Securing your digital life, part two: The bigger picture—and special circumstances

In the first half of this guide to personal digital security, I covered the basics of assessing digital risks and protecting what you can control: your devices. But the physical devices you use represent only a fraction of your overall digital exposure.

According to a report by Aite Group, nearly half of US consumers experienced some form of identity theft over the last two years. Losses from these thefts are expected to reach $721.3 billion for 2021—and that’s only counting cases where criminals take over and abuse online accounts. Other valuable parts of your digital life may not carry specific monetary risks to you but could still have a tangible impact on your privacy, safety, and overall financial health.

Case in point: last September, my Twitter account was targeted for takeover by an unidentified attacker. Even though I had taken multiple measures to prevent the theft of my account (including two-factor authentication), the attacker made it impossible for me to log in (though they were locked out of the account as well). It took several weeks and some high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out about things with a verified Twitter account, this went beyond inconvenience and was really screwing with my job.

The attacker found the email address associated with my Twitter account through a breach at a data aggregator—information probably gleaned from other applications that I had linked to my Twitter account at some point. No financial damage was done, but it made me take a long, hard look at how I protect online accounts.

Some of the risk tied to your digital life is taken on by service providers who are more directly impacted by fraud than you. Credit card companies, for example, have invested heavily in fraud detection because their business is built on mitigating the risk of financial transactions. But other organizations that handle your personal identifying information—information that proves you are you to the rest of the digitally connected world—are just as big a target for cyber crime but may not be as good at preventing fraud.

Everything counts in multiple accounts

You can do a number of things to reduce the risks posed by data breaches and identity fraud. The first is to avoid accidentally exposing the credentials you use with accounts. A data breach of one service provider is especially dangerous if you haven’t followed best practices in how you set up credentials. These are some best practices to consider:

• Use a password manager that generates strong passwords you don’t have to remember. This can be the manager built into your browser of choice, or it can be a standalone app. Using a password manager ensures that you have a different password for every account, so a breach of one account won’t spill over into others. (Sorry to again call out the person reusing letmein123! for everything, but it’s time to face the music.)
• When possible, use two-factor or multi-factor authentication (“2FA” or “MFA”). This combines a password with a second, temporary code or acknowledgment from someplace other than your web browser or app session. Two-factor authentication ensures that someone who steals your password can’t use it to log in. If at all possible, don’t use SMS-based 2FA, because this is more prone to interception (more on this in a minute). Applications like Authy, Duo, Google Authenticator, or Microsoft Authenticator can be paired with a wide variety of services to generate 2FA temporary passwords or to send “push” notifications to your device so that you can approve a login. You can also use a hardware key, such as a Yubico YubiKey, to further segment authentication from your devices.

• Set up a separate email address or email alias for your high-value web accounts so that all email regarding them is segmented off from your usual email address. This way, if your primary email address is caught up in a data leak, attackers won’t be able to use that address to try to log in to accounts you care about. Using separate addresses for each service also has the side benefit of letting you know if any of those services are selling your personal information—just look at where and when spam starts showing up.
• If you’re a US resident, make sure to claim an account for your Social Security number from the IRS for tax information access and other purposes. Much of the refund and stimulus fraud over the past few years has been related to scammers “claiming” accounts for SSNs that were unregistered with the IRS, and untangling that sort of thing can be painful.
• Register for account breach checkups, either through the service provided through your browser (Firefox or Chrome) or through Troy Hunt’s haveIbeenpwned.com (or both!). The browser services will check stored passwords against breach lists using a secure protocol, and they can also point out risky reused credentials.
• Consider locking your credit reports to reduce identity theft risks. Equifax provides an app called Lock & Alert that allows you to lock your credit report from all but existing creditors, then unlock it from the app before you apply for new credit. TransUnion has a similar free app called TrueIdentity. Experian charges $24.99 a month to lock your credit checks, and TransUnion has a “premium” version of its service that locks both TransUnion and Equifax reports on demand for $24.95 a month. In other words, if you want to have tight control over all your credit reports, you can do it for $300 a year. (You can, with some searching, find the free versions of those credit freeze services—here’s Experian’s and here’s TransUnion’s—but man, those companies really, really want to lift a giant pile of money out of your wallet in exchange for a bunch of highly dubious “value-adds.”)

When 2FA is not enough

Security measures vary. I discovered after my Twitter experience that setting up 2FA wasn’t enough to protect my account—there’s another setting called “password protection” that prevents password change requests without authentication through email. Sending a request to reset my password and change the email account associated with it disabled my 2FA and reset the password. Fortunately, the account was frozen after multiple reset requests, and the attacker couldn’t gain control.

This is an example of a situation where “normal” risk mitigation measures don’t stack up. In this case, I was targeted because I had a verified account. You don’t necessarily have to be a celebrity to be targeted by an attacker (I certainly don’t think of myself as one)—you just need to have some information leaked that makes you a tempting target.

For example, earlier I mentioned that 2FA based on text messages is easier to bypass than app-based 2FA. One targeted scam we see frequently in the security world is SIM cloning—where an attacker convinces a mobile provider to send a new SIM card for an existing phone number and uses the new SIM to hijack the number. If you’re using SMS-based 2FA, a quick clone of your mobile number means that an attacker now receives all your two-factor codes.

Additionally, weaknesses in the way SMS messages are routed have been used in the past to send them to places they shouldn’t go. Until earlier this year, some services could hijack text messages, and all that was required was the destination phone number and $16. And there are still flaws in Signaling System 7 (SS7), a key telephone network protocol, that can result in text message rerouting if abused.