How to secure cyber privacy and prevent identity theft
by Reese Kimmons, MS ISA
We enter 2022 facing an accelerating erosion of our personal privacy and an increasing chance that our sensitive data will be compromised.
We increasingly face the risk of identity theft and other crimes being perpetrated against us. The recovery costs and long-term impacts of these crimes can be devastating.
It is up to all of us to get educated and arm ourselves with the tools and information needed to become cyber secure.
Those who collect and sell our personal data and the bad actors who attack us are often based in nations with governments that shield them from prosecution. Unless we protect ourselves, we will remain among their preferred targets.
There are a number of safeguards you can implement and other actions you can take to raise your level of online security. Many of the tools and actions recommended in this article are free or cost very little compared to the expense you may otherwise incur if you become a victim of cybercrime.
1. Consider using a VPN
We begin with the Virtual Private Network (VPN) because using one will protect your personal information from being intercepted by criminals, mask your physical location, and prevent online trackers from collecting information about you and your activities as you browse the Internet.
Here’s how VPNs work:
- A VPN application creates a secure tunnel between your device and the sites you visit. All data exchanged is encrypted and travels through this tunnel. Even if the data is somehow intercepted, it cannot be decrypted and read by the hacker. This means that, if you’re using a quality VPN app, you can securely enter passwords, payment card information, and other sensitive data without fear that it will be stolen in transit.
- When you sign into your VPN, the application establishes a connection with a VPN server. When this occurs, you begin using an IP address provided by that server rather than the IP address of your device. Online trackers gather information about you and your activities by tracking your device’s IP address. If you are not using that address, you cannot be identified and tracked. The best VPN providers will have a network of servers in many locations world-wide and, depending on your VPN provider, you may be connected to any of those servers each time you log in. This means the IP address you’ll be using will also change frequently, making it even more difficult to track you.
- The location masking functionality provided by VPNs can also help if you’re in a country that blocks certain websites. You can often securely connect to these sites using a VPN server located in an unblocked region.
There are both free and paid subscription VPN options available, but be wary if you’re considering one of the free applications. Some of these have been found to be collecting data and tracking their users while blocking others from doing so. This essentially defeats a primary purpose of using a VPN.
Note that, while a VPN will protect your information and anonymity, it will not protect your devices from malware and viruses.
Also, you should never log into accounts or transmit any sensitive information while using public Wi-Fi unless you are also using a VPN. Criminals are known to routinely monitor traffic on these networks and to steal sensitive data.
2. Use antivirus/anti-malware protection and keep your devices up to date
Your devices can be infected with malware in a number of ways:
- Your operating systems and applications may have vulnerabilities that can be exploited by cybercriminals.
- You may inadvertently visit a malicious website and download a virus.
- Malware is sometimes delivered in the form of email attachments.
These are but a few examples.
To reduce the likelihood that your devices will be infected, be sure they are set to regularly and automatically check for operating system and application updates and to install them as they become available. These updates often include patches for newly-discovered vulnerabilities.
Your phones, computers, and tablets should all be running antivirus/anti-malware protection software. This, too, should be set to update automatically and to scan for threats periodically without the need for you to remember to do it.
Updates will ensure that the latest virus definitions are installed. Automatic scans will identify any known threats and address them.
3. Secure your Wi-Fi router
Home network security begins with securing your home router, the gateway that stands between the devices on your network and the threats that lurk on the Internet searching for a way to get inside.
To better secure your router, you’ll need to access its settings.
If you don’t know how to do this or if you don’t know your router’s default user name and password, you can search online for lists of default router login credentials for the most popular makes and models.
Using a browser on a device connected to your home network, you’ll enter the default IP address provided and, when the login screen appears, you’ll type in the default user name and password to access the settings.
We recommend that you reset your router’s default password and change its SSID (your router’s name). Default SSIDs can allow attackers to identify your router’s make and model, then search for known vulnerabilities applicable to that particular device that they can then exploit.
Changing the SSID makes router identification more difficult for cybercriminals. Resetting the password also increases security.
If you have searched for your router’s user name and password online (as described above), you will see that default credentials are readily available to anyone who wants them, including criminals.
If you have any issues changing the SSID and/or default password, you should be able to find the information you need in the router’s manual, by searching for help online, or, if the router was provided by your Internet Service Provider (ISP), by contacting the ISP for assistance.
While you’re changing SSID and password settings, you may also wish to disable the broadcasting of your router’s SSID so that no others within range will see it as being available for connection.
4. Consider using a private DNS
Reports have recently revealed that some of the biggest Internet Service Providers (ISPs) are tracking their subscribers’ online activities and sharing the information collected with others.
The consequences of such tracking could include subscribers having information about their activities being incorporated into extensive online personal profiles available for sale on “people search” sites (more about this later). This tracking is possible because these ISPs are providing the Domain Name System (DNS) services for their users.
DNS is what allows you to enter the name of a website rather than having to use its numerical IP address. You can prevent your ISP from tracking you by setting your devices to use a free and private DNS service like Quad9.
You’ll simply need to change a setting on your devices to direct them to Quad9, bypassing the ISP DNS. Instructions are available on the Quad9 website. Additionally, Quad9 has built-in security features that include the blocking of known malicious site names that could end up infecting your systems.
You may also find that your browsing speeds increase when using one of these secure DNS services.
5. Consider using privacy-based browsers and search engines
While browsers like Chrome and Firefox have security settings that can reduce the amount of data they collect about their users’ online activities, there are some browsers available that were purpose-built to protect users’ privacy.
One of these is the free Brave browser. Ranked the best for daily use and fastest of the private browsers by Lifewire.com, Brave’s default settings block trackers and ads and, in the process, save you time and bandwidth through improved service. The default home screen for Brave displays running totals of the number of ads and trackers blocked as well as bandwidth and time savings.
The search engine that comes with the Brave browser is the privacy-centered DuckDuckGo, which does not track its users’ online search activities. It also blocks tracking cookies and includes an encryption enforcer capability that reduces the chances you’ll accidentally visit malicious sites.
In some instances, users may need to switch off Brave’s blocking functionality in order to allow sites to load and function properly, but this is fairly rare.
6. Use encrypted email and texting
If you’re a Gmail user, have you ever received a reminder that you had a bill coming due or an upcoming appointment? If so, it’s because Gmail scans your messages.
They’re not the only ones. In some cases, governmental agencies may even be scanning email messages looking for specific types of content. And, unfortunately, your emails and text messages may be intercepted by criminals looking for sensitive and useful data.
Consider utilising an encrypted private email and/or messaging service. There are a number available, many at no cost.
This author uses ProtonMail and Signal. Mobile App Daily published its top 15 list for private texting apps. Take a look at what they offer. You can always keep your Gmail or other account and use your privacy-based encrypted service for more sensitive correspondence.
7. Take advantage of multi-factor authentication
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), adds another element to the login process, usually in the form of a PIN sent to your mobile device.
Banks, online shopping sites, and others have been making MFA available to their users for quite some time now. Take advantage of MFA whenever it is offered.
8. Use a password manager
Even after years of being advised to use lengthy, complex passwords, many are still using things like “Password123.” Although most are probably aware that using the same password for multiple accounts is dangerous, many still do that as well.
Some also write down their passwords and even maintain files named “passwords” on their devices that contain lists of every password they use and where they use them. What happens if a hacker gets access to one of these devices?
The good news is that there are password managers out there, some of which are free, which will generate all the complex passwords you need and remember them for you. When you visit a site for which your password manager has stored your credentials, a quality password manager app will verify that the site is authentic and not a malicious look-alike, then enter your password for you.
Password manager apps are easy to find and use. Simple online searches will reveal many options and provide reviews to help you select the one that best fits your needs. Avoid clicking on search returns labeled “AD” as those may, on rare occasions, be malicious sites.
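The look-alike check described above can be modelled as an exact origin comparison. The following is an added example, not code from any particular password manager; the `.test` host names are constructed, and real products may use looser matching rules than this simplified one.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin_key(url):
    """Reduce a URL to (scheme, host, port) so two pages can be compared."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")    # hostname is already lower-cased
    host = host.encode("idna").decode("ascii")   # non-ASCII labels become xn-- form
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, host, port

def should_autofill(saved_url, current_url):
    """Offer a saved credential only on the same HTTPS origin it was saved for."""
    saved, current = origin_key(saved_url), origin_key(current_url)
    if current[0] != "https" or not current[1]:
        return False                             # never fill over plain HTTP
    return saved == current

# Constructed sample data: the origin the credential was saved for, and pages visited later.
SAVED = "https://login.example-bank.test/"
CASES = {
    "same site, other page": "https://login.example-bank.test/signin?next=/home",
    "explicit default port": "https://LOGIN.example-bank.test:443/",
    "look-alike subdomain":  "https://login.example-bank.test.evil.test/",
    "homoglyph (Cyrillic a)": "https://login.ex\u0430mple-bank.test/",
    "downgraded to http":    "http://login.example-bank.test/",
}

def run_cases():
    """Return {case name: whether the credential would be offered}."""
    return {name: should_autofill(SAVED, url) for name, url in CASES.items()}

if __name__ == "__main__":
    for name, offered in run_cases().items():
        print(f"{name:24} -> {'fill' if offered else 'refuse'}")
```

A page that looks identical to the eye still fails the comparison, which is why a manager that declines to fill a password on a familiar-looking site is a signal worth heeding.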
9. Take advantage of identity theft protection
No matter how secure we make our devices or how well we protect ourselves and our sensitive information, we still must live our lives. This means buying that new car, applying for financing, giving sensitive information to our healthcare providers, etc.
Data is only as secure as the servers on which it is stored. We must provide our information and rely on the entities with which we do business to secure it, which doesn’t always happen. Major data breaches seem to make the news daily.
When breaches occur, merchants often offer free identity theft protection policies to the customers impacted. If you are offered such protection, always take advantage of it.
You can also consider taking out a paid identity theft insurance policy for yourself, as the costs associated with recovering from identity theft can be devastating. No, we shouldn’t have to pay to protect ourselves from criminals, but the cost of an identity theft policy is far lower than the potential cost of recovery.
Be proactive in discovering whether your passwords, email addresses or other information have been involved in a breach. You can run a quick check by visiting HaveIBeenPwned.com (yes, that’s supposed to be a “P”).
There you can enter your information and perform searches for known breaches involving your data. You can also sign up for various alerts.
Cyber criminals love social media. These sites often provide all the information they need to perpetrate a crime against someone who shares too much information in their profile or posts.
When using social media, avoid doing the following:
- Posting information that could be answers to account access security questions, like the name of your first pet, the street you grew up on, your mother’s maiden name, or your child’s birth date
- Sharing information about your vacation plans or whereabouts, especially if you’ve also offered up your home address
- Providing information about your work, like your job title and/or contact information
- “Friending” people you don’t know even if they’ve tried to convince you that you have friends or acquaintances in common
- Placing too much trust in someone you meet on a dating site, particularly if that person seems to want to rush into a relationship, makes dates to meet face-to-face and cancels at the last minute, and claims to have some sort of emergency and requests that you send money to bail them out
11. Remove your information from “people search” sites
This one will take some time, but that’s all it will cost you.
People search sites are websites created and run by data brokers. One of the most infamous of these sites is MyLife.com (link purposely omitted), but there are many others. A quick online search will surface them.
Data about your Internet search habits, browsing behavior, online purchases, and more is collected and attributed to you through your device IP address (if you haven’t been using a VPN and the other tools we recommend). It is then combined with data from public record sites like tax and real property records and the result can be an astonishingly detailed (and horrifyingly intimate) personal profile.
These profiles can include your name, employment history, home address, names of relatives and neighbors, any arrest records, the price you paid for your home, the types of shows you watch, your online buying habits, and even your religious and sexual preferences. The profiles may also include data stolen in breaches. These profiles are made available to anyone who wants to buy them. That’s alarming.
Search via Google (because, for this subject, it will likely provide the best results) using the phrase “remove my information from people search sites”. This search will reveal multiple articles with lists of people search sites, links, and instructions on how to remove your information and stop them from collecting more going forward.
Each site will have a different process for removing your info and blocking future data gathering. Going through all the different sites individually and following their processes will take some time, but it will be worth it. You’ll likely never get them all, but you’ll get enough of them to significantly reduce the threat to privacy that they pose.
12. Keep abreast of the threats out there
If you’ve made it this far in this article, it means you’re truly concerned about online security and protecting yourself, and possibly your loved ones, from the growing number of threats out there. Keep up the good work!
Visit sites like this one to keep abreast of emerging threats. Learn about how phishing messages target people and the tactics used by criminals who exploit human nature to manipulate their victims. Read about why you shouldn’t click on links or open attachments in suspicious emails.
Appoint yourself as the IT security expert in your household and educate your children and housemates. By doing so you will reduce the likelihood that you or your loved ones will be victimized.
The chance that your sensitive personal information will be compromised online is very real. The risks grow every year and the erosion of personal privacy is ongoing and accelerating.
Bad actors protected by the countries from which they operate are continually coming up with new scams and attack vectors. We constantly discover new vulnerabilities in software and hardware, often only after hackers have already found and leveraged them.
The best way you can protect yourself and become a ‘hard’ target in 2022 is by implementing many of the recommendations we’ve outlined above.
Do this and bad actors will not find you or your devices, or they will move on to potential victims with obvious vulnerabilities. Preparation is a powerful deterrent.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese has earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.