Two months ago I went away for a long weekend and came back to find a pair of unfamiliar transactions on my debit card. They were small — less than $10 each, one at a Thai fast food place and another at a grocery store near my apartment. But since the transactions happened on the weekend when I was out of town, I was positive my client card had been compromised.
Fortunately, I was able to call my bank and have the charges reversed, but I know I’m not alone: According to Symantec’s 2017 Internet Security Threat Report, almost 40% of data lost in breaches last year involved personal finance information such as credit card details or banking records. More than 1.1 billion identities were stolen worldwide in data breaches last year, almost double the number for 2015. Among those were 15 mega breaches (cases like September 2017’s Equifax breach) where more than 10 million identities were stolen.
If you're feeling a little anxious, don’t worry, that’s healthy. According to Dr. Ali Ghorbani, director of the Canadian Institute for Cybersecurity, you should be extremely careful about your cybersecurity.
“We should turn away the attitude that it’s not going to happen to me, because it will, it’s just a matter of time,” he says.
The good news, says Ghorbani, is that there are some very easy steps you can take to protect yourself. You don’t need to become a paranoid conspiracy theorist who wraps their cards in tin foil. There are much easier things you can do. Like these:
1. Check the record
You can check to see if your data has been compromised right now. Go to Have I Been Pwned? and type in your email address and it will tell you if your personal information has already been involved in a known data breach. I personally found five cases where my username and password were compromised from different websites including Myspace, Zomato and Neopets (ah, childhood). So if you’re the type of person who reuses passwords, you probably want to make sure you at least change the logins for anything you find here.
2. Get a password manager
There’s good news for those of us who hate changing our passwords. Researchers at Carleton University did a study where they showed changing your passwords “provides little help” against attacks, unless it’s to stop someone like a friend who already has your password. Bill Keenan, head of engineering at Shopkick, a shopping rewards app, agrees. In fact, he believes changing passwords “probably diminishes your security in the long run” since people end up writing them down or just having bad passwords. The most important thing, he says, is to use a different password for every service because if one of the sites you use has their data stolen, then the thieves now have your username and password to other accounts. His recommendation? A password manager.
Cloud-based password managers reduce the hassle of it all, and the risk of forgetting, since you now only have to come up with and remember one amazing password. The password manager does the rest. There are a few to choose from; popular ones with free versions include LastPass and Dashlane. To use one, just log into your account with your master password and let the software generate and manage random passwords for your different accounts, auto-fill them when you log in, and store all the important information in a vault that is only unlocked by your master key.
3. Skip the public Wi-Fi
“The free Wi-Fi is probably a bad idea,” Keenan says. The reason it’s so unsafe is because it gives other people access to your data. And yes, that includes your local coffee shop where you have to ask for the password. “There’s essentially no difference,” he says, between places that need passwords and ones that don’t.
Ghorbani agrees. “You can actually sit there in a passive mode in some corner of the building and basically grab all the data,” he says. When you’re on public Wi-Fi, not all your data may be encrypted, meaning that a man in the middle can easily grab whatever isn’t. “The point of contact that you’re sitting there is pretty vulnerable and that’s where the problem comes,” he says. If you absolutely have to do some banking, use your mobile data. Or wait until you get home.
4. Give Apple and Android Pay a big hug
If you love using tap-to-pay for transactions — as I do — consider setting up Apple or Android Pay on your phone. According to Keenan, using Apple Pay is like using the tap chip on your credit card except with an extra level of security since your fingerprint is also required to complete a purchase. In fact, he uses it himself and thinks it’s safer than bringing your physical card. Ghorbani adds that the probability of encrypted transactions through Apple or Android Pay being hacked “is very low.” Using tap with your client card is relatively safe too, but it is actually possible for somebody with the right gear to bump into or walk near you and take your chip data. If you think this sounds like a plot in a bad TV show, I’m pretty sure this is what happened to me. I physically still had my debit card, but I may have bumped into someone at some point and had my card details ripped. Keenan says the pattern of attackers is that they start with multiple small transactions to test the card before making large transactions on your card.
5. Be an email hawk
OK, there is one place where you should be paranoid: Your inbox. If you get an email and you don’t know who it’s from, just delete it. Receive a text or email from your bank asking for personal details? Just delete it. You may have to unlearn everything you know about good manners, but it’s not being rude, it’s being safe. Keenan says that we’re not obligated to respond or figure things out. “Email should be treated with the same level of security as a postcard,” he says. In fact, he says it’s arguably less secure. Anybody in between can read your email, just as anyone who looks in your mailbox can read a postcard. And FYI, that means you should NEVER send secure information like usernames and passwords through email.
Ghorbani says that it’s our behaviour that makes us vulnerable and all we need to do to protect ourselves is act thoughtfully. “We don’t think. We just quickly react,” he says. And it’s this human nature that hackers use to get what they want. “Nothing will happen if an email arrives and we don’t answer it in an hour,” he says.
Have you ever had your personal information stolen? How did it happen and what did you learn? Send your stories to [email protected] and we promise we’ll answer. You seem pretty legit.