Huge online attacks, such as the recent Adobe break-in, bring to mind a pressing question: What should we do if our credit-card data or sign-in credentials are stolen?
Plus, what steps will help minimize future exposures when large corporate sites are cracked — as they no doubt will be — by malicious hackers and cyber thieves?
A real-life experience with data theft
Let’s start with a potential worst-case scenario, as related by a Windows Secrets reader. To protect his privacy, I’ll call him KP. He was among the three million Adobe customers whose sign-in information — and in some cases credit-/debit-card data — was stolen in the recent, highly publicized breach of Adobe’s servers (more info).
Being a victim of the Adobe theft was bad enough, but KP (and many, many others) used a practice that made things even worse: he reused the same username and password on many different sites. This meant that the one theft from Adobe instantly compromised his security at every other site where he used the same sign-in info!
Here’s the note he sent:
“The thieves who robbed Adobe’s data now have the username and password I’ve used on many sites. I’ve changed my password on the accounts I remember using, but I’m sure there are many accounts I’ve forgotten about. I’m now at risk of fraud on those accounts.
“I know that I should use a separate password for each account I set up, but that’s just impossible.
“Is there anything I can do? Help!”
Yes, there’s lots you — and everyone else who has sensitive data on webservers — can and should do, both when involved in a data-theft incident and as a general policy.
In cases such as the Adobe break-in, the immediate response is to ensure that the damage doesn’t snowball into a full-fledged identity-theft incident — one that could ruin your personal finances and compromise your privacy.
Next, take the necessary steps that will limit any vulnerabilities from future breaches. (Practically speaking, there will be more major break-ins, and it’s impossible to eliminate all threats.) Contrary to conventional thinking, it’s emphatically not hard to use a unique sign-in for each and every site. In fact, using unique sign-in credentials is quite easy and doesn’t have to cost a dime.
I’ll come back to these points later, but let’s deal with the emergency situation first.
Steps to take after a data-theft attack
The keys to your online data are your sign-in credentials. Here’s what to do if your username and password are stolen from any site where you’ve conducted a commercial transaction:
- Credit-/debit-card transactions: If a commercial site you use suffers a data breach that might expose your credit- or debit-card numbers or data, act immediately. Virtually all credit-/debit-card companies print a toll-free number on the back of their cards. Call the number, tell them what’s going on, and ask them to send you new cards with new numbers. You’ll typically receive the new cards within a few days and there’s usually no extra charge for the replacements. The card issuers are just as anxious to avoid fraudulent card use as you are.
- Other financial transactions: If a hack attack compromises the username, password, or account information for financial transactions such as checking, savings, mortgage, etc., contact the bank or other institution, tell them what happened, and follow their advice. Some institutions will simply increase the level of monitoring on your accounts; others will issue new account numbers. If you’re given a choice, opt for wholly new account numbers.
Changing user and account information will, of course, require the annoying and time-consuming task of updating your user information on online sites. It simply has to be done. But if you can’t recall all sites where you’ve had financial transactions, at least the old account information will be useless to cyber thieves.
- Monitor and protect your financial identity: Contact the major credit-reporting agencies (in the U.S.: Equifax, Experian, and TransUnion) and ask to have a fraud alert placed on your accounts. That should impose extra identity-verification steps and thus prevent thieves from opening new accounts or new lines of credit in your name.
You might also choose to sign up for one or more of the identity theft–protection services the reporting agencies offer — such as immediate notification of any and all new activity in your credit records, insurance against ID theft–related losses, and so on. Each site lists the services offered; read carefully, as there are often extra costs involved.
If you prefer a no-cost option, you also can monitor your credit records for free, though often at a somewhat slower pace. In the U.S., the Fair Credit Reporting Act requires that the three major credit-reporting agencies listed above provide you with one free credit report every 12 months. By staggering your report requests to each agency, you could obtain a free report every four months. (Their reports tend to overlap, so major problems with your credit reports should show up in all three agencies.)
- Keep records of all account calls and contacts: It’s easy to lose track of whom you’ve contacted. Include dates and times, and if a human contact is involved, get the name of the person with whom you speak. If you work online, take screen shots or make printouts of the relevant webpages. These records could help prove due diligence on your part, should the worst happen and your stolen data be used for fraudulent or malicious purposes.
Letting your browser manage sign-in credentials
We can’t eliminate all breaches of corporate data. However, as already noted, we can limit our exposure from future data-theft events relatively easily — by using a unique password for every site. (Using unique user names would increase security, but it’s impractical — especially as more and more sites use an email address for the sign-in username.)
Many PC users still quail at the thought of remembering potentially dozens of passwords. But password-management software easily solves that problem. You just have to use it.
In fact, the browser you’re using right now most likely has a free, basic password manager built in. (That should not be a surprise — most major browsers ask whether they should save usernames and passwords when you first sign in to sites.) Browsers store sign-in information in an encrypted file on your hard drive. They then automatically fill in the correct credentials for each specific site. So there’s no excuse not to use a unique, complex, difficult-to-crack password on every site you sign in to.
There are a few exceptions. For example, browser-based password managers might not work with some banking sites — especially those that use two-step verification.
Here’s information on the password managers built into the big-three browsers:
- Internet Explorer’s User names and passwords on forms is a selection in the AutoComplete Settings (tool icon/Internet options/Content). It’s explained on the Microsoft help page, “Remember passwords and fill out web forms.”
- Chrome’s Offer to save passwords I enter on the web is found in its advanced settings (three-bar icon/Settings/Show advanced settings/Passwords and forms). It’s explained on Google’s “Manage your website passwords” page.
- Firefox’s Remember passwords for sites option is in its Security section (Tools/Options/Security). See Mozilla’s “Remember, delete and change saved passwords in Firefox” page for more info.
All three browsers also let you review and edit saved credentials. For password management in other browsers, check their local and online help pages.
Stepping up to a standalone password manager
I’m a belt-and-suspenders kind of guy when it comes to security, so I generally use a browser’s built-in password manager only for low-risk sites — typically, sites where I don’t enter credit-card numbers or other sensitive personal data. That way, if some newly exploited browser flaw exposes my saved passwords to hackers, there’s little serious risk to me.
For sites where I perform commercial transactions and/or enter sensitive personal data, I use a separate, standalone password manager that operates independently of my browsers.
There are many available, both free and paid. I use RoboForm Everywhere (free trial, U.S. $10 for the first full year; site). It will store your passwords in a file encrypted with the method of your choice (I use 256-bit AES). It can also automatically synchronize your passwords across the various digital devices you use, including PCs, Macs, tablets, smartphones, and so on.
RoboForm is good, but I freely admit that some of my preference for it is based partly on simple inertia — I’ve been using it for over a decade. I list some excellent alternatives below.
Here’s what a good standalone password manager can do: my RoboForm vault currently contains 592 unique username/password combinations. I need to remember only one — a master password I established when I set up RoboForm.
When I go to any of those 592 sites, RoboForm recognizes the specific site and automatically fills in the sign-in boxes with the correct username and password for that site.
If I need to generate a new password, RoboForm’s internal password generator creates a unique, hard-to-crack password on the fly — of whatever length and level of complexity I specify (see Figure 1).
For example, the RoboForm-generated password shown in Figure 1 follows the best practice rules for secure passwords:
- Long: I chose 16 characters for this example, but some sites might allow a maximum of eight or 10 characters.
- Random: The password contains no simple patterns or recognizable words, names, or phrases.
- Numerals: In this example, I set a minimum of two.
- Upper case/lower case: Good passwords use a mix of upper- and lowercase letters.
- Special characters: Always include keyboard characters that are not letters, numbers, or spaces.
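To show what those rules look like when a program enforces them, here is a small generator written for this article as an added example; it is not RoboForm’s code or any other vendor’s. It assumes a 94-character alphabet (ASCII letters, digits and punctuation standing in for “special characters”), draws every character from the operating system’s cryptographic random source via Python’s `secrets` module, and simply rejects candidates that miss the minimum-digit, mixed-case or special-character requirements. It also computes the entropy of a password drawn uniformly from that alphabet and a rough brute-force time at an assumed guess rate, which is the quantity the password-testing sites mentioned below are estimating.

```python
import math
import secrets
import string

# Character classes used by the generator (assumed alphabet; ASCII punctuation
# stands in for "keyboard characters that are not letters, numbers, or spaces").
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL  # 94 characters


def meets_policy(password, length=16, min_digits=2, min_special=1):
    """True if the password satisfies the article's rules: exact length,
    at least min_digits numerals, at least min_special special characters,
    both upper- and lowercase letters, and nothing outside the alphabet."""
    return (
        len(password) == length
        and sum(c in DIGITS for c in password) >= min_digits
        and sum(c in SPECIAL for c in password) >= min_special
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and all(c in ALPHABET for c in password)
    )


def generate_password(length=16, min_digits=2, min_special=1):
    """Draw characters with the OS CSPRNG (secrets, never random.random)
    and retry until the policy holds. Rejection sampling keeps the result
    uniform over the set of policy-compliant strings."""
    # Need room for the digits, the specials, one lowercase and one uppercase.
    if length < min_digits + min_special + 2:
        raise ValueError("length too short to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length, min_digits, min_special):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy, in bits, of a password of this length drawn uniformly from
    the alphabet. The policy filter removes a few strings, so a compliant
    password has very slightly less than this; the difference is negligible
    at 16 characters."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Expected years to find the password by exhaustive search, assuming the
    attacker must try half the keyspace on average at the given guess rate."""
    keyspace = alphabet_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password())
    print(f"{entropy_bits(16):.1f} bits of entropy for 16 characters")
    # Assumed attacker rate of one billion guesses per second (offline attack).
    print(f"{years_to_brute_force(16, 1e9):.3g} years at 10^9 guesses/s")
```

The guess rate is the variable that decides what “hard to crack” means: an online login form that rate-limits attempts is many orders of magnitude slower than an offline attack on a stolen hash database, which is exactly the situation a breach like Adobe’s creates. Sixteen characters from a 94-symbol alphabet give about 105 bits, comfortably out of reach even at offline rates, which is why the article’s advice is to let the manager generate passwords at the longest length a site will accept.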
Clicking the Generate New button instantly created the password 3w$pEf95aNL!kc*h; a second click produced WDQ3*GU^Rq4q8qo7; a third click generated YB6s3aV*^6xJVDNF; and so on.
Those are all excellent passwords. For example, the Kaspersky Secure Password Check (free; site) estimated an average PC would require over 10,000 centuries to crack those passwords. The following four password-testing sites confirmed the passwords’ quality.
- How Secure Is My Password
- The Password Meter
- How Big is Your Haystack?
- Check your password — is it strong?
Obviously, I’d be hard-pressed to remember any of those passwords on my own! Fortunately, I don’t have to.
And again, RoboForm is just one of many excellent free/paid password managers. A Web search will turn up dozens more. Some of the best-regarded include (in no particular order):
- LastPass (free/premium; site) installs and sets up easily on Windows and Macs and has a good help system. The free version is ad-supported; the premium version — currently $12/year — removes the ads and includes support for mobile devices such as phones and tablets.
- S10 Password Vault (free for personal use, $35 for businesses; site) is available in both installed and portable versions for Windows. An Android version is also available.
- KeePass Password Safe (free, open-source; site) is also available in installed or portable versions; it runs on Windows, Macs, and most smartphones and tablets. The fact that it’s open source makes it unlikely there could be any covert backdoors into the software. But, as is often the case with open-source software, the help system is relatively thin. The easiest way to get KeePass going is to read the KeePass Help Center page, “First steps tutorial.”
- 1Password ($39 and up; site) gets rave reviews and is available for Windows, Macs, and most smartphones and tablets.
Again, no matter which one you choose, a good password manager makes it easy to create and use a long, hard-to-crack password for each and every site you visit.
Once you’re using unique sign-in everywhere, any future data hacks should be just a one-site annoyance that you can contain with the steps outlined at the top of the story. The problem won’t snowball into a potentially widespread threat to your identity, privacy, and financial security.
Remember: Stolen usernames and passwords are often sold or given to other cyber thieves. If you give someone access to your entire online financial cookie jar, you have no one to blame but yourself!