to any changes to your credit report. This way, if someone tries to open a loan or credit card in your name you’ll know right away. For details about how to monitor all three credit bureaus for free, please see: Equifax Hack Rx: Free credit monitoring.
- Monitor your finances. If someone steals your credit card number or hacks into your bank account and starts spending your money, it would be great to be alerted right away. Mint is a popular (and free) tool that helps you keep track of finances across all of your accounts. Mint can be configured with Spending Alerts so that you’ll know when there are unusual or large transactions.
- Monitor your rewards. If you’re like me, you have airline miles, hotel points, bank points, store rewards, and more across dozens of websites. Many of these have poor security and can be easily hacked. Award Wallet can be used to monitor balances across almost all of these accounts. If you see your account balance unexpectedly drop, you’ll know something went wrong. Unfortunately this won’t give you real time monitoring so it may be too late by the time you discover a breach, but it’s much better than nothing.
- Monitor your info on the internet. Two free services promise to scour the internet for evidence of your private information being traded on risky websites. If you have a Discover card, you can enroll in Discover Card SSN alerts. And if you have a Mastercard, you can enroll in Mastercard ID Theft Protection. Honestly, it seems unlikely to me that these services will really be helpful, but I don’t think it would hurt to sign up for either of them. The Mastercard option has the advantage in that it also offers Emergency Wallet Replacement and Expert Resolution Services.
It’s impossible to protect yourself from all possible cyber-dangers. Your goal, though, should be to take reasonable precautions. If you do nothing else, turn on two-factor authentication for your primary email address (the one that you use with your financial accounts, for example). Let’s at least make those hackers work for it. And if they meet resistance, maybe they’ll move on in search of lower-hanging fruit…