reader comments
47 with 41 posters participating
View more stories
In the first half of this guide to personal digital security, I covered the basics of assessing digital risks and protecting what you can control: your devices. But the physical devices you use represent only a fraction of your overall digital exposure.
According to a report by Aite Group, nearly half of US consumers experienced some form of identity theft over the last two years. Losses from these thefts are expected to reach $721.3 billion for 2021—and that’s only counting cases where criminals take over and abuse online accounts. Other valuable parts of your digital life may not carry specific monetary risks to you but could still have a tangible impact on your privacy, safety, and overall financial health.
Case in point: last September, my Twitter account was targeted for takeover by an unidentified attacker. Even though I had taken multiple measures to prevent the theft of my account (including two-factor authentication), the attacker made it impossible for me to log in (though they were locked out of the account as well). It took several weeks and some high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out about things with a verified Twitter account, this went beyond inconvenience and was really screwing with my job.
The attacker found the email address associated with my Twitter account through a breach at a data aggregator—information probably gleaned from other applications that I had linked to my Twitter account at some point. No financial damage was done, but it made me take a long, hard look at how I protect online accounts.
Some of the risk tied to your digital life is taken on by service providers who are more directly impacted by fraud than you. Credit card companies, for example, have invested heavily in fraud detection because their business is built on mitigating the risk of financial transactions. But other organizations that handle your personal identifying information—information that proves you are you to the rest of the digitally connected world—are just as big a target for cyber crime but may not be as good at preventing fraud.
Authy, Duo, Google Authenticator, or Microsoft Authenticator can be paired with a wide variety of services to generate 2FA temporary passwords or to send “push” notifications to your device so that you can approve a login. You can also use a hardware key, such as a Yubico YubiKey, to further segment authentication from your devices.
- Set up a separate email address or email alias for your high-value web accounts so that all email regarding them is segmented off from your usual email address. This way, if your primary email address is caught up in a data leak, attackers won’t be able to use that address to try to log in to accounts you care about. Using separate addresses for each service also has the side benefit of letting you know if any of those services are selling your personal information—just look at where and when spam starts showing up.
- If you’re a US resident, make sure to claim an account for your Social Security number from the IRS for tax information access and other purposes. Much of the refund and stimulus fraud over the past few years has been related to scammers “claiming” accounts for SSNs that were unregistered with the IRS, and untangling that sort of thing can be painful.
- Register for account breach checkups, either through the service provided through your browser (Firefox or Chrome) or through Troy Hunt’s haveIbeenpwned.com (or both!). The browser services will check stored passwords against breach lists using a secure protocol, and they can also point out risky reused credentials.
- Consider locking your credit reports to reduce identity theft risks. Equifax provides an app called Lock & Alert that allows you to lock your credit report from all but existing creditors, then unlock it from the app before you apply for new credit. TransUnion has a similar free app called TrueIdentity. Experian charges $24.99 a month to lock your credit checks, and TransUnion has a “premium” version of its service that locks both TransUnion and Equifax reports on demand for $24.95 a month. In other words, if you want to have tight control over all your credit reports, you can do it for $300 a year. (You can, with some searching, find the free versions of those credit freeze services—here’s Experian’s and here’s TransUnion’s—but man, those companies really, really want to lift a giant pile of money out of your wallet in exchange for a bunch of highly dubious “value-adds.”)
and a code generated by your phone.”>
This is an example of a situation where “normal” risk mitigation measures don’t stack up. In this case, I was targeted because I had a verified account. You don’t necessarily have to be a celebrity to be targeted by an attacker (I certainly don’t think of myself as one)—you just need to have some information leaked that makes you a tempting target.
For example, earlier I mentioned that 2FA based on text messages is easier to bypass than app-based 2FA. One targeted scam we see frequently in the security world is SIM cloning—where an attacker convinces a mobile provider to send a new SIM card for an existing phone number and uses the new SIM to hijack the number. If you’re using SMS-based 2FA, a quick clone of your mobile number means that an attacker now receives all your two-factor codes.
Additionally, weaknesses in the way SMS messages are routed have been used in the past to send them to places they shouldn’t go. Until earlier this year, some services could hijack text messages, and all that was required was the destination phone number and $16. And there are still flaws in Signaling System 7 (SS7), a key telephone network protocol, that can result in text message rerouting if abused.