For those of you who don’t know, Equifax has recently announced one of the largest data breaches ever: names, Social Security numbers, birth dates, addresses, and possibly driver’s license numbers have been compromised for over 143 million US consumers. In other words, as many as 57% of all adults in America (going by the 2016 US Census figures and the fact that few minors in the US have credit histories) have had highly sensitive information stolen and put up for sale.
Other than signing up for a credit fraud alert or a credit freeze, there is not much those affected can do to prevent attackers from attempting identity theft. Those affected need to begin to ask themselves: if someone had this information about me, what harm could they cause? I have recently left one of the largest banks in the country because their security practices left me vulnerable to anyone holding this information. I thought I was reasonably secure with a strong, unique password for my online banking and a security question required to gain access. I decided to call my bank to reset those questions since I had “forgotten” them. To my surprise, they were quite happy to reset them over the phone after confirming my address, date of birth, and full Social Security number – all of which may now be public knowledge to those willing to pay!
Now is as good a time as any to perform a security audit on all of your most important online accounts. Ask yourself: what are all the possible scenarios in which an attacker may have some access, and in each scenario, what is required to gain full access? Nearly everyone will want to make their email as secure as possible: if an attacker has locked you out of your email, they will be able to reset your password on most websites simply by asking for it. The other account most important to me is my account with the online password manager I use, which stores the passwords to all my accounts. For both of these accounts, I have two-factor authentication enabled via my smartphone, meaning that even if an attacker knows the password they will still not be able to get in. Considering I use strong, unique passwords for each account, even learning the password to one of those accounts would be pretty tough without a sophisticated attack. I have these two accounts intrinsically linked: even if an attacker somehow gained access in spite of my strong password and the two-factor authentication, they would still not be able to access the other[1], and I only need access to one account to regain access to the other.
For those of you who wish to secure your accounts:
- Treat your email as your most important account. Like I’ve said, someone gaining access to that account will be able to gain access to most of your accounts by requesting a password reset link.
- Use two-factor authentication for your most important accounts if available. For those of you unaware, this requires you to enter a one-time code when signing into the account from an untrusted or unexpected device. These codes can be emailed to you, sent to you via a text message, or generated in an app on your phone. For Google users with Android phones, this can even be as simple as a popup being sent to your phone asking you to approve the login.
- Use long, unique passwords for each account. If you’re using the same password for multiple sites, you’re asking for trouble: no matter how strong the password is, it only takes one website with poor security for that password to be stolen and inserted into a database, and now people have your password for every site. Use Have I Been Pwned? to see if your password has been leaked on any of the websites you use, and if so, make absolutely sure you never use that password on any site again.
- Use a password manager. The point above would be impossible without one. I rarely sign up for accounts, but as of today my password manager has over 100 accounts saved in it. There is no way I would be able to remember unique, long passwords for each one. Save yourself the trouble. These days with smartphones in our pockets, you can have your password manager synced with your smartphone and make it available offline.
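Checking a password against Have I Been Pwned? without handing the password to anyone is worth spelling out, so here is an added example (my own code, not from the original post or from the Have I Been Pwned project). It follows the Pwned Passwords range API’s k-anonymity scheme: only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every hash suffix it knows for that prefix, and the match is done locally. The endpoint URL is the real one; the HTTP fetch itself is left out so the example runs offline against a constructed range response.

```python
import hashlib

# Real endpoint of the Have I Been Pwned "Pwned Passwords" range API; only the
# first five hex characters of the SHA-1 hash are ever sent to it (k-anonymity).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """URL to fetch: it carries the hash prefix only, never the password or full hash."""
    prefix, _ = split_sha1(password)
    return PWNED_RANGE_URL + prefix


def breach_count(password: str, range_body: str) -> int:
    """Match the local hash suffix against the '<suffix>:<count>' lines returned
    for that prefix; the comparison happens entirely on the client."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        cand_suffix, sep, count = line.strip().partition(":")
        if sep and cand_suffix.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body(password: str, count: int = 12345) -> str:
    """Constructed stand-in for a real range response so the example runs offline:
    a few made-up suffixes plus the genuine suffix of `password` with `count`."""
    _, suffix = split_sha1(password)
    return "\n".join([
        "0" * 35 + ":2",
        suffix + f":{count}",
        "F" * 35 + ":17",
    ])


if __name__ == "__main__":
    body = constructed_range_body("password")
    print(range_request_url("password"))   # ends in /range/5BAA6
    print(breach_count("password", body))  # 12345
    print(breach_count("correct horse battery staple zebra", body))  # 0
```

To run it for real, fetch `range_request_url(pw)` over HTTPS and pass the response text to `breach_count`; a non-zero result means the password has appeared in a known breach and should be retired everywhere.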
[1] I even tried emailing the support staff of the password manager service I use, begging them to email me a password reset link. I claimed I lost my password, phone, and all my other belongings to Hurricane Irma and I pleaded with them to help. They stood their ground and said there was nothing they could do.