Data Breach Protection: How to Keep Your Personal Information Secure
Data breaches happen. In fact, data breaches happen more often than you might expect. And once your information is exposed, it can be sold and resold to anyone who might want to access your accounts or steal your identity. Data breach protection is essential to proactively secure your private information.
See Protect Your Social Security Number with Kevin Roundy for a complete transcript of the Easy Prey podcast episode.
Kevin Roundy has been a researcher at Norton LifeLock for a decade. He has a Ph.D. from the University of Wisconsin and has developed threat detection tools and tools to analyze malware. He is also the father of four daughters, which only increases his passion for protecting people from online threats. When he started in the field, he focused on malware and computer viruses. Over time, he realized that scammers were targeting vulnerable people, and that we need to have defenses in place and be aware of issues.
Scammers are Smart
Data breach protection won’t help if a scammer can get your information for free another way. And scammers are coming up with all kinds of clever ways to steal your information – and your money. They often use worldwide and local events as a jumping-off point for their scams.
When Kevin was a Ph.D. student investigating malware, the hot new topic was the storm virus, or storm worm. Scammers leveraged news stories about incoming hurricanes to try and get people to install malicious software. It’s not a new idea, but they’re getting smarter all the time.
They’re just trying to leverage topical themes that you were very curious about and want to be able to deal with.Kevin Roundy
Now they’re getting bolder and using topics that are explicitly financial, such as government grant scams or student loan scams. During the coronavirus pandemic, we saw coronavirus-related scams and scams related to the American government’s coronavirus relief program. More recently, the announcement of student loan forgiveness has led to student loan forgiveness scams.
Tips for Student Loan Forgiveness Scams
Student loan forgiveness scams are tricky because it can be hard to differentiate between legitimate communication from the government, communication from a legitimate third party who has some ability to help, and communication from a scammer. These communications often start via email, but could also be through SMS. Many of us are seeing SMS scams of all kinds these days.
Even a Google search isn’t necessarily safe. You could easily end up on a scam site. For student loan forgiveness in particular, make sure you end up on a site that ends with “.gov,” not “.com” to be sure you’re on a legitimate government site. Never click on the ads at the top of the search results. Scammers can easily pay for their fake sites to be on top. And generally avoid middlemen – people who say they can give you a better deal if you go to them instead of your bank or the government. They are generally not safe.
What Scammers Want
A scammer’s target can vary depending on the type of scam they’re running. But the end goal is always the same – they want your money. They might be trying to get at your money directly. Or they might be trying to get information that will give them access to your money. Whatever the method, scammers just want to get paid.
It depends on the scam, but a lot of them are just trying to get your financial information.Kevin Roundy
Take student loan forgiveness scams as an example. The most common one Kevin sees right now is scammers claiming they can give you better terms than your current creditor. They’ll offer low payments and much of your debt forgiven. To get started, you’ll just have to pay a $500 fee, then a regular monthly rate. They get a big payout right at the start. Now they have your information and can keep taking your money. By the time you realize it’s a scam, you’ve probably lost a lot of money.
Unemployment scams are a little different. The scammer has your social security number and some of your personal information – maybe from a data breach. They use that information to apply for unemployment in your name. You may be working still, but they’re collecting thousands of dollars in unemployment from the federal government. They didn’t steal directly from you, but the result is the same. The scammer got money, and you’re the one who gets a letter from the IRS accusing you of fraud.
How to Protect Your Social Security Number
Your social security number is key to much of your life. If a crook gets their hands on yours, they can do a lot of damage. Some steps to protect your social security number are simple, like shredding documents that have it before throwing them away. But if your social security number is exposed in a data breach, there are some data breach protection steps you can take.
Freeze Your Credit
If your information is exposed in a data breach, an important data breach protection step is to freeze your credit. Before your social security number is used, it’s verified through the credit bureaus with a credit check. By freezing your credit, you’re telling the credit bureaus, “No one is allowed to use my social security number for any reason, not even me.” If a criminal has your social security number, a credit freeze will stop them from doing anything with it.
You can go to government websites and the sites for Experian, Equifax, TransUnion, and Innovis to set up a credit freeze and fraud alerts. There are also services that can help you do this. Norton LifeLock, for example, offers monitoring services and allows one-click freeze on all major credit bureaus.
You have plenty of options – free and paid – that can help you get control over how your social security number is used.Kevin Roundy
Preventing unemployment scams and tax scams is more difficult because they don’t go through credit bureaus. A credit freeze isn’t going to provide data breach protection against these. Your best protection here is to create accounts on the government websites.
If you go to your state or federal unemployment site and create your own account, it’s protected. It has a password and you’ll get an alert if someone else tries to log in. But if you don’t have an account set up and a criminal has your information, they can sign up for the account in your name and you’re in trouble. The same is true for tax refunds. If you have an account set up, it’s hard for them to breach it. If you haven’t set up an account and they have your information, you’re vulnerable.
Even if you don’t plan to (or want to) use them, create the accounts yourself. Assume you probably won’t need it, but you want to be first. Once you’ve created your own accounts, nobody can create a fake account for you.
Data Breach Protection Strategies
There are many great services out there to provide data breach protection for you. But even if you don’t want to use a service, it’s important to monitor data breaches that might expose you and what information is available publicly and on the dark web.
Check Your Email
If a company experiences a data breach and loses your information, they are legally required to notify you if there is risk of financial damage. In the past, you might not have known there was a breach until your information was being sold on the dark web. Companies have gotten better recently. They know they need to notify customers fast or face hefty fines. They will inform you as soon as they know.
You can count on [companies] to notify you as soon as they know, but it is certainly possible that they might not realize the breach has happened until your information is already out there.Kevin Roundy
For your part, you need to monitor your email inbox. Companies will notify you through whatever email address you used to sign up. If that’s an old email address you never check, that’s where the warning will go. The best data breach protection in the world won’t help if the alerts are sent to an email inbox you never check.
Often when breaches happen, companies will offer a free subscription to a credit monitoring service like LifeLock. If they do, definitely take advantage of it. Tools like that are great. They will tell you any time a new account is opened in your name, and give you tools for freezing your accounts.
NEVER Reuse Passwords
This advice is very basic, but we often don’t follow best practices. Even those of us who know reusing passwords is dangerous still do it. But often data breaches expose passwords along with other personal information. Using a unique password for everything is a great step for data breach protection.
Be aware that with a lot of these breaches, a lot of times your passwords are being lost.Kevin Roundy
When a hacker gets your password in a breach, they immediately try to use it on wherever they breached. If they breached DoorDash and got your email and password, they will immediately try to log into DoorDash with that information. Then they’ll take that same username and password and try it on other sites. It’s called credential stuffing. They stuff those credentials into bank sites, online stores, and any other website they can think of. If you reuse passwords, the chances are high that they’ll get into more of your accounts and be able to steal even more of your information and money.
Stop Reusing Passwords with a Password Manager
One of the reasons we tend to reuse passwords is that we can only remember so many. Especially with password requirements making them longer and more complicated, there’s a limit to what we can remember. But a password you can remember is a weak password. To have good passwords, you need good tools.
It’s not possible to have good passwords that you can also memorize.Kevin Roundy
The solution is a password manger. Norton has one, and there are many great ones out there, both free and paid. You can install them on your phone and computer to make it very convenient to log into anything. With a password manager, you can have unique and strong passwords, keep them safe, and not need to worry about remembering passwords ever again.
Run a Data Breach Check
It’s hard to work towards better data breach protection if you never know your data was exposed. WhatIsMyIPAddress.com offers a data breach check tool. You can also visit haveibeenpwned.com to see all the places your email has been exposed.
LifeLock also offers dark web monitoring. Not only do they check for data breaches, they provide extra data breach protection by monitoring dark web marketplaces where your information might be bought or sold. If they find it for sale, they notify you. It saves time over doing it yourself, and LifeLock often has information faster than sites like haveibeenpwned.com.
Use Two-Factor Authentication
Even if you aren’t reusing passwords, two-factor authentication is important for data breach protection and all-around security. Hackers sell usernames and passwords on the dark web all the time, but if you don’t have two-factor authentication, your information goes from being worth pennies to being worth hundreds of dollars.
It’s an extra layer of data breach protection. It’s difficult for hackers to get that verification text. If they’re really dedicated, though, they can do a SIM swap to get access to your texts. SIM swapping is much more likely for high-value targets. It requires the criminal to know some of your information and convince your phone carrier to swap your number to a new SIM card that they have. That gives them access to your texts – and your authentication codes. Companies are getting better about preventing it, and it takes a lot of effort on the scammer’s part. For the average person getting authentication codes by SMS, it’s usually not worth the effort. But if you want the best protection, use an authentication app instead.
Do we love having to type in the number from our text message every time? No, we don’t, but it’s absolutely worth it to protect your assets.Kevin Roundy
Test the Password Recovery Process
Data breach protection requires you to be aware of clever methods criminals can use to get access to your information. For the most security, test the password recovery process for each site. Many websites give you the option to use authentication apps, but will let you do it with a text if you don’t have the app handy. And there are plenty of password reset processes that don’t require even the effort of a SIM swap.
Some password reset processes just require you to answer your security questions. If those questions are asking for your pet’s name and your mother’s maiden name, a crook can probably find that on social media. Make sure you’ve configured all your security options for better data breach protection. Don’t just set up two-factor authentication, but make sure there isn’t a lower-protection fallback an attacker could use.
Data Breach Protection Beyond Technology
We can’t solve everything with tech. As awesome as it would be if there was a tool you could activate and have perfect data breach protection, that just isn’t how it works. There is a human factor to security that affects our data breach protection just as much as the tools we use. To keep those we love safe, we have to have conversations with them to help them learn what’s out there and how to protect themselves.
Conversations With Aging Parents
As our parents age, they can be at risk of scams and financial exploitation. Widows and widowers among the older population tend to be lonely and more vulnerable to romance scams. It’s essential to talk to them about the risks and dangers and how to stay safe.
There are lots of programs out there to help older adults avoid scams. Government sites and other organizations have resources you can point to, which can help facilitate conversations. The important point is to have the conversations. You can’t just rely on technology to protect them. Kevin has an antivirus program on his parents’ computer, but he also has conversations with them. Adapt to where they are and talk about the dangers most relevant to them.
You have to talk to them about these things because they’re going to be targeted by very persuasive people who are trying to scam them out of their life’s savings.Kevin Roundy
Conversations with Children
Kevin has four daughters. The oldest just started college, and the youngest is in elementary school. He tailors the conversations to their age and what they’re doing. Starting earlier is better than starting later. Your kid’s first device is a great opportunity. Discuss rules of engagement and how to use it safely before giving it to them.
Kids will surprise you with what they want to do online. Snapchat has a feature called “streak,” which is how many days in a row you messaged one person. If your child is invested in their streak and you’re all going on a family camping trip where they won’t have access to wifi, they may be tempted to give their password to a friend to keep the streak going while they’re gone. This is a bad idea for many reasons. Maybe the friend isn’t a friend in a year; maybe they’re not as good a friend as your child thought; if your kid reuses passwords they’ve just given the friend the keys to their digital life.
It’s essential to have conversations and keep having them, sometimes over and over. Help them understand the risks. Work with them to solve problems – like allowing them to use your hotspot for a few minutes each day of the camping trip so they can keep their Snapchat streak. You don’t want to be a constant killjoy. There has to be a balance between letting them have fun and keeping them safe. Even if you don’t understand why a Snapchat streak is so important, you can still be on their side and help them keep what’s important to them while still being safe.
Parental Control Apps
Parental control apps and built-in tools can be great for monitoring your kids. But they are often used for spying. If your child doesn’t know about the monitoring, it makes any conversation about problems harder. If you see your child is being cyberbullied but you found out because you’re monitoring them without your knowledge, either you’re not going to talk about it or you’re going to first have to have a conversation about how you’re spying on them.
You need to be able to have those important conversations with your kids. Instead of using parental control tools to spy, use them to start conversations. Tell them they’re allowed to have a phone but you’ll be monitoring certain things. Be up front with them. Explain what it does and what you see, and offer to let them look at the reports you get. Kids don’t love it, but if you’re up front with them about what you see and the kind of threats you’re worried about, and if you approach it in a loving way, they’ll accept it.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Online Privacy
- Online Safety
You’re swiping on an online dating site when you come across someone attractive. You immediately swipe right,…[Read More]
The world’s most anticipated football event is here, and it doesn’t matter where you live – if…[Read More]