So, quick question: have you done anything to protect your identity after the Equifax data breach? If you haven’t heard, or would prefer not to re-read the details, here’s a funny take by Stephen Colbert on the whole thing:

Colbert - Equifax

The breach, and the circus parade of technical, legal and ethical snafus by Equifax that followed, are a reminder that we live in an unsafe digital world.

Whether you’re an individual, corporation, or government, your state of cybersecurity in 2017 is pretty bad:

  • German bank accounts were hacked via 2-factor SMS authentication, using a vulnerability in cellular networks
  • Election results have been influenced or directly tampered with in multiple countries
  • Adobe unwittingly revealed its private PGP key online
  • Deloitte was hacked and was unaware of it for over 6 months
  • The SEC was hacked, and the information was potentially used to make insider trades
  • A white-hat hacker (i.e. a good guy) found hundreds of companies that are vulnerable via their helpdesk systems
  • The US government tried to force Twitter to identify people who criticized it
  • People on both sides of the political spectrum have been doxxed, “outed” or fired because some strangers didn’t like them on the internet. Note: while I have no sympathy for some of the people being doxxed, it’s important to remember that doxxing is a double-edged weapon, most frequently and most maliciously used against innocents.

In most of these cases, the hackers used well-known vulnerabilities, and the hacks went unnoticed for several months.

Some are suggesting completely overhauling the current systems, for instance:

  • Using Blockchain for identity, e.g. MIT’s Core Identity project
  • Getting rid of private data brokers like Equifax, replacing them with a centralized governmental system

But waiting for Blockchain to solve this issue is a bit like smoking 3 packs a day hoping “medical science will find a cure by the time I’m in trouble.” Your identity is at risk today. It has been for a while.

Which means it’s up to you to ensure the safety of your digital identity, not the government or the corporations that own your data. And that can be a scary thought.

So I decided to find out how vulnerable my information is. You can too.

For a start, please try this exercise from the book The Smart Girl’s Guide to Privacy (screenshot taken from Amazon’s “look inside” pages, Chapter 1):

Online Privacy Test

I was shocked (shocked, I say!) to see how much of my information is online and easily available. For the low, low price of $0.95, websites like Spokeo, USPhoneBook and PeopleFinders will sell to anyone:

  • my phone number(s)
  • my age and birthdate
  • my spouse’s identity
  • my addresses (current and past)
  • which cell phone carrier I use

PeopleFinders

Spokeo

And that’s just what is available for free on “your” profile. Their purchase page claims that they have even more information about you - information that opens you up to identity theft pretty easily:

Spokeo-purchase

So, let’s take some simple preventative actions:

  • Freeze your credit. Yes, it sucks, you’re paying into a broken system - but just do it for your own sake.
  • Add 2-factor authentication to all your online accounts - financial, social media, etc.
  • Review your public profiles on Facebook, LinkedIn, Twitter, Instagram, etc. and remove any public information you don’t want strangers to have.
  • Use a VPN client like PIA or Encrypt.me on your laptops and mobile devices. This is especially important if you’re frequently using unsecured Wi-Fi at airports, coffee shops or hotels. This will protect your data from sniffers.
  • Use messaging apps that have end-to-end encryption, like Signal and WhatsApp.
  • Use browsers built for security, like Epic, Brave or Tor.
  • Important: Opt out from as many online data brokers as you can. This one will be an ongoing effort - here’s a great guide on getting started. Note: yes, they have an opt-out form, but do you really trust a website that sells your personal info without permission to honor your opt-out request? This one gives me the chills.

More importantly, let’s start educating ourselves on security and online attack vectors:

PMack

Please share additional tips you have, and share this information with anyone who may find this useful. And remember, stay safe online!


Additional links: