Breaches

Not Beaches!  BReaches!

Ah yes, breaches.  Not really a much better movie, I'm afraid, yet we keep seeing it over and over.  Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses hold up.

They do seem to arrive in clusters, also.  The latest one-two punch is Marriott, then Quora.  Marriott managed to get hacked and then not detect it for four years, finally now disclosing that half a billion-with-a-B guest records were exposed.  Credit cards, passport info, all the good juicy stuff.

This revelation was followed up last night by Quora revealing that "only" 100 million-with-an-M records were breached.  This email notification went out overnight and resulted in 150,000 people going, Dammit, my Quora account got hacked! and 99,850,000 people going, Wait... what? I have a Quora account?

In any case, the odds are very good that you have been among the nine-or-ten digit totals of a few data breaches already.  Here are a few tips on how you can deal with this and get on with life.

  1. Take the monitoring.  When they offer you credit monitoring free for a year or so, take it.  Can't hurt.  Worth the price. But you probably won't need it because of the other things you are going to do on this list, like...
  2. Freeze your credit.  Go to each of the major credit reporting agencies' websites (Equifax, Experian, TransUnion) and follow their process for freezing your credit reports.  Yes, this will make impulsively opening new credit accounts more difficult.  Why do you say that like it's a bad thing?  Note: The three major bureaus have a process for Freeze that is free and for Lock that costs money.  Don't pay them for what they are obligated by law to do for free.  The free one will be harder to find, but it's in there.  Dig.
  3. Check your statements.  Look for any phony activity.  Your issuer will make good on anything you report as fraudulent on your credit cards if you report it promptly.  Don't wait.  By the way: banks are not obligated the same way to make good on fraudulent activity on debit cards - even if you use them as a credit card at the point of sale.  So in general, don't do that.  I only use my debit card in the bank's ATMs.
  4. Check your credit report.  Like a lawyer, the credit report checking site you want is not on TV!  Ignore all the catchy jingles and flying pigs with smartphones, and go to the only non-scammy site out there: annualcreditreport.com
  5. Manage your passwords.  We've talked about it in the past: how your passwords need to be different at every site you log into.  If they got your Quora password, let that be all they got.  For those of you who are not already using a password manager, the best advice I have is this:  START USING A PASSWORD MANAGER RFN.  There are things sites can do to make a password-file data breach lower impact;  hashing and salting are not just cooking techniques!  But not every site does the right things, and not every site does the things right.  And it only takes one failure to give everyone a bad day.  So you have to protect yourself, and using complex passwords that are unique per site is how you do that.  And the only way to keep those passwords all straight is with a password manager.
  6. Enable Two-Factor Everywhere.  Two-factor authentication is becoming widely popular since the vast majority of sites are now able to leverage things like Google Authenticator apps on users' smartphones.  This means that dedicated hardware tokens are no longer required, and the barrier to users adopting it for their own logins is as low as it can be now.  Be sure you use this wherever it's available: it means the difference between a password compromise being annoying vs. Game Over.
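Item 5 mentions hashing and salting as the thing a site can do to make a stolen password file less of a disaster.  Here is an added Python example (mine, not from any site mentioned in this post) that shows the difference from the site's side: a constructed three-user "password file" stored once with a bare fast hash and once with a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256), plus the verify routine a login page would run.  The iteration count and the sample users and passwords are my assumptions, not anything from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """The 'wrong thing': one fast, unsalted hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash.  Returns a self-describing record:
    pbkdf2_sha256$<iterations>$<salt base64>$<derived key base64>"""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: never raise, never accept
    return hmac.compare_digest(candidate, expected)


def duplicate_groups(stored_values) -> int:
    """Count stored values that appear more than once.  With an unsalted hash,
    everyone who picked the same password shares a hash, so whoever steals the
    file sees the groups and one guess checks all of them at once.  With a
    per-user salt the count is 0 even when passwords are identical."""
    counts = {}
    for value in stored_values:
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


# Constructed sample: three users, two of whom chose the same password.
USERS = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3",
         "carol": "correct horse battery staple"}


def breach_comparison(users=USERS, iterations: int = PBKDF2_ITERATIONS):
    """Return (duplicate groups with unsalted hashing, duplicate groups with salted PBKDF2)."""
    unsalted = [unsalted_digest(p) for p in users.values()]
    salted = [hash_password(p, iterations=iterations) for p in users.values()]
    return duplicate_groups(unsalted), duplicate_groups(salted)


if __name__ == "__main__":
    print("duplicate groups (unsalted, salted):", breach_comparison())
    record = hash_password(USERS["alice"])
    print("correct password verifies:", verify_password(USERS["alice"], record))
    print("wrong password verifies:  ", verify_password("password1", record))
```

The salted record carries its own salt and iteration count, so a site can raise the work factor later and re-hash users at their next login without a flag day.  The point of the post stands either way: you do not get to pick which of these a given site implemented, so unique passwords per site are your only control.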


If you can get yourself to where you are doing these six things, Breaches can be another movie that you just make fun of.

This article was updated on 2023-08-05 04:21:16

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium.