It’s the most vexing digital-age question: Should I share this?
There’s no way to interact with most websites and apps without surrendering at least some basic personal information—and at sites ranging from AdultFriendFinder.com to IRS.gov, users often ended up sharing a lot more.
Sometimes there aren’t great alternatives: Experts say there’s nothing the IRS hack victims could have done to ward off that attack, for example. (It’s a bad idea to avoid telling the IRS how much money you made last year.) But there are some steps you can take to protect yourself online.
Think long-term when posting on social networks. Software makes it so simple to overshare—posting a photo takes just a few clicks and friends can tag you and your location before you realize it—that it’s easy to overlook how much information is actually being divulged. But a few “likes” today aren’t worth big headaches tomorrow.
While it’s possible to untag yourself and to delete tweets and Facebook posts later, that doesn’t mean the data hasn’t been vacuumed up and stored someplace. Criminals scout the Internet to build dossiers on consumers that can be used in elaborate digital impersonations—that’s essentially how they broke into the IRS’ “Get Transcript” service. Most people don’t realize how much they contribute to hackers’ efforts. Users post photos of their pets (with names!), their old schools, their family members (with names!) … all potential clues for criminals who might try to hack your accounts.
Anything typed into a keyboard or uploaded onto a site can come back to haunt you years later. Many of the victims in the Adult FriendFinder data theft had already deleted their accounts, claims Channel 4, the U.K. outlet that broke news of the leak.
Your best bet: Avoid sharing personal information, whether it’s vacation destinations or family names. And use the tightest privacy settings, so random strangers can’t pick up tidbits about you.
Use multiple passwords. “The rule of thumb for the consumer is, don’t use the same username, don’t use the same password, don’t use the same security questions,” said Morey Haber, vice president of technology at BeyondTrust, a security management firm. The IRS breach, he said, is a perfect example of how one piece of compromised information can be used to hack new accounts and cause further problems. “It shows the chain reaction in something that can occur.”
If you can’t use a different password at every site, at least employ password “families.” Use very strong, distinct passwords for financial sites, and simpler passwords for sites that require them for registration, such as news sites.
Consumers frequently surrender their critical passwords to almost every site they visit, a terrible habit. (A report by fraud-detection vendor CSID, released in the fall of 2012, found that 6 in 10 consumers reused passwords at multiple sites.) That means your online bank account is only as safe as the security at any other site you’ve accessed with the same password.
Even something as harmless as a Starbucks gift card account with $9 in value can be hacked and turned into a big headache. The company recently acknowledged that attackers were using passwords stolen from other websites to hack into its accounts and steal money from credit or debit cards linked to the Starbucks mobile app.
Another option: Use made-up names and birthdays for websites where who you are really doesn’t matter. Keeping your digital footprint as small as possible works to your advantage.
Don’t click, call: So many hacks boil down to someone clicking on a booby-trapped link in an email or on a website, then unwittingly giving personal information to a criminal. Turn up your skepticism to 11. Any request for information should be suspect, even if it appears to come from a friend, colleague, or a company you do business with. Call to verify. It only takes a moment and it can save you hours of hassle.
In perhaps the most worrisome hacking development of all, criminals have seized on an attack known as “spear phishing” to pull off dramatic heists, often informed by details gleaned from public sites such as social media networks. Traditional phishing attacks involve millions of spam emails sent randomly in the hopes that a few recipients might be fooled into divulging banking information. Spear phishing involves carefully crafted, very personalized emails sent to a target who holds the key to very valuable information, such as the admin for a CEO.
The tempting emails might say, “URGENT: From Susie’s teacher,” and trick the recipient into clicking on a booby-trapped attachment that helps hackers commit espionage, or worse. Spear phishing is suspected as the cause of the Sony hack and the infamous Target credit card hack, according to a report issued this month by the InfoSec Institute, a security training firm.
“There’s no reason to panic,” in light of the recent breaches, said Kevin Epstein, vice president of advanced security and governance for Proofpoint, a security management firm. “But there is a need to act differently.”
Epstein likens protecting your personal information online to guarding your physical possessions in real life. “If you grew up in a small town and you’re used to leaving your doors open, when you move to a big city, you probably don’t want to leave your doors open anymore,” he said. “You probably want a deadbolt.”
—With additional reporting from CNBC’s Kelli B. Grant.