If you haven't heard about how Mat Honan's digital life was erased by hackers in less than an hour, you should read his story here. It's chilling. He lost data saved on the Internet (that venerable cloud) and on his iPhone, iPad and MacBook, including irreplaceable pictures of the first year of his daughter's life. He lost control of his Twitter and his email. His accounts and computer were taken out his control and his data was gone without warning.
The prime sources of vulnerability that lead to Honan's hacking were weak security policies at Amazon and Apple (which are supposedly being improved in light of this event). A lot of what happened was beyond Honan's control, which is part of why his story is so terrifying, but even he admits there are things he could have been doing that would have mitigated the damage from this attack. Additionally, the attack on Honan was unusual in its scope and technique; many common risks to personal information are far more preventable.
Below are listed 40 ways to protect your data, your finances and your reputation. It's a long list, and it could easily be longer. I don't expect that you will do all these things. Heck, even I don't always do all these things. But hopefully you already do some of these and will consider adding a few more.
- Use strong passwords. Strong passwords don't use personal information or words from the dictionary. They combine letters, numbers and symbols. They don't use common patterns or repeating characters. I could do a list of 40 attributes of strong passwords, but for now if you want more guidance there is an article and infographic on Lifehacker here.
- Don't re-use passwords on multiple systems or websites.
- Don't write down your passwords even if you think you have a really good hiding place for that Post-It or notebook. This is the item I most wish I didn't have to include on this list, but I know that people still do this and others access their accounts as a result.
- Don't save passwords in a spreadsheet or document on your computer, particularly one called "password list."
- If you need help keep track of all those strong, not-re-used, not written down, not in a file on your computer passwords, consider a password storage solutions such as Password Safe.
- Activate two-step verification on Gmail and any other system for which using authentication beyond just a password is an option.
- Consider alternate answers to security questions. This is a tricky one. Sure, security questions are a weak form of security because most of the answers can be easily researched. On the other hand, if you use a crazy answer (This article includes the example, "My mother's maiden name is 4dAm3Y3fv9nIks." ) you might not be able to remember it, which will prevent you from accessing your account. I'll just say, use answers to security questions that are as obscure as you'll be able to remember.
- Don't have all your password resets go to one email account. You don't want one account being compromised to give access to everything else.
- Do not give out your password. Most legitimate companies will not call or email you to ask for your password as a way to verify your account information. If you think a request may be legitimate, call the company back at a number you know is authentic or go to the web site directly (not using a link in a questionable email).
- Do not click links in suspicious email even if the text matches what you know to be a real website address. Where a link takes you does not have to match the displayed text.
- Don't trust an email just because it came from a friend. Email addresses are easy to spoof. If something seems suspicious verify before opening an attachment, clicking a link or wiring money abroad.
- Use anti-virus software, keep it updated and active. Free options are available, but their scope of protection may be more limited than a paid option. Still, free anti-virus is better than no anti-virus.
- Select auto-updates for software if the feature is offered. Otherwise, apply updates and patches to software and apps as soon as they are available.
- Remove unused software. If it's not there you don't have to update it or worry that someone will exploit a vulnerability in it.
- Remove unused app authorizations from Facebook, Twitter and any other linked accounts.
- Don't send sensitive data such as social security, credit card and bank account numbers via email. Don't ever do this. (Particularly don't do this if the information is being requested by someone in Nigeria who promises you a lot of money for your trouble.) Most email can be read by anyone on the network, and it is easy to filter for data of a specific pattern as those numbers have.
- Don't plug in a flash drive that you found somewhere. This is a clever way that hackers use to get software onto a computer. They leave a flash drive somewhere knowing that the person who finds it is likely to plug it in to a computer either to try to determine the owner or to use it themselves.
- Turn off auto-play/auto-run functions on Windows systems. Instructions for doing this in Windows are here.
- Back-up important and cherished files. Consider using an external hard drive in addition to online "cloud" storage.
- Keep some paper records. I know it seems old fashioned, but it is a good back-up strategy. Print account statements every quarter or at least once a year.
- Print photos. Digital photos are great for many reasons, but files can be deleted or corrupted and hardware can fail. Some online photo printing services even run "penny print" specials. Print 100 prints for a $1, and put them in a box.
- Have a record of important contact information. If your contacts were deleted would you be able to call your mom?
- Enable a screen lock on your smart phone or tablet. Think of all the power you have connected to apps on your phone. Don't give that access to anyone who picks it up.
- Use the "remember my password" option sparingly, if at all. This applies to all devices but particularly mobile ones for the reason mentioned above.
- Consider recovery software that allows you to remotely disable and/or remove data from a device that has been lost or stolen. Of course, without the "Find My Mac" application in place Mat Honan's hackers could not have erased his data, but in most cases this software is a strength not a weakness to your security.
- Don't accept Facebook friend requests from people you don't know even if you have mutual "friends." People do use fake accounts to get access to your information.
- Use lists to limit what access different Facebook friends can see. (This is especially important if you ignore the previous item.)
- Use Google+ circles to control what people can see. That is, if you are actually using Google+.
- Periodically check your Facebook privacy settings. It seems like these are always changing, so you may not be sharing or limiting posts the way you think you are.
- Periodically check privacy settings on any online service. Look for not only how your information is viewable online but also whether your information can be sold to a third-party. Determine whether you are comfortable with a company's policy before you choose to give them your information.
- Avoid posting anything online that you would not want attributed to you. Even when you delete things they usually have been cached somewhere (as demonstrated by the Politiwoops site of deleted tweets from politicians). Even if privacy settings are in place they may change over time or one of your "friends" may decide to take an unflattering screen shot.
- Use credit rather than debit cards online. Although many banks now offer similar protections for debit cards as is legally mandated for credit cards the investigation may take days or weeks. If thieves get your number and drain your bank account you won't get your cash back until the issue is resolved. Similarly, don't link directly to your bank account for payments either.
- Have a credit card with a limited balance to use online. Sure you are protected from fraudulent charges, but more charges will mean more investigation. Unless you plan to spend $20,000 on Amazon you don't need to use a card with a limit that high.
- Don't save credit card information in e-retailers' systems. It's a pain to re-enter your credit card number for every purchase, but thieves can't steal a credit card number that isn't there. At minimum, don't save your credit card data on a site from which you don't purchase things frequently.
- Buy a good shredder and use it for everything.
- Check your credit report. The Fair Credit Reporting Act guarantees that you can do this for free every year, and you don't need to sign up for one of the services that advertise on TV claiming to be free but are not. The truly free site is www.annualcreditreport.com.
- If you have a wireless network at home, require a passcode for access and encrypt it with the strongest security available (currently WPA2). Securing your wireless network not only protects your accounts and data but also prevents others from using your network for illegal activities.
- Limit work on public or unknown networks where others may be able to monitor your work. Use a virtual private network (VPN) if you have access to one.
- Set up Gmail (and other systems with this option) to always use https to avoid others from being able to see your email on the network. Instructions for doing this in Gmail are here.
- Limit work on public or shared computers since keylogging or other monitoring software may be loaded. If you need to use an unknown computer empty the browser cache when you are done. Reset your passwords (from a different computer) as soon as possible.
Is this all a pain in the butt? Yes. Most things that make it harder from someone else to get at your data will make it harder for you too. It comes down to how much you value the confidentiality, integrity and availability of your digital life. My guess is that you probably value it more than your security choices reflect.
What security changes are you going to make?
Sources:I have master's degree in information security policy from Carnegie Mellon University. (You're welcome, Alumni Association.) This may or may not qualify me as an expert, but it does mean I can come up with a list such as the one above out of my own head. Of course, the information had to get into my head from somewhere. I do a lot of reading on the subject of information security and it would be impossible for me to trace back everything I have ever read that may have inspired the above content. I did, however, review some publications specifically for this post. Most are linked above, but I also read a list from Lifehacker here. In addition, I sought feedback from some of my friends who work in the information security field. Thanks to Steven Frank, Josh Hammerstein and Barrett Weisshaar for their input and support.