Online data breaches have been big in the news again recently. While many breaches are the result of sloppy behavior by big companies, there is a lot you can do to make your digital life more secure. No, these steps are unlikely to protect you from a determined, skillful hacker specifically targeting you. But if you’re not a politician or a celebrity, following these steps should drastically reduce your personal exposure.
Here are some thoughts on things you can do. They are roughly grouped with the most important and impactful things at the top of the list.
- Place two factor authentication on your email account. What this means is that your email account is protected by more than just your ID and password. With two factor authentication in place, any time you access your account you will be prompted for a second action, such as typing in a code sent to you via text or a mobile app, or confirming your login from a mobile app or an email message. Some accounts only prompt for the second factor when they don’t recognize your device (phone, tablet, computer), so you don’t have to do it EVERY time. Your email is one of your most important digital assets, as it can be used to reset passwords on many other websites or applications. All major email providers have this capability. See how to do it on Gmail, Yahoo Mail and Outlook.com.
- Use two factor authentication on your bank/financial accounts. Right up there with your email account are your bank and financial accounts. Nearly all of them now offer some form of two factor authentication. This is a very high priority to go out and secure.
- Don’t use the same password for different websites or applications. Many people use the same password on multiple sites. That means if your credentials are exposed by one site, every other account that shares that password is at high risk. A password manager (#6 below) can help you generate and track unique passwords.
- Use a PIN on your phone. Most people have lots of sensitive stuff on their phone, from contacts and email to password lists and other personal info. Do you know anyone who hasn’t lost their phone, at least for a few minutes? Locking your phone with a PIN is a slight inconvenience but a pretty easy tradeoff.
- Freeze your credit files with the 3 major credit bureaus. Especially given the major recent breach at Equifax, this is a no-brainer. Freezing your credit report will block any attempt to pull your credit history (the request will get rejected). How often do you need someone to run a credit check? Applying for a loan, opening a new credit card and starting a new job are some common examples. But even these events happen pretty rarely for most people. I froze all my credit reports about 6 years ago and have had to temporarily unlock them 3 times in the last 6 years (at a cost of $10). It boggles my mind that the credit bureaus don’t have this as the default position for everyone.
- Use a password manager. Keeping track of lots of passwords can be difficult (especially if you are following #3 above). There are several reputable password managers on the market. Some store those passwords on your local machine, some store them in the cloud. The cloud option has some risk itself, but all the reputable ones store your passwords with strong encryption so that not even their employees (let alone hackers) can access your passwords. While the cloud has this additional risk, the major benefit is having access to your passwords across your multiple devices (phone, computer, tablet, etc.). Some programs I recommend are LastPass, Dashlane, 1Password, KeePass and Roboform; these and other popular ones are reviewed here. I use LastPass.
- Use two factor auth on other websites/apps that offer it. We covered this for email and financial accounts already; more and more sites/apps are offering this feature, such as Amazon, Facebook, etc. In general, if it is a site/app I use regularly and two factor auth is available, I use it. I’d put any file sharing/cloud storage accounts (e.g. Dropbox, OneDrive) pretty high on this list.
- Use long passwords for more security. If you are using two factor auth, this becomes less critical, but it is still useful. Brute-force password cracking gets more effective every time Intel and Nvidia make faster chips. While most sites now force users to at least 6-8 characters in length, their insistence on upper case letters, special characters and numbers is not nearly as effective as making passwords longer. My standard passwords are 12 characters and my more sensitive ones are 20+. Unfortunately, some sites don’t accept long passwords, in some cases limiting you to 8 or fewer characters. A password manager (#6 above) can help you automate the generation of secure long passwords.
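To make the length-versus-complexity point concrete, here is an added worked example (not from the original post) that computes the entropy of a randomly generated password under each policy and the time to exhaust that keyspace at an assumed 10^10 guesses per second; the guess rate and the policy names are constructed for illustration.

```python
import math
import string

# Assumed guess rate for illustration (constructed, not from the post):
# roughly a well-resourced offline cracking rig against a fast hash.
GUESSES_PER_SECOND = 10**10

# The four character classes a site policy can demand. Only the total
# alphabet size matters for a randomly generated password.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)
FULL_ALPHABET = sum(len(c) for c in CLASSES)  # 94 printable characters

def alphabet_size(password: str) -> int:
    """Size of the union of the classes actually used in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy (bits) of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)

def years_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a keyspace of 2**bits."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)

def compare_policies() -> dict:
    """Entropy for the policies discussed: 8 complex chars vs 12 or 20 chars."""
    policies = {
        "8 chars, all four classes": (8, FULL_ALPHABET),
        "12 lowercase only": (12, 26),
        "12 chars, all four classes": (12, FULL_ALPHABET),
        "20 lowercase only": (20, 26),
    }
    return {name: round(entropy_bits(n, a), 1) for name, (n, a) in policies.items()}

def random_password_strength(password: str) -> float:
    """Upper bound in bits; only valid if the password was generated at random.
    A dictionary word with substitutions ('P@ssw0rd') is far weaker than this."""
    return entropy_bits(len(password), alphabet_size(password))

if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

Twelve lowercase letters already beat eight characters drawn from all four classes, and twenty lowercase letters are out of reach of brute force entirely; the numbers are an upper bound that only holds when the password is generated at random, which is what the password manager in #6 is for.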
- Use OpenDNS at home. OpenDNS (now owned by Cisco) is a simple system that can bring great protection to your home. Parents can block websites from any device on their home network without installing anything. You can configure categories to block (porn, drugs, hate, etc.). It works by replacing your ISP’s DNS service (the thing that translates a web address like bestbuy.com into the location of the server behind it). They have free and premium plans, but the free plan is sufficient for my needs. Check out their webpage for the full setup guide.
- Don’t click on links that are not trusted. If someone sends you an email with a link and it’s at all suspicious, don’t click on it. Even when the link is from someone you know, that person’s email could have been hijacked or spoofed. If you want to investigate the promised $1M payout of that email just in case, use a website that will run a browser for you on their machine, so your machine cannot be infected with anything.
- Set up notifications on purchases of your credit cards. Many credit cards now let you set up alerts for purchases to your mobile device, either through texting or a mobile app. They often allow you to set some parameters on which types of transactions you get notified about (only over a certain dollar limit, card not present (i.e. online), foreign transactions, etc.). I highly recommend you use this feature, as credit card theft, while not as painful as identity theft, is best nipped as early as possible. If your credit card doesn’t offer this, consider switching.
- Use one-time use credit card numbers. While not as common as transaction notification (the previous item), some credit cards let you generate single use virtual account numbers. For online purchases, this lets you enter a credit card number that can only be used once. In the event that the merchant’s data is compromised, the card number will not be useful to the hacker. As a side benefit, this is also useful for “first month free” trial accounts, as the expiration date for the one time use number is often set to the same month; if you forget to cancel your free trial, the following month’s transaction gets rejected. One provider, Privacy, has their entire business model based on this virtual account number, allowing even more configuration such as the ability to allow a virtual number to be reused, but only at the same merchant, etc.
- Don’t use default passwords on home wifi. Most manufacturers of wifi routers have moved away from default user IDs and passwords (e.g. admin/password), but many still have not. You should use a unique password like any other account, especially if you live in a more dense housing community (e.g. city apartments).
- Be careful when using free public wifi. I haven’t encountered it frequently, but it is quite easy for an attacker to set up a free wifi access point and then capture and log the data you send to websites. Whoever runs that access point would then see your user ID and password whenever you log in to a site.
- Encrypt your laptop hard drive. If you use a laptop and ever take it out of your house, encrypt the hard drive. If your laptop is lost or stolen and the hard drive is not encrypted, everything on your laptop is easy to access, even if you have a login password for your laptop. This is because the hard drive can be removed and connected to a different computer, where all the data files can be accessed without a password (unless the individual file is password protected, like with an Excel spreadsheet). Microsoft Windows can encrypt the hard drive using a built-in feature called BitLocker. Macs can be encrypted using FileVault. If you have a Linux laptop, you don’t need advice 🙂
- Educate your children. While all of this may not be applicable to children, once kids become proficient online they become potential weak points in your defense. Many websites advertising cheats or cracks for games online are malware distribution points.
- Home alarm system with notifications and geo-fencing. Modern alarm systems are also internet connected and can be set up to notify you of events (doors opening, glass breaking) independent of whether the alarm is armed. Some even have a function called geofencing that suppresses the notifications if you are home (by knowing the location of your phone). If you have an older alarm system, get it modernized. I actually benefited from this once (intruders in my house) when I was on vacation (because I’m an idiot and forgot to activate the alarm – now my alarm system notifies me if I am more than 50 miles from home and I didn’t arm the system).
- Facebook/social media security. Many people use Facebook and other social media to keep their circles of friends, relatives, and even the rest of the world up to date on what they are doing. I strongly suggest that you set your default Facebook posts to be visible only to your friends, or at worst your friends of friends. When made public, those wonderful vacation photos of your kids on the beach in Aruba are a public broadcast that your home is empty.
- Home security cameras. This is more about the physical world than the digital world, but along with #17 on upgrading your alarm system, consider some home security cameras. They can be integrated with your alarm system or set up independently. If you want to go the DIY route, I like Nest and Blink. Most of these systems allow remote viewing, motion activated recording and notifications. If you are a bit geeky and want more features and control, you can pair any cheap off the shelf IP camera with a great software package called Blue Iris for a lot of flexibility.
- Track your kids. This recommendation may be a bit controversial and is clearly up to you. If your kid is old enough to have a cell phone, he or she can be tracked in real time, as long as their phone is on and connected. There are third-party apps that do this, but there are two very good free solutions: if you are an iPhone family, this can be set up using the family sharing features. If you’re not an iPhone family, or if you are a mixed denomination household (Android and iPhone), you can use the Google Maps app to enable location sharing with each other. I do this with my kids and my kids know that I do it. I suggest you have an open conversation about it, but again, that’s up to you. Especially if you decide to track your spouse 🙂
Do you have more good practices I missed? Leave them in the comments and I’ll update the article with the best ones.