Equifax Data Breach: Protect Yourself and Your Family


Many of you have no doubt read about the Equifax data breach multiple times already. While we are all affected by breach fatigue to one extent or another, this breach should catch our attention. Why is this one noteworthy?

  1. Data Categories: Included in the exposed data were Social Security numbers and, in some instances, driver’s license numbers.
  2. Size: 143 million U.S. consumers had their data exposed. That means if you are a U.S. consumer, you have about a 50% chance of being affected by this breach, when taking into account that there were only about 324 million people living in the U.S. last year, and only a subset of those are likely categorized as “consumers.”
  3. Captive Audience: You can’t opt out of Equifax and there is no reasonable way to avoid being an Equifax “customer” in the future.

The FTC has an excellent article with instructions on what we should do to protect ourselves and our families, as does my colleague Brian Epstein from the Institute for Advanced Study with the article What I’m doing about the Equifax Breach. My concise version is as follows:

Assume that your Social Security number, and those of your children, have been stolen already, perhaps multiple times. Don’t give up trying to protect it, but with that reality in view, make efforts to detect and prevent unauthorized use of your personal information. Here are three tangible steps you can take:

  1. Enroll yourself and your family in the free credit monitoring offered by Equifax, or pay for a third-party offering which provides financial support if you are a victim of identity theft.
  2. Put a credit freeze in place for your minor children, and consider doing so for yourself and other adult family members as well.
  3. Look for bank accounts and credit cards that offer $0 liability for instances of fraud.

No breach news is good news, but let’s try not to lose sight of how we are affected when there is a major headline like this one.

Thanks for reading and don’t forget to subscribe.

 

 

Catchy Headlines and the Pokemon Go non-Controversy

Imagine my surprise when reading headline after headline last night that proclaimed from the rooftops, “Pokemon Go App Can Read Your Emails!” and similar.

Users who were downloading this Apple iOS game were surprised to learn that the permissions it requested to Gmail when logging in included full access to their account, yet it was still downloaded FIVE MILLION times.

I was ready to get on my soapbox about paying attention to the permissions of every app you install, not letting your children install apps unattended, and the need for app developers to get it together, when I read this…

Pokemon Go was Never Able to Read Your Emails 

Soooooooooooo, as it turns out, the message users received was not accurate. In this case, although it did claim to have “full account access,” this term did not actually mean FULL account access. So is there any lesson to be learned or is this a pointless blog post?

Yes, and maybe. We should always be wary of any app that requests “full account access” or full access to anything regardless of what it means! So my soapbox lessons still apply. More specifically, pay attention to the permissions of every app you install, don’t let your children (30 and under) install apps unattended and app makers need to get it together! I digress.

Another important thing to check from time to time is what currently has access to your account. If you are a Gmail user, you can go to “My Account–>Connected apps & sites.” You may be surprised to see what is listed there. Remove the items you no longer use.

[Image: connectedapps]

In a similar vein, have you checked who is authorized to charge you via Paypal lately? It accumulates over the years. Check the list by clicking on the “Settings Gear –> Payments –> Preapproved Payments.” I am always surprised to find vendors listed that I approved for a single purchase in that list, and subscriptions that I cancelled many years ago. Clean it up before someone cleans out your bank account.

[Image: paypal]

OH! And if you’re not a vendor, don’t do this voluntarily…

[Image: paypal2]

In summary, from Pokemon to Paypal, be careful out there. Have a good day!


Big Data: Somebody’s Watching You…

It seems as if privacy advocates are starting to get some momentum lately.  There are countless headlines regarding privacy and the missing ability to opt-out of big data collection efforts.  CNN covered this issue in an episode of Inside Man recently.

One marketing company, Acxiom, has decided to publish a website that allows you to review a summary of the data they have collected about you.  That is so nice of Big Data, isn’t it?  I thought so.  However, there are a few caveats worth mentioning.

I went through the process and I couldn’t help but find it questionable.  In order to review the personal data about me they have accumulated, I had to provide a ton of personal information.  You know…to “verify” that the data I am requesting is actually mine.  I think that process makes a lot of sense, Big Data, if you weren’t already selling it to strangers.  Call me a skeptic if you wish, but it kind of makes me question whether or not there are ulterior motives, in addition to your never ending desire to be nice to me.  Am I just giving more personal information to a company who wants my personal information?  What are you up to, Big Data?

I must say that the website is aesthetically pleasing and the report output is definitely interesting.  It does give you some insight into the information marketers have and want about you.  The data about me was inaccurate in some cases.  Don’t worry, though!  Big Data gives you an opportunity to correct information that is not accurate so marketers can better target you.  Thanks?

This website also allows you to opt-out…if you provide all variations of your name, email addresses, phone numbers and mailing addresses.  Uhhhhh….don’t you know that information already, Big Data?

Last, but not least, the data presented is done so at a very high level.  I’m sorry, but there is just no chance that this is all the information a big data company has collected about me.  It is just impossible.  Either this company is a weak one, or they are giving you just the information they feel you need to review.  I’m not so sure you are being forthcoming with me, Big Data.

It is still an interesting exercise.  Check it out if you dare!


 

PSA regarding TMI

The day I passed my driver’s test, my father sat me down to chat. He lovingly reminded me that if driven responsibly, a car would prove to be a valuable tool. If driven recklessly, it could instantly transform into a 3000-pound bullet.

Is this post really about driving your car safely? No. However, the concept applies to using the internet responsibly. Social networking is a valuable tool and a big part of our daily lives, both socially and professionally. However, posting without discretion can put ourselves and others in danger from Internet hooligans. Check out the below infographic for some loving reminders.

[Infographic: How Too Much Information Shared Through Social Media Can Really Hurt You]

Thank you for tuning in to this public service announcement (PSA) regarding too much information (TMI).

So, what do you do to stay safe while using a particular social networking site?  Post a comment below.


Extra! Extra! Privacy for sale!

Data Privacy Month

Privacy is a keyword that has sold a lot of newspapers lately.  Why is that?  For starters, absolute privacy is more elusive than Peyton Manning trying to win a 2nd Super Bowl.  24-21 Seahawks, but I digress.

When discussing online and data privacy, responses can generally be summarized into one of three statements:

“I don’t have anything to hide, anyway.”

or

“I don’t have any data anybody wants.”

or

“The ‘Internets’ and NSA can read our minds!  Break out the aluminum foil.”

There is some truth to all of those statements.  However, let me respond one by one…

“I don’t have anything to hide, anyway.”

Hopefully, that is true!  I would put myself in that category.  However, not having anything to hide is not the same as, “please document all of my likes, dislikes, medical conditions and internet searches.”  The power of big data is amazing.  It’s hard to imagine what a single search provider can deduce from your search history.  Add your social media activity and GPS coordinates from smartphone snapped photos to the mix and it would be a mundane task to predict where you are going to have lunch…next Wednesday….before you even know.  So, what’s the harm in that?  Well, like anything else there is no harm if that information is not abused.  However, the idea of so much personal information logged on a server somewhere in cyberspace can make anyone a little bit uncomfortable when you start to give it some thought.  After all, these companies exist to make money and your information is the product they are selling.  If someone was following you, your children and your “friends” around with a pen and pad, from a safe distance of course, jotting down your schedule and any other details they could gather in plain sight, would you be OK with that? Unlikely.

Be aware of the fact that when you are logged into a social media account or search engine, your web traffic and internet searches are likely being logged and analyzed.  If you have a problem with that, remember to log out of all websites you logged into and clear your temp files before browsing the web.  Some individuals keep a separate browser for random searches and web traffic and another browser for logging into social media websites and the like.

“I don’t have anything anybody is interested in stealing.”

Actually, you do. You have credit cards, a social security number and credentials to campus or corporate resources. You may have access to intellectual property or research data. You definitely have access to a computer. Many of today’s attackers are interested in computing power as much as anything else. If they can turn your computer into a zombie and make it part of their apocalyptic cyber army, they are more powerful and more effective in getting what it is they’re ultimately after. There have been countless cases of a computer sitting under the desk of a receptionist in an inconsequential office taking part in a cyber attack against a high value target. So don’t subscribe to this faulty reasoning. It’s just not true.

“The ‘Internets’ and NSA can read our minds!  Break out the aluminum foil.”

Well, this is not true as it stands today, but there is no telling what next week will bring.  Here’s the bottom line.  The climate of information security has changed from ‘trust but verify’ to ‘don’t trust and verify’.  Everything worth protecting needs to be protected.  What do I mean by that obscenely obvious statement?  Assuming something is safe or relying on security by obscurity is not going to cut it anymore.  Any data hitting the wire or the air via WiFi should be viewed as fair game for invited or uninvited onlookers to see.  Encryption for data at rest and data in transit is not an option; it’s a requirement.  Every website, product or software package you are investigating should support encryption.  Accept no less and assume your local network is already breached in some way.  It’s not paranoia.  It’s reality more often than anyone would like to admit.

Watch this short video for some important reminders.  It’s an oldie but goodie if you haven’t seen it before.