When someone starts talking about digital security, a lot of us think “why would anyone want to hack my devices? I’m not an important person, I don’t have anything important on there.”
But as I remind readers in Keep Calm and Log On, your digital valuables are important to you. They’re how you manage your finances, job, benefits, and other crucial parts of your life. Sure, having someone hack your accounts isn’t guaranteed to bring down your company or your country*… but it can sure as heck make your life a nightmare for some time.
Let’s focus for a second on identity theft, and how you can prevent it.
Do a search for each of your email addresses on Have I Been Pwned. That will let you know whether you were affected by breaches. Then use that site’s password search to see if your password has been leaked, as well.
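The password search mentioned above can be run without the site ever seeing your password: only the first five characters of the password's SHA-1 hash go to the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and the match happens on your own device. The sketch below is an added example, not code from this article's author or from Have I Been Pwned. The response body, its counts and the OfflineRange helper are constructed so it runs offline.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6 (counts are made up).
# Each line is the remaining 35 hex characters of a SHA-1 hash, a colon, and a count.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
FFC1E2A9D03B7A4C55E8D1F6A0B9C3E7D24:0
"""

def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Return how often the password was seen, given a fetch_range(prefix) callable."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not listed under this prefix

class OfflineRange:
    """Stand-in for the HTTP request (hypothetical helper); records what would be sent."""
    def __init__(self):
        self.sent = []

    def __call__(self, prefix):
        self.sent.append(prefix)
        return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    api = OfflineRange()
    for pw in ("password", "a long unique passphrase"):
        print(repr(pw), "seen", breach_count(pw, api), "times")
    print("sent to the service:", api.sent)
```

Any count above zero means that password should be retired everywhere it is used.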
If Have I Been Pwned says your email address was breached, it’s time to change the password for the account where the breach happened. If it says your password was breached, it’s time to change that password everywhere you use it.
How? First off, do not ever re-use a password you use elsewhere. I can’t stress that enough. Finding your password in a list of re-used passwords is the #1 way people get access to your accounts.
For advice on generating and storing a good password, pick up a copy of Keep Calm and Log On, or check out this article and quiz on password security I wrote for Tactical Tech.
Next, set yourself up with an encrypted password manager or a good old paper password book. 1Password and LastPass are both good encrypted password managers. I’m also fond of Remembear, which is simple but includes tutorials to help you take better care of your passwords. Note that browsers’ built-in password managers are not safe enough: they are not usually encrypted.
A lot of us download bank statements, legal papers, or medical records and then leave them in the downloads folder, forgetting they’re there. Guess where criminals often look first when they’re poking around your device?
So the first step is moving those documents to a safer place: at the bare minimum, out of “downloads” and into another folder. Here’s how to find your downloads folder on Windows (including older versions), Mac, Android, and iPhone, as well as managing downloads from Firefox, Chrome, Safari, and Internet Explorer.
You should completely delete extra-sensitive documents that could be used to steal your identity: documents that include photos or scans of your identity cards, your Social Security number, your financial account or credit card numbers, etc. This means not just moving them to the trash, but emptying the trash.
If you absolutely need to keep a digital copy of these files, 1Password and LastPass offer ways to securely store documents and financial credentials. If you’re a little more tech-savvy, you could try storing these documents in an encrypted volume on your device using VeraCrypt. Or if that sounds too hard, consider getting an external USB drive you’ll only use for your sensitive documents, storing it in a locked drawer or safe, and deleting those documents from your other devices.
Your downloads folder is only a small fraction of the places where your documents could go and not be safe. Many of us share critical information like our Social Security numbers or other IDs, titles and deeds, or financial and medical records, using email or text messages. This leaves those critical tools for identity theft in more places than they should be: other people’s accounts and devices, as well as your own. We all need to find safer ways of sharing documents—and this goes for the offices asking us to share these documents, as well as us as individuals. (I’m looking at you, schools, real estate firms, and legal offices—I see a tremendous number of you sharing these documents insecurely via email.) Take a look at these tips for sharing documents more securely.
Follow this site’s advice about cleaning up old accounts. Specifically, you’ll want to make use of justdelete.me to get rid of old accounts you’re not using anymore. Sometimes old information can be used to get access to other accounts, or old accounts can be used to impersonate you. Crash Override also suggests doing a web search for your old user names, and seeing if those lead you to other accounts you may have forgotten.
If you are seeing the signs your identity has been stolen (getting bills for things you didn’t charge, new accounts taken out in your name, collections calls, etc.), you will want to take further action. For US citizens, report the identity theft to the Federal Trade Commission, which will also help you set up a recovery plan. The FTC has information in English and Spanish on identity theft that affects specific communities, like military families and children.
* I’m putting a footnote here because unfortunately, there is a chance that if your device gets hacked, it could be used to cause serious damage to your company or country. Your device can be harnessed to attack other people’s devices and valuables—like your family, your boss, the head of your company, your city or state representatives, or a military base you’re affiliated with.
This excellent (though terrifying!) graphic from security researcher Brian Krebs shows many of the ways your computer could be used against other people by bad guys if they get access to it. Next time you think “nobody’s going to attack my devices,” think about what it would feel like if your computer was misused for all of these dirty deeds. Not a great feeling, is it?