Sony’s recent data breach got all the headlines, but such attacks aren’t rare. Here’s how to protect yourself and your data from them.
In 2011 alone, tens of millions of users have had personal information exposed or put at risk in some way by data breaches at Epsilon, RSA Security, the state of Texas, Ashampoo, and Sony’s PlayStation Network, among others.
In the Texas Comptroller’s Office breach, a configuration error on a publicly accessible database left sensitive details open to the Web. In the RSA Security case, an attacker gained access to the internal network via a simple phishing attack that exploited a zero-day bug in Adobe Flash.
The impact of a data breach depends on what information is compromised and what the attackers do with the data they steal. If a breach is limited to exposing e-mail addresses, as was the case with the Epsilon data breach, the main concern it raises is the possibility of targeted phishing attacks.
If a breach exposes personal details such as names, addresses, dates of birth, Social Security numbers, and driver’s license numbers, identity theft becomes a serious concern.
The worst case involves the loss of actual bank account or credit card numbers. The attacker can use your credit card information to buy things or—with additional information such as your account password—drain your bank account.
Protect Personal Information
To safeguard your information, begin by assuming that your data will be stolen at some point. This mind-set will encourage you to be careful about which businesses you trust.
Many Websites require you to provide some information in order to use them. Some allow only registered users to access certain content; others require you to sign up and log in before you can contribute or comment. But that doesn’t mean that you have to provide correct information.
First, don’t share your primary e-mail address thoughtlessly. Instead, set up a dummy Webmail address to use for the express purpose of signing up for Websites.
Second, don’t supply real information if you can avoid doing so. One option is to invent a fake persona for signing up on Websites. You can use your real name, or something close to it, but enter a fake mailing address and phone number, and use the dummy Webmail address I mentioned earlier.
One big mistake people make is to use the same username and password at multiple sites. Yes, remembering 50 different usernames and passwords is a daunting task, so I recommend employing a different username and password only on sites that you rely on or that grant access to sensitive information such as your bank account or credit card information.
For minor sites that you sign up for once and may never visit again, it’s okay to use one username and password across all of them. That way, you can follow the recommended security practice while minimizing the number of username and password combinations you need to remember. See also “Build Better Passwords and Stay Sane,” on page 38.
Resist Phishing Attacks
If you get an e-mail that has spelling errors or poor grammar, delete it. Legitimate companies sometimes mangle spelling and grammar, but a poorly worded, badly spelled message is often a tell-tale sign of a phishing attack.
On the other hand, a phishing e-mail with good production values can look and sound very convincing. But even so, avoiding phishing attacks isn’t difficult. The crucial rule is this: Never supply your username, password, account number, or other sensitive information via e-mail. No legitimate company should ever ask you to do so; and if one does, it doesn’t deserve your business.
Another important rule: Never click a link in an e-mail message. Phishing attacks often contain links that lead to spoofed but seemingly legitimate Websites. The message may ask you to correct your personal information or to create a new password, but the goal is simply to gather your information.
Consider not giving any site access to your bank account information. Get a disposable credit card, or a credit card with a restricted $250 limit that you use specifically for Web purchases.
Some banks also offer virtual credit cards, essentially one-time alias card numbers, that you can use to make online purchases but that have no real-world value if intercepted or stolen.
Early detection is the key to survival. Scrutinize your bank and credit card statements so that you can identify suspicious activity and address it as quickly as possible. Doing so will help minimize the resulting damage.