How to Be Safe Online

Make Hackers’ Jobs Harder

Scatter the pieces of your personal data so bad actors can’t assemble the puzzle.

Personal information should be like puzzle pieces scattered on a table: visible to all but difficult to fit together without additional information.

Photo illustration by Slate. Photos by Thinkstock.

It is nearly impossible to participate in modern society without entrusting your most sensitive personal information to countless Internet-based systems. At the same time, even the most well-resourced organizations are being hammered by sophisticated digital attacks, making it difficult to trust that any of these systems will keep our information safe. So the question debated at the highest levels of government, and by dozens of industries, thousands of companies, and millions of consumers, is: How can you keep your personal information secure while continuing to participate in a society powered by the extensive sharing of personal information?

However, that’s probably not the question we should be asking. Personal cybersecurity discussions are generally based on the idea that personal data are secrets to be guarded. This understanding is fundamentally inadequate in a world in which personal information is treated like currency—by everyone who voluntarily broadcasts his or her likes and check-ins to the world to build a loyal following, and by the criminals who collect and convert that information back into monetary value by stealing their targets’ identities.

To address the challenges posed by the always-on sharing economy, we need to shift the way we think about personal security. Of course, we should all do what we can to keep our most sensitive information private. But we should supplement those traditional practices with new behaviors and systems that make it difficult to actually do anything with exposed information, barring some other kind of authorization. Pieces of personal information should by themselves not be allowed to unlock anything. Instead, they should act like puzzle pieces lying on a table: visible to everyone, but very difficult to fit together without additional information.

There can be little doubt that our traditional approaches to online security are proving to be woefully insufficient at combating today’s digital threats. For one thing, much of the advice consumers have been given for improving their online security—including choosing long and unique passwords for each site, keeping local software up to date, and using antivirus software—focuses on keeping individual PCs safe from direct attacks. While such safeguards are crucial components of making the Internet as a whole safer, they unfortunately don’t do much to help individual users protect the data they have surrendered to remote databases. Yet malicious hackers have little incentive to target individual PCs when they can instead attack databases in which millions of consumers’ personal records are collected. And judging by the recent procession of high-profile breaches—involving Target, Home Depot, Sony, and Anthem, among others—many of these databases are far more vulnerable to attack than they should be.

At the same time, security researchers have been uncovering a steady stream of grave technical vulnerabilities in the software systems used by the majority of digital service providers—vulnerabilities so severe that they were given evocative names like Heartbleed, Shellshock, Ghost, and Freak. In the long run, it is highly beneficial that these vulnerabilities are being discovered and fixed. But their prevalence also makes clear just how risky using the Internet can be, especially for handling sensitive information. Additionally, even once a fix has been released for any given vulnerability, it can take quite a while for that patch to be applied to every affected system. That gives even the least-skilled bad actors (“script kiddies”) a window of opportunity to wreak havoc.

Given how scary the Internet has become, it seems only natural to wonder whether the only way to maintain any degree of personal security in this day is to go offline entirely. But going off the grid has become effectively impossible. Even someone who goes to the extraordinary lengths required to maintain a paper-only existence has his information inducted into databases every time he hands a form to a clerk—who promptly transcribes the sheet into a digital record.

So what, then, can people to do safeguard their online accounts, reputations, and identities? As Slate’s David Auerbach put in his excellent overview of one of the latest megabreaches: “For starters, assume you’ve already been hacked.” Auerbach directs this advice at bank administrators, but the same logic is equally applicable to individual Internet users as well: We need to figure out how to reclaim and maintain some degree of security within systems that are significantly, if not completely, compromised. We should begin to operate under the presumption that our personal information is already in the wrong hands and figure out how to proceed from there.

Instead of focusing all of our attention on the Sisyphean task of trying to keep our personal data secret, we can achieve equal or better levels of personal security by diverting some of our energy to making it harder to actually misuse our personal information, regardless of who has access to it.

This approach to personal security, while still generally viewed as “advanced,” is neither new nor particularly difficult to adopt. In fact, there are several quick and easy ways for individuals to enact exactly these kinds of safeguards right now.

Dual-factor authentication
The principle behind dual-factor authentication is that passwords can be compromised far too easily to allow them to serve as authorization mechanisms by themselves. Sites and services equipped with dual-factor authentication capabilities require users to supply multiple types of information to confirm who they are—generally some combination of “something you know, have, or are.” Many such sites encourage you to register a phone number (something you have), and in the event that the site detects you trying to log in from a new device or network address (that is, your location, something you are, has changed), it will text that number a one-time code that you must enter to gain access to the site. Because dual-factor authentication combines multiple modes of identification, enabling it makes it nearly impossible even for someone who has your full life history to break into your account.

If you lose access to your usual phone number (for instance, if you are traveling abroad), dual-factor authentication will be just as effective at keeping you out of your account as a hypothetical attacker. However, sites that support dual-factor authentication almost always offer you the option of downloading a set of “emergency codes” that will let you into your account even when you cannot complete your standard dual-factor authentication routine.

Support for dual-factor authentication is growing rapidly, and some sites employ basic forms of it by default. But dual-factor authentication is still generally seen as an advanced feature, and many sites leave it off by default. Find out which sites you use on a regular basis support dual-factor authentication and turn it on—and print out a set of backup codes, so you have them when you need them.

Establish a credit freeze
A credit freeze applies the principles of dual-factor authentication to credit bureaus, disallowing almost all access to your profile at each agency, until you explicitly revoke the freeze with a phone call. Because the first step of opening a new credit account is almost always a credit check, by instituting a credit freeze you immediately protect yourself from many of the worst consequences of ID theft. Your hypothetical attacker may have your Social Security number, past two home addresses, and mother’s maiden name, but as long as the freeze is in place, that information cannot be used to open fraudulent accounts in your name.

Admittedly, the process of setting up a credit freeze is somewhat cumbersome and requires you to file three separate requests and pay three $10 fees, one to each of the credit bureaus. That’s why the only people who usually bother to do it are those who have already suffered identity theft. But given that opening a new credit card often requires nothing but the very same information that’s stored in those corporate databases that keep on being breached, the hassle is probably well worth it, even for people who haven’t—yet—been compromised.

Make local copies of all important account statements—and check them every month
There is a limited amount that you can do in the event that a sophisticated hacker breaks into your bank’s internal systems and starts moving money around, as happened recently to JPMorgan Chase and a slew of other banks around the world. But what you can do is to maintain your own copies of statements for all of your important accounts by downloading them to your local PC and quickly skim them for unexpected surprises. If something strange does suddenly appear, you will have a paper trail to back up your complaints.

Consider how your accounts are linked, and use bogus information for security questions
As various prominent people have learned hard way, password recovery mechanisms can introduce extreme vulnerabilities into an otherwise secure account. They may allow an attacker to gain access by first compromising a less-secure “recovery email” account—or even by simply supplying a few pieces of publicly available personal information about the account holder. Farhad Manjoo explains in great detail the importance of making sure that the designated “recovery” email address for all of your important logins points to a maximally secure email account that you use only for that purpose. But you should also make sure that the answers to your security questions are incredibly obscure, or better yet outright (but memorable) lies. The best way to make private information useless to an attacker is to refuse, wherever possible, to allow that information to be used to validate your identity. And that brings us to …

Keep important secrets … secret
While the old school of thought in information security may no longer be quite up to the task of combating the threats of today’s Internet, some of those venerable ideas still have considerable merit. In particular: The only way to keep something of the highest importance safe is to never disclose it. While it is almost certainly impossible to keep your Social Security number out of vulnerable databases, it is at least worth putting up a fight when someone who has no legitimate need for it asks you to divulge it, online or off. Unfortunately, Social Security numbers are sufficiently powerful identifiers that there is probably no way to render them completely useless to an attacker, at least not until corporate and government policy evolves to make such static numerical identifiers only one of several puzzle pieces required to conclusively confirm identity.

Embracing insecurity may seem like a terrifying prospect. But once we have come to terms with our collective vulnerability, we can begin to devise strategies to shield ourselves against the next (inevitable) wave of digital attacks—and perhaps finally break the historical pattern of everyone being caught by surprise by each new breach and having to resort to resetting thousands of passwords, closing accounts, and the other costly forms of damage control that have historically followed major breaches. Although much remains to be done, there are plenty of options for making our personal information harder to exploit that are readily available right now—and few reasons not to use them.