On September 7th of this month, the New York Times reported that hackers had gained access to Equifax’s data containing, among other information, the Social Security numbers and driver’s license numbers of potentially 143 million Americans. In addition, that report stated that “Equifax also houses much of the data that is supposed to be a backstop against security breaches. The agency offers a service that provides companies with the questions and answers needed for their account recovery, in the event customers lose access to their accounts.” “If that information is breached, you’ve lost that backstop,” said Patrick Harding, the chief technology officer at Ping Identity, a Denver-based identity management company. See https://nyti.ms/2xSMUL6
Which brings me back to a piece I wrote two and a half years ago entitled “Securing Your Data.” See http://www.chicagotrademarkattorney.net/securing-your-data/ It may be a good time to revisit that blog post. That post referred to a post I had written on August 6, 2014 reporting another story in the New York Times that “hundreds of millions of email addresses and other types of personal identification were found in the hands of Russian hackers.” The writer of that story wrote, “assume that your personal information is stolen,” and recommended that you change your password for sites that contain sensitive information like financial or credit card data.
So, three years later, with the Equifax hack, what have we learned about cybersecurity? “ASSUME THAT YOUR PERSONAL INFORMATION IS STOLEN!” And what did the last Presidential election teach us? “The Russians are good hackers!” Obviously, we could have figured that out reading the Times two years before. So, should we throw up our hands and just assume that all is lost and wait to lose our identity as well?
Well, all is not lost. As we have learned from the F.B.I. in their investigation of the San Bernardino mass shooting case, encrypt your data on your cell phone. Make sure that you don’t exchange sensitive data on a public wi-fi system and make sure that your home and business systems utilize an encryption key. If you store data in the cloud, Edward Snowden has recommended that you use SpiderOak, an online backup and file hosting service that uses encrypted cloud storage and client-side encryption key creation. See https://en.wikipedia.org/w/index.php?title=SpiderOak&oldid=794905942 And Ed Snowden knows something about hacking. After all, he hacked the National Security Agency.
And, as for your other data, you can buy a back-up hard drive or a USB key and maintain a spare copy of your photos and important documents and e-mails. I save these documents and e-mails in .PDF format so that they are easily accessible as software versions change or in the event that I or someone else who needs access to those files in the future is using a different OS from the one that I am using now. Don’t carry the back-up with you; if at home, keep it in a locked fire-safe box and, if you are leaving town for an extended period, and you have a safe-deposit box, put it there. If the back-up is in the office, at least keep it in a secure locked drawer, and if you can do it safely, bring it home on weekends and on vacation and follow the procedure noted above. Encrypt access to the back-up drive if possible. If you’re going on vacation or working at a Starbucks, leave the back-up disk in one of the safe locations noted above. Also, perform a back-up every day that you use your computer. You cannot remotely hack a safe-deposit box, a fire-safe box or your front door unless you have an app-based remote-controlled lock, which I wouldn’t recommend that you purchase. See https://www.wired.com/2013/06/smart-locks/ and see “Russian hackers” and “Equifax” above.
And as for those questions and answers needed for recovery of your online accounts, have fun with them. As I suggested previously, play with them. For example, you went to Pyongyang on your honeymoon, your dog’s name is FreddyMercury, the first car that you owned was a Tucker, you were born in the Damascus Hospital for the Criminally Insane, your elementary school was the Chernobyl grammar school and the city you’d most like to visit is Mogadishu. Answers like these will be more difficult to guess than if your dog’s name is Fluffy, your first car was a Ford, you were born in St. Joseph’s Hospital and the city you’d most like to visit is Paris. Don’t everyone use these examples or they won’t work.
Pick a strong password with a combination of numbers and letters, capitals and small letters and punctuation marks that you can remember. Use eight or more characters. Don’t use the same user name/password combination for multiple websites, but pick something you can remember, as using an online password manager to store your passwords is risky. Like anything else in the cloud, it can be hacked. If you use passwords to access your bank accounts and your medical records as well as pay your credit card accounts, many of which are probably linked, a hacker can access those records and potentially empty those accounts. And who doesn’t want to have their gynecological or urological results revealed?
Use two-factor authentication. This works with Google. If someone tries to access your Google account on another computer, including you, Google will send a one-time code via text message to your cell phone. If you happen to be checking your Gmail in a public library, this can be embarrassing. You then enter that code to log in. Two-factor authentication should become standard as it essentially generates a random multi-digit number that you must key in to gain entrance to a web site that resides in the cloud.
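To make the one-time code concrete, here is a sketch of the server side of that exchange, added as an illustration and not taken from Google or any real service. The class name `OneTimeCodes`, the six-digit length, the five-minute lifetime and the three-guess limit are all assumptions chosen for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed length; the post only says "multi-digit"
TTL_SECONDS = 300    # assumed lifetime of a code
MAX_ATTEMPTS = 3     # assumed number of guesses allowed per code


class OneTimeCodes:
    """Hypothetical in-memory store for login codes sent by text message."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [code, expires_at, attempts_left]

    def issue(self, account):
        # secrets uses the operating system's CSPRNG; the random module
        # is predictable and must not be used for login codes.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A new code replaces, and so invalidates, any older one.
        self._pending[account] = [code, self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS gateway, never written to logs

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account]  # stale codes are discarded
            return False
        entry[2] -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]  # single use: a replayed code fails
            return True
        if entry[2] == 0:
            del self._pending[account]  # guesses exhausted: request a new code
        return False
```

The guess limit matters as much as the randomness: a six-digit code has only a million possible values, so without a limit it could simply be tried exhaustively.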
Also, if your cell phone has a “kill switch,” activate it so that in the event it is stolen it becomes useless as a key to your personal records located in the cloud.
The lesson of the Equifax episode should be if information is really personal and of an intimate nature or otherwise potentially embarrassing or, for whatever reason, you are never going to want to disclose it to the world, don’t put it in the cloud. As I wrote previously, would you hand over the keys to your home to someone who knocks on your door and promises that he’ll take care of your house? I doubt it. People either entrust the security of their home to companies with a long-standing reputation for safety or leave their keys with a trusted neighbor or relative whom they know very well. The value of your investment account or bank account or personal reputation, all of which may be accessed by someone with your password, may be much greater than that of your house. Would you leave your password with a company that may not be around in three years? It looks like Equifax may not be. They had the records of half of America and lost them. Oops!
And, finally, what you do with your life is your business and everyone else’s. Your work history is in your LinkedIn account as are all of the names of your work and professional associates. Your marital status is on your Facebook page as are pictures of your kids, where you went on vacation, your spouse as well as posts about your politics, lists of your friends, etc. What once would have taken extensive efforts by an authoritarian state’s internal police force to learn about you, you have freely volunteered to the world.
So, while you may worry about your records with Equifax, it doesn’t take a hacker to learn the other intimate details of your life.