Toughen up your passwords to protect against identity theft incidents online

They're going to happen, so be prepared

1/28/2012
BY OMAR L. GALLAGA
AUSTIN AMERICAN-STATESMAN

If you do any shopping, banking, or other business online and it hasn't happened to you yet, it probably will.

Last week, the online retailer Zappos (which is owned by Amazon), sent an email to 24 million of its customers telling them that their personal information might have been compromised in a data breach.

Though credit card and payment data were unaffected, the company said that names, email addresses, billing and shipping information, phone numbers, and other information were at risk.

It was far from the worst such attack on our personal data. Last year, Sony battled a series of attacks against its PlayStation Network and online entertainment sites that affected about 100 million accounts. The Texas comptroller's office and companies including Citigroup were victims of similar breaches. Over the holidays, Austin-based Stratfor, a political analytics company, was attacked, and credit card information for its customers was accessed by hackers.

The hacking attacks seem to be getting more aggressive, and it's unlikely we've seen the last of them.

So what can you do when you receive an email like the one from Zappos, alerting you that your personal information could be at risk?

Brian Hjelm, vice president of marketing for Austin-based security firm CSID, said that the most important step to take is the one that Zappos outlined in its email to customers: Change your account password as soon as you can.

"They reset everyone's passwords instantly -- that's good. It was proactive. They locked down your old one and forced you to create a new one," said Brian Hjelm, who happens to be a Zappos customer. He got the email too.

Passwords in general are a major problem we have as computer and Internet users. Robots are great at remembering complex, hard-to-crack passwords; we humans, not so much. The best passwords combine capital and lowercase letters, numbers, and special characters.

A terrible password: "mydogspot."

Much better: "!mYd0ggS48t?&"

But good luck remembering that. There are password managers for computers, tablets, and mobile phones (1Password is the one I like the most) that can remember passwords and generate new ones for you.

Having one great password, though, can be a problem if you use the same one on multiple Web sites. If one site is breached and hackers get your login (which is sometimes just an email address) and your password, they can access all your accounts.

Another thing you can do is avoid using the same email account as a login for both personal and work-related services. If a breach happens to a site that you do business with, for instance, all your personal services might be hacked too. Or you could create a separate email address just for shopping and Web service signups.

If you've been lax, Mr. Hjelm said, "you need to go and make sure you're resetting all those passwords. That's the biggest risk at this point. If you use that same user name and password on your Wells Fargo account, you're in big trouble."

Identity thieves, he said, can use fragmented information to piece together enough data, for instance, to apply for credit cards using your Social Security number or draw money from an online bank account.

Beyond simply changing your password, there are other things you can do, from contacting your bank to have it reissue credit cards that might be at risk, to issuing a credit freeze through the major credit report agencies, to signing up for an identity protection company's services that can monitor your accounts and alert you to possible fraud.

"Most of them offer identity restoration services where specialists walk you through the process," Mr. Hjelm said. "That could mean filing a dispute with a credit bureau, working with a credit card at a bank, or filing paperwork with the IRS and Social Security office in the event that your Social Security number is compromised."

In the case of such companies as Sony and Stratfor, they will often offer customers who are the victims of a security breach at least a year of identity monitoring services. Mr. Hjelm's company has worked with companies to offer these kinds of services.

"You might see Zappos offer some kind of identity coverage. Twenty-four million is a lot of customers, and it'll be interesting to see how ultimately Zappos chooses to respond," Mr. Hjelm said.

Jason Lavender, founder and CEO of Austin-based ID Theft Solutions of America, which offers identity monitoring, said that criminals who hack databases can sell the information on the black market and that they're rarely caught.

The worst thing you can do if you haven't yet had your personal information lost is to wait for it to happen. Now would be a good time to toughen up your passwords, change them across the myriad online services you use, and always be wary of suspicious "phishing" emails that might be pointing you to a different Web site than the one you're intending to visit.

Mr. Hjelm said that it's been a busy year for hackers and security companies, but that customers slowly are getting more savvy about their personal data. "They realize that at some point, through all the companies they do business with, they may be the victim of a breach.

"It's better to get in front of it now instead of panicking later," he said.

Omar L. Gallaga writes for the Austin American-Statesman. E-mail: ogallaga(at)statesman.com.

Story Filed By Cox Newspapers

For Use By Clients of the New York Times News Service