Even if you have nothing, you still have something hackers want.
Why should I bother with all this complicated security stuff? I have nothing hackers would want! I don’t have anything to hide, so why would anyone come looking for me? I don’t do banking on the computer, and I don’t have much money anyway.
I hear variations on this all too often. Many people feel that because they don’t have lots of things they think a hacker would want, they’re not a target.
Wrong. Everybody’s a target.
You definitely have things hackers want. I don’t say this to scare you; I want it to motivate you to protect yourself and continue to use the internet safely and happily.
You're a target
Any of your online accounts, if compromised, can cause you anything from incredible hassle to loss of money to identity theft. Prevention is easier than you think and much less costly than recovering from a problem.
"I don’t have much money, so hackers won’t come after me."
This is a common comment, but it assumes hackers only target rich people. They don’t. They have no idea how much money you have.[1]
And they don’t care.
Why? Because by stealing your personal information, they can make money no matter how much is in your bank account.
Sure, if you have money to be stolen, hackers will be happy to relieve you of some or all of it. But it’s not just about money. Even if they never steal a dime from you, hackers can still hurt you. As you’ll see, they can damage your reputation and cause you a ton of hassle and stress.
"I’m nobody, and I’m hardly online. They can’t find me."
I frequently tell people not to fear being tracked online because you and I just aren't that interesting. Unless you are a high-profile individual, it’s extremely unlikely someone is targeting you specifically.
But hackers target everyone.
Like fishermen, hackers aren’t looking for a specific fish. They cast a wide net to gather as many fish as they can, without concern for which fish they catch.
The hackers' "nets" are sophisticated computer programs methodically trying to compromise the accounts of thousands of people across hundreds or thousands of different online services. Once they know your name and email address -- which are pretty easy to find -- you are likely to be included in those hacking programs.
"I don’t bank online, so hackers can’t mess with me."
There are many other kinds of accounts besides banking that hackers value just as much. Do you have email account(s)? Do you use Facebook or other social media? Do you keep photos on your phone or computer? All of your online data is valuable and vulnerable to hackers.
For example, hackers can use your email account to send spam to your email contacts, who are then more likely to fall for their ruse because it looks like it came from someone they trust: you.
They can use your online accounts to send out malware, and even trick you into installing malware yourself. Once you’ve installed it, they could have access to your computer and start logging your keystrokes, stealing even more passwords, and breaking into even more accounts. Or they could just use your machine to send lots and lots of spam, and you’ll likely never know it.
With access to your social media accounts, they could post messages, photos, or videos as if they were you, once again to trick your friends and followers to fall for scams, install malware, and otherwise become victims themselves.
And of course one of the first things hackers often do with all of these accounts is lock you out. I hear heartbreaking stories daily of people who have lost access to all their email, their email address, their photos, their social media accounts, and more.
"I don’t bank online, so hackers can’t get my money."
Do you have a bank account? Then you bank online.
Banks are all online in one form or another. Be it a customer portal you're choosing not to use or their own back-end computing system that is connected to the internet, your choice not to bank online doesn't really reduce your exposure that much.[2] You're still just as likely to be affected by a data breach that isn't your fault.
Hackers hack to gather personal information about you — your name, your social security number, your phone number, your address, your social media accounts — and using that information, they can act online as if they are you. That's identity theft, and it’s rampant.
Even if you don’t bank or have any financial activity online (more and more difficult to achieve these days), hackers can gather enough information to impersonate you from non-financial accounts. Even without access to your money, they can make money.
Once they can operate as if they were you, they can open new accounts in your name. They use these new credit or bank accounts (which you know nothing about) to make fraudulent charges, take out loans, or get cash advances, any of which you could be responsible for.
They could redirect your automatic pension or Social Security deposits into different accounts of their own. They could even use your accounts for money laundering.
"My bank / credit card company / online service will take care of me."
No organization can "take care of" you in the case of complex account or identity theft. Even when they help, it is still an enormous hassle.
Most of us have experienced having a credit card compromised at one point or another. That’s a hassle. When it goes further — deeper into account theft or full-on identity theft — it becomes much more than just a hassle. It can quickly turn into a confusing, frustrating, expensive, and painful process to recover from, taking months of effort to untangle, get your identity back, and prevent it from happening again.
And, of course, the damage from permanently losing access to your important online accounts, like email, photos on cloud storage, or social media, can be irreparable.
Do this
Many people consider online security a hassle. I get that. I really do.
But please trust me when I tell you it’s much, much less of a hassle than having your accounts compromised. I see the stories every day: money lost. Precious information (emails, photos, and more) lost. Friends and family put at risk.
And security need not be that hard! Make good security a habit (my article Internet Safety: 7 Steps to Staying Safe Online will get you started), and you’ll hardly notice it. Even the occasional minor annoyance of supplying a two-factor code when you sign into a new machine is nothing compared to having to engage identity theft services or lose valuable information forever.
Enjoy the internet. It's a wonderful and powerful tool. Use it to learn and connect with others. Just keep yourself safe and happy while you do.
Also, get more support from me. Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week. I'll see you there!
You wrote “2: Choosing not to bank online could even put you at greater risk, as you’re left relying on older, less secure alternatives.”
I would suggest not having an online account set up may put you at more risk, especially if you still use checks, which show all the information needed to set up an online account.
If you don’t do it, someone else may set up an online account for you, and you would not know until you get that monthly statement in the mail.
I’m posting this here rather than “staying safe on the internet” where this will be near the top and not buried under years of comments.
DO NOT RELY ON YOUR ISP’s ROUTER ALONE! At a minimum, install your own router between your ISP’s router* and your personal network. Or install two routers in series; the bandwidth loss will be negligible. Do your research, do not install two ‘identical’ routers from different OEMs. Additionally, buy your own router and replace the one from your ISP. Use vastly different, max length passwords/pass phrases for each. Yes, this is more work, but it’s “one-and-done.”
If your router has provisions for MAC address filtering, use it! If it doesn’t, get a newer router. This will go a long way to prevent wireless break-ins, but there are no absolutely safe methods against hacking. Again, more work but one-and-done until you purchase a new device. This is especially crucial in high density cities or suburbs where you may sense 20 or 50 wireless networks, so they also ‘see’ you; simply not broadcasting your SSID will not stop a hacker.
*Your ISP’s router is likely a combination modem/codec/router which unscrambles their internet signals (DSL, cable, etc.) and provides the more common local internet via hardwired connectors (RJ-45) and wireless.
I’m a VITA volunteer tax counselor. Unfortunately, every year several taxpayers learn that their identity has been compromised when their e-filed return is rejected because someone else filed with their SSN. Correcting the problem is difficult and will delay any refund by 10-14 months. (It doesn’t delay the requirement to pay, if due.)
I’m a retiree, so I don’t have to access a corporate network. If you must access one use a VPN to do so (and suggest to your supervisors that they should require everyone to use a VPN for remote access).
I try to lock down my computers as much as I can with the security tools available to me (Windows 10/11 Pro). For starters, my Microsoft account is secured with 2FA (Microsoft Authenticator), and I have activated ‘password-less’ access (I use Windows Hello to log onto my computer. Since I have a biometric fingerprint scanner on all three of my computers, I have set up Windows Hello fingerprint scanning to log on – so now, it’s my finger or my PIN to get me in).
I have a desktop PC and two laptops, one of which will never meet Windows 11’s hardware requirements (although it does have Secure Boot and TPM2 enabled – the CPU’s too old), so it runs Windows 10 Pro. My desktop PC and my newer laptop both run Windows 11 Pro. All three PCs have a Windows System partition, and (on an external drive) a data and a backup partition (for a total of three partitions each). I have encrypted all three partitions on each PC with BitLocker (the two partitions on the external drives have a password so I can access them in the event I can’t boot Windows). I have saved the recovery keys for all nine partitions to my Microsoft Account and printed them too. The printouts are stored in a safe in my home office. On my desktop PC, Windows will lock the screen after 5 minutes of inactivity if I forget to lock it when I leave my desk. Both of my laptops lock the screen when I close the lid (I found a small utility called lidlock on Downloads.com. I have used it for over a year with no issues. Reputation-based protection and SmartScreen are both enabled on all three devices, and I have never received an alert about lidlock on either laptop, so AFAIK it’s safe).
On the first day of each month (as one of my System/Security Maintenance routines), I go through the security settings in the Windows Security dashboard to make sure everything that should be turned on, is (this almost seems like a waste of time, but if I ever get any malware, it may pay off).
I use Macrium Reflect to back up my computers. On Monday, I generate a full system image, then I generate a differential image every other day of the week. I keep four image sets (a set consists of one full system image, and six differential images). Since they are written to an encrypted drive, I have little fear that in the event any of my computers get stolen, my data will be at risk. The one thing I wish could be possible would be to have a setting that disables the ability to clear the CMOS memory/TPM storage areas on my motherboard without entering an administrative password (if one is set), so a thief would be unable to install an OS to sell the machine. As it stands, I can short two pins on my motherboard to clear any password(s) I configure in the UEFI/BIOS system.
I keep all three computers as up to date as possible. I use Windows Update to keep Windows up to date on each patch Tuesday (IIRC, the second Tuesday of each month), and I have Patch my PC installed to keep my apps updated (I check it the first day of each month too).
I use LastPass here. I decided to wait and see what they do in response to the hack. At this point, I am satisfied with their behavior (so far), so I will keep them for now (this could change). I changed (and lengthened) my password, then took the steps they suggested to update my account’s security, so now (unless I misunderstand) everything should be safely encrypted. I check my vault monthly to ensure there are no duplicate passwords (another monthly system/security maintenance routine). I use the LastPass Authenticator for 2FA with my LastPass account/vault (not Microsoft Authenticator) to keep things under their own roof.
I have gone through all my Internet accounts (using LastPass), and enabled 2FA where it’s supported. For the few accounts that do not support 2FA as well as those I no longer use, I have requested that my account be deleted. All have complied, so now I can say that I use all the Internet accounts I have, and that they are all protected with 2FA. As a result, if some miscreant should somehow get the password to any of my Internet accounts, they will not be able to get in unless they have my phone too. Another monthly Maintenance/Security routine is me going through all my accounts in LastPass and canceling/deleting any I no longer want/need (this usually means I change nothing, but at least I know that I have no unused accounts). For the most part it’s easy, I log in to the site, go to my profile/account settings and choose the option to delete my account (if it exists – if not, I send an email to the webmaster to make the request). After I am notified that my account is deleted, I remove it from my LastPass vault (so far, no site that I have an account with lacks the ability to remove/delete my account).
Following the infamous Experian hack, I decided to freeze my accounts with the ‘big three’ credit reporting bureaus, Experian, TransUnion, and Equifax. Then when Leo published that there were other agencies, I also froze my accounts with them (so now, my credit is frozen with at least six reporting agencies). If my identity gets stolen, (IIUC) it’s unlikely the thief will be able to get an ID or open any account of any kind in my name. While I understand that my identity may still get stolen, at least the thief will not be able to get money in my name, and perhaps it will be much harder for him/her to get a legally recognized ID (driver’s license, social security card, etc.). Since I have no need to get a new credit card any time soon, all this works very well for me (and if I should decide that I want/need a new/different credit card, I can always temporarily unfreeze my account with whichever bureau will be used by the creditor – a little extra bother, but well worth it for the added security), YMMV :).
Finally, and perhaps most importantly, I employ what I call ‘Cognitive Security’. It involves never blindly trusting anything on the Internet. Rather, I hover my mouse over any link I want to click (be it in an email, or on a web page) to check where it will take me. If I have ANY doubt, I DON’T click! I never blindly believe anything others post, especially when what they say reinforces what I already believe. Instead, I fact check, using several sites I have learned to trust (factcheck.org, the Associated Press’s fact checking site, and a few others). Then I search the Internet for keywords I find in the post to try to learn where it came from. I don’t trust far-right or far-left sources. After doing my due diligence, if I find that the post is accurate, I still take it with a small grain of salt (I never know what the poster’s agenda may be). For the most part, I try to make up my own mind about politics, religion, and most anything else I see on the Internet.
For the most part, these are the things I do to keep myself secure. Everything I have done so far has been intended to make it as hard as possible for the bad guys. You may not want to go as far as I have, but you can feel free to use what I’ve written here as a general guide. Hopefully, doing so will help you to remain more secure on the Internet (and less susceptible to the propaganda of others).
Ernie
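Ernie's monthly vault review above (checking that no password is used on more than one site and that every remaining account has 2FA) is the kind of check that can be scripted against a password-manager export instead of eyeballed. The following is an added example, not code from Ask Leo!, from Ernie, or from any password-manager vendor: it reads a constructed CSV export (the `url,username,password,totp` column layout is an assumption about the export format, and every row is made-up sample data) and reports passwords reused across sites plus entries with no stored TOTP secret. Passwords are compared by SHA-256 fingerprint so the report never carries plaintext.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export. The data is invented
# for this example, and the column layout is an assumption about the format.
SAMPLE_EXPORT = """\
url,username,password,totp
https://mail.example.com,ernie,correct horse battery staple,otpauth://totp/mail
https://shop.example.net,ernie,correct horse battery staple,
https://bank.example.org,ernie,Tr0ub4dor&3,otpauth://totp/bank
https://forum.example.com,ernie123,hunter2,
https://old-game.example.com,ernie,hunter2,
"""


def load_entries(export_text):
    """Parse the CSV export text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def _fingerprint(password):
    # Compare and report by digest so the audit output never contains
    # the plaintext password itself.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(entries):
    """Return {fingerprint: [urls]} for every password used on two or more sites."""
    by_password = defaultdict(list)
    for entry in entries:
        if entry["password"]:
            by_password[_fingerprint(entry["password"])].append(entry["url"])
    return {fp: urls for fp, urls in by_password.items() if len(urls) > 1}


def find_accounts_without_totp(entries):
    """Return the urls of entries whose 'totp' column is empty."""
    return [entry["url"] for entry in entries if not entry.get("totp")]


def audit(export_text):
    """Run both checks over one export and return the findings."""
    entries = load_entries(export_text)
    return {
        "reused": find_reused_passwords(entries),
        "no_totp": find_accounts_without_totp(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for fp, urls in report["reused"].items():
        print(f"password {fp} reused on: {', '.join(urls)}")
    for url in report["no_totp"]:
        print(f"no TOTP secret stored for: {url}")
```

Treat the `no_totp` list as "verify", not "unprotected": an empty column only means the vault holds no TOTP secret for that site. The account may still be covered by an authenticator app kept outside the vault (as Ernie does with a separate authenticator for the vault itself) or by a hardware key. The `reused` list, by contrast, is a direct finding, and rotating those passwords is the one-and-done fix.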
I don’t see a major advantage in using a VPN to access a corporate network. Most, if not all, corporate networks use an HTTPS:// (SSL) connection which is already encrypted end-to-end. That’s even safer than a VPN connection by itself, because a VPN connection is not encrypted between the VPN and the computer you are accessing, unless the site you are accessing uses SSL, which would make the VPN redundant.
I gotta say Ernie, that if (and that is a pretty big IF at this point), you do get hacked or compromised in some way, nobody is going to say you did nothing to prevent it. When you wrote about the 3 credit agencies, I immediately thought to ASKBOBRANKIN’s article where he wrote about the 6 of them, but then you mentioned Leo having written about them. I’ve been reading Bob’s stuff since he was publishing his TourBus. Having just recently found Leo’s newsletter, I feel confident to say that subscribing to both Leo and Bob will cover a large range of topics. I, too, am retired (as in like the past year, officially). I started with computers back in college and had to use punch cards to create 1 line of code (or data). Boy was I happy when I got a job in the computer lab (my job was to take the other students’ punch cards and run them through the Univac 1106 card reader so their job could be created). And then of course, hand them out when done. Good times. A perk of the job was that I got an online account. So no more 500-card COBOL decks for me. Oh, and text version D&D.