So, quick question: have you done anything to protect your identity after the Equifax data breach? If you haven’t heard, or would prefer not to re-read the details, here’s a funny take by Stephen Colbert on the whole thing:
Whether you’re an individual, corporation, or government, your state of cybersecurity in 2017 is pretty bad:
- German bank accounts were hacked via 2-factor SMS authentication, using a vulnerability in cellular networks
- Election results have been influenced or directly tampered with in multiple countries
- Adobe unwittingly revealed its private PGP key online
- Deloitte was hacked and was unaware of it for over 6 months
- The SEC was hacked, and the information was potentially used to make insider trades
- A white-hat hacker (i.e. a good guy) found hundreds of companies that are vulnerable via their helpdesk systems
- The US government tried to force Twitter to identify people who criticized it
- People on both sides of the political spectrum have been doxxed, “outed” or fired because some strangers didn’t like them on the internet. Note: while I have no sympathy for some of the people being doxxed, it’s important to remember that doxxing is a double-edged weapon, most frequently and most maliciously used against innocents.
In most of these cases, the hackers used well-known vulnerabilities, and the hacks went unnoticed for several months.
Some are suggesting completely overhauling the current systems, for instance:
- Using Blockchain for identity, e.g. MIT’s Core Identity project
- Getting rid of private data brokers like Equifax, replacing them with a centralized governmental system
But waiting for Blockchain to solve this issue is a bit like smoking 3 packs a day hoping “medical science will find a cure by the time I’m in trouble.” Your identity is at risk today. It has been for a while.
Which means it’s up to you to ensure the safety of your digital identity, not the government or the corporations that own your data. And that can be a scary thought.
So I decided to find out how vulnerable my information is. You can too.
For a start, please try this exercise from the book The Smart Girl’s Guide to Privacy (screenshot taken from Amazon’s “look inside” pages, Chapter 1):
I was shocked (shocked, I say!) to see how much of my information is online and easily available. For the low, low price of $0.95, websites like Spokeo, USPhoneBook and PeopleFinders will sell to anyone:
- my phone number(s)
- my age and birthdate
- my spouse’s identity
- my addresses (current and past)
- which cell phone carrier I use
And that’s just what is available for free on “your” profile. Their purchase page claims that they have even more information about you - information that opens you up to identity theft pretty easily:
So, let’s take some simple preventative actions:
- Freeze your credit. Yes, it sucks, you’re paying into a broken system - but just do it for your own sake.
- Add 2-factor authentication to all your online accounts - financial, social media, etc.
- Review your public profiles on Facebook, LinkedIn, Twitter, Instagram, etc. and remove any public information you don’t want strangers to have.
- Use a VPN client like PIA or Encrypt.me on your laptops and mobile devices. This is especially important if you’re frequently using unsecured Wi-Fi at airports, coffee shops or hotels. The VPN encrypts your traffic between your device and the VPN provider, which protects your data from sniffers on the local network.
- Use messaging apps that have end-to-end encryption, like Signal and WhatsApp.
- Use browsers built for security, like Epic, Brave or Tor.
- Important: Opt out from as many online data brokers as you can. This one will be an ongoing effort - here’s a great guide on getting started. Note: yes, they have an opt-out form, but do you really trust a website that sells your personal info without permission to honor your opt-out request? This one gives me the chills.
More importantly, let’s start educating ourselves on security and online attack vectors:
- Read Violet Blue’s The Smart Girl’s Guide to Privacy (Note: hat-tip to Coraline Ada Ehmke for referencing this book on a Ruby Rogues episode.)
- Follow people in the cybersecurity community like Troy Hunt and Bruce Schneier
- Read up on social engineering and how to prevent getting hacked
- If you are a developer, understand how to build security into your DNA. Start by following the work of people on the Signal and Brave teams, among others. This blog post is a great example of all the security considerations the Signal team goes through for a single feature.
- Know your legal rights and obligations about what to do when your identity is stolen. That knowledge might be invaluable:
Please share additional tips you have, and share this information with anyone who may find this useful. And remember, stay safe online!
- Doxxing defense: Remove your personal info from data brokers
- The paranoid’s survival guide
- Identity theft, Credit reports and You
- Opening Pandora’s Dox: The Unintended Consequences of an Internet That Never Forgets
- How to Lock Down Your Money After the Equifax Breach