The best way to avoid getting caught up in a data breach is to reduce your online footprint. When a data breach occurs, end users can do very little to protect themselves after the fact. The key is to be proactive. As in, do something right now to protect yourself.
If you’ve been involved in a breach, you know the drill. You get notified by the company or website that was hit. Then they offer you some kind of compensation, like free credit monitoring for a few years. They can’t do anything to ensure that personally identifying information won’t be compromised weeks or months down the line. That train has already left the station. The best they can offer is an alert for when your data is used in a criminal enterprise.
As a consumer, reducing your online footprint is the best way to avoid getting caught up in a data breach.
But Who Would Want My Data?
When you work in security, you get to hear all kinds of funny ideas from friends and family about how the internet works. The average user often thinks (and asks you at parties), “I’m not that interesting, who would want to know anything about me?”
They assume that because they’re just another one of the masses shopping online, paying bills, and receiving too many emails from their kid’s school (seriously with the emails!?!), they will be lost in the swirl of bits and bytes and never be targeted.
What they have failed to consider is that the internet exists as much for collecting information as for distributing information.
Every website, app, and algorithm is built to gather information about YOU. Yes, “boring person,” you.
The behaviors you exhibit online are captured, recorded, and stored by Google, your bank, Instagram, or whichever gaming app you’re hooked on this month.
You are constantly being asked to provide information. Then provide a little bit more. And then save it on a site for convenience in future interactions. While you’re at it, why don’t you connect some other apps to this account?
A recent study completed by research firm Comparitech uncovered the depth and breadth of the Dark Web’s data marketplaces. The study examined how much credit cards, PayPal credentials, and Social Security Numbers are worth to criminals.
Comparitech’s findings indicate that credentials are bought and sold just like other commodities. They follow the laws of supply and demand, with variable prices based on availability and potential ROI. Many sellers even offer guarantees and comprehensive customer service.
Solo identifiers, like Social Security Numbers or other national IDs, are not very useful on their own. But when matched with other PII, they can be used to open new lines of credit, withdraw from your bank, and more.
Credit card numbers are sold in bulk packages, usually gathered as the result of some data breach or attack (like a card skimmer on a gas pump). More than one-third of all stolen credit card numbers being sold online are from the U.S. The median credit limit of a stolen credit card is 24 times the price of the card in the data marketplace. That is a great ROI for anyone willing to commit this type of crime.
The most valuable items on most marketplaces are full credentials, often abbreviated to “fullz.” Fullz typically include name, date of birth, and SSN (or other national ID). They may include other info that drives up the price. A driver’s license number, bank account statement, passport photo, or utility bill are all valuable add-ons.
Where You Live Matters
The country you live in matters when it comes to the cost of your fullz. Accounts based in the U.S. and UK are the most abundantly available, thus the cheapest. Comparitech found that a full set of credentials for an American averages $8 per record. The most expensive fullz are from the UAE and Japan at about $25 per record.
It’s no coincidence that these regional differences correlate with how data privacy is regulated in the countries of origin. The countries taking extra steps to make sure local companies protect data privacy have the highest-priced (least available) fullz.
In the U.S., we cannot currently rely on government regulation to enforce strict data privacy rules on businesses/organizations. The burden to keep our data out of the hands of malicious actors is on us as citizen consumers.
Chloé Messdaghi, vice president of strategy at Point3 Security, says, “In the US, we don’t put it as high up on the priority list as they do, and this research clearly shows that. Companies–and consumers–need to do better at privacy. We need better regulation, better legislation. And, really, we need more overall awareness of our digital footprint. Close accounts you don’t or won’t use. Delete payment info. Reset passwords to be more than 20 characters. It’s easier to prevent a fire than to put one out.”
Shrink the Target
Just as there are dozens of ways to be compromised on the internet, there are many ways to keep yourself safe. They all boil down to one idea: shrinking the target.
Doing anything online or making any purchase with a credit card carries some level of risk. But you can shrink your risk dramatically if you stay alert and mindful.
Number of Accounts
Register as few accounts as possible. And deactivate accounts you no longer use. If you bought one piece of furniture from West Elm 10 years ago and never made another purchase, why do they still have your name, address, email, and phone number on file? Deactivate or delete.
That old Yahoo or Hotmail email account you had in college should be deactivated too. (Seriously, Hotmail?!)
Skip the Optional Fields
When you create a new account on a social app or an ecommerce site, consider what information you provide. You can’t avoid the required fields. But skip anything that’s optional.
It may be tempting to sign up for that birthday email and discount code from the shoe site, but you’re leaving a breadcrumb trail for a potential cybercriminal.
Habits to Form
Use a VPN to encrypt the data you send and receive. A VPN also masks your true IP address from the sites you visit, making your physical location much harder to determine.
Don’t install suspicious apps on your phone. Stop and think before you click Install. Always steer clear if an app requests access to your contact list.
Unsubscribe from as many email lists as possible. CleanEmail and LeaveMeAlone are paid services that quickly remove your name from mailing lists. (Both services offer a form of free trial so you know how they’ll work before you commit.)
Disable location tracking in your search engine and phone applications. It’s tempting to leave on because it gives you location-based suggestions on your searches. However, it also lets those services track your movements in real time.
Lock down your social media accounts or delete them entirely. If you decide to engage with social media, make all accounts friends-only. Remove your Facebook profile from search engine results. And turn off location data.
Keep an eye out for card skimmers at points of sale. These are most likely to be installed on mag-stripe readers like you might still see at gas station pumps. But some thieves have advanced to chip readers. Many credit card numbers picked up at these readers wind up on Dark Web marketplaces.
And, like a broken record, let’s say it again: avoid phishing emails (and other messages) and use strong, unique passwords (or passphrases) on all of your accounts.
If you’re on a serious quest to reduce your online footprint right now, there are some tools that can help.
Visit Have I Been Pwned to see what breaches your email address has been involved in.
DeleteMe is a paid service that individuals and businesses use to remove data from search engine results. They make a strong claim that their service can protect you and your business from phishing attacks, identity theft, doxxing, and more. They also offer a free DIY guide to removing yourself from the top data broker websites.
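Have I Been Pwned also publishes a Pwned Passwords range API that lets you check whether a password has appeared in a breach without ever sending the password itself: only the first five characters of its SHA-1 hash leave your device, and the service answers with every matching hash suffix and its breach count. The code below is an added example, not part of the original post or of Have I Been Pwned’s own tooling; the range response it parses is constructed to mimic the API’s “SUFFIX:COUNT” format, and the counts in it are made up.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# Real responses have one "SUFFIX:COUNT" line per hash sharing that prefix;
# the suffixes and counts below are illustrative, not real API output.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E6EC7C63AE4A8D4F2BB0E6C75D8FF8C8A6:3
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    The 5-character prefix is the only thing sent to the service; the
    35-character suffix is compared locally, so the secret never leaves
    the device (the "k-anonymity" property of the range API).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count table."""
    table: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank or trailing lines
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, range_response: str) -> int:
    """Breach count for the password, or 0 if its suffix is not listed."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix from the public HIBP endpoint."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "footprint-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

To check a real password, call `fetch_range(split_sha1(pw)[0])` and pass the result to `pwned_count`; a non-zero count means the password is already in breach corpora and should be replaced everywhere it is reused.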
Be Online But Be Small
It all boils down to shrinking the target! Don’t be afraid of using the internet. It’s unavoidable in modern life. Make this your mantra: Be online but be small.
Asylas is a cybersecurity solutions firm focused on remarkable service and customized approaches to security, privacy, and risk assessment. If you need help keeping your company safe online, contact Asylas at 615-622-4591 or email firstname.lastname@example.org. Or complete our contact form.