According to the Identity Theft Resource Center (ITRC), there were 1,093 data breaches in 2016, a record high. Social security numbers were exposed in 52 per cent of the breaches and credit or debit card information in 13.2 per cent. However, this does not mean that breaches where financial information or social security numbers were not exposed are any less serious.
The ITRC states that while data breaches only exposing usernames, email addresses and passwords were included in the total count of breaches they do not know how many people were affected. Typically if a company’s systems are breached and financial information is not lost they are not required under data breach notification laws to disclose the number of accounts involved in the breach.
Hackers and cyber criminals are becoming more savvy and have more tools at their disposal than ever before to enable their crimes. Companies cannot be relied on to always keep customer information safe because mistakes happen. The only way to improve the security of your digital life is to take matters into your own hands.
Most Internet users are well aware that they need to be hyper-vigilant to keep their passwords and personal information protected. They have heard the recommendations that they need to use a password not related to their name, address or pet’s name and that they should include random symbols, numbers and capital letters. But, the reality is the usernames they have created for email accounts, social media and other online services could be delivering all their private details into the hands of cyber criminals – no password needed.
While it might seem harmless to include a first name and the numbers from your street address in a username, cyber criminals can harvest those details to search for other private information that you may not know is publicly available on the Internet.
Cyber criminals use a technique called Doxing, essentially combing the web for snippets of information about a person, to build a full profile they can use to execute crimes like identity theft, scams or other targeted attacks. People do not realise that if they do something as benign as posting a comment on a public page with a username like CrazyShaunOrlando those two pieces of information are enough detail for a criminal to exploit. Within minutes they can find your home address, how much you purchased your home for, what high school you attended, where your kids go to school, the list goes on.
Quit recycling usernames
In order to create a more airtight online identity, the first thing to do is to stop recycling one username across accounts. Just like recycling a password is a bad idea you should avoid using the same username to log into different online accounts as well. Having one common username across accounts just makes it easier for criminals to search for and find details about your life.
Portions of, nicknames and full names should also be avoided when creating a username or email address. Business professionals and students often use a variation of their full name as an email address, on social media and other online forums. While people might be able to easily search for and follow or friend you, you are also making it easier for criminals to do the same.
In addition to keeping your name out of logins, you also want to leave out cities and states. Whether it is the city you reside in now or where you were born, including a meaningful location in your username is never a good idea. Not only are location details one more tool criminals can use to narrow their search for your personal details, cities related to your life are also common password security questions.
Numbers are another risky detail to incorporate into your username, if they are not totally random. While a string of four to eight numbers might seem unobvious a criminal will be able to use a partial birthday or street address to verify if the information they are accumulating is all related or tied to the same person.
While names, addresses and important dates are important details to avoid including in a username the absolute worse mistake you can make is to double up and use an email address as a log in. Linking a username with an email address can simplify a criminal’s search for your personal information. Using trial and error a criminal can add common email providers to your username, run a search and pull up your social media accounts and any other sites where you have used that email address to create a profile. Some email providers including Gmail, Outlook and Yahoo allow users to alter their email address into infinite number of disposable addresses. For example if your email address is firstname.lastname@example.org and you want to sign up for a new deal website you can alter your email address just for that site by adding an identifier to it such as shauntips+FreeRunningStuff@gmail.com. This keeps your actual email address private and can help stop criminals from being able to track your online history simply by searching for one of your email addresses.
Putting in the necessary effort
Creating a new username and password for every single account you use in your lifetime online and on mobile devices can seem overwhelming. But, it is what you need to do if you are really serious about keeping your information safe and your privacy intact. To help manage usernames and passwords you can use a password keeper. Look for one that explicitly states it uses AES256 bit encryption or stronger to protect your content. And,
if you can use the password keeper via a web browser, only use it for unimportant sites – not for your email, social media, banking or commerce. If you can login with a username/password and view all of your passwords so could anyone else.
If you know that your information has been exposed in a breach at some point in time, to be safe the smart thing to do is to change your email address or at least your account log in information. Additionally, everyone should enable two-factor authentication on their accounts and devices. In the event that someone does gain access to your passwords they need a second code to get in if you have two-factor authentication enabled. Guidelines for setting up two-factor authentication can be found at http://www.google.com/landing/2step/. Typically a code will be sent to you via text message and you will be required to enter that code before you are able to access your accounts on a new device. If you receive a code notice without trying to sign into one of your accounts you know that a hacker is likely trying to get in and can change your passwords as an added precaution.
Shaun Murphy, CEO, SNDR
Image Credit: Den Rise/Shutterstock