This story was originally published on ProPublica by Cezary Podkul.
Ngô Minh Hiếu was once a fearsome hacker who spent 7 1/2 years incarcerated in the U.S. for running an online store that sold the personal information of about 200 million Americans. Since leaving prison, Hiếu has become a so-called white hat hacker, attempting to protect the world from the sorts of cybercriminals he once was.
These days, Hiếu said, it doesn’t take much hacking to access sensitive details about Americans. Companies and governments routinely leave databases exposed online with little or no protection, as we’ve reported, giving cybercriminals an easy way to harvest names, emails, passwords, and other info.
While in prison, Hiếu wrote an online security guide for the average internet user. As he and others have pointed out, it’s impossible to create an impenetrable shield. But here are some of his tips for how you can mitigate your risks, along with some other practical online security advice.
Make 2022 the year you finally stop reusing passwords. Once a password is exposed in a data breach, as routinely occurs, cybercriminals may use it on other websites to see if it grants them access and lets them take over an account or service. To help you generate lengthy, difficult-to-guess passwords without having to commit them to memory, use an encrypted password manager such as 1Password or LastPass.
These services, which typically charge $3 to $4 per month, also monitor databases of breached passwords, like Have I Been Pwned, which can identify some passwords that have already been made public.
Another benefit of using a password manager is that every time you create a new account at a website, you can log it in your password app. The app will track when you created a password and when you last modified it. If you notice that you haven’t used a website in a few years, and you don’t think you’re likely to use it again, delete your account from that website. It will mean one less place where your data resides.
Use multifactor authentication — which requires a second, temporary code in addition to your password to log in to a site or service — whenever possible. Some services send a six-digit code via text message or email. But the most secure method is to use an authenticator app that generates a time-based numerical code on your phone from a secret shared with the site, so that both sides compute the same code without it ever being sent over the network.
To make the process easier, you can download an app like Authy that, like a password keeper, helps you generate and manage all your multifactor authentications in one spot.
A lot of the data about us that gets leaked consists of information we don’t even realize apps and services collect. To limit that risk, check the privacy settings for any new app that you install on your computer, smartphone, or other device.
Deselect any services you don’t want the app to have access to, such as your contacts, location, camera, or microphone. Here are some guides on how to manage your apps’ privacy settings for iPhone and Android devices.
Clicking on a link from a text message, an email or a search result without first thinking about whether it’s secure can expose you to phishing attacks and malware. In general, never click on any links that you didn’t seek out, and avoid unsolicited emails asking you to open attachments.
When in doubt, hover your cursor over a hyperlink and scrutinize the URL. Avoid it if it would lead you to somewhere you don’t expect or if it contains spelling errors like a missing or extra letter in a company’s name.
And for safer online browsing, consider paying for an antivirus tool like Malwarebytes that helps you avoid suspicious URLs online (or sign up for a free browser guard extension).
Whether it’s your web browser or the operating system on your computer or smartphone, it’s always a good idea to download and install the latest software update as soon as it’s available. Doing so fixes bugs and helps keep your systems patched against the latest security threats.
To make sure you don’t forget, turn on notifications for new updates or enable auto-update settings if they’re available.
Some of the large collections of personally identifiable information that have been floating around online weren’t hacked or stolen: They were simply scraped from social media websites like LinkedIn or Facebook. If you don’t want a particular piece of info about you out there, don’t put it on your social media profile.
Scrub anything you don’t want exposed in your profiles, and check the platforms’ privacy settings to see who can access whatever is left. You can also pay for a service like DeleteMe, which helps centralize and pursue requests to delete your personal information from various data brokers.
One technique that has become increasingly common in recent years is SIM swapping: A cybercriminal tries to dupe your mobile carrier into switching your number from a SIM (the small chip card that identifies your phone to the carrier’s network) that you control to a SIM that they control. The goal is to commandeer your phone number so they can receive the text-message codes used as multifactor authentication for your financial accounts.
To guard against SIM swaps, contact your carrier to establish an account PIN, or follow these directions if you’re with Verizon, AT&T or T-Mobile. And if you switch carriers, change your PIN.
If you’re afraid that a scammer might use your identity to open a fraudulent credit line in your name, consider placing a freeze on your report. A freeze will restrict access to your credit report, meaning that no one (not even you) will be able to open a new credit line while it’s in place.
If you decide to apply for a loan or a new credit card, you can always unfreeze your credit later on. Freezing and unfreezing your credit is free, but you have to contact each of the three major credit bureaus separately to do it. Here’s a guide on how to get started.
Don’t assume that you’ll always have access to all your files and folders. Backing up your data can help you guard against virus infections as well as hard drive failure and theft or loss of your computer.
You could use well-known cloud storage providers such as Dropbox or Google Drive to save copies of your data or buy a subscription to an online cloud backup service that automatically saves your files and lets you restore them if anything happens.
All such services offer encryption, but if you’re afraid of storing your data in the cloud, keep an encrypted copy on a separate hard drive.