How to protect yourself from a data breach

June 10, 2011

Hackers have been having a field day of late, stealing data from big companies — with Citigroup the latest. So, now what? What are we supposed to do if crooks keep breaking into the corporate vaults where we keep all of our information?

Is there cause for concern? Yes. But, let’s not panic too much, at least until you finish reading.

If what Citi says is true, the bad guys took account numbers and the associated names and contact information. Bad? Yes. But not terrible — yet.

Without the rest of the information: expiration date, the card’s validation code or your password, there’s not a lot the thieves can do with that information. That is, unless you help them.

What’s that? Help them? Yes.

The information they have right now gives them a powerful tool to get your help. For the 200,000 folks hit in this round, the crooks know who issued your credit card, your account number, your email and where you live.

“Now they can use what they have to construct some very credible phishing attacks,” says Jonathan Gossels, president and CEO of SystemExperts Corporation, an information technology security firm.

Unless you give up that information, typically because of a well-crafted fake email, there’s little other value in that data, experts say. Plain and simple, your bank is never going to ask you for the information these crooks are phishing for.

“If you’re seeing that, it’s a trick,” Gossels says.

Citi will give the affected customers new cards, effectively nullifying the threat.

Still, that doesn’t offer much in the way of confidence to consumers who have watched one company after another take a hit. But experts agree that financial institutions are well ahead of many other industries, in large part because of what they’re responsible for — your money — as well as being driven by laws that force the issue.

One thing that isn’t always transparent to consumers is data storage. If security does fail at some level, most financial companies have systems in place (as Citi did) to alert them of the break-in. But because the information is in silos, what was taken was of limited use.

You don’t need to go far to see an example of what can happen when security isn’t as tight. Sony, whose PlayStation system was hacked, gave up information on more than 70 million users.

Now what? How are these companies going to protect us?

“It’s about coming to a solution that is not overly intrusive to consumers,” says Paul Stephens, director of Policy and Advocacy with the Privacy Rights Clearinghouse. “You’ll never get to 100 percent security, but you want to get as close as you can.”

Believe it or not, most banks and credit card companies are already doing a lot on the consumer side of things to keep your personal information safe.

Site keys, those goofy pictures you have to choose on many sites, offer a way to assure you that you’re really on the right site. If you don’t see that ear of corn or picture of the moon one day, you’re supposed to know that means DON’T LOG IN. Some people don’t pay attention, though.

Then there are additional levels of authentication. At JP Morgan Chase (and others), if you’re on a computer you haven’t used before to check account information, you’re going to get challenge questions. And if you answer with the correct name of your pet, for example, you then get a security code emailed to your address on file or sent to your phone via text message.

And then there’s the tool Bank of America offers, which allows any customer to receive that one-time use code. It’s called SafePass. Bank of America also offers, for a fee, a token (like the ones many of us have at work) that provides a code that must be added after you’ve already put in your password.

But EMC Corp.’s RSA, the top issuer of tokens, was also the victim of a breach. Which goes back to that idea that there are no guarantees of complete safety.

Phil Blank of Javelin Strategy & Research said his company’s survey of the top 25 players in the financial industry found that all use multiple levels of authentication with telephone banking. Two-thirds offer secondary authentication for online banking. “Educating the consumer and providing them the tools and knowledge necessary to fight fraud is important,” Blank said. “We have just seen that traditional security measures can eventually be breached.”

He said companies need to be prompt in reporting breaches and telling affected customers they are indeed affected. “Financial institutions need to protect all data, not just data that it believes is sensitive,” Blank said. “The Epsilon breach demonstrated that.”

Epsilon, which distributes billions of emails for hundreds of companies, coughed up contact information for untold millions of consumers.

“In the past, we would not have thought that notification in an email compromise was important at all,” says Lisa Sotto, a partner at the law firm Hunton & Williams, which has advised companies in the aftermath of some 750 data breaches. “We’re now seeing that it’s important to notify consumers of the compromise of information that previously wouldn’t have been viewed as data that would lead to identity theft.”

If that didn’t already make the landscape more complex, Sotto says the level of sophistication of the crooks has gotten so high that the best security last week isn’t necessarily enough this week.

“The problem for legitimate businesses is they have to stay one step ahead of a very sophisticated pool of criminals who have every incentive to succeed,” she says.

Now for the good news. You can stop most of the potential risk to your money by not responding to suspicious emails (and you should have your skeptical eyes out for them). In addition, you need to toughen your passwords.

If you’re like most people, that’s going to involve a radical change, but it’s one that should minimize your exposure.

Here’s what the experts suggest, from the most obvious, to the most annoying:

  • Don’t store your passwords.
  • Never use your name, a child’s name or some obvious sequence of numbers.
  • Have a different password for every account (don’t write them down and keep them in one place).
  • Use upper and lower case and special characters in your passwords.
  • Consider getting a token or other form of one-time use code that only you can receive.


You are putting all the burden on the customers! The Banks charge us coming and going. They have the resources and are responsible and should develop secure systems to protect our information. If they lose credibility the customers will simply stop using online banking which is far more cost effective for the banks than traditional banking! They have to get the job done so it is simpler and more secure for the customer.

Posted by amj

Don’t you guys think that BOFA had foreseen the potential threats and invested for a secure website that has been working, with a site key, safely for years and at any time a suspicious fraudulent use of their cards happens, the very night the card-holder is alerted; but sad to say that even American Express and Citi haven’t been doing such things for the protection of their card-members.
Also, this is not the first time Citi’s account details are stolen. So it’s high time that these behemoths should start learning things, so that the card-holders should feel safe.

Posted by Jane10

Different complicated passwords for each site which are not written down or stored? This is not a practical combination.

Posted by Solli

There is nothing wrong with writing down your passwords. In fact, everyone should keep an up-to-date password list with their will, and let their executor know about it.

There are four basic ways to manage passwords:

1. The password manager: This is software such as lastpass or roboform, which manages your passwords for you. They store encrypted copies of all your sites / passwords and fill your web forms for you. You just need a single strong password to get any other password. The argument is what happens when they get hacked, or you have a keylogger on your machine?

2. The password list or book where you keep site names and passwords: The argument against this is losing the book. You can easily circumvent the issue by using a short hand in your notes. Instead of writing / [password], you could write tcn / [password] . You know that tcn means the crimson, but would the person who picked up your book know? That depends on if they know you, or they found it lying somewhere.

3. The password hasher: This runs a weak password through an algorithm using the site name as a seed. The best known of these is the Stanford Pwdhash. This is a simple tool that you enter the site address and a password. It then creates a more complex hashed password from it. For example, I used for the seed, then used 123456 for the password, and it generated LPdmlY40. The argument with this is that you are tethered to a tool. If you can’t get to the tool for some reason, you’re stuck with resetting your password. Also, if you use this, use a stronger password than 123456 to build your hash.

4. Your brain and a system: This is our recommendation. We are an advocate of the password sandwich. Our Healthy Passwords book is about this, so this will be a very brief explanation. This is where you create a short ingredient list. Preferably, two weak ingredients (the bread), and one stronger ingredient (the main ingredient) is used. You connect them with special characters (condiments). The system part is how you assemble it. First, we recommend one piece of bread be a site code such as tcn for thecrimson. Second we recommend an expiration code for the other piece of bread such as q2 for expires second quarter. For the main ingredient we recommend mnemonics of short rhythmic phrases. Use a song you cannot get out of your head. In the book we use the public domain example of “Three blind mice, See how they run” to create TbmShtr. Putting it together, thecrimson becomes tcn@TbmShtr!q2 and TWITTER becomes twt@TbmShtr!m4 (Twitter expires every month presently at the end of April). You can write these all down using a shorthand on a simple wallet card using your own shorthand.

If you are currently using weak passwords across sites, any of these is better than your current practice.

Posted by HealthyPassword
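
An added example (not part of the comment above, and not the code of PwdHash or any other tool it names) showing options 3 and 4 side by side: a site-seeded derivation and the "password sandwich" assembly, which reproduces the comment's tcn@TbmShtr!q2. The function names, the PBKDF2 parameters and the symbol set are assumptions chosen for illustration.

```python
import hashlib
import re
import string

LOWER, UPPER, DIGIT = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOL = "!@#$%^&*"                      # assumed symbol set; sites differ
ALL = LOWER + UPPER + DIGIT + SYMBOL


def site_password(master: str, site: str, length: int = 16,
                  rounds: int = 200_000) -> str:
    """Option 3: derive a per-site password from one master secret.

    The site name is the salt ("seed"), so each site gets an unrelated
    password, and the slow KDF raises the cost of guessing the master
    secret from one leaked site password. A weak master is still weak.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    salt = site.strip().lower().encode()
    stream = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                 rounds, dklen=length)
    # First four positions are forced to one class each so that common
    # composition rules pass; the remainder draws from the full alphabet.
    # (b % len(cls) has a slight modulo bias, acceptable for a sketch.)
    classes = [LOWER, UPPER, DIGIT, SYMBOL] + [ALL] * (length - 4)
    return "".join(cls[b % len(cls)] for cls, b in zip(classes, stream))


def mnemonic(phrase: str) -> str:
    """First letter of every word, keeping the phrase's own capitalisation."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase))


def sandwich(site_code: str, phrase: str, expiry: str,
             left: str = "@", right: str = "!") -> str:
    """Option 4: site code + condiment + mnemonic + condiment + expiry code."""
    return f"{site_code}{left}{mnemonic(phrase)}{right}{expiry}"


if __name__ == "__main__":
    phrase = "Three blind mice, See how they run"
    print(sandwich("tcn", phrase, "q2"))
    # Constructed inputs: placeholder master secret and example domains.
    for site in ("bank.example", "mail.example"):
        print(site, site_password("constructed master passphrase", site))
```

The middle of every sandwich is the same string, so a single plaintext leak exposes the pattern used on the other sites; the derived passwords share no visible structure, at the cost of depending on the derivation tool.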

Let’s face reality. By now you have had ten to fifteen years of posting personal information into cyberspace. All of this is available for social engineering and phishing. All that is needed is for someone to decide you are a desirable target. The best thing to do is skip out and change your identity. A fresh start is always good. You don’t like your spouse, the job bites, the kids are a pain; It’s a great idea! Oh, wait a minute. There’s that facial recognition software. Oh well, scratch that.

Posted by jrg
