Ebay suffering the biggest hack of all time led to the exposure of lots of personal data including postal addresses, dates of birth and phone numbers for millions of people around the world.
While the company insists no financial information was stolen, private personal data still holds a lot of value.
But what options do users have when a site demands personal information as a condition of use, with no way of determining how secure that data will be?
“We have to take care of our data, but in many circumstances if we want to use a service we have no choice but to surrender data, stuff that is very difficult to change,” Rik Ferguson, global vice president of security research at security software firm Trend Micro, told the Guardian in the wake of the hack.
“It’s all very well telling everyone to go out and change their passwords, but you can’t go and change your postal address, telephone number, name and date of birth.”
Shopping services need your postal address to deliver goods, for instance, media services need your date of birth to verify age, and a taxi firm will need your phone number to alert you when its car arrives outside your door.
“All organisations that are hold any sort of private or financial information should absolutely be encrypting that data at all times – there is no excuse for not doing so,” says Ferguson.
Unfortunately, eBay’s hack has proved that not all companies are as good at protecting your personal data as they should be.
“All data that is shared should be done so in the knowledge that it absolutely is at risk from targeted attack. All of that data has financial value to the attacker, and they will continue to go after it.”
Just the bare minimum, ma’am
The safest way to protect yourself is simply to not give out any personal information. When that isn’t possible, provide the absolute bare minimum. After all, why does an internet company need to know where you live or have your phone number?
Avoid giving any over any more information than is absolutely necessary and required for the service to work. And if that is more information than you are prepared to give, perhaps the service isn’t worth the risk. Your information is valuable to the company you are giving it to, just as much as it is to the hackers that may gain access to it, and therefore they often ask for much more information than they really should.
Don’t give your credit card details to every shop
Credit card details are one of the most valuable pieces of information you own and therefore one of the primary targets for any criminal hacker. Consider using other secure forms of payment that do not require you to hand over your credit card details.
“PayPal represents a great example of giving data to a secure third-party so that you don’t have to give your credit card details to everyone you buy from, but of course that makes it single potential weak point in the chain,” explains Ferguson. (PayPal is owned by eBay, but was not affected by the hack on the auction site, and has its details encrypted, it says.)
Many other services, including Google Wallet and Visa’s V.me, are available to shield your payment information from online stores, but it is very important that you secure those accounts as much as possible with very strong passwords and, where available, two-factor authentication (where another tool like a number generator is used to protect your login).
Tweak your postal address
While giving out your post address for services is often unavoidable, there are some things you can do to protect yourself.
When a service that is not going to send you parcels asks for your address you can leave out one crucial factor. For instance, if you happen to live in a flat you can leave off the flat number of your address, simply listing the building number.
Also, if a company is using your address or postcode to simply verify the country or two you live in, as is often the case with online streaming services, consider giving them another postcode of the next street over or one in a surrounding area.
Use an alternate phone number
Quite a lot of services require a phone number to verify your identity. The companies use the potential security of the mobile phone operator’s registration process to strengthen your proposition that you are who you say you are. But giving up your real phone number could lead to a deluge of spam calls or phishing attacks should it be stolen.
Some services can essentially be fobbed off with a fake phone number, but others may actually use that number. So instead of giving them your primary phone number, considering giving them a secondary phone number.
One idea is to register another pay as you go account mobile phone number – simply getting a SIM from a mobile phone provider is often free and easy via the web or operator stores – and put that in an old phone for when you need to receive a call.
Once you have a secondary number registered, you could also set up call forwarding so that the number simply forwards to your real, primary phone number. That way you can continue receiving verification phone calls and queries as if you had given out your primary phone number, but can safely ditch the secondary number if it is stolen in a hacking attack – without having to tell all your family and friends about a new phone number.
Don’t give your full name
Your name is almost always the bare minimum of information required to set up and use internet services. That makes it the most readily available piece of personal information on the internet.
Consider giving certain sites and services a fake name, a nickname or perhaps a jumble of your real name, swapping your first and last names. Never give your full name with middle names if at all possible. That way hackers don’t get your actual real name and another piece of information that could lead to identity theft.
Fudge your date of birth
Lots of sites and services require your date of birth, often to verify age. But there’s no reason you have to give them your real date of birth. It is one of the most used pieces of private information for verifying your identity to banks and other crucial financial services – so should be protected.
Consider giving less crucial services a fake birthday. It doesn’t even need to be that different, but a month or a day change, or even a single digit year change should be enough to prevent it being used to gain access to your bank account, for instance.
Remember to make it a memorable one in case you’re asked for it as a security check, and for extra memorability, use the same fake birthday on every site. (Unix fans might like 1 January 1970, for example.)
Use multiple email addresses
An email address is often far more important than it is given credit for. Most services allow users to reset a password or regain access to locked accounts by using an email address for verification.
But once a hacker has access to your email account, they potentially have access to any other service that uses that email account to retrieve lost login credentials. And it’s quite likely there will be a confirmation email buried somewhere in your inbox from that service – so all the hacker has to do is search for that service (Amazon? eBay? iTunes?) in your email, then go there and demand a password reset – which will land in the inbox they control.
“You can try and operate multiple email accounts,” suggests Ferguson. “Some email services allow you to create disposable email addresses that are relatively easy to manage.”
He explains: “You could have an address that is bespoke to eBay, for instance with something like eBay.yourname@emailprovider.co.uk or paypal.yourname etc, so if that account is compromised you can just throw it away and create a new one.”
Another option is to create several layers of email addresses, using one for low security accounts, one for medium and another exclusively for banking or other crucial financial services.
Fake those security questions
Many sites and services require “secret” answers to questions like “who was your first teacher?” or “what is your mother’s maiden name?” There is nothing inherently wrong with the idea of secret questions to verify your identity as long as they actually stay secret.
Wherever possible, pick and choose to write your own secret question, and give an answer that is unique to each service. This can be hard to do if you do it at random. Try using something about the site to fill it in. So if you’re on “Randomsite.com” and it asks you what the name of your first pet was, why not say Randomsite? Or Etismodnar? Or Rando, or Etism. The important thing is to be consistent. (You might even consider going back to sites where you have already filled this in and changing them to match your pattern.)
The advantage of this method is that if the sites are doing the right thing, and encrypting your answers (and then encrypting future responses, and comparing the saved and latest responses to see if the results match), then even if hackers do grab the information and decrypt it, it will make little sense. Most hackers try the results they get from any password or other hack on multiple sites – that’s why it’s dangerous to use the same email/password combination on multiple sites.
Faking information can be particularly important when it comes to easy-to-find information like your mother’s maiden name or your father’s middle name (both of which could be available on the electoral register, for instance).
Use a secure password managers
The problem comes when trying to remember all this fake or varied information, but there are storage solutions that offer to securely store passwords and other important information.
“Look at password management software,” suggests Ferguson. “There are a load of options out there and it does mean that you can at least confine risks to individual accounts with unique passwords when they are breached.”
Password managers like LastPass or 1Password offer to store more than just passwords. Individual logins for internet accounts can have other information such as your fake secret passwords, date of birth or postcode attached to them. That way it is simply a case of looking up the information when you need it.
Most of the good password manager services also provide multiple ways to access the information, via a mobile app, website or offline for instance, as well as multiple layers of security, including two-factor authentication.
It is extremely important to ensure that your password manager account is as protected as possible with a bullet-proof password, which should be as long and complex you are capable of remembering.
It also creates a layer of inconvenience when you want to login to each service that one login and password for everything eliminates, but it will all be worth it when one of your accounts like eBay is broken into.
As Ferguson says, “effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in.”
These days it is inevitable that one or more services you use will get hacked at some stage or another, and so preparing yourself for that attack could mean the difference between a simple password change and having to cancel cards and change passwords everywhere.
• What to do if your email gets hacked and how to stop it happening again