Saturday, December 6, 2025

Protect your online accounts, credit and identity

I got scammed recently by a guy claiming to be from my bank’s fraud prevention. Before he called me, I got a text that appeared to come from the bank. He had a lot of information about me – account numbers, SSN, DOB, phone number, address… and my username and password (which I didn’t know). He asked me to read him a security code from a text (which I did because my brain isn’t working well) and stole thousands of dollars before I figured out what was happening. He was able to do this even though I’m fanatical and knowledgeable about online security. I was tired and panicked and made one single basic mistake. 

Essentially everyone in America has had their personal information stolen as of the last major security breach a few months ago. These breaches happen all the time. You must assume that your name, SSN, birthday, address, online passwords and other personal info are for sale on the dark web right now. It’s only a matter of time before your info is used by hackers to really mess up your life. 

Here are the things you need to do right now to limit the damage when it happens. If you don’t take the time to follow these guidelines, your identity, money, health records and/or credit will eventually be stolen. 

I know this is long, but PLEASE read the whole thing. Please feel free to share this with everyone you know who might be receptive. They’ll either thank you later or really wish they had listened. 

Freeze your credit 

Freeze your credit for free at all 3 credit reporting agencies: Experian, Equifax and TransUnion. This ensures that nobody can get credit cards or loans using your identity. When you apply for a credit card or loan, you can do a scheduled "thaw" for one day which will then automatically re-freeze. You’ll have to create accounts at all three agencies - use strong passwords when you do. 

Links to the credit freeze sites: 

Change your passwords (and use a password manager) 

You’ve all heard me talk about this, I know. I’m sure it’s annoying, but hear me now. 

Unique passwords are essential – never reuse passwords across sites! The first thing hackers do when they buy your usernames and passwords is try using them to see if they work on other sites too. 

You need to use strong passwords - either random-word phrases like correct-horse-battery-staple-but-not-that-one, or random strings consisting of lower- and upper-case letters, numbers and special characters. Length is even more important than randomness – each password needs to be at least 14 characters to be really secure. Short passwords can be easily broken with tools all hackers have access to. 

Password managers are an easy way to manage all this. RoboForm is a good choice and is supported on Windows, iOS and Android, and the free version is just fine for most people. There are plenty of others to choose from as well.

Password managers not only help keep your passwords safe but also allow you to autofill them for each site instead of typing them in every time. They will also generate complex passwords for you, and you can often configure them to create passwords of a specific length. 
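To show what a password manager's generator does and how much length matters, here is an added Python example (not code from the original post) that creates both kinds of password described above and measures their strength in bits. The 16-word sample list is constructed for the example, and the 7776-word list size is an assumption.

```python
import math
import secrets
import string

# Pool the post describes: lower case, upper case, numbers, special characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed 16-word sample list so this runs offline. A real passphrase
# list has thousands of words; 7776 (a diceware-size list) is assumed below.
SAMPLE_WORDS = ["anchor", "bamboo", "cactus", "dolphin", "ember", "falcon",
                "glacier", "harbor", "iguana", "jasmine", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble"]

def random_password(length=14):
    """Random string; every character drawn independently with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_passphrase(words=4, wordlist=SAMPLE_WORDS, sep="-"):
    """Random-word phrase; the words must be picked by the machine, not by you."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(pool_size, picks):
    """Guessing difficulty in bits for `picks` uniform choices from a pool."""
    return picks * math.log2(pool_size)

def words_needed(target_bits, wordlist_size=7776):
    """Words a passphrase needs to match a given strength."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def compare():
    """Strength of an 8-char password, a 14-char password, and a 4-word phrase."""
    return {
        "8 random chars": round(entropy_bits(len(ALPHABET), 8), 1),
        "14 random chars": round(entropy_bits(len(ALPHABET), 14), 1),
        "4 words of 7776": round(entropy_bits(7776, 4), 1),
        "words to match 14 chars": words_needed(entropy_bits(len(ALPHABET), 14)),
    }

if __name__ == "__main__":
    print(random_password(), random_passphrase(8))
    for label, value in compare().items():
        print(f"{label}: {value}")
```

Each extra bit doubles the number of guesses an attacker needs, so going from 8 to 14 random characters adds about 39 doublings. A four-word phrase is only about as strong as 8 random characters, which is why a passphrase needs more words to reach the 14-character level.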

You can also use the password managers built into browsers like Google Chrome and Microsoft Edge. They are not as secure, but they’re easy to set up and use, and are synced between browsers on your computer and your phone. 

Use MFA (multifactor authentication) 

Many sites give you the option to use some form of MFA, like using an authenticator app on your phone or texting you a code the first time you log in to the site from a specific device. Even if hackers have your username and password, they can't log in to an MFA-protected account without also having access to your MFA codes, whether generated by your authenticator app or sent to you in a text. 

Set up MFA for every important site that has the option (especially for banks, credit cards, social media and healthcare providers), and get an authenticator app for your phone, which is the most secure form of MFA today. I recommend Google Authenticator or Microsoft Authenticator. They’re available on the Apple App Store or Google Play for free. 

Some sites have lesser forms of MFA such as calling you or sending a text with a code that you type into a form on the site when you log in, which is certainly better than nothing. 

Enable security measures for your mobile phone 

The reason texts containing a security code can be vulnerable is that unless you perform this step, hackers with your personal info can tell your mobile carrier that they need a new SIM for their phone, which is actually your phone. Then they install it in their own phone and can intercept texted codes. Likewise, if phone number transfer is unprotected, hackers can ask for a port-out to simply transfer your number to their own carrier.

What you should do:
  • Set up an account PIN or passcode with your carrier - This is the one thing that stops SIM-swap attacks cold. Set a unique PIN with your mobile carrier.
  • Disable port-out and SIM-swap without PIN - Most carriers let you lock your line so your number cannot be moved to a new SIM or carrier unless your PIN is entered. 
  • Put a note on your account requiring in-person verification for changes - Ask your carrier to only swap your SIM or transfer your number if you go to one of their stores in person with your ID. Take that, hackers!
  • Lock down your Apple/Google account - Your phone account is one thing, but the ecosystem account holds the actual keys to the kingdom.
    • Strong, unique password
    • Authenticator-app 2FA
    • Review your recovery email/phone
    • Kill any old devices and app passwords

Don’t ever give anyone a security code or any personal information unless you called a trusted number

This was my basic mistake – a scammer asked me to read a code from a text and I did. That’s all it took for him to take over my bank account and steal my money. 

If anyone contacts you saying they are from your bank (for example) and says something like there has been fraudulent activity on your account or asks you for any credentials, codes or personal information, say “Thank you for calling. I’m going to call the bank myself right now.” Then hang up, call your bank right away and tell them what happened. They’ll help to make sure everything is okay (or not), and because you called them, you’ll know the person you’re talking to is legit.