Thursday, July 30, 2015

Have You Already Been Hacked?

I recently wrote a post entitled, “Assume Your Social Security Number is Already Out There”, which was inspired by an article I read suggesting that the personal information of about a quarter of Americans has already been hacked. My experience in the computer networking industry makes me think that number is likely quite conservative.

I have been notified four times in the past year that my personal information might have been compromised. When large companies like Target are hacked, they often offer their customers a year of free credit monitoring service and I currently have two such subscriptions going simultaneously.

There is only so much these services can do, however. Neither noticed when someone filed a tax return in my name, for instance.

Long before business school and my interest in retirement finance, I was a systems analyst with a degree in computer science. My specialty was data communications networks. Truth be known, computers are my first love and much of my financial research is done at my computer with code I write in Mathematica or R.

I had an email account 35 years ago. (As geeks go, I’m ancient.)

Today, I read an article in the New York Times Personal Tech section under the headline, “How Many Times Has Your Personal Information Been Exposed to Hackers?”. The authors began with this statement:

Half of American adults had their personal information exposed to hackers last year alone.

That sounds more like it, but since most companies don’t know they’ve been hacked until they find their data for sale somewhere on the Internet, it might be an optimistic guess. Many companies will never know they were hacked.

The quiz at the NYT article will give you an idea of your vulnerability, but look at the names. Who hasn’t subscribed to AOL, or used a charge card at Target or K-Mart, applied for a government job, joined E-bay or Twitter, or downloaded Adobe something-or-other?

The article reinforces my own feeling that nothing is currently safe on the Internet: “Security experts say there is no way to keep hackers out of systems with traditional defenses like firewalls and antivirus software.” The skills and tools available to hackers today have a huge advantage over the tools available to protect us. Passwords don’t work. Firewalls and anti-virus software are speed bumps.

I’m not suggesting you avoid these tools. It’s a little like making sure yours isn’t the easiest house on the block to break into. But if a burglar wants your house badly enough, he can probably find a weakness.

I have long suggested two-step authentication wherever it is available. A list of websites that support two-step authentication can be found at TwoFactorAuth.org. For many of these websites, a hacker would need your password and your phone. I use two-step authentication at Fidelity, Vanguard and Charles Schwab and on several other sites, including FaceBook.

(Some two-step authentication processes use a special key fob device to provide an ever-changing PIN (Charles Schwab, for instance) and others use an authenticator app on your smart phone (several companies use Google Authenticator). But many use text messaging to send a one-time password to your phone. Be aware that hackers may be able to access your phone at say, VerizonWireless.com, and forward these text messages to themselves. If your carrier's website is not also protected by two-step authentication, this leaves a hole for hackers to get through. A fob or an authenticator app are safer.)

Password managers like LastPass can help you create and “remember” complicated passwords. (They say the best password is the one you can’t remember.)

If you don’t have virus protection, don’t let the cost hold you back. I like Avast and it’s free, but there are plenty to choose from.

Another important step that I think makes a lot of sense, especially for retirees, is a credit freeze. I wrote about those in Assume Your Social Security Number is Already Out There. They can be a bit of a pain if you open credit accounts frequently, but most retirees don’t. Even if you do, it’s less painful than finding out someone has opened a credit account in your name and run up a huge bill. You won’t be responsible for much of that bill, if any, but cleaning up the mess will be formidable.

Personally, I’m not sold on credit monitoring services, though I do use them when the companies I trust with my personal information get hacked and offer those services free. They can’t hurt, but they monitor your credit report, not your accounts.

I use alarms on all my financial accounts that send a text message to my phone if there is an overseas charge on a card, an ATM withdrawal, or a charge above some maximum amount.

To summarize, here are a few things you can do to protect yourself:
  • Consider a credit freeze at all three credit agencies
  • Use two-step authentication whenever it is available
  • Use your free annual credit report from one of the three agencies every four months to review your credit
  • Use a password manager to help create and use strong passwords online
  • Use a firewall and a virus checker at home. Excellent versions of both can be downloaded free.
  • Set up text message alarms to notify you of unusual activity on your bank or credit card accounts
These won't fully protect you, but as my grandfather used to say, they're better than a poke in the eye with a sharp stick. It's more efficient for a hacker to steal your personal information in  bulk from Home Depot than to attack your home computer, but the latter still happens.

As I said in the previous post, I think it’s safest to assume that identity thieves already have your personal information, even if they haven’t gotten around to using it, yet. They probably do. The credit freeze may keep them from opening a new account in your name.

In general, the bad guys currently have all the artillery. If you don’t believe that, take the quiz at the Times article. It will open your eyes.



My post on Social Security benefits and early retirement generated several comments. (Posts on Social Security always do.) If you're looking for a basic booklet that explains your benefits in a very readable way, I recommend The Social Security Claiming Guide from Boston College Center for Retirement Research. There is a small charge for hard-copies, but downloadable versions are free.