News about the Marriott / SPG data breach shouldn’t have surprised anyone. Yes, it’s awful when companies fail to adequately protect our data, but it doesn’t do any good to get angry. The thing to do is to protect yourself. Here’s how to protect yourself from data breaches:
- Protect your email accounts
- Get insured
- Lock your virtual doors
- Watch for danger
1. Protect your email accounts
If a thief could gain access to your primary email account, then they would have the keys to your digital kingdom. With access to your email they can search your history for every type of account you have. Financial accounts, digital currency accounts, and rewards accounts all have value. With any one of these it wouldn’t be hard to click the “forgot password” button to have a temporary password sent by email. Then, they’re in, and they can clean you out.
For the above reason, I believe that if you do nothing else to protect yourself, you must do this: protect your email accounts:
- Change your email account password [If you do nothing else, do this]. Ideally you should use a strong password with a mix of characters, numbers, and symbols, but mainly you should make sure that your email password is different from all other passwords you use. If you use the same password on other sites, then there’s a good chance that your password is available to hackers. A good option is to use a password tool like LastPass to generate and protect your passwords.
- Add 2-Step or 2-Factor Authentication. Using a strong password isn’t enough. Given enough information about you, a hacker may be able to click “forgot password” to get into your account. Or, you might accidentally fall prey to a phishing attack where the hacker makes it appear that your email program is asking for your password when in fact it is the hacker waiting to claim that information. 2-Step Verification generally works like this: The first time you try to log into your email from a new device, you’ll have to do more than just enter your password to get in. What the next step is depends upon which 2-factor options you pick and which are supported by your email service. A common (but not very secure) approach is to get a code via text message that you have to enter to get into your email. Since phone accounts can be easily hacked, you’re better off picking a different option. Gmail offers a number of options including voice or text message, Google prompt, Authenticator app, backup codes, and Security Key. The easiest option is to make sure Gmail is installed on your cell phone and use that as your second-factor authentication (choose “Google Prompt” when running your Gmail security checkup).
- Disable voice or text as a 2nd step option [Optional]. Text messages via SMS can be easily hacked. Phone numbers can be hijacked or forwarded without your permission. For these reasons, your phone number is not a great security option. That said, having your phone set up as a 2nd factor is much better than having nothing at all. Still, you might as well protect yourself!
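As an added illustration (not code from the original post or from any email provider), here is a toy Python model of the 2-step flow described above: a password check, a second step demanded only from devices that have not yet passed it, an authenticator-app (TOTP) code with a one-step clock-drift window, and single-use backup codes. The `EmailAccount` class, the device ids and the secret are constructed for the example (the secret is the public RFC 6238 test-vector key, not a real account key).

```python
import base64
import hashlib
import hmac
import secrets
import struct

def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class EmailAccount:
    """Toy model of the 2-step login flow (hypothetical, not any provider's code)."""
    def __init__(self, password: str, totp_secret_b32: str, backup_codes: list):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret_b32
        # Backup codes are single-use; keep only their hashes, as with passwords.
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}
        self.trusted_devices = set()  # devices that already passed the second step

    def login(self, password: str, device_id: str, now: int, second_factor: str = None) -> str:
        """Returns 'ok', 'second_factor_required' or 'denied'."""
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(h, self.pw_hash):
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"  # known device: the password alone is enough
        if second_factor is None:
            return "second_factor_required"  # new device: ask for the second step
        # Authenticator-app code: accept the current step or one step either side (clock drift).
        for drift in (-30, 0, 30):
            if hmac.compare_digest(second_factor, totp(self.totp_secret, now + drift)):
                self.trusted_devices.add(device_id)
                return "ok"
        # Backup code: valid once, then burned so a copied code cannot be replayed.
        code_hash = hashlib.sha256(second_factor.encode()).hexdigest()
        if code_hash in self.backup_hashes:
            self.backup_hashes.discard(code_hash)
            self.trusted_devices.add(device_id)
            return "ok"
        return "denied"

# Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```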
2. Get insured
The free credit monitoring tool, Credit Sesame, offers identity theft insurance for free. Simply sign up for Credit Sesame and you’re covered for up to $50,000.
Credit Sesame’s identity theft insurance covers the following (More info can be found here):
- Fraud or embezzlement
- Theft
- Forgery
- Data breach
- Stolen identity event
- Unauthorized Electronic Fund Transfer
I previously reported that another free service, Civic, offered up to $1 million in protection, but they no longer do.
3. Lock your virtual doors
You can’t make it impossible to get hacked, but you can make it difficult. Each of the following is recommended:
- Set up 2-factor authentication for your email accounts as described above
- Set up strong passwords with all accounts. LastPass is a very well regarded password manager that helps make this possible.
- Set up 2-factor authentication with other accounts that you care about. With these it should now be okay to opt for email as your second factor if you’ve taken the above steps to secure your email.
- Protect your home network. Make sure you have it encrypted and password protected.
- Use a VPN when outside of home or work. This will encrypt all traffic between your device and the internet. I like privateinternetaccess (~$40 per year) but free options exist.
- Consider freezing your credit reports. When seeking new credit, you’ll have to use a PIN to temporarily unfreeze your account. This would make it harder for a hacker to open credit in your name. Freezing and unfreezing accounts is now free via these portals:
4. Watch for danger
Another way to help protect yourself is to proactively watch for evidence of hacking. This way you may be able to take action before the hackers have done too much harm. A number of services can be used to alert you to potential hacks:
- Monitor your credit. Get alerted to any changes to your credit report. This way, if someone tries to open a loan or credit card in your name you’ll know right away. For details about how to monitor all three credit bureaus for free, please see: Equifax Hack Rx: Free credit monitoring.
- Monitor your finances. If someone steals your credit card number or hacks into your bank account and starts spending your money, it would be great to be alerted right away. Mint is a popular (and free) tool that helps you keep track of finances across all of your accounts. Mint can be configured with Spending Alerts so that you’ll know when there are unusual or large transactions.
- Monitor your rewards. If you’re like me, you have airline miles, hotel points, bank points, store rewards, and more across dozens of websites. Many of these have poor security and can be easily hacked. Award Wallet can be used to monitor balances across almost all of these accounts. If you see your account balance unexpectedly drop, you’ll know something went wrong. Unfortunately this won’t give you real time monitoring so it may be too late by the time you discover a breach, but it’s much better than nothing.
- Monitor your info on the internet. Two free services promise to scour the internet for evidence of your private information being traded on risky websites. If you have a Discover card, you can enroll in Discover Card SSN alerts. And if you have a Mastercard, you can enroll in Mastercard ID Theft Protection. Honestly, it seems unlikely to me that these services will really be helpful, but I don’t think it would hurt to sign up for either of them. The Mastercard option has the advantage in that it also offers Emergency Wallet Replacement and Expert Resolution Services.
Wrap Up
It’s impossible to protect yourself from all possible cyber-dangers. Your goal, though, should be to take reasonable precautions. If you do nothing else, turn on two-factor authentication for your primary email address (the one that you use with your financial accounts, for example). Let’s at least make those hackers work for it. And if they meet resistance, maybe they’ll move on in search of lower-hanging fruit…
[…] Greg at Frequent Miler shares something that is increasingly important in today’s world: How to protect yourself from data breaches […]
This advice that everyone proffers regarding using VPN connectivity to enhance data security is complete nonsense.
If you’re accessing unencrypted resources, then traffic to and from your device is still able to be intercepted and read whether you’re using a VPN or not. If services and sites you use aren’t protected with TLS, stop using them until that changes.
Additionally, keep all your devices patched – this protects from multiple types of attack that can expose credentials.
My VPN (PIA) encrypts all traffic by default, from my device to the resource, and vice-versa (https://www.privateinternetaccess.com/pages/vpn-encryption). No connection is 100% safe, but I rely on my VPN when I’m at home to block all traffic from my snooping ISP, and whenever I’m accessing a public hotspot at the airport, hotel or somewhere else, to hide my traffic and protect me. Are you saying that the benefit is limited to only services or sites that use TLS?
I’m also a PIA user – it’s a fantastic service that is provided however there’s a basic limitation that isn’t made clear by most VPN services that is inherent in the way VPN connectivity works.
Traffic is encrypted by the VPN client from your device to the egress point of the VPN provider (in this case, PIA). There is no additional encryption between the egress point out to the internet and the final destination of your traffic – this segment is just as vulnerable as any other to various forms of eavesdropping. Further, if the VPN provider itself were to be compromised, intercepting traffic would be completely trivial.
If you’re connecting to a service or website that is protected with TLS and set up properly, others intercepting your traffic doesn’t actually matter as they’re unable to decrypt the contents of your requests and associated responses.
We shouldn’t have to
My sister and I use LastPass; each has emergency access to the other’s account (I consider this estate planning). But: if I put 2-factor authentication on my email, she won’t be able to validate it, right? We live in different states.
I have LifeLock but which one do you use to Lock your credit? The lock isn’t new to me, old stuff, BUT the PIN is. Keep it simple, post a Link.
They can wipe u out forever.
CHEERs
CD,
I’ve found in practice that the PIN issue is nothing to worry about. If you FREEZE (not LOCK) your accounts, you’ll get a PIN number from each of the credit agencies (write this down or print the page before you leave the screen) that is used by anyone opening an account for you (Chase or Amex for instance).
In practice, you simply login to the account you created, and have the option to unfreeze or unfreeze for a period of time you choose (let’s say 24 hours), at which time it will refreeze your account until next time.
See this page for more information, let’s stay safe out there!!
https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/
I get emails every day looking for me to Click This.
THANKs
Correction:
…that is used by you to unfreeze the account before having anyone opening an account for you (Chase or Amex for instance)…
Yes BUT what’s the LINK ($$) to get Set Up to Lock it, and then they give you the Pin to unlock it and re-lock it.
There is no charge to lock or unlock your files, Congress passed a law in May 2018 forcing the credit bureaus to provide this feature without cost. You can lock and unlock your files as you see fit without cost.