Recently two of my accounts were hacked from Turkey while I was asleep. I’m not sure exactly what was looked at, what was copied without my knowledge, or what additional damage there was.
Ever since then I’ve become a tad paranoid about online security, Edward Snowden’s revelations notwithstanding. But there are a couple of steps that I’ve taken since then to increase security and make certain kinds of hacking more difficult.
2-factor identification
This might seem silly, but many companies (Facebook, Google, banks, etc.) are now looking at the mobile in your hand as the next two-factor identification device, and it’s a very reasonable thing to do. If you can, turn on 2-factor mobile identification.
It’s not always easy to use yet, and there can be odd consequences such as locking yourself out of an account because your phone is out of battery! But it’s worth considering.
New phone number
I’ve been giving out my old mobile phone number willy nilly for years; but because many companies now require SMS verification, that number is logged in my profile as an ID verification tool, even without 2-factor identification.
One of my accounts was hacked because the person hacking knew: my email address; my old password; and my phone number. He was able to get into one of my accounts just with that information alone. He didn’t even need two-factor identification.
Given that many passwords were published online a few months before, I was shocked that a major corporation hadn’t considered that as a line of hacking. In fact, they made it easy to do. And changing your password didn’t help because the hacker already had everything needed.
I suspect the hacker had all three pieces of information from some recent hacking of popular sites; though I’m not sure which is responsible. So I got a new phone number to be used for this, one that wouldn’t be published online anywhere, unlike the old number!
Email alias
If you’re using Google Apps (not a regular Gmail account) or any private hosting company, you’ll be able to create aliases that act to forward email to your actual account. For example, if I have an email address called primary@domain.com, I could create any number of aliases, such as secondary@, etc, that would redirect email to the primary address.
This is very neat if you never tell anybody your primary email address and create lots of aliases instead. This will reduce the risk of someone successfully logging in to your account. The aliases cannot act as login ids.
The aliases you create can be unique to each account you need to use an email address for. So, for example, if you have an account at Wells Fargo and an account at Bank of America… you can create two different aliases.
Google Apps does allow you to change your old email address, and sets up your old address as an alias. If you use your Google Apps to log in automatically to sites, you cannot use aliases to log in like the primary login. It’s better to start fresh, if you can.
Social Media
I also had people trying to hack my Social Media profiles, by pretending to be Facebook or Google and asking for an email to disclose all sorts of personal information. I use an alias for Facebook that only Facebook knows. I have never used it elsewhere or sent email via that address before; it is completely private. Using the aliases has helped solve that issue.
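One way to put per-service aliases to work when sorting mail, as an added example that is not part of the original post: a message that names a service but arrives at an alias given to a different service, or at the undisclosed primary address, gets flagged. The alias names, the `ALIAS_OWNER` map and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

PRIMARY = "primary@domain.com"  # never disclosed to anyone
# Assumed mapping: each alias was handed to exactly one service.
ALIAS_OWNER = {
    "fb-7q2@domain.com": "facebook.com",
    "wf-k91@domain.com": "wellsfargo.com",
    "boa-x3d@domain.com": "bankofamerica.com",
}

def classify(raw_message):
    """Return 'expected', 'mismatch', 'primary' or 'unknown' for one message."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    if PRIMARY in recipients:
        return "primary"  # nobody should know this address, so treat as suspect
    for rcpt in recipients:
        owner = ALIAS_OWNER.get(rcpt)
        if owner is None:
            continue
        # The From header can be forged, so a match is not proof of authenticity.
        # A mismatch does mean the alias leaked or the sender is not who it claims.
        if from_domain == owner or from_domain.endswith("." + owner):
            return "expected"
        return "mismatch"
    return "unknown"

# Constructed sample messages (headers plus a one-line body).
SAMPLES = {
    "genuine": "From: Facebook <notification@facebook.com>\n"
               "To: fb-7q2@domain.com\nSubject: New login\n\nbody",
    "wrong_alias": 'From: "Facebook Security" <notification@facebook.com>\n'
                   "To: wf-k91@domain.com\nSubject: Verify your details\n\nbody",
    "to_primary": "From: Account Team <no-reply@accounts.example>\n"
                  "To: primary@domain.com\nSubject: Confirm your identity\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {classify(raw)}")
```
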
The only other thought that I had was that changing the backup email accounts was a good idea too, to prevent password recovery from only known information.
On a separate note: who answers undisclosed telephone numbers these days? I know I don’t. I just let the answer machine pick those up.