Data Breaches and Protecting Yourself
This story was first published in 2011. It's worth re-reading in the wake of the massive password-data breaches this week at Target.
The two massive data thefts disclosed in April 2011 by Epsilon, which handles customer data for hundreds of large corporations, and Sony, which operates global gaming networks, involved the personal information of more than 100 million people.
That's more than 100 million people suddenly at greater risk of identity theft, suddenly more likely to become the targets of "spear phishing" emails that deceive by pretending to know you.
Yet those data breaches made headlines only because of their size. As security expert Bruce Schneier pointed out in an interview with the video-game blog Kotaku, network data breaches happen all the time, quietly affecting millions more people.
"No networks are really secure," Schneier said. "People have to come to grips with that."
To take a pessimistic but clear-headed view, companies and other organizations operating online can't be relied upon to guard your information. They may never be, no matter how often they ask for it.
Data breaches will happen. Your name, address and email address will probably get out there eventually, providing fodder for identity thieves and other online criminals.
Instead, you have to rely on yourself. The best way to avoid becoming a victim of data breaches is to minimize the amount of actual personal information you put online — sometimes by using the old-fashioned tactics of evasion, diversion and lying.
Here are a few tricks to help keep you as anonymous online as possible.
Use disposable email addresses.
Set aside one email address for communicating with friends and family only. Create another one for mailing lists, product giveaways and other online services.
Some people even use a third for social networking sites. You could even use a new one every time you sign up for something.
"I can see two positive effects in using a different email address for each service you subscribe to," said Guillaume Lovet, senior manager of the threat response team at Fortinet, a Sunnyvale, Calif.-based security company.
"One, if you receive spam or scams on one of your mail accounts, you can immediately deduce that the service you subscribed to with this address either got compromised or unethically sold your info to spammers," Lovet said. "You can then take relevant action, like closing your subscription."
"Two, if cybercriminals compromise one of your email accounts, they will only be able to compromise the sole service you used it to subscribe to (via the 'email me my forgotten password' ubiquitous feature)."
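Lovet's first point, that a per-service address tells you which service leaked or sold it, is easy to automate. The following is an added example, not code from the article or from Fortinet. It assumes a mailbox that supports "plus addressing" (alice+tag@example.com); the alias book, the service names and the sample messages are all constructed for illustration.

```python
"""Per-service email aliases and breach attribution (added example)."""
import re
from collections import Counter

OWNER = "alice"          # constructed mailbox owner
DOMAIN = "example.com"   # constructed mailbox domain

# Which alias was handed to which service. In practice this is the record you
# keep when you sign up; here it is constructed.
ALIAS_BOOK = {
    "alice+shop-a@example.com": "shop-a.example",
    "alice+newsletter-b@example.com": "newsletter-b.example",
    "alice+forum-c@example.com": "forum-c.example",
}

# local part, optional +tag, domain
ADDR_RE = re.compile(r"^(?P<local>[^@+]+)(\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")

def make_alias(service):
    """Derive a fresh, service-specific alias from a service name."""
    tag = re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")
    return f"{OWNER}+{tag}@{DOMAIN}"

def service_for(address):
    """Map a recipient address back to the service it was issued to.
    Returns None for the bare personal address or an alias never issued."""
    m = ADDR_RE.match(address.strip().lower())
    if not m or m.group("domain") != DOMAIN or m.group("local") != OWNER:
        return None
    if not m.group("tag"):
        return None
    return ALIAS_BOOK.get(f"{OWNER}+{m.group('tag')}@{DOMAIN}")

def attribute_leaks(messages):
    """Count, per service, messages to its alias from a sender outside that
    service's own domain. A non-zero count means the alias has escaped."""
    leaks = Counter()
    for to, sender in messages:
        svc = service_for(to)
        if svc is None:
            continue
        sender_domain = sender.split("@")[-1].lower()
        if sender_domain != svc:
            leaks[svc] += 1
    return leaks

# Constructed sample traffic: (recipient, sender)
SAMPLE_MAIL = [
    ("alice+shop-a@example.com", "orders@shop-a.example"),            # legitimate
    ("alice+shop-a@example.com", "win@prizes.invalid"),                # spam to shop-a alias
    ("alice+shop-a@example.com", "verify@paypa1.invalid"),             # phish to shop-a alias
    ("Alice+Newsletter-B@Example.com", "weekly@newsletter-b.example"), # legitimate, odd casing
    ("alice+forum-c@example.com", "admin@forum-c.example"),            # legitimate
    ("alice@example.com", "mom@family.invalid"),                       # personal address, ignored
    ("alice+unknown@example.com", "x@y.invalid"),                      # alias never issued, ignored
]

if __name__ == "__main__":
    for svc, n in attribute_leaks(SAMPLE_MAIL).most_common():
        print(f"{svc}: {n} unexpected message(s); this alias has leaked or been sold")
```

Only the shop-a alias attracts mail from outside its service in the sample, so that is the subscription to close or the service to ask questions of. Matching is case-insensitive because mail domains are, and the bare personal address is deliberately ignored: it should never have been given to any service in the first place.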
Use disposable credit-card numbers if possible.
Some banks and issuers, such as Bank of America, Citi and Discover, offer disposable credit-card numbers to their customers. You can go to their websites and generate a new, one-time credit-card number on the fly — one that's useless to data thieves.
(Never use a debit card online, since that money is deducted straight from your account and you have only 48 hours to notify the bank in case of fraud.)
Use a new password for every account.
Yes, it's hard to remember the password for each account, but it isn't safe to let your browser do it for you. If your computer is compromised, the passwords are readily available and your accounts can be hijacked.
Some, but not all, Web browsers allow you to encrypt your passwords and create a master password for the "vault."
You'll be better off signing up for one of the many free or inexpensive password-management services that do this better.
Catalin Cosoi, head of Romania-based BitDefender's online threats lab, adds that it's not enough to just have a different password for any account.
"It must be an un-guessable password," Cosoi said. "If you use 'facebook_password' for your Facebook account or 'twitter_password' for your Twitter account, that's not protection.
"As advice, think of a proposition, something like: 'I'm the smartest person on this planet.' Then pick only the first letters: 'ITSPOTP.' Then replace 'O' with 0 (zero) and you get 'ITSP0TP.' It's easy to remember. And you can easily add other characters in there to make it even more complicated."
Don't provide any nonessential personal information.
No one really needs to know your mother's maiden name or your place of birth. You may need to give the right year of your birth to ensure you are of legal age, but fudge a little on the month and the day.
This includes information you provide to social networking sites. It's very easy for thieves to "scrub" Facebook or MySpace in order to steal your identity.
If, when setting up an online account, you're asked to create "identity challenge" questions such as "What was your mother's maiden name?", then make things up.
Tell them, for example, that your mother's maiden name was "Michael Jackson," that you grew up at 1313 Mockingbird Lane, and that your first pet's name was "Cujo."
It doesn't matter if that's not true. What matters is that you know the answers — and that identity thieves don't.
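The two pieces of advice above, a unique password for every account kept behind a master password and made-up answers to "identity challenge" questions, fit in the same place: a vault that only the master password opens. The following is an added example, not the article's code and not any password manager's. It uses only the Python standard library, which has no AES, so the encryption is an HMAC-SHA256 keystream in counter mode with a separate HMAC tag; that construction is a teaching stand-in for a real authenticated cipher such as AES-GCM. The account names, the made-up answers and the master password are constructed.

```python
"""Minimal master-password vault with unique random per-account passwords (added example)."""
import hashlib, hmac, json, os, secrets, string

PBKDF2_ROUNDS = 200_000   # slows brute force of the master password
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

def new_password(length=20):
    """A fresh random password; generated once per account, never reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def derive_keys(master, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode; stand-in for a real stream/AEAD cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def seal(master, entries):
    """Serialize the entries, encrypt them, then MAC salt+nonce+ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plain = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def open_vault(master, blob):
    """Check the tag before decrypting; a wrong master password or a
    modified blob raises ValueError instead of yielding garbage."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong master password or vault tampered with")
    plain = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)

def build_demo_vault(master):
    """Constructed sample: one random password per account, plus the
    made-up security answers the article recommends, stored alongside."""
    entries = {
        "shop-a.example": {"password": new_password(),
                           "mother_maiden_name": "Michael Jackson"},
        "forum-c.example": {"password": new_password(),
                            "first_pet": "Cujo"},
    }
    return entries, seal(master, entries)

if __name__ == "__main__":
    entries, blob = build_demo_vault("demo-master-pass")
    print("round trip ok:", open_vault("demo-master-pass", blob) == entries)
    try:
        open_vault("wrong-master", blob)
    except ValueError as e:
        print("rejected:", e)
```

Two design points carry over to any real manager. The master password is stretched with PBKDF2 and a random salt, so a stolen vault file costs an attacker a slow guess per candidate rather than a hash lookup, and the tag is verified before anything is decrypted, so a wrong master password or a bit flip in the file is reported rather than silently producing wrong passwords. Real managers use a vetted authenticated cipher in place of the HMAC keystream shown here.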
Never give out your Social Security number.
Don't tell anyone except your employer, your spouse and your accountant your Social Security number, or any other personally identifiable number. No business requires such information for typical transactions.
"Such info pieces are often used as security questions by various services, in case you lost your password, and sometimes even as identification elements on the phone (with your bank, for instance)," Lovet said. "Thus you don't want these data pieces to sit in a vendor database that can be compromised by cybercriminals who may use them afterwards for stealing your identity."
You may still have to give out your address.
Some companies will verify credit cards by matching them with names and addresses, and in those cases, you'll have to use your real one.
If you're buying things online, you'll probably want to use your real address — unless you take the time and expense to rent a P.O. box.
In the end, always be vigilant.
"If you install an app that requires permissions (like a Facebook app or an Android app), think a little: Why would a game need to access the SMS service or the ability to call other people?" Cosoi said. "There are several apps out there that don't do much in the foreground, but in the background they are just sending away information about you, like your contacts, private info and your emails and so on."