You know you’re vulnerable to cyber attack. You know you need to protect your identities and finances. You know you need to update those 10-year-old passwords that are variations on your kids’ names. But if you are like me, you were put off by the ridiculously long list of steps recommended by scolding cyber nannies
So you put it off. And put it off.
Well, no more. When I wrote about Phil McGrane, the Ada County chief deputy clerk who had his identity hijacked, I realized that I’d run out of excuses for not getting serious. Phil had done a lot of things right, and still had his identity and money stolen. I heard from a lot of people who were thankful Phil was so forthcoming about his experience, and who wanted to know more.
I wanted to know more, too. So I decided to find out. I started asking around, and when a colleague told me about his friend Greg Blake, I gave him a call.
Never miss a local story.
Greg is the chief information officer for the Idaho Housing and Finance Association. He advises his agency and others on cyber “hygiene.” He’s an “ethical hacker,” testing vulnerabilities in his and other systems. He doesn’t do personal computer security coaching (that would be a good business for someone, but I couldn’t find anyone who does it), but Greg did agree to sit down with me and my wife in hopes that the advice he had for us would help others.
And we needed a lot of help, even though Greg was too kind to say so.
“You would be very typical,” he told me a few days later. “I didn’t have any particular red flags.”
My takeaway? Getting secure is complicated. But not because it’s complicated. It’s because there’s a lot to do, and once you start, you realize that halfway measures are just that. You have to toughen up your email accounts, your bank accounts, your retirement accounts, your credit cards, your credit monitoring, your computer, your phone and, as Greg advises, what you post and share on social media. Diligent malefactors can find out a lot about you if they want, in all kinds of places that might not even occur to you. Like the glove box of your car (Greg had his car stolen once, and the thieves were able to get enough information from his car to go after his financial assets.)
So, yeah, there’s a lot to do and it’s basically tedious. But it’s not as tedious as having to dig out or rebuild your identify after a hack or, heaven forbid, try to recover your nest egg.
So get started. Make a list. Give yourself a week or two. Do a step or two or three a night. Pretty soon, you’ll have everything checked off. Here’s my summary of the steps Greg recommended to get started.
No 1: One email account, one computer, for your finances — and nothing else.
This is the first thing Greg did with us. He had us create a new email address that we use exclusively for taxes and finances. And he had us designate one computer, fully updated and secure, for taxes and finances. You can get a cheap basic computer, since you won’t be surfing the web, playing games or watching movies with it. If you follow this practice, the only activity on that machine and that account will be related to your finances. Any other traffic will be a red flag. Of course, once you create that new secure email account (with a strong password; see No. 3 below), you have to update each bank and bill-paying account with that new email. But that’s good, since you’re going want to review the passwords, security, alerts and other details for each one of those other accounts anyway.
Like I said: Make a list, and keep checking things off.
No 2. Two-factor authentication.
That’s a fancy way of saying a double sign-on. It means that anyone who tries to sign on as you (including you), will get a prompt to verify on a phone or other device. The Statesman already required it for my work email and our publishing system, so Greg had us download the Google Authenticator app to do the same thing for our private email accounts. Every time we sign on with our password, we have to prove via a second method that we are who we say we are. Your second method can be a text message, an email, an app, a fingerprint, a security question or a code word. If your accounts don’t have that option, consider changing vendors/banks/cards.
No 3. Three ways to make passwords stronger:
Letters, numbers, characters — at least 15. Greg recommends phrases for strong passwords that you will remember: Usetheforceluke1. Better yet, a phrase with a twist. “A good boy does fine” can become #1a#2go#3bo#4do#5fi. Or use the presidents: 1Gw2J@3Tj4Jm5Jm. You get the idea. As you create new and complicated passwords, download a password manager on your computer and your phone. It will secure and remember those complicated passwords for you. Greg likes Dashlane, Lastpass and Roboform. The average person has 27 passwords (or 25 or 19, depending on the source — a lot, anyway, for any human being to try to remember). Oh, and one more password tip: Don’t say yes when your computer offers to remember your passwords; good hackers can get at those. Let your password manager app remember them for you.
No 4. Forewarned is forearmed.
On each bank and credit card account, set up alerts for activity/fraud. Gmail already sends me alerts if I log in on an unfamiliar machine. Our bank had the option to establish alerts for transactions of certain sizes (say, $100 or more), or balance drops. Set up the most secure alert that you can tolerate. This could give you real-time notice of an active hack.
No. 5. Everything else.
(I ran out of clever mnemonic devices.) Set up your phone to require a pin or fingerprint. Lock your computer too. Don’t use public WiFi. Register for free monitoring being offered by Equifax since its hack. Consider freezing your credit if you’re not planning to need credit soon. (Yes, by all accounts this is a ridiculously annoying hassle.) Consider subscribing to a monitoring service like Lifelock or Identity Guard.
Share less personal information on social media (easier said than done). Opt out of people search engines, such as spokeo.com, intelius.com and instant checkmate. And think about your other vulnerabilities. Snail mail? Shred, shred, shred. Don’t forget that trove of data in your car, or other places where you might be leaving virtual or physical bread crumbs. Phil McGrane is sure that someone used info from an Equifax-style online breach with other details from his life when they duplicated his identity. It does happen.
What else did our family do? I couldn’t get all my questions answered online, so I went in to my bank to go over my account with an employee. I put one account entirely offline. And while reviewing my accounts, we found old phone numbers and other outdated info, so we got that cleaned up, too. At home, we made sure our virus and firewall software was updated and running. And we’re still taking baby steps, adding things that weren’t on our original list.
The truth is, none of us are ever bulletproof. You do what you can to raise your awareness and reduce your profile. My wife liked one metaphor Greg used: You want to be in the middle of the digital herd, not wounded and limping on the edge, vulnerable to predators.
So now, back to work … if only I could remember that #$@%% complicated new password.
Five ways to protect your identity and finances
1. One email, one computer, dedicated to finances
2. Two-factor sign-on for email, financial accounts
3. Strong, unique password phrases, and a password manager
4. Fraud/activity alerts on email, financial accounts
5. Lock your phone and computer. No public WiFi. Credit monitoring. Limit personal info on social media.
More ways to get safe online
How to Keep Your Personal Information Secure (Federal Trade Commission)
Two Factor Authentication Lists (twofactorauth.org)
Security Freeze vs. Fraud Alter: Deciding the best option (Consumer Reports)
Consumers Union’s guide to security freeze protection (Consumers Union)
The Best Password Managers of 2017 (PC Magazine)
World’s biggest data breaches (Information is Beautiful)