This post was contributed by a community member. The views expressed here are the author's own.

Scotch Tech - Protecting Yourself Online

In the wake of recent massive on-line security breaches, Scotch Tech tackles some simple methods for maintaining safety & security on-line.

The past few months have seen numerous high profile online data security breaches. Personal names and e-mail addresses have been exposed. In some cases, passwords, physical addresses, phone numbers and more have also been compromised.

The recent spate began in early April when the third-party service company Epsilon had a breach. Epsilon is a marketing company hired by many of the largest web sites to manage their online mailing lists for advertising purposes. You have probably been receiving mail from Epsilon every week without even knowing it...until now. Almost every web user received an email last month apologizing for the release of their e-mail address and personal name, along with a warning to beware of phishing scams. The clients of Epsilon ranged from Capital One and Best Buy to TiVo and Target. I know I received no fewer than three apology letters from my subscriptions.

Then in April, the Playstation Network (PSN) was compromised. The status is fluid, but it increasingly appears to have been an inside job. More than 77 million PSN accounts were exposed and are currently listed for sale on underground hacker web sites for $100,000. The data exposed was vast: it included your birthdate and quite possibly your credit card number, used for making purchases on the Sony Network.

Just last week, a New York Yankees employee accidentally emailed a list of names, email addresses and seat locations of all season ticket holders to a large distribution list, including a blog. The Yankees stated that steps were put in place to ensure that never happens again. My theory is there’s a new person on the unemployment lines in the Bronx.

The question on the table is “How do I protect myself?”  I offer three simple steps:

1. Passwords
In many security intrusions, passwords, or a weakly encrypted version of them, are also taken. This means that if your Facebook login and password are the same as your Playstation Network login and password, someone could use the stolen PSN data to get into your Facebook account.

As IT professionals, we despise it when people write down their passwords; it is a bad security practice. But if you had a different password for every blog, web site and account you used, there would be no other choice. So here is my practice, which I suggest you adopt: create two good passwords that are easy to remember but difficult to guess. Use the simplest one for generic web sites, places where you don’t spend money and where a stolen account would have no impact on your life.

Choose a more complicated one for the sites where you want to ensure the security of your identity, e.g. Facebook, Amazon and PayPal. Using this one secure and unguessable base password, append the web site name to make it unique, e.g. my86securepasswordFB for Facebook and my86securepasswordPP for PayPal. That way the gardening message board you belong to doesn’t have access to your important accounts, and you don’t have to remember 50 distinct passwords. The data break-ins that make the news are the big ones, but small web sites are compromised every day. You don’t know if the 15-year-old kid running FredsFishChat.com is keeping your data secure.

2. Security Through Obscurity
Following the previous line of thinking: does every web site you join and create an account on really need to know your birthday, mother’s maiden name, your first pet and the name of your elementary school? Too many web sites ask for too much information. Stealing your real identity, then acquiring a real credit card or applying for a mortgage, requires legitimate information. Sites such as the Playstation Network, Patch and FredsFishChat.com don’t need accurate information; they want something for security purposes. Putting in Jan. 1 as your birthday is fine for PSN, but if stolen, might not get the impersonator a real loan or credit line in your name.

Mother’s maiden name is often asked as a secondary security question. However, with a little research, a hacker could determine this and use that information to break into your account. Rather than give the web site the true information, why not give it the last name of your favorite actor? No one is going to steal my GMail account by answering the maiden name security question for me with, say, Tom Hanks. Why would they even think to type that in? The key here is that you do need to remember, or write down, your common fake answers to these real questions.

3. Restricted Credit Cards
The final rule on my best-practices list is the use of credit cards. On one hand, I advocate people using as little credit as possible, not having a dozen cards in their wallet and reading their statements monthly. However, we all know that is just not possible, at all times, for all people. I have a credit card that is used exclusively online. I don’t use my regular cards online, only this one card. This way, if the account number is stolen, I cancel this one card and it doesn’t affect my auto-debits or regular accounting. As well, it is very easy to thoroughly examine this one bill monthly while glancing over the others. You will also quickly find out when that one-time payment you made to Ancestry.com was in fact a recurring debit, something I just found last month myself.

Even more important, however, is searching for an account that offers an online one-time-use card number. Discover Card, and some others, have a web feature that allows you to generate a single-use number. I use that almost exclusively. Granted, it takes another minute to check out, but it’s well worth the effort. When I ordered that random knick-knack from FredsFishMarket.com, I gave them a card number that, once used, became invalid. So if or when this small web site is hacked, it’s of no consequence to me credit-wise.

The problem is that some sites you want to be able to use on a recurring basis - and the Playstation Network was one of them.  So they had my real credit card number on file.  But it’s on a card that is infrequently used and segregated from the rest of my credit for ease in managing.

If you put these three simple principles into action in your on-line life, you will be significantly more secure. Also important is ensuring you don’t fall for phishing scams. If you receive an email that appears to be from a company you use, especially one asking you to enter usernames, passwords, phone or credit information, don’t click the link in the e-mail. Instead, type the site’s address into the address bar and log in manually. Be careful out there!

Scotch Tech is a weekly technology blog written by Caleb Cohen, an IT professional and all-around geek.  If you have any Tech questions from which digital camera to buy to how to rid your computer of a virus, drop me a line at and we’ll try to address it in an upcoming post.
