Just how hackable is your digital life?
When Wired News reporter Mat Honan had his digital life hacked—and subsequently, virtually wiped out—in August, the significant loss of data he endured wasn't the scariest part of the experience. Much more terrifying was the method by which hackers drilled into his digital accounts.
Using clever social engineering exploits, the hackers posed as Honan and succeeded in extracting key bits of personal information from Amazon and Apple customer support. With the critical data in hand, the hackers then locked Honan out of his Google account, commandeered his Twitter stream, seized control of his Apple ID number, and wiped his computing devices clean.
It was momentarily life-wrecking, at least.
If a hacker wanted to ruin your life—whether by identity theft or by a simple Honan-esque data wipe—how difficult would that objective be to achieve? The answer is that it's likely a lot easier than you think.
Are you an easy target?
According to a recent Harris Interactive poll commissioned by Dashlane, a company that manages passwords and personal data, most online Americans are concerned that their personal data might be used online without their knowledge. Approximately 88 percent of the 2208 adults surveyed cited being at least "somewhat concerned," and 29 percent claimed to be "extremely concerned." In addition, three out of five respondents were worried that they were vulnerable to being hacked.
John Harrison, a group manager at Symantec Security and Response, says that people should be concerned, because they're sharing more than they think they are.
Because social networks, public records, and high-profile security breaches are so prevalent, a lot of potentially sensitive information is just floating around the Internet.
"Each piece of information adds to the puzzle," Harrison says. "We don't throw everything out there at once, but it eventually comes together. For example, you may not put your full birthday on Facebook, but it's not difficult for someone to find out what year you graduated from high school and put two and two together."
In other words, you may not think you're sharing too much—just a snippet here and a snippet there—but to a hacker, you're building an easily harvested online profile.
Protect yourself the easy way
If you use the Internet in any meaningful way—sending email, uploading photos, frequenting social networks, shopping—your online profile is likely already floating around in the ether. And even if you haven't been online all that much, bits of your personal data may be available for online viewing via digitized public records. An interested person could readily find out if you have a mortgage, for example, or if you've recently gotten married or divorced.
You probably know that a typical five-character, dictionary-word password is easy to hack, and perhaps you rely on something far less penetrable. But you probably don't have the time or bandwidth to memorize a complicated mix of numbers and letters. So here are a few quick, easy-to-implement security tips that will drastically reduce your hackability.
Search for yourself. Before you start worrying, it's a good idea to get a handle on how much information about you is out there by searching for yourself. Type your name into Google—both with quotation marks and without—and with relevant keywords, such as your address, phone number, email addresses, job title, company, and alma mater.
See what you find, and try to look at the information the way a hacker would. Is there enough data there for someone to piece together your life? If so, you need to take steps to improve your personal security.
Use passphrases instead of passwords: Passwords are a tricky security issue. The best passwords are computer-generated mixtures of letters, numbers, and special characters (such as exclamation points and question marks). Unfortunately, the resulting alphanumeric strings are also extremely difficult for most people to remember. But since most passwords are hacked via brute-force methods—that is, by having a computer go through all possible combinations of characters—longer passwords are more secure simply because they take longer to discover.
For example, an Intel Core i7 processor takes just hours to crack a five-character password, but it takes more than 10 days to crack a seven-character password. That's why security experts recommend using passphrases instead of passwords. See Alex Wawro's password primer for pointers on building a good passphrase.
Stay updated: One of the easiest ways to prevent intruders from compromising your computer is to make sure that you're always running the latest version of all your PC applications—including your antivirus program.
"Drive-by downloads—malware that downloads to your computer when you click on a malicious link—often work by exploiting known bugs in software," Harrison says. "These bugs are usually fixed in updated versions of the software, but that won't help you if you're still running the old version."
Prioritize accounts: You may not be able to remember complex passphrases for every account you have, and that's okay. According to Doug McLean, senior director of product marketing at McAfee's Global Threat Intelligence, the average online American has more than 100 accounts, not all of which are important.
Instead of creating different passwords for every account, create unique ones for only the important accounts—email accounts, online banking accounts, social networks, and other accounts that contain sensitive information. For relatively trivial accounts, such as message boards, it's fine to use an insecure, hackable password.
McLean also suggests creating a "junk mail" email address for accounts that you don't really care about. You can use this junk email address to sign up for message boards, contests, and newsletters. Then, if one of the junk accounts is compromised, hackers won't have your real email address or your real passwords.
Lie: Speaking of junk accounts, be careful about what information you give away to random websites. Sure, your bank needs to know your home address, but does a message board really need to know your zip code or your full birthday? If you can't get past a screen because the website wants you to give up too much information, Harrison suggests that you make things up. After all, he notes, message boards are notoriously hackable, and they really just want to verify that you're over a certain age.
Protect yourself offline: According to McLean, offline identity theft is still much more common than online identity theft. The reason: Email addresses have passwords, while mailboxes, dumpsters, and lost wallets do not. To protect yourself offline, McLean suggests that you get a locking mailbox (if you don't already have one), shred all important bills and documents before you throw them away, and never carry your Social Security card with you.
Use a password manager: Though password managers require a little setting up, they're worth it if you're worried about the integrity of your passwords or passphrases. Password managers such as Dashlane, 1Password, and LastPass not only store all of your passwords in a neat little encrypted program that you can unlock with a master password; they can also create secure, computer-generated passwords that even you don't know.
In choosing a password manager, it's important to pick one that's compatible with all of your devices, including your phone and tablet. Dashlane, 1Password, and LastPass are compatible with Windows, Mac OS X, iOS, and Android; and LastPass is also compatible with Linux, BlackBerry, Windows Phone, WebOS, and Symbian. Password managers can store form data, so you don't have to park credit card information on the Web.
Freeze your credit report: Freezing your credit report is the single most effective way to prevent identity theft, according to McLean. If you're over 30 and you're not getting married or divorced, you probably won't be applying for new credit cards, loans, or mortgages, so you don't need your credit report to be readily available.
To freeze your credit report, you must contact each of the three major credit bureaus (Equifax, Experian, and TransUnion), fill out a form, provide proof of identity, and pay a small fee (around $10, depending on your state). You'll then receive a PIN or password that will allow you to "thaw" your credit report (either temporarily or permanently) if you ever need to use it. Temporarily thawing your credit report usually takes less than a minute, McLean says.
Credit report freezes are free in the United States for victims of identity theft.
Even a little security goes a long way
McLean suggests that taking minimal security precautions is like outrunning a bear: You don't have to be faster than the bear; you just have to be faster than your friend who's also being chased.
Hackers are smart, but they're also somewhat lazy. So unless you happen to be a high-profile target, a hacker will likely give up if your data defenses prove to be too difficult to breach. Mat Honan's hackers even admitted that their attack was nothing personal—they simply wanted to break into his Twitter account because the three-character handle "@mat" signified the property of a Twitter superuser. Nothing more, and nothing less.
Ultimately, even taking small security steps, such as creating an eight-character password instead of a five-character password, can protect your personal information just well enough to convince hackers to move on to the next digital door.
[Illustration by Michael Byers]