After several massive data breaches that contained lots of my personal info, and so-so attempts to protect my online self, I decided to further strengthen my digital security. Some of the things I’ve implemented, or typically do by default:
Set a fraud alert with the major credit bureaus; considering a credit freeze.
Started using a password manager (local, with multiple backups) on desktop and Android.
Improved complexity of existing passwords/passphrases where needed.
Created multiple email aliases to compartmentalize different types of logins (financial, commercial, medical, etc.).
Adjusted security details, notification delivery methods, and alerts in online accounts.
Subscribed to a service to remove my info from data broker sites/people lookup sites.
Installed an open-source authenticator app for Android.
Will port my mobile number to a different carrier, one which supports use of authentication apps.
Obstacles I’ve come up against:
Many sites and services don’t support more advanced means of authentication.
My financial providers use only specific commercial authentication apps, and I want FOSS.
Given how a stolen mobile phone number is like a skeleton key that unlocks every one of your accounts to hackers (thieves or spies), I’ve also considered changing my number, but that’s only good until the next breach happens.
I’m thinking about setting up a cheap VOIP/SIP number with SMS capability to use exclusively for “SMS-mandatory” authentications. The advantage, besides ultra-low expense, would be that I could easily change phone numbers in the event of a compromise, and not have to go through the trouble of getting a new SIM, or having to notify family and friends.
There are also “burner number/2nd number” mobile apps available, but at higher recurring cost (and with questionable data sharing practices).
I’m not sure if a security token device is something I want to bother with. I would probably lose it or forget to carry it at inopportune times.
Anybody have other recommendations, or personal lessons from having been hacked/hijacked?
These are companies that periodically run your addresses, phone numbers, and email addresses against a known set of “people finder” sites and send take-down requests on your behalf. Those are sites that have obtained your info from public records like house purchases, from ad companies, data aggregators like LexisNexis, etc. They even scrape social media and any other online data they can find, and publish it all for anybody to search, free or for a fee.
All without asking your permission, of course.
There is a subset of major sites that many of the other sites draw their data from to create their own sites, so it’s like a giant octopus that keeps sprouting new arms.
There are several removal services out there, some of which will actually tell you how to do it yourself. But it’s worth it to pay their reasonable subscription prices, because it’s just a nightmare to keep track of them all.
I’ve used:
DeleteMe
Removaly
Search for “online data removal service” or something similar to see others. Make sure you investigate the origins, jurisdictions, and reviews for any you consider using.
Typical Cost: $100 to $130 annually
P.S. Try looking for your own info on a few people/address/phone/neighbor lookup sites. Prepare to be shocked.
Oh yeah, it works, but it’s like whack-a-mole due to the proliferation of this kind of site. Some sites remove your data immediately, some within a few days or weeks. It’s not necessarily permanent, but it helps a lot, as many of the smaller operations get their data from the bigger, well-known sites. Once you’re removed from the big ones, the smaller ones should dry up, too.
As I said, there are DIY guides and lists of sites with contact info, if you think you have the time and drive to devote to the process.
BTW, there’s a new removal service that only costs about $20/year (EasyOptOuts), but I don’t know whether they’re good or not.
It’s my impression that this problem isn’t as prevalent in other countries as it is in the U.S.
For instance, if one of my credit card issuers has a breach, hackers might learn one of my email addresses and a couple of other bits of personal data, but they might not be able to use it to break into my bank account or medical records, which are set up with different email addresses. (And different, complex passwords, of course.)
I also would have fewer accounts to rescue after a breach or hijack, with the accounts compartmentalized in this way.
Posting to add that I am a satisfied customer of DeleteMe. They also mail out a monthly newsletter with new and horrifying information. Additionally, you can enter a significant other’s info as well with your subscription. Well worth my time and money.
MVNOs aren’t mentioned in the article (because doesn’t just everybody use one of the major providers and have an iPhone or Samsung?), but I suspect they all have their own privacy policies. Here is Ting’s, as an example. (Some of it just applies to their website policies.)
I just realized that my PayPal account was enabled to share marketing data with PayPal’s “marketing partners.” Which are none other than Facebook and Google.
I can’t believe I hadn’t disabled that before. Fortunately I’ve never used PayPal much. But still, they have my PII.
It sounds like you are already on the right track. Enabling the strongest 2FA options your various accounts offer (integration with an authentication app, SMS 2FA, or hardware token 2FA), plus unique per-account passwords stored in a password manager, is probably your best choice. For those sites that only have SMS 2FA, it’s still better than nothing, and using a service like jmp.chat would integrate well with Chatty’s XMPP support so you can receive any incoming SMS-based challenges, and one would think that the traditional attacks for SIM jacking wouldn’t have the same effect on a service like jmp.chat.
I’d still recommend using a supported hardware security token (ones that just support U2F/FIDO2 aren’t that expensive) for really important accounts over SMS, but if you don’t want to bother with it, SMS is better than nothing.
Thanks, Kyle. I’ve come to realize that a mobile phone account is probably the most critical one to protect, as it’s the most likely point of failure. I’ve just ported to a carrier that has effective 2FA options, so at least that’s taken care of now.
My bank requires a “Symantec VIP Access” app for those who want to use an app. I’d rather not install that. Fortunately, I can also authenticate by a code sent to my email address.
I’m also removing my mobile number from some accounts where I don’t see a need for it to be listed. I would rather receive an automated call to my home number (which is VOIP and can ring my mobile at the same time if I want).
Real-life advice from my experience is to avoid giving out your personal address whenever possible. Use a PO Box, delivery to shops, or anything similar that works for you.
My experience, BTW, was coming very close to getting my address leaked in the Ledger hack last year. That was especially bad because all the people on that list had purchased bitcoin hardware wallets, so you can imagine how something like that can affect your sleep.