On August 3rd, 2012, a tech writer for Wired’s “Gadget Lab,” Mat Honan, was the victim of identity theft. His iPhone, iPad and MacBook were remotely wiped, his Twitter account hijacked and his Gmail deleted. He lost irreplaceable photos from the first year of his daughter’s life, hundreds of emails, and his ability to ever again feel secure online. Here’s how to significantly reduce the chances it could happen to you.
In the immediate wake of the attack, Mat Honan assumed that his Apple ID password had been compromised. It turns out the perpetrator provided just two pieces of information to Apple’s phone support – the victim’s billing address and the last four digits of his credit card number – and the phone support representative gave the hacker a temporary password, despite the fact he couldn’t answer security questions correctly. This is known as social engineering: a customer support representative was convinced to provide personal information to someone posing as the account holder.
Before you breathe a sigh of relief because you don’t have an Apple ID or iCloud account, know that this can happen at any company where someone other than you has access to your information and the power to push through a password reset – that’s right, everywhere.
A better password is certainly an important piece of the puzzle. Don’t use the same one across multiple sites. Ideally, use a password management program like LastPass to set up unique passwords at every site you visit. Use passphrases (a series of unrelated words is best) instead of an odd jumble of characters. Not only are they easier to remember, so you’re less likely to get locked out, they’re actually harder for a computer to guess.
Don’t put all your data in one digital basket. The cloud is a great resource for backing up your data, but if losing something would be devastating, it’s best to double up and back it up locally as well. Get an external hard drive and use a program like CrashPlan to set up an automated backup to both a cloud storage location and a local backup device.
A big part of the problem for Mat Honan is that he connected his logins and emails through a very common process known as “daisy chaining.” He set his Apple email as a backup to his Gmail and used his Gmail as a login for his Facebook and Twitter. If you use Google, Facebook or Twitter to log in to other social networking sites or websites, a hacker need only access one of your accounts to gain control of all of them. Ideally, establish a recovery email address for password resets that you don’t use for any other purpose – don’t set it as your username and don’t post it anywhere on the web.
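To audit your own chain, the added example below (not part of the original article) models which account can reset or log in to which, and computes how many other accounts fall when one is taken over. The `CHAINED` map follows the setup described above; the `SEPARATED` map and its `recovery-only` mailbox are hypothetical names for the dedicated recovery address recommended here.

```python
from collections import deque

# Constructed sample data: each account maps to the accounts that can
# reset its password or log in to it.
CHAINED = {
    "gmail": ["apple"],      # Apple email set as the backup for Gmail
    "facebook": ["gmail"],   # Gmail used as the Facebook login
    "twitter": ["gmail"],    # Gmail used as the Twitter login
    "apple": [],
}
# Hypothetical hardened layout: one dedicated, unpublished recovery mailbox.
SEPARATED = {
    "gmail": ["recovery-only"],
    "facebook": ["recovery-only"],
    "twitter": ["recovery-only"],
    "apple": ["recovery-only"],
    "recovery-only": [],
}

def blast_radius(controls, start):
    """Return every other account that falls once `start` is taken over."""
    # Invert the map: for each account, which accounts does it unlock?
    unlocks = {}
    for account, controllers in controls.items():
        unlocks.setdefault(account, set())
        for controller in controllers:
            unlocks.setdefault(controller, set()).add(account)
    # Breadth-first walk so indirect (daisy-chained) resets are counted too.
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in unlocks.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def worst_single_points(controls):
    """Rank accounts by how many others they expose, worst first."""
    return sorted(((len(blast_radius(controls, a)), a) for a in controls),
                  reverse=True)

if __name__ == "__main__":
    for name, layout in (("chained", CHAINED), ("separated", SEPARATED)):
        print(name)
        for count, account in worst_single_points(layout):
            print(f"  {account}: exposes {count} other account(s)")
```

In the separated layout no everyday account exposes any other, but the recovery mailbox exposes all of them, which is why it should never double as a username or appear anywhere on the web.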
Using the same email prefix across multiple accounts (for example, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org) makes it easy for those with malicious intent to locate and hack into additional pieces of your digital profile. This is particularly dangerous if you use the same prefix as your username to log in to financial institutions or as your “handle” on social networking sites.
Set up login notifications and two-factor authentication when it’s available. Google and Facebook both offer it. Basically, whenever your account is accessed from a new computer or mobile device, you have to enter a second code. This code is typically texted to your phone. While it can be a pain in the rear when you’re trying to log in from a new device, this step would have given Mr. Honan an early warning that someone was attempting to access his account. It also would have stopped the perpetrator from using his Gmail to access additional logins.
Review your security questions to make sure that the information isn’t easily found through your online presence. For example, the name of your dog isn’t hard to ascertain if you post about her on Facebook or Twitter. Your high school mascot, family names, and the street you grew up on are just as easy to glean.
Consider using a Google Voice number when online accounts require you to provide a phone number. The hacker who attacked Mr. Honan used his phone number as one piece of authenticating information to get his Amazon account password reset.
While convenient, storing your credit card number online with retailers makes your bank account more vulnerable. The same goes for using your smartphone for online banking, logging into Facebook or Twitter, or anything else tied to your personal information. Just about every smartphone owner stores logins and personal info on the device, so make sure you set a password on it so that a lost or stolen phone doesn’t compromise your data and accounts.
For more tips to protect yourself from online identity theft, contact me. I’m a better-safe-than-sorry kind of girl.
Photo used by permission: Don Hankins