Imagine you wake up tomorrow and find out that you’ve been locked out of your own personal email account.
You type in your password, which hasn’t changed in five years, only to get an ‘incorrect password’ error. You double check to make sure caps lock isn’t on and type it again, but with the same error. Then you slowly type one letter at a time to make sure you’re typing it correctly and get the same ‘incorrect password’ error.
At that point, it hits you that something is wrong. After a few minutes of searching, you realize that you’ve most likely been hacked, and can no longer access your own personal email account.
How would you feel?
At first, you would probably feel mostly annoyed and violated.
That is until you realize that having access to your personal email account means whoever locked you out can now access just about every single one of your online accounts with ease.
How? It’s quite simple. They just have to use the reset password link for any account they’d like to access and then open up your email inbox to change the password and lock you out of those too.
And it’s at that point that it begins to sink in how vulnerable you truly are.
Recently, we’ve all heard dozens of stories of unvaccinated people going through major medical complications from Covid. And whatever their reason for not getting vaccinated, they all have two things in common…First, they never thought it would happen to them. And second, they would do just about anything to rewind the clock and make small actions that could have saved a lot of suffering.
Online security and identity theft are quite similar. Nobody thinks it will happen to them. But when it does, the victims would do anything to rewind the clock and make some different decisions to protect themselves from the internet.
The goal of this article is to show you steps that you can take to protect yourself from bad actors online who want to access your accounts, or even worse, steal your identity.
These four things will make you a much less desirable target, and a much more difficult task to hack.
1. Use a password manager
I use LastPass for all my passwords. This means I don’t have to use a common password like ‘123456’ for every password just to remember it. In fact, I have a unique and complex password for every single login without ever having to remember anything except my LastPass Master Password.
Once I’m logged into my LastPass account through the browser plugin, all of my passwords are autocompleted for any saved websites or apps that I visit.
While this undoubtedly makes life a lot easier, it also makes me a lot more secure.
Most people think this is important because a complex password like vYT%k12H2& is more difficult for a hacker to guess than 123456, which is true. But the real reason this is important is because each password is unique.
This means when a large internet company gets hacked and someone gets access to your login information to one site, they don’t automatically also get access to your login information for every other site you use. When you’re lazy and use the same password for every online account, it means if anyone learns this one password, it gives anyone access to every account you have.
If I’m being honest, setting up a password manager is a little annoying for the first 3-6 months while you have to change and save each password to add them to your password vault. You can try to do this all in one day, but I would suggest just updating each online account one at a time as you access them.
Now that I’ve been using LastPass for about 6 years, I have over 500 accounts saved in my LastPass vault. Each of these has a complex and unique password, making it very difficult to access any single account, and nearly impossible to access several of my accounts.
Using a password manager for all of your online accounts is the first step to protecting yourself online.
2. Use 2-Factor Authentication (2FA) for all of your major points of entry
If you’ve ever received a 6 digit code via text message that you need to enter in order to complete your login, this is 2FA. Essentially, your password is your first factor for authentication, and this code is the second, hence, 2-Factor Authentication.
This adds a second layer of protection to your online security. And while I don’t suggest that you do this for your Domino’s Pizza account, I would highly recommend doing this for all of your major points of entry.
I would classify ‘major points of entry’ into 4 categories:
- Any accounts that you use to login to any of your online accounts (i.e. email accounts, Facebook accounts, Google accounts, etc.)
- Any accounts that hold or can access any of your money (i.e. bank accounts, investment accounts, credit card accounts, crypto wallets, etc.)
- Any storage vaults (i.e. your password manager, your cloud accounts, etc.)
- Any social media or messaging apps (i.e. Facebook, WhatsApp, Skype, etc.)
Each of these categories provides a different type of vulnerability if it’s not properly secured.
- Accounts you use to login to other online accounts are a major point of vulnerability because they act as a password reset for most accounts.
- Accounts that hold or can access your money makes it extremely easy to transfer money or balances to another account.
- Storage vaults have sensitive information that can be extremely dangerous and costly in the wrong hands.
- Social media or messaging apps would allow bad actors to communicate with your trusted friends who would have no reason to suspect it’s not actually you.
Again, I’m not suggesting that you use 2FA for every online account, but it would be foolish not to take this precaution with your major points of entry. This will generally cause you to have 5-20 accounts that require 2FA to log in.
The most common type of 2FA is text authentication, where a six-digit code is sent to you via SMS. And while this is far better than not having 2FA at all, I would highly recommend using an Authenticator App like Google Authenticator or FeeOTP for 2FA instead.
An Authenticator app is still a phone-based option, but the code is accessed locally via an app on your phone, rather than being sent over SMS. The code is renewed every 10 seconds, which means the only way to access this code is to physically have your phone.
This creates an additional layer of security since the code isn’t being passed through a network. It also means you can access your code even if your phone isn’t connected to a mobile network.
The downside of using an Authenticator App for 2FA is that if your phone is replaced, lost, or stolen, you could lose access to your app, and therefore your codes. The easy fix to this is to print out the QR code used to set up the 2FA for each account and store them somewhere that you can access them if needed. And if you’re using a Password Manager, you can store a screenshot or PDF of each QR code in a secure note in your password vault for easy access.
3. Freeze your credit and set up credit alerts
Freezing your credit is free, easy, and can save you a lot of heartaches.
I first decided to freeze my credit back in 2017 after the Equifax data breach. It seemed like the responsible thing to do. And I’ve kept it frozen ever since, with the exception of a half dozen or so times that I’ve put a temporary lift on the freeze to allow specific businesses to access my credit.
Freezing your credit with each of the three major credit bureaus, TransUnion, Equifax, and Experian takes less than an hour to do the first time. Once it is set up, nobody can access your credit unless the freeze is lifted. You’ll be assigned a pin that you can use to unfreeze your credit if needed, so be sure to store this pin in your Password Manager.
Once your credit is frozen, it makes it impossible for anyone to set up credit or loans in your name or do something that would negatively impact your credit (i.e. run a credit report) without your consent.
If and when you do need someone to access your credit, you can simply unfreeze (or thaw) your credit. Thawing your credit takes less than 10 minutes and allows you to set a date range in which your credit is no longer frozen and can be accessed to set up new loans or lines of credit, or to run a credit report.
Additionally, you should set up an account to monitor your own credit and get alerts for any significant changes. I use the free app Credit Karma. This allows me to see all of my credit accounts, payment history, credit score, and will send me automatic alerts anytime there is an important change to my reports.
Here’s how to set up your security freeze with each of the major credit bureaus:
TransUnion
Set up your TransUnion freeze online here or call 1-888-909-8872
Equifax
Set up your Equifax freeze online here or call 1-800-685-1111
Experian
Set up your Experian freeze online here or call 1-888-397-3742
4. Add a PIN to your cellular account
While it may seem crazy, it’s actually fairly easy for a hacker to hijack your mobile account and take control of your phone number.
Since your mobile phone number is how many companies like your bank, email provider and social media services verify it’s actually ‘you’ when you log in, they can now bypass your 2FA and access many of your online accounts once they’ve taken control of your phone number.
If you don’t have a PIN or password set up with your carrier, someone with the last 4 digits of your SSN or a fake ID has a pretty good chance of being able to trick a service rep into changing the SIM on your account. This type of attack is called mobile hijacking and can cause an incredible amount of inconvenience to fix.
Setting up a unique PIN or password provides an extra layer of security that will make it much more difficult for you to get hijacked.
Here is how to set this up with each of the major carriers:
T-Mobile
Dial 611 from your T-Mobile phone or 1-800-937-8997 to set up your passcode
Verizon
Have the account owner visit the security page in your My Verizon account or call 1-800-922-0204
AT&T
Log into your account and click on your name > View Profile > Sign-in Info > Wireless passcode > Manage extra security
Sprint
Sprint requires all customers to set up a PIN and security questions to their account, so you already have it set up.
These four steps will add multiple layers to your online security and should allow you to freely use the internet without fear of being hacked or hijacked. However, you should still employ common sense and skepticism to avoid phishing scams and act on any unusual online activity.