Archive for the ‘Security Breach’ Category

Credit freeze vs Credit lock – which is best?

Posted: October 4, 2017 by IntentionalPrivacy in Equifax, EquiMess, Security Breach, Vulnerabilities
Tags: , , , , , ,

Equifax and the other credit bureaus are trying to convince consumers to put “credit locks” on their credit files instead of credit freezes. Credit locks are – I think – a really bad, bad idea. Why?

  1. Why would you trust anything a company tells you that did not encrypt a database with 145 MILLION records in it? Former Equifax CEO Smith testified yesterday at the House of Representatives that Equifax has a poor record of encrypting data. To read the latest about the EquiMess, click on Wired‘s “6 Fresh Horrors From the Equifax CEO’s Congressional Hearing.” Talk about dancing on the head of a pin!
  2. The credit bureaus claim a lock is “free” and simple to use through an app on your phone … the problem is that nothing is free, and again, why would anyone trust them? They’re selling your information somehow to pay for that lock.
  3. What’s the difference between a lock and a freeze? Well, nobody seems to know. While credit freezes have a cost to set up and remove (which varies from state to state), they’re regulated by state and federal law. When you sign up for a freeze, you do not have to agree to arbitrary credit bureau terms and conditions (such as giving up your right to sue or participate in class-action law suits).

More on credit freezes vs credit locks: “Myths vs. facts: Sorting out confusion surrounding Equifax breach, credit freezes.”

Equifax Happened: What Are We Going to Do About It?

Posted: October 3, 2017 by IntentionalPrivacy in Financial vulnerabilities, Security Breach
Tags: , ,

I have been doing a lot of thinking about Equifax. You can point fingers and say … well, you can say all kinds of things. Equifax should have patched faster, they should have notified faster, they should have been more organized about their response, they should have spent more money on security … While every one of those statements are true, they do not resolve the problem of breach response. They will not prevent future breaches. They do not make us safer.

What is  going to make us safer?

What have we learned from all these breaches? What will keep our information safe going forward? That is what really matters. What happened in the past only matters if we learned something from it (unless you are an attorney running a class-action lawsuit or, God forbid, your identity was stolen).

Regulations

Should the US implement regulations like the European Union’s General Data Protection Regulation (GDPR)? Will more regulation make us safer?

There’s no doubt we need better regulations and oversight, especially on data brokers. There are more than 2500 data brokers in this country; your information is their product. For the most part, you cannot opt out and you cannot control what data brokers do with it. And if your file contains errors, chances are you will not be able to correct those errors. For an interesting overview of data brokers, read Privacy Rights Clearinghouse’s article “Data Brokers and ‘People Search’ Sites.”

Won’t automation or lots of expensive tools keep us safer?

Part of the problem is that big companies in particular want to throw technological solutions at data security. Maybe technological solutions make the board feel safer. Maybe they cannot find personnel. Maybe it is because people are expensive.

Layers of security

When an organization gets breached because they did not patch or no one was paying attention to alerts, management may be surprised because they thought spending money on expensive tools would save them from breaches.  The vendors say it was not their fault because the tools were not correctly implemented. The staff says they did not get training or they were testing it or it does not work the way it is supposed to or there were too many extraneous alerts.

Organizations need tools, but their focus should be on the basics. Organizations should know how their data flows: how it comes in, where it goes internally, and when and where it leaves. Private personal information (PPI) should be encrypted whether it is moving or at rest. Organizations should know what and where their assets are. They should understand that employees are going to make mistakes and plan for them. Back up, disaster recovery, and redundant systems are necessary. Flat networks are a disaster waiting to happen: put things in security zones and implement authorization and authentication practices. Enact user training. Be careful who has administrative privileges. Practice safe passwords. Implement policies and procedures and physical security.

Security people know these layers; management should know and understand them also.

Equifax breach: UPDATE

Posted: September 9, 2017 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Privacy, Security Breach, Vulnerabilities
Tags: , , , , , , ,

The newest large breach, potentially affecting 143 million people in the US, was announced Thursday by Equifax at https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 . It also affected a small number of consumers in Great Britain and Canada. According to the Equifax PR statement, “Criminals exploited a U.S. website application vulnerability to gain access to certain files.”

There’s been at least one potential class-action suit already filed. The New York State Attorney General, Eric T. Schneiderman, has also opened an investigation.

Based on US Senator Al Franken’s Facebook post on Equifax, it might be a good idea to wait to sign up for Equifax credit monitoring until Equifax clarifies that you are not trading your rights to sue them or join a class-action suit in return for accepting their credit monitoring service. However, you should still visit the Equifax site (http://www.equifaxsecurity2017.com/) to find out if you are one of the affected parties. If your information was not affected (although I would not trust that completely), the site will continue on to give you the date when you will be allowed to sign up for credit monitoring if you should decide to do so. Make sure you note the date, because you will receive no other notice.

Since I cannot sign up for the TrustedID service yet, I have not personally read the agreements that Equifax has put in place.

Furthermore, credit monitoring usually just alerts you to an event that has already happened. It is not always accurate or even timely. Although good to know that something has happened, taking preventive action is better.

What should you do?

Act as if your information was stolen and move to block access to your credit and financial accounts. Yes, it’s painful, but far less painful, expensive, and time-consuming than dealing with identity theft. We need better oversight of credit bureaus, but in the meantime protect yourself. Your personal information is important for credit and insurance availability and costs, getting a job, and even renting an apartment or buying a home.

Brian Krebs has an article about credit freezes and credit monitoring at How I Learned to Stop Worrying and Embrace the Security Freeze. The FTC article on credit freezes is good, but Kreb’s article is more thorough and he explains about his personal experience with credit monitoring services. Here are the actions he recommends:

Update: Unfortunately, the pin that Equifax automatically assigns starts with the date you call you to start the credit freeze (i.e, 090917xxxx). The automatic pin is not random. To change it, you have to call 888-298-0045; the line is only available Monday – Friday 9 am to 5 pm (and the message doesn’t even tell you which time zone). You cannot change the pin on their website.

While Fraud Alerts are free, they have to be updated again every 90 days.

NPR.org is reporting that three Equifax executives sold small amounts of stock shortly after the breach was discovered. You can look at the SEC filings here; open the Beneficial filings to see what the stock sales were. Even though all 3 only sold a small portion of their holdings, it is still a lot of money – about $1.8 million. I find it hard to believe that the CFO was not alerted to a breach of the company. The stock price was $145.09 on July  28, 2017, before the breach (discovered on July 29, 2017); yesterday the stock closed at $123.23.

 

Equifax hack just announced may have exposed 143 million consumers’ private information.

Posted: September 7, 2017 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Privacy, Security Breach
Tags: , , ,

Today Equifax announced that a breach may have exposed 143 million consumers’ private information. Equifax has created a special website at https://www.equifaxsecurity2017.com/enroll/ so you can find out if you are affected (at least as far as they know right now) by the breach. They are also providing credit monitoring.

What should you do?

  1. Sign up for the complimentary identity theft protection and credit file monitoring product, called TrustedID Premier.
  2. Put a freeze on your credit at each of the three credit bureaus. The Federal Trade Commission has an article at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs that explains the process of implementation and how to temporarily remove it when you apply for new credit.
  3. If you were affected by the breach, the Federal Trade Commission has a site that explains exactly what to do to keep your information safe. https://www.identitytheft.gov/

Medical Records Flapping in the Breeze!

Posted: May 11, 2017 by IntentionalPrivacy in HIPAA - HITECH, Identity theft, Privacy, Private Health Information (PHI), Security Breach, Vulnerabilities
Tags: , , ,

Medical record theft is on the rise, and according to  Reuters ( http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 ), a stolen medical record is worth ten times what a stolen credit card number on the black market. The reason medical records are worth so much more, is because they are used to steal benefits and commit identity theft and tax fraud.

How easy is it to steal medical records?

This morning, I read Brian Kreb’s report on True Health Diagnostics health portal, which allowed other patients’ medical test results to be read by changing one digit on the PDF link. The company—based in Frisco, Texas—immediately took the portal down and spent the weekend fixing it. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/

While I think it is great they fixed the problem so rapidly, I am disgusted that our medical information is so often flapping in the breeze. Health professionals are notoriously lax about protecting their patients’ medical information. A security professional that I know defended medical people by saying they do not understand HIPAA/HITECH. Yes, I know they do not necessarily understand the technical details. But is ignorance an excuse? I do not think so. They have IT people to support those computers and medical professionals are supposed to attend HIPAA training on a regular basis.

For instance, upon reading the FAQs at http://www.holisticheal.com/faq-dna , I noticed that after a patient completes their tests (recommended by my doctor), this practitioner sent results in email. It is not a simple test like cholesterol; it contains information about someone’s DNA.

After I emailed them and told them I would not consider using their service because email is not secure unless encrypted and in my opinion this practice—sending medical results in unencrypted email—is contrary to HIPAA/HITECH, they changed their policy. While they now send the results for US patients on a computer disk through the mail, they still send international clients their results through email.

I have frequently caught my own medical professionals leaving their patient portals open when I am alone in the exam room or even away having tests. During one notable session, without touching the computer, I could see a list of all the patients being seen that day on the left, and the doctor’s schedule across the top (including 3 cancellations). Another medical professional texted me part of my treatment plan. (I thought we were limiting our text conversation to time, date, and location. Otherwise I never would have agreed to text. I had never even met this person!) Another provider grouped three receptionists with computers (no privacy screens) in a circle with windows on two sides. I could read two of the screens when signing in and the third when leaving and I saw them leave their screens open when they walked away from their computers so that the other receptionists can use those computers.

Granted, these incidents may not be breaches, but I think they are violations of HIPAA/HITECH and they could lead to breaches. What are the chances they are using appropriate access control, backing up their systems, encrypting their backups, thinking about third-party access? Are they vulnerable to phishing, crypto ransomware, hackers, employee malfeasance, someone’s child playing with the phone?

Yes, I get that people make mistakes. The problem is they have the ability to make mistakes! Set up fail safes. Require each employee’s phone to be physically encrypted and give them a way to send encrypted emails or texts or do not allow them to text or email patients. Make screens lock after five minutes or sooner. Give them training. Spot check what they’re doing.

I always discuss these issues when I notice them with the practice HIPAA Privacy Officer (and sometimes change medical providers if egregious). Does it help? Maybe. But it always makes me wonder what I have not seen.

Pay attention! Protecting your data helps protect everybody’s data.

Hacker Tips to Help Keep Your Debit and Credit Cards Safe

Posted: October 19, 2016 by IntentionalPrivacy in Financial vulnerabilities, Historical and future use of technology, Identity theft, safe use of credit and debit cards, Security Breach
Tags: , , , , , , , ,

The number one rule for safely using a debit card: Don’t! But, if you have to use a debit card, here are some suggestions from two of Austin’s leading computer security experts.

Michael Gough and Brian Boettcher are co-creators of LOG-MD, a sophisticated analytical tool used by computer security professionals. I recently had a conversation with them about how to use credit cards and debit cards more safely.

They said: Limit debit card use to only one local grocery store chain, especially if it has gas stations and stays open 24 hours a day. That way you can get cash without using the card in an outside ATM. Of course, the risk of being robbed is also much higher at an ATM. If you always use the same grocery store, then if the number is stolen, you know where it happened.

They said: Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

(Brian Krebs, who writes the blog KrebsOnSecurity, talks about card skimmers in this series of articles. Krebs updates these articles on a regular basis and they are well worth reading. In fact, as I have mentioned before, his column is a great place to find out about security issues.)

They said: You may also be able to buy store gift cards with your debit card to use at their gas pumps without having to pay a fee to use them the way you do with MasterCard or Visa cards. And the cards may even be reloadable. The one drawback? If the card is lost or stolen, the money on it is not replaced the way it would be if you used a credit card.

They said: Do not use a debit card at a restaurant. You have no idea if the person is using a hand-held skimmer on your card. Someone may have placed a skimmer on the restaurant’s card terminal.

 (Restaurants are weak in security because the staff holds your cards out of your sight and out of your control. The authors of this blog each had fraudulent charges placed on their cards after two visits to the same restaurant in the same week. We usually take turns paying. We had different servers each night. We think that they had a little ring going.)

They said: Debit cards are less secure than credit cards because debit cards are directly hooked to a bank account or credit union account. If a debit card gets compromised, your account can be drained. It may take some time—even months—to get the money replaced in your account. And the money may not be replaced at all since it is not insured as it is with a credit card.

They said: Most banks and credit unions are helpful about getting a new debit card, but if a credit card gets compromised, usually a new card can be received in 2 or 3 days, maybe even faster if you can pick it up at your financial institution.

Here are their recommendations for safer credit-card use:

They said: Get a second card with a low limit. This card should be mainly used at less safe locations: public kiosk use (think train tickets or parking) and online shopping, as well as automatic payments. If you have to use self-service checkouts, use the second card. Avoiding self-service checkouts is the best strategy.

They said: That second card can be a handy back-up, in case your main credit card is lost or stolen.

They said: Look over your statements on a regular basis for transactions that you did not make.

They said: Patronize companies that use chip and signature (in the US) card terminals, which in most cases was supposed to be in place in the US by October 2015. Europe uses chip and pin. If a company still has not upgraded from magnetic stripe terminals, tell them why you do not want to shop there. (Or only use cash there.) Gas pump card terminals are required by major credit card brands to be updated to use chip and signature (in the US) by October 2017.

They said: Keep a list of automatic payments, and when they renew. Cancel automatic payments as soon as possible when you switch to another card.

One problem with automatic payments is that they may move to a new card even if you did not authorize it.

They said: Some cards (American Express is one example) will allow you to set a daily limit on spending. They usually alert you as soon as possible if spending goes over that limit.

They said: Replace your cards at least every two years.

They said: Put a credit freeze on your credit. The FTC explains the pros and cons of credit freezes here. There may be a small charge for freezing and unfreezing your credit file, but it is cheaper than credit monitoring, which will not tell you about a breach until after it has already happened.

Michael said: Using credit monitoring is like going to a dentist who only monitors your teeth, but does not fix any cavities found.

They said: Get a copy of your credit report from each of the three credit bureaus yearly. You can cycle them so you get one every four months.

They said: As soon as you hear about a mass data breach that could involve your accounts, call your bank or credit union and request a new card. Do not wait for a notification.

They said: Keep records of each card, the card numbers, the customer service phone numbers and addresses. (It is pretty easy these days to make blow-up copies of the fronts and backs of your cards.)

Michael Gough has worked in the IT and Information Security field for over 18 years. He has a wide variety of experience that includes positions as a security analyst for the State of Texas and the financial and health-care sectors, and security consulting with Hewlett Packard. Michael currently works in the health-care sector as a Blue Team Defender, incident responder, and malware fighter.

Michael has created or co-created several tools used in the security industry, such as LOG-MD, which is a logging tool, and the “Malware Management Framework,” which is used to discover and manage malware. In 2012, Michael discovered a type of malware called Winnti that continues to plague gaming and pharmaceutical companies.

 Brian Boettcher, co-creator of LOG-MD and co-host of Brakeing Down Security, has worked in the IT and Information Security fields for a number of years. Brian currently works as a senior security engineer and incident responder. He is a member of several security groups and presents regularly at security functions.Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

Samsung Galaxy phones, LastPass, and purging online databases

Posted: June 17, 2015 by IntentionalPrivacy in Cell phone, Password need-to-knows, Security Breach, Tips
Tags: , , , , , , ,

As I do almost every day, I was looking through security news this morning. An article by Graham Cluley about a security issue—CERT CVE-2015-2865 —with the SwiftKey keyboard on Samsung Galaxy phones caught my eye. The security issue with the keyboard is because it updates itself automatically over an unencrypted HTTP connection instead of over HTTPS and does not verify the downloaded update. It cannot be uninstalled or disabled or replaced with a safer version from the Google Play store. Even if it is not the default keyboard on your phone, successful exploitation of this issue could allow a remote attacker to access your camera, microphone, GPS, install malware, or spy on you.

Samsung provided a firmware patch early this year to affected cell phone service providers.

What to do: Check with your cell phone service provider to see if the patch has been applied to your phone. I talked to Verizon this morning, and my phone does have the patch. Do not attach your phone an insecure Wi-Fi connection until you are sure you have the patch—which is not a good idea anyway.

~

An interesting article in Atlantic Monthly discusses purging data in online government and corporate (think insurance or Google) databases when it is two years old, since they cannot keep these online databases secure. I can see their point, but some of that information may actually be useful or even needed after two years. For instance, I would prefer that background checks were kept for longer than two years, although I would certainly like the information they contain to be secured.

Maybe archiving is a better idea instead of purging. It is interesting option, and it certainly deserves more thought.

~

Lastly, LastPass: I highly recommend password managers. I tried LastPass and it was not for me. I do not like the idea of storing my sensitive information in the cloud (for “cloud” think “someone else’s computer”), but it is very convenient. Most of the time, you achieve convenience by giving up some part of security.

LastPass announced a breach on Monday –not their first. They said that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

For mitigation: They have told their user community that they will require verification when a user logs in from a new device or IP address. In addition,

  1. You should change your master password, particularly if you have a weak password. If you used your master password on other sites, you should change those passwords as well.
  2. To make a strong password, make it long and strong. It should be at least 15 characters—longer is better—contain upper- and lowercase letters, digits, and symbols. It should not contain family, pet, or friend names, hobby or sports references,  birthdates, wedding anniversaries, or topics you blog about. Passphrases are a good idea, and you can make them even more secure by taking the first letter of each word of a long phrase that you will remember. For example:

    I love the Wizard of Oz! It was my favorite movie when I was a child.

    becomes

    IltWoO! IwmfmwIwac$

    Everywhere a letter is used a second time, substitute a numeral or symbol, and it will be difficult to crack:

    IltWo0! 1>mf3wi<@c$

  3. When you create a LastPass master password, it will ask you to create a reminder. Let’s say you took your childhood dog’s name, added the number “42,” and the color “blue” because he had a blue collar to make your new master password: osC@R-forty2-Blew! If your reminder is “dog 42 blue,” your password could be much easier to crack. Maybe you even talked about Oscar in a Facebook post. So again, do not use a pet’s name in your password. Then put something in for the reminder that has no relation to your password: “Blank” or “Poughkeepsie” for instance.
  4. Keep your master password someplace safe. Do not leave a copy in clear text on your phone or your computer or taped to your monitor. Put it in a locked drawer or better—your safe deposit box.
  5. Back up your password database periodically to a device you store offline, and printing the list and storing both the printout and the backup in a sealed envelope in your safe deposit box is a good idea as well.
  6. Use two-factor authentication. If you don’t know anything about it, this Google account article will explain it.

WhiteHat Aviator rides into town …

Posted: February 4, 2015 by IntentionalPrivacy in Browser Vulnerabilities, First Steps, Privacy, Security Breach, Vulnerabilities
Tags: , , , , , , , , , , ,

I have recently started using the WhiteHat Aviator browser, which uses the anonymous search engine Disconnect. It is available for Windows and Mac here. It works pretty well (although it is sometimes slow). When I use it for sites like Gmail where I use two-factor authentication, I do have to enter both the second factor and the password every time I load the website. It will not save the code like Firefox can for thirty days.

I am planning on installing Disconnect on my phone next. If that works out, I will try the premium version, which includes encrypted Internet, safe browsing, and location control.

Another anonymous search engine is DuckDuckGo.

I also use Firefox with extensions NoScript, Ghostery, Adblock Plus, and Lightbeam. Lightbeam is particularly fascinating to look at; it shows all the sites that track me, even after all those add-ons. NoScript can be painful to use because you have to enable every single site.

After the last set of Adobe Flash 0days (two in a week!), I uninstalled Adobe Flash and Air. After all, if I really need Flash, I can always use Google Chrome, where Flash is built in.

I rarely use Internet Explorer any more.

And while you are updating your browser, make sure your Java version is current.

Crime in the Workplace

Posted: January 20, 2015 by uszik11 in Security Breach, Vulnerabilities
Tags:

Your need to protect yourself from your co-workers is an unspoken truth. In criminology, we say “crime knows no neighborhood.”  In other words, crime is everywhere, not just in one bad place. People are people everywhere.   At work, we steal inventory and information from our employers.  We steal money and other tangibles from our colleagues.  Of course, I do not do those. Of course, you do not, either.  But other people do.  Here in America, about 20% of us are habitual perpetrators.

If you work in a small shop, you probably are among people you know well enough.  Nonetheless, your company is still in a shared space of some kind, a building, a strip mall, a street. Everyone there is in your world. You cannot know them all.

If you are in a large enterprise, the statistical facts are warnings.  If you have 1000 people in your building, then you meet 200 perpetrators every day.  Background checks only reveal the habitual, compulsive, or genetic predators who have been caught.  But many aggressors are opportunistic and competent. Routine offenders get away with harming others because no one speaks up.  And it is not easy to confront a bully or report a thief.  So, the harms and crimes continue.

Generally, security falls under the control of the facilities manager.  Rarely does an organization have a chief security officer at the same level as the chief financial officer or chief information officer. Facilities managers are concerned only with keeping costs down. Facilities managers seldom have professional training in security. As a result, most buildings have too few guards, posted in the wrong places, at the wrong times, assigned to futile activities.  Security is reactive, not proactive.

Badging and other controls for identity and access tend to be minimal and ineffective. You have no idea who is in your building with you.  Vagrants know all the ways to get in.  Professional thieves have no problem getting through the front door.

Professional thieves work large office buildings with public traffic. They look just like everyone else in our casual dress society.  They walk the halls peeking into offices, and trying doors.  Laptops are an easy grab.

Engineers and programmers are a special problem.  They enjoy getting around locks; and they are good at it.  The statistics apply to them as well. People who make a lot of money steal and bully just like poor people. Crime knows no neighborhood.  Even the 80% of them who are nice, still leave us vulnerable when they gimmick, jimmy, or shim a lock.  They have no control over who the next person will be to come through that door.

Protecting yourself at work begins with a few simple rules.  Lock your desk and your computer when you leave the area.  Always take your purse or wallet with you.  Never leave your laptop, phone, or pad unattended in the cafeteria or restroom.

Generally, if you have a problem with someone, you have six choices.

  1. You can confront them.
  2. You can go to your manager.
  3. You can take it to human resources.
  4. You can report it to security.
  5. You can call the police.
  6. You can ignore them.

The bottom line is that it is better to prevent a problem than to fix one.

 

2014 – Once more into the breaches!

Posted: January 1, 2015 by IntentionalPrivacy in First Steps, Personal safety, Security Breach
Tags: , , , ,

Let’s look back at 2014 to review events that could impact our information privacy. Some substantial vulnerabilities occurred this year including the Heartbleed bug, Shellshock, and POODLE, along with the usual Microsoft, Java, browser, and Adobe Flash and Reader problems. There have been some notable payment system breeches: Sony, Kmart, Jimmy Johns, Home Depot, Apple, Dairy Queen, Community Health Systems to name a few … even some Goodwill payment systems got hacked.

What can you do to protect yourself? Here are a couple things to do:

  • Protect your information!

Don’t give it out unless it’s absolutely necessary. If your doctor—like mine did—asks you to sign a release so they can use your deidentified data in a study, ask them what information they are sending and who they are sending it to: Does it include your initials, your first name, your zip code, your street, your age and gender, your diagnosis, your treatment? If they frown at you and say it’s deidentified, ask them what that means to them.

According to HIPAA, there are 2 main methods to de-identify patient data, the “expert determination” method and the “safe harbor” method. The safe harbor method is usually safer because it removes 18 specific identifiers from the research data, such as name, age, dates must be year only, telephone numbers, address, full-face pictures, and account numbers. The expert method depends on an “expert” to determine what’s safe to disclose.

For instance, why do you care if someone shares your birth date? The birthday paradox is a probability theory that explains if you’re in a room with 23 other people, the chances that at least 2 people in the room will share a birthday is 50%, and in a group of 70 people, the probability that at least 2 of them will share a birthday reaches 99.9%. However, the probability that 2 people will share the same birth date is considerably smaller.

A recent article in American Medical News explained how Latanya Sweeney, PhD, a Harvard University researcher, was able to attach 241 identities to the deidentified medical information of a database of 1,130 research patients, using birth date, gender, and zip code combined with public records, such as US Census records or voter registration. That’s 22%! Yikes!

To see how identifiable you are by using those parameters, visit the Data Privacy Lab.

  • Make your important passwords unique for each account, change them often—every six months or sooner, especially if the web site is hacked—and implement two-factor authentication on sites that allow it, especially sites like email, banking, or e-commerce.

What is two-factor authentication? Two-factor authentication means that instead of using just a password to access your account, you add an additional method of verifying your identity.

Google Authenticator is a way to add a second factor; it’s easy to use and it sends a code via a text message to your device. You can set it up so that you only have to input a code if a new device tries to use the account or your password changes. In case you don’t have an Internet connection or cell phone service, you can download a set of 10 codes for backup authentication. Make sure you keep these codes safe! I store mine right in KeePass.

  • Back up your personal information on all your devices—documents, photos, music, videos.
  • Lock your devices: Use PINs, passwords, puzzles, or biometrics.
  • Install software like Find My Phone (Windows, Android, or iPhone) or Prey; if your device is lost or stolen, send it a lock and erase it. Be safe, call the police. Do not try to recover it yourself.
  • Don’t save password information in your browser! Here’s an article on how to disable saving passwords in IE, Safari, and Firefox browsers, and Chrome.

Can’t remember all those passwords? Neither can I! You can use a password-protected Excel 2007 or later spreadsheet (do not save in compatibility mode), download a password manager like KeePass, or use a cloud-based password manager like LastPass.

Do not lose the master password! If you might forget, put it someplace safe like your safe-deposit box.

I have used all three options, and I prefer KeePass, although Excel is in some ways more convenient because you can decide on the fields you use. The data is stored on your device (unless you load it in the cloud yourself). I use KeePass’s professional and portable versions, and KeePass2Android. Try to only update the KeePass database on one device and copy it to your other devices so you don’t get confused as to which device contains the most up-to-date copy of the database. I date the database when I add a new account or change a password (BlahXX-XX-XXXX), so I know to move it to my other devices.

It is very important to back up this database and store a copy that you update regularly —as well as a printed copy—in your safe-deposit box.

LastPass is convenient, but I don’t like the idea of not knowing where my data is stored. Also, if the service is down—as happened last August for over 12 hours—can you access your accounts? According to their documentation, you should be able to. However, it is always best to keep a non-cloud-based back up for cloud-based services.

  • Keep your operating system and applications up to date. When an operating system is no longer supported, it is time to either get the device off the Internet or—if the option is available—upgrade to a new operating system or download and install an open-source operating system. If none of those options work, wipe the device and recycle it here or at one of the Goodwill locations that partners with the Dell Reconnect program.

Spring clean your installed apps: if you don’t use it, uninstall it. Fewer apps will free up resources like memory and drive space, and your device might even run faster.

One application to consider installing on a Windows machine is Secunia’s Personal Software Inspector. It makes sure that all your updates and patches are current. I test a lot of software and some apps don’t always have automatic updates; this app is wonderful!

Everyone here at IntentionalPrivacy.com wishes you a prosperous, happy, healthy, and safe 2015! We’re happy you read us.

Older Entries