With the massive breaches of Capital One and StockX and the accidental doxing of Electronic Entertainment Expo (E3) journalists by the Entertainment Software Association (ESA), it seems to be a futile endeavor to protect our identity. Regardless of the overwhelming news about breaches, hacks, and leaks, it is possible to take simple steps to secure our identity in personal interactions and on the internet.
In this article, I will share some of the techniques I have learned from working in Operations Security (OPSEC) environments and how these techniques can be used to provide measurable security with minimal interruption to daily convenience. This is not a comprehensive list of tips or techniques for staying secure in a digital world and the reader should diligently seek out multiple resources to extensively secure his or her identity. Additionally, all of the tips in this article should be weighed with proper judgment — deciding when the risk of compromise justifies the cost of a service or technique.
Protection Is not Paranoia
The most important rule to remember is that securing our identity is not paranoia. Exerting effort to secure our identity is not irrational and taking simple steps to ensure we reduce the risk of personal loss or even doxing is not excessive. In fact, failing to take these measures is lackadaisical and negligent. Protecting our identity can be taken too far — in the same way that a person could refuse to leave his or her house in fear of getting injured or for fear that an aberration is out to get them — but that is not a reason to swing in the opposite direction and do nothing.
Share on a Need-to-Know Basis
The easiest step to take is not sharing information with anyone we do not trust without a valid or pressing Need-to-Know (NTK). When working with classified or sensitive information, the easiest means of reducing the spread of sensitive data — and therefore the chance of divulging that data — is for as few people to know the data as possible. In both military and civilian circles, this means that a person is restricted from sharing any information unless the person or entity that they are about to tell can prove that they have a valid reason to know the data (and have the proper credentials, in the case of classified data).
In daily life, this means sharing sensitive data, such as mailing addresses, email addresses, phone numbers, credit card or bank numbers, Social Security Numbers (SSNs) — or equivalent identifying information for non-Americans — and names with as few strangers as possible. Thinking about telling a conference our phone number and mailing address? Be sure that the conference really needs this information. Maybe this information will be used for marketing by the conference organizers and is optional. Sometimes the entity requesting this information will not tell users upfront that the information is optional — since they want people to provide the information by default — but it cannot hurt to ask if that information is required.
The level that we guard information should depend on the nature of the data itself, as well. For example, we may consider our email less important than our SSN and should guard each accordingly. In some cases, agencies or companies will request SSNs to process inquiries or payments quicker, but this information is not required.
By default, do not hand out information unless it is required or the value of handing over that information outweighs the risk. For example, providing a company with an email address to get a 20% coupon for a large purchase may be worth it for some. Or providing the Internal Revenue Service (IRS) with an SSN to hasten the processing of payment may be worth the possible disclosure.
It is also important to consider the nature of the agency that we are handing the information over to. For example, we may be more comfortable handing a bank routing number to the IRS than we would to a small online store. Remember, though, that no institution is impervious. Even the Office of Personnel Management (OPM) — the agency that manages security clearances for the US Department of Defense (DoD) — divulged more than 21 million SSNs and more than 6 million fingerprints in 2015.
We need to use our judgment when providing any institution with our information and share that data on an NTK basis. If the information is required, be sure that the benefit outweighs the risk and that the institution takes proper precautions to secure that information. If information is required, there are also steps that we can take to ensure we are not adversely affected by a breach or hack.
When we are required to share information, it is a good idea not to directly share our personal information, but rather, to proxy it. In the case of the ESA breach, journalists were required to provide their mailing address and phone numbers in order for the ESA to provide gaming companies with contact information (in case the companies wanted to get in contact with the journalists). The ESA hid the information behind a password-protected portal — or so they thought. In actuality, the Excel sheet containing this personal information was accessible from the E3 website if a person had the URL.
Some journalists used their business addresses and phone numbers, which means that their personal information was not divulged. Others, such as game streamers who run a personal, one-man business, did not have this luxury. Instead, they used their home address and phone number; this information was leaked on the internet, amounting to an accidental doxing.
Those who provided a business address or phone number insulated their actual identity and their home address and personal phone number remain unknown. This should always be the case when providing information that will be shared directly or indirectly with organizations that we do not know or trust. For example, when signing up for a conference, it’s a good idea not to use our personal phone number or home address — if it can be helped — especially as a high-profile personality that will draw attention. Having such insulation ensures that if the information is leaked, we can terminate the proxied address or phone number and our personal information is still secure.
In the case of mailing addresses, the goal is to detach the location of our home from our mailing address. Consider one of the following options:
- Open a PO box: A Post Office (PO) box can be reserved directly from the US Postal Service (USPS) and acts as a legal address. This is often used for small businesses that do not want to provide the personal address of the owners to customers, but it can also be used for personal use. The price of a PO box varies by region and can be reserved on a three, six, or 12-month basis. For more information, see the official USPS PO box website. It also might be useful to open a PO box in a nearby town, not necessarily our home town, since the location of the PO box address may implicitly tell others where our hometown is.
- Create a proxy address: Apart from official postal addresses, companies offer services where they will receive mail at a proxied address and only forward us the mail if approved. For more information, see ShipToProxy or USA2Me. Keep in mind that this requires that we trust these organizations enough to provide them with our personal address.
For phone numbers, consider creating a burner number that can be discarded if divulged:
Having a proxied address and a burner number will ensure that even if an institution, such as the organizer of a conference, leaks this information, our personal information remains secure.
Protect Internet Access
Apart from proxying contact information, we can also proxy our internet access. Normally, our computer directly connects to a server and downloads a webpage, which allows the server — or our Internet Service Provider, ISP — to monitor that connection and obtain information about our browsing patterns and the device that was used to download the webpage.
To stop this snooping—or more malicious man-in-the-middle attacks—we can use a Virtual Private Network (VPN) connection, which establishes an encrypted connection between our computer and a VPN provider server, which then makes a connection to the web server on our behalf. From the perspective of the web server, the VPN server is making the request; the web server does not know that the request is then being forwarded to our computer.
The encryption ensures that any entity, such as our ISP, cannot inspect the connection.
There are numerous VPN providers, including:
Using a VPN can also allow us to act as if we are in a different location than our computer. For example, if we do not want someone to know that we live in Indianapolis, IN, we can connect to a VPN server in Phoenix, AZ. Then, when we try to view a website, the web server will think that our computer is in Phoenix since this is where the connection originated.
Beyond protecting our identity and internet access, we can also protect our data stored on our devices. For example, if someone were to obtain our laptop, they might be able to extract files and data off of the hard drive, without even booting the Operating System (OS) on the device — bypassing any Windows or Mac password we have. Likewise, if someone obtains our phone, they could obtain important information, such as our contact information or contact list.
This is especially important when traveling, where losing a device in an airport or leaving a device in a hotel is plausible. Although it is likely that no one will attempt to steal our information, it provides peace of mind to know that they cannot.
The means of encrypting a device depends on the type of device and the OS installed on the device:
Note that encrypting a device could cause it to behave more slowly. Additionally, encrypting a device could cause the device to become unrecoverable if the encryption password is lost. For the same reason that a malicious agent cannot access the device without a password, we can also be locked out of the device if we lose the password. It is important to use a password that is both secure and can be memorized when encrypting a device.
Even with all of our best efforts, there are times when our sensitive information might be compromised. For example, even if we made sure to not give out our credit card information, if we had a Capital One credit card, our personal information may still have been compromised through no fault of our own.
To handle the aftermath of such a breach, it is important to have some level of identity theft protection. Such a service ensures that when our information is made public, our finances and identity are secure. For example, if our account numbers were disclosed, it is important to ensure that charges are not made to our account without our permission.
Likewise, it is important that our identity is secured. While our financial data may not have been compromised, leaking of SSNs or even addresses could allow a malicious agent to file our tax returns before we do or inquire about a new line of credit without our say-so.
Identity theft protection cannot stop all of the attacks that can happen to us, but it is one important step in mitigating the risk of identity theft. Some of the most popular identity theft protection services include:
Identity theft protection can be expensive—depending on the level of protection — but if the price is acceptable, it can be an important part of a comprehensive security posture.
The number and scale of recent compromises and hacks have been alarming, and the sheer scope of these infiltrations can make it seem like security in a digital world is futile, but it is not. There are simple steps that we can take on a daily basis — and others on special occasions, such as conferences — to ensure that we provide ourselves with a reasonable level of security.