Fraud.org is a project of
The National Consumers League.
1701 K St NW
Washington, DC 20006
Data breaches occur on a daily basis at websites and online services that millions of consumers use. This means that all of us are vulnerable to harm stemming from our information getting into the wrong hands. This harm can range from the merely annoying (needing to change a password) to incredibly costly and disruptive (identity theft). While it’s practically impossible to protect yourself from all online threats, there are steps you can take to reduce your risk. Here are step-by-step instructions for what security experts recommend all of us do to better protect our sensitive data.
Two-factor authentication (also known as multi-factor authentication, TFA, MFA, 2FA, and other abbreviations) is a tool that gives Internet users an additional level of account security beyond the standard email address/username + password combination.
TFA works on the principle of “something you know + something you have.” “Something you know” is most often your username and password combination for a particular account. “Something you have” can be a smartphone, USB security key, your fingerprint, or other physical object that lets a website know that you’re you.
The importance of two-factor authentication
TFA is increasingly becoming a critical security feature that should be implemented on your important online accounts, especially your primary email, financial, e-commerce and social media accounts.
TFA is critical because the email address/password combination has been thoroughly compromised by hackers and no longer provides strong protection from account breaches. Since so many of us reuse the same (often weak) passwords across multiple accounts, when one account is compromised on a website with weak security (say, on an online forum), hackers will quickly use that username/password combination to try and compromise other, more sensitive accounts such as email, bank, and e-commerce.
Turning on two-factor authentication is relatively painless
More and more websites and online services are implementing TFA as a way to provide an additional layer of security to users. Setting up TFA is fairly painless for most users. It typically involves inputting a code received via text message or an online app (such as Google Authenticator) in addition to the username/password combination before logging in to a website for the first time.
Typically, when the website authenticates a particular device (e.g. a laptop or smartphone) once via TFA, you won’t be prompted to enter the second factor again on that device.
Who offers two-factor authentication?
There are many websites online where you can find out which websites offer TFA. One of our favorites is twofactorauth.org, which is maintained by Josh Davis, an engineer at Amazon. Our colleagues at Stop|Think|Connect also maintain a great list, with step-by-step how-to videos at their Two Steps Ahead campaign.
Your operating system (or OS) manages all of your computer’s and smartphone’s hardware and software. Operating systems are incredibly complex pieces of software that require millions of lines of code to work properly. This means that there are millions of opportunities for hackers to discover coding vulnerabilities that can allow unauthorized access to your devices.
Operating system makers such as Microsoft, Apple, Google, and others are constantly working to patch code vulnerabilities as they are discovered. However, these patches are only useful if consumers install them. The best bet for most consumers is to enable automatic updates for your operating system. At the very least, be sure to manually install updates regularly to keep your operating system’s security as strong as possible. Instructions on turning on automatic updates and installing OS updates for the major desktop and mobile operating systems are at the links below:
Windows XP – Microsoft is no longer supporting Windows XP, so upgrading to a more recent version of Windows is highly advised. Instructions on how to upgrade from Windows XP to Windows 7 are available here.
Windows 10 – Automatic OS updates are the default option, so you shouldn’t have to do anything. Additional information on updates in Windows 10 is available here.
Instructions for updating Android vary by device manufacturer, since different manufacturers may install different versions of Android on different devices. For instructions on how to update your specific device, visit your wireless carrier’s support website or the support website for your device’s manufacturer.
Chances are that you will receive a notification on your device when a new version of Android is available for your device. Follow the instructions provided to install an over-the-air Android update automatically.
On most Android devices, you can manually check for OS updates from your home screen by tapping on the applications icon => Settings => About phone => System updates => Check for update.
Web browsers are the primary way most consumers access the Internet. As such, browsers are a popular target for hackers, who exploit vulnerabilities in a browser’s software code. Once a hacker has access to the browser, they can install malware. The severity of this malware infection can range from the merely annoying (pop-up ads) to the truly harmful (capturing keystrokes to harvest things like account passwords). Increasingly, browsers are being set to update automatically. However, many consumers still use browsers that require manual updates. Instructions on how to update some of the most popular browsers are at the links below:
Apple Safari – Note: Safari is updated when OS X updates
Google Chrome – Note: Chrome is set to update automatically by default
Microsoft Internet Explorer
Microsoft Edge – Updated automatically by default in Windows 10
A password manager is a program that stores a consumer’s login credentials (such as usernames and passwords) and automatically inputs them when a consumer logs in to websites that require authentication. Password managers come in many forms, such as browser plugins and standalone programs. Some are integrated with a particular web browser or operating system. Some password managers can also generate passwords, relieving the user of the need to come up with their own passwords. To access the password “vault,” consumers must remember a single “master password.” Password manager software is often free (with a paid version offering more functionality).
Password managers help consumers keep multiple accounts more secure
Consumers create multiple different accounts to access email, social media, banks, utilities, online forums, e-commerce, and dozens of other types of websites. For each account, consumers are asked to use a username/password combination. This can result in consumers needing to remember dozens, if not hundreds, of username/password combinations. Rather than create unique passwords for each account, consumers often reuse the same (often easy-to-guess) passwords across multiple websites. This creates a major security vulnerability, since a compromise at one website can leave consumers’ accounts vulnerable at other websites where the same username/password combination is used.
It may seem counterintuitive to keep all passwords in one place, protected by a single password, but remembering one strong password for a password manager is actually a better strategy than memorizing (or worse, reusing) weak passwords across multiple sites.
How to choose a password manager
There are dozens of good password managers available. Here are some links to help get you started:
How-To Geek: Why You Should Use a Password Manager and How to Get Started
PC Magazine: The Best Password Managers for 2016
LifeHacker: Five Best Password Managers
If you’re not comfortable using a password manager program, our advice is to make sure your passwords are long and strong. Use a mix of upper and lower case letters, numbers, and symbols. The longer the password is, the better protection it will offer against hackers who use password-guessing software to crack the code.
Most importantly, do not use the same passwords across multiple accounts. The risk of one account compromise leading to subsequent breached accounts (using the same username/password combination) is very great. There is no shortage of advice on creating strong passwords. Some useful guides are available below:
How-to Geek: How to Create a Strong Password (and Remember It)
Google: Creating a strong password
Microsoft: Tips for creating a strong password
PC Magazine: Password Protection: How to Create Strong Passwords
Even if you take all of the steps we recommend to reduce your data breach risk, it will still be possible for your information to fall into the wrong hands. One of the most pernicious ways that hackers can use consumers’ compromised personal information is to commit identity theft. To help prevent identity fraud, consumers should pay close attention to their credit reports and consider taking proactive action, such as a credit freeze, to protect their identity.
Checking your credit report
Under federal law, consumers are entitled to access their credit report for free from each of the three major credit reporting bureaus once every 12 months. This can be done at AnnualCreditReport.com. When you download your credit report, check it for anomalies such as accounts and lines of credit which you don’t remember opening. If you spot problems, report them immediately to one of the three credit reporting bureaus (Experian, Equifax, and TransUnion).
Consider a credit freeze
Putting a credit freeze (also known as a security freeze) on your credit report will prevent anyone–including legitimate creditors such as banks, credit card companies, cell phone providers, or utilities–from accessing your credit report until you unfreeze the report. Depending on your state of residence, there is likely to be a fee for freezing and unfreezing your credit report (anywhere from $3-12 per freeze/unfreeze, per bureau). Our colleagues at the U.S. Public Interest Research Group recently published a report detailing exactly why a credit freeze can be a better option for reducing data breach risk than other services such as fraud alerts and identity theft monitoring.