I was recently the victim of a hack. My identity was impersonated and the information was used to steal my personal data from GoDaddy. How could this happen, I asked myself. The cybercriminal got hold of my social security number, used it to locate my credit card number from my bank, then used that credit card number to access my GoDaddy profile by socially engineering a customer service representative embedded at the hosting giant’s offices.
Don’t get me wrong here. I’m a huge GoDaddy fan. In fact, I’ve been with the company for over a decade. And, to GoDaddy’s claim, they did give me a massive account credit to use towards any purchase. Clearly, I won’t have to pay for domains or hosting for a very long time to come. However, it doesn’t feel good being the victim of an identity theft. When it’s a one-off situation, it feels even worse. This wasn’t part of some greater scheme that infiltrated the company to release millions of records of consumers; it was a very personal and private attack.
Now, if you’re thinking that I was silly by not utilizing two-factor authentication, you’d be wrong. My GoDaddy account was two-factor enabled. So what happened here? Aside from a major misstep on the part of GoDaddy to protect my data, which they’ve stated “was an isolated incident caused by human error when a representative failed to follow standard operating procedures,” according to Todd Redfoot, Chief Information Security Officer, there’s a larger question at play here.
The question is, how do you protect your identity from hackers and cyber-thieves who are hell-bent on penetrating and stealing your financial or personal records in an effort to profit or get rich from that data?
Protecting Your Identity From Theft
We’ve heard about major recent hacks in the news lately. From Sony’s epic infiltration to Yahoo’s security debacle and even Target’s woes in the retail space, hacks are happening on a massive scale all around us. It’s constantly in the news. In another article, where I discussed some of the top cybersecurity threats that exist online, I dove deep into all the different ways that criminals can access your personal information and what you can do to protect your identity.
Aside from being prudent, by not getting lured into a phishing scam or becoming the latest victim of a malware, virus or ransomware attack, your options are fairly limited for protecting your identity and personal data from theft. Sure, you could opt to enlist one of many companies that offer 24-hour monitoring services of your identity, alerting you when something seems amiss, but is that enough? Will that stop cyber-criminals who are determined to infiltrate the world’s largest repositories of personal data?
The truth is that it’s highly unlikely that anyone, whether a business or a person, can thwart such attacks. They’re designed and tested to poke and prod the most vulnerable aspects of technology and human interaction. They go after anyone that seems like a lucrative target or companies that successfully market anything online. For those that are determined, it’s clear that virtually nothing can stop them. However, that doesn’t mean you shouldn’t try. That doesn’t mean that you shouldn’t take all the necessary precautions that you can to deter such attacks.
But where do you even begin? The information handed down to me by some of the world’s foremost purveyors of legal and technological knowledge had a lot to say on the subject. From some of the leading attorneys in the privacy and data security space, to companies that are taking charge in their effort to protect us from prying eyes, there are quite a few options that many people or businesses might not be aware of.
Understanding Your Data-Protection And Privacy Rights
I knew that, in order to begin anywhere, I had to understand the legal rights to both our privacy and what’s expected of businesses today when it comes to the protection of our data. We entrust businesses to shield that data, and they’re actually held to relatively high standards. When a company fails to protect us, what are we supposed to do? Do we sit by and idly watch as our personal information is traded on the black market, or is there something we can do about it?
If you’ve been the victim of identity theft, or you were involved in a large breach that affected a sizable group of individuals, and the cause was within the control of the business, many attorneys will tell you that you need to prove a direct connection between the breach and harm that’s come to you. While most businesses will step in and provide identity-theft protection and long-term monitoring to you, if you’re the victim of a one-off breach, you might not get that.
Emilio Cividanes, partner at Venable, one of the largest privacy and data security law firms in the world, tells me that whenever a company makes a promise about how they will treat the consumer’s data, they should live up to that. If they claim some data-protection superpowers, or that their systems are “bulletproof,” then they should be held to a higher standard. Companies could be held responsible if there was a specific violation of the law, class action or not.
Cividanes has been practicing law for over 30 years and has helped to shape a great deal of the privacy laws and regulations here in the United States in the past few decades. Considering my curiosity, and the fact that many others likely had the same questions about protecting their data and privacy, Cividanes was kind enough to share his views with me, stating that it’s important for businesses to avoid surprise mitigation for the consumer in the event of a breach.
Marcy Wilder, partner at Hogan Lovells, tells me something similar. As another one of the world’s foremost privacy and data protection attorneys who worked as the deputy general counsel of the U.S. Department of Health and Human Services (HHS), where she played a leading role in drafting critical security and HIPAA privacy regulations, her advice is worth its weight in gold. Hogan Lovells represents some of the biggest players in the corporate world and has been involved in some of the most notable cases with respect to data protection and privacy.
Due to her extensive government experience, Wilder is often called on to help deal with large scale and highly complex intrusions that occur as a result of cyberattacks. Wilder tells me that the onus is on businesses to put robust privacy and security programs in place and to ensure that all employees are properly trained. However, in order for a tort to exist, she also confirmed that consumers have to prove direct harm, something that’s easier said than done considering that data can be peddled on the Dark Web for months or years after a breach.
Protecting Your Identity From Hackers And Thieves
No matter how you look at it — whether or not a business is in the wrong pursuant to a breach — there are certain steps that you can take to protect your identity from hackers and thieves. The following recommendations should be adhered to as both pre-emptive measures and post-breach-protection means. If you’ve been a victim of a hack, it’s important that a company inform you of this and put measures in place to protect against any further intrusions.
#1 — Shield Your IP Address
Anyone who’s serious about protecting their identity from hackers and thieves needs to use a system for shielding their identity online. Malicious websites and software can track your movements around the internet, collecting data in the form of cookies that are shared amongst unscrupulous sites. By using a system like HMA!, a data-layer-security protocol that was originally created by Jack Cator in 2005, you can take serious efforts to protect yourself online.
Avast, which was founded by Pavel Baudis and Eduard Kucera in 1988, acquired the HMA! service in 2016 by acquiring AVG Technologies, which acquired the company one year prior in 2015, growing their base of protected consumers to over 400 million. The HMA! service has 860 servers in over 300 locations, with over 100,000 IP address choices. I recently spoke to the CEO of Avast, Vince Steckler, to learn more about their mission and why it’s important to shield your IP address. Steckler tells me:
“Ensuring security and privacy online was a founding principle of HMA! and we share that mission at Avast. People are seeing the high security risks associated with connecting to unprotected, unsecure networks and don’t want to worry about their protection and privacy when they’re online, whether that’s at home, a coffee shop, airport or another location. While we see public WiFi protection as a big use case for VPNs, we also see VPNs relied on for everything from bypassing domestic censorship to providing additional privacy against prying eyes.
This is also important in today’s climate with governments looking for back doors to access encrypted devices and threatening to require access to every aspect of your online profile when you enter or leave the country. This makes it more critical than ever that we provide our users access to secure, easy to use tools to browse and connect to the web freely, privately and securely.”
#2 — Turn Off Remote-Image Loading
One thing that most people don’t realize is that, when it comes to malicious emails by hackers and spammers, a small one-by-one pixel image is often embedded directly into the email that reveals three crucial things: 1) your location, 2) the date and time you viewed the email, and 3) that your email address is valid. That information is like gold to people who are fixated on penetrating your personal and financial information.
However, what most people don’t realize is that they can turn off remote-image loading so that images don’t automatically load and that hackers, phishers and cyber-criminals don’t know whether or not you accessed the email and what your present location is. You can do this a number of ways, but there’s a great article on how this can be achieved with iOS devices here. For those that are using Gmail, one forum response states that there’s actually no way to turn this off, which is certainly disappointing, to say the least, for those using a Gmail account.
#3 — Use Two-Factor Authentication
Although two-factor authentication failed me at GoDaddy, that’s not to say that it will fail elsewhere. Most online service providers, banks, web services and other larger companies have two-factor authentication these days. It’s best to enable this across the board and install an authenticator app on your phone or another device that will allow you to authenticate yourself when you log on to any of these services.
#4 — Sign Up For Credit Report Alerts
Most of the credit reporting agencies provide alerts anytime a change is detected on your credit report. Whether your information was accessed in the form of an inquiry or a new account was created or a late payment was noted, it will send you an alert. This is critical for protecting your identity in the case of a data breach. Regardless, whether you were the victim of a breach or not, it’s prudent to sign up for these services directly through Experian, TransUnion and Equifax.
#5 — Freeze Your Credit Report
What most people don’t realize is that credit reporting agencies allow you to freeze your credit report. That means that no changes can occur without a specific unique code that will be provided during the inquiry or new account creation. Without that unique code, your credit report is on lockdown. Each of the credit reporting houses provides this service, but you need to be a paying monthly member to utilize it.
#6 — Avoid Public WiFi Hotspots
Okay, I know that it’s enticing to use “free” public WiFi, but did you know that this is one of the best-kept secrets for stealing all your personal information? All the hacker has to do is set up a remote wireless network called “free public wifi” or “free network” or something similar, in a heavily-trafficked location, and they can remotely grab all of your web-surfing data and even perform man-in-the-middle attacks. Stay away from these “free” networks at all costs.
#7 — Use Different [Strong] Passwords
While it’s easy to use a simple password, it’s more and more important these days to make it strong. Brute-force attacks are still very common, and if you use a simple password, you could risk being the victim of a hack. Use different passwords that are strong for all the popular services that you use. Vary the letters, the casing, numbers and special characters in them. Make them as strong as possible to avoid one of the most common hacks around.
#8 — Carefully Check All URLs
The Guardian recently reported that Apple was the victim of a Unicode domain hack, where a Cyrillic domain name that looks very similar to the main Apple.com domain name was used in a phishing attack. The domain had a lock with an SSL layer and looked like this: https://аррӏе.com. Looks pretty similar to the real thing, right? Be very careful and wary of these kinds of emails and domains that look legit but aren’t.
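A hostname like the one above can be checked mechanically rather than by eye. The added example below (not from the original article) prints the ASCII form that DNS and certificates actually use, the script of each label, and whether the name imitates a trusted one; the `LOOKALIKES` table and the `TRUSTED` list are small constructed assumptions, not a complete confusables database.

```python
import unicodedata

# Small constructed lookalike table (Cyrillic -> Latin), for illustration only;
# the Unicode confusables data is far larger.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
              "\u0456": "i", "\u0455": "s"}

# Hypothetical list of domains the user actually does business with.
TRUSTED = {"apple.com", "godaddy.com"}

def script_of(ch):
    """Rough script label: first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_hostname(host):
    """Report what a hostname really contains, beyond how it renders."""
    host = host.lower().rstrip(".")
    ascii_labels, scripts = [], []
    for label in host.split("."):
        scripts.append(sorted({script_of(c) for c in label if c.isalpha()}))
        if label.isascii():
            ascii_labels.append(label)
        else:  # the form DNS and certificates actually use
            ascii_labels.append("xn--" + label.encode("punycode").decode("ascii"))
    skeleton = "".join(LOOKALIKES.get(c, c) for c in host)
    return {
        "ascii": ".".join(ascii_labels),
        "scripts": scripts,
        "non_ascii": not host.isascii(),
        # Renders like a trusted name but is a different string.
        "imitates": skeleton if skeleton in TRUSTED and host not in TRUSTED else None,
    }

if __name__ == "__main__":
    # Constructed inputs: the Cyrillic lookalike (written as escapes) and the real name.
    for h in ("\u0430\u0440\u0440\u04cf\u0435.com", "apple.com"):
        print(inspect_hostname(h))
```

The lookalike label is entirely Cyrillic, so a check that only looks for mixed scripts inside one label would not flag it; the `xn--` form and the comparison against trusted names do.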
#9 — Check Social Media Privacy Settings
Hackers and cyber-criminals can collect a large amount of data from you through your social media profiles. Be sure that you check all your privacy settings on Facebook, Instagram and Twitter and be careful about what you share. You don’t want to reveal too much that will assist criminals that want to steal either your data or your personal belongings by breaking into your house while on vacation, as one example.
#10 — Use A Shredder At Home For Sensitive Documents
Be very careful what you throw into the trash. One very easy way that criminals can specifically target you is by going through your trash. If you don’t shred documents that have personally-identifiable information on them such as bank account statements, credit reports, and others, then you’re taking a big risk. You’re effectively luring in criminals to target you by obtaining very personal information about your financial activity.