It seems that every few days we hear about another cyber-hacking case. Last week, reports of a Russian cybercrime group amassing 1.2 billion usernames and passwords ran above the fold in The New York Times. The news was pretty unnerving but it has since lost considerable steam as other news outlets noted that many of these credentials were actually counted in other big security breaches. Also, the fact that the source of the information, a company named Hold Security, was charging $120 a pop to tell companies whether their information was breached made the whole thing suspect.
So does that mean you have little to worry about? Not exactly.
Here’s what happened this week in my little universe. My reporting assistant, Kelly Hultgren, discovered that for the past three months her bank account had been debited every month to buy Experian credit monitoring services – ironic, I know – for someone who was clearly not her.
In other words, breaches are happening all around you. So here’s the remaining – crucial – question: What will it take for you to start doing the bare minimum? You can’t protect yourself completely. But you can make yourself much safer by doing these four things:
Change your username and passwords.
Some 25% of U.S. Internet users who use accounts or sites requiring a password have no more than three sets of credentials, according to an April survey from Harris Poll commissioned by LifeLock. That’s troubling because 56% of Americans use more than 10 sites and accounts. (Full disclosure: I partner with LifeLock on educational initiatives.) To make your life easier, it’s OK to use what security experts call a “throwaway” password on forums and blogs. But when it comes to your social networks, banks, brokerage firms and any place else you transact, you need to do better.
Passwords must be distinct and at least eight characters, including letters (caps and lower case), numbers and symbols – not forming a word found in the dictionary. A password manager ala Dashlane.com is very helpful. Or use this trick: Come up with a sentence that you can remember. Take the first letter of each word. Substitute symbols and numbers for some letters. Then attach the first letter of the website you’re on to the beginning (capital), and the last to the end (lower case). So, when you’re visiting Citibank, the sentence: My brother Oliver ate a big, grey seal becomes CMB0AABG$i.
Review your bank statements.
This is the lesson of Kelly’s experience, but she’s far from alone. In 2012, the Department of Justice reported that existing account fraud was the most common type of I.D. theft – impacting 15.3 million people, half through their bank accounts. It also noted that bank account I.D. theft victims are twice as likely to report severe emotional distress as credit card I.D. theft victims. “With online banking becoming so ubiquitous, people view their statements online and engage in more and more transactions online, which all has inherent risk,” says Eva Casey Velasquez, president of Identity Theft Resource Center. Velasquez says use the increased interaction to your advantage by logging in (and reviewing) everyday or every other day, which offsets the risk you’re taking with having more accounts and more passwords.
And when you do review your statements, be it online or on paper, don’t just look at the big numbers, adds Bill Hardekopf, chief executive of LowCards.com. “You need to look at every single transaction. A lot of thieves will run a small transaction first to test drive your information. If it’s valid, then they’ll go further.” This was the case for my assistant, whose fraudulent charges were all less than $20. In fact, she waited a couple of days (after seeing the charges) to act. Her logic: If it’s Experian, it must be fine. You have to scrutinize everything, Hardekopf says. “If you see something from Experian, sure it looks more legitimate than Joe’s Garage and Liquor, but you have to ask yourself, did I sign up for this, when and where?”
Review your credit card statements and credit reports.
The same goes for your credit card statements. Roughly 25% of people have been a victims of credit card fraud – yet people review their credit card statements less than they do their bank accounts. According to a Harris Interactive study conducted for Experian's ProtectMyID, nearly one in five own up to never checking them at all. Likewise, according to the U.S. Federal Trade Commission, one-third of consumers have never pulled their reports. These are crimes where the best defense is a good offense. If your personal information is wrong in your report -- or you see lines of credit you don’t recognize -- raise the red flag. (You can get three free credit reports a year from annualcreditreport.com and a free TransUnion report once a week from creditkarma.com. )
Sign up for every possible notification.
Chances are you’re eligible for alert options for your cards (and possibly your credit reports). But you’ll likely have to look for them and opt into them yourself. You can elect to receive an email if your card is charged without the physical card being present, as Velasquez does, or even one every time your card is charged. “At this point, it’s on the consumer,” she says. “We need to get consumers to shift their thinking from annoyance -- this is clogging my inbox -- to no, this is important and it protects me.”
Shred your financial documents.
Are you guilty of throwing out your financial documents without thinking twice? Fifteen percent of U.S. adults do, according to Harris Interactive, and one-third store sensitive documents (e.g., bank statements, Social Security card, medical bills) in non-secure locations. Bad move. Dumpster diving is not a thing of the past.
Finally, it may put your mind at ease to know the difference between a data breach and I.D. theft. In one-third of cases, if your data is breached (aka stolen) you will be a victim of some kind of I.D. theft, according to Javelin Strategies. It can be a small theft – where someone uses your credit card – or a big one – where someone pretending to be you applies for a job or a loan. The latter is tough to unwind and the reason to take all of these precautions in the first place.