By Sam Catania
Following reports that hackers leaked highly sensitive stolen data belonging to members of the Stanford community, Stanford cybersecurity experts have recommended numerous steps you can take if you’re worried your personal information may have been compromised. Though the exact breadth and scope of the breach remain unknown, these steps can also act as important preventative measures to ensure you are kept safe in any future breaches.
Place a fraud alert on your credit, and consider freezing it
Because Social Security numbers and other sensitive financial information were included in the breach, it may be necessary to take precautions to protect your credit.
Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, recommended two free options: putting a fraud alert on your credit and a “security freeze” on your account with all three of the major credit bureaus.
The Federal Trade Commission (FTC) details how to quickly add this alert by contacting only one credit bureau — the bureau will alert the other two. A fraud alert will not prevent you from accessing credit or applying for new lines of credit (i.e. opening a new credit card, applying for a car loan, etc.), but it will require businesses to verify your identity before granting credit. Credit bureaus will ask for updated contact information when you place the alert to make sure they can get in touch if you (or a bad actor) tries to open a credit line on your behalf. The alerts last for one year but can be extended.
A credit freeze, by contrast, entirely prevents you or anyone who may have your personal information from opening a line of credit under your name. A freeze restricts any access to your credit report. It can be lifted temporarily at any time, but you will need to directly contact a credit bureau to do so.
You can freeze your credit with the credit bureaus Equifax, Transunion and Experian by going to the linked sites. You will need to individually freeze your credit with each of these three major bureaus for it to fully be frozen.
A credit freeze will likely prevent you from applying for any type of loan while it is in effect but will not prevent you from using existing loans like mortgages or credit cards. Credit checks would also be affected, according to Pfefferkorn: If a person was trying to buy a car or open a credit card, for example, the freeze might temporarily prevent them from doing so.
“You can lift the freeze, though, so the prudent course following a data breach of sensitive information like SSN is to put a security freeze in place and then deal with lifting it if/when you need to,” she wrote in an email to The Daily.
Herb Lin, a senior research scholar for cyber policy and security at the Center for International Security and Cooperation agreed, calling freezing credit “inconvenient, but necessary.”
Practice good password habits
All cybersecurity experts interviewed by The Daily noted that good password practices can also be key to digital safety. While it is unclear if any passwords were leaked in Stanford’s recent breach, having strong passwords can prevent a multitude of other types of digital attacks.
“Never re-use a password,” Pfefferkorn wrote. “Use a password manager such as OnePassword or LastPass to generate and store strong passwords for all the sites and apps you use. (They will also tell you if a site for which you have a password stored, has been affected by a data breach, so you can go change your password.) You can also store passwords in your browser, such as Safari or Chrome.”
Matthew Masterson, a non-resident policy fellow with the Stanford Internet Observatory who has served as Senior Cybersecurity Advisor at the Department of Homeland Security, agreed that using a password manager was a good option, as “trying to memorize all your passwords just leads to reusing weak passwords.”
Experts also agreed that multi-factor authentication (MFA, sometimes also referred to as 2FA or two-factor authentication) should be used if possible, especially on “crown-jewel” accounts such as emails or financial accounts tied to your bank.
Those interviewed by The Daily recommended using MFA apps such as Google Authenticator or Duo, since they can be more secure than phone text messages. However, using any MFA is better than none, according to Pfefferkorn.
Pfefferkorn said that SMS two-factor authentication can be risky because of something called “SIM swapping,” where a malicious actor gets your mobile phone provider to transfer your phone number to them so that they can receive your texts, including login codes sent via SMS.
“To cut down on the chances of SIM swapping, some providers such as T-Mobile offer a way for you to add extra precautions before the company will port your phone number to a new phone (although they don’t always actually follow their own instructions),” Pfefferkorn wrote in an email to The Daily.
Be mindful of what goes online
Masterson also suggested that people should be mindful of what they share online.
“Simple social media posts may seem innocent but provide clues and information that can be used to target you,” Masterson wrote. “For instance, password clues like pet name, high school mascot, etc. may be shared on social media and used to access accounts.”
Lin suggested going a step further, writing that people should use a fake mother’s maiden name, location of birth and high school of graduation when registering the correct answers for security questions on websites. He said this would make the information “hard to remember” but helpful in preventing hacks. He suggests people record their fake answers to these questions in a secure location so that they do not have to remember their made-up responses.
Beware of phishing
Masterson advised that people should be especially protective of giving important information such as Social Security numbers, driver’s license information and account numbers over the phone, on websites or over email. “Banks and other institutions don’t just cold call you and ask for this type of information,” he wrote.
Protect data through other means
Both Pfefferkorn and Lin recommended using encrypted messaging services like Signal instead of traditional SMS texting for added security.
Cryptography professor Dan Boneh recommended using digital payment methods like Apple Pay and Android Pay because these services generate “one-time” credit card numbers so merchants won’t have your actual information if they’re ever hacked.
Boneh also advised that students wait for Stanford to provide additional guidance on the nature of the breach for more steps to take, since some precautions can be situation-specific.