The Lockdown Diaries — 6 Steps to Increase Your Online Security

Pardon me, but your passwords are leaking. Like, all over the internet.

The companies that store our information are selling it, losing it, and just plain giving it away. From security breaches at Target to Equifax, millions of passwords, social security numbers, and credit cards are now on the web. Account takeovers in 2017 resulted in $5.1 billion stolen from 1.3 million U.S. consumers.

Seriously, you can look yourself up on sites like Spokeo to see what is on public record about you, and on Have I Been Pwned to check whether your email address has turned up in a known breach (if you have an old Yahoo e-mail from high school, I can almost guarantee it has).

Before throwing away your computer in Ron Swanson-like rage, know that there are actionable steps to take to lock down your accounts. Now that I share my net worth online, it was time for me to do a full security sweep, and I recorded each step to share with you.

Disclosure – this post contains affiliate links. If you buy a product through these links, I receive a small percentage at no extra cost to you. 

The Checklist

If you don’t care much for the details and just want to know what to do, here is the quick and dirty summary:

  1. Download a password manager, then change your most critical passwords, such as your bank, credit card sites, and your emails.
    1. Free Option: LastPass
    2. Paid Option: 1Password
  2. Make up or randomize answers to common security questions.
  3. Freeze your credit at all three credit bureaus (Experian, TransUnion, and Equifax).
  4. Enable 2-Factor Authentication on every site that supports it.
  5. Install a VPN.
    1. Free Option: Windscribe
    2. Paid Option: Encrypt.me
    3. Install HTTPS Everywhere on your browser (Chrome, Firefox)
  6. Remove your data from public aggregator sites

Step 1: Password Manager

I held out on using a password manager for a long time, shying from the idea of putting all my password eggs in one basket.

Instead, I remembered them, organizing them into a few password “buckets.” There was a unique password for my Facebook and bank accounts. Then, I had variations on a theme for each email account. Finally, there was a common password for all those little inconsequential accounts that don’t have stored information about me.

Password Generation

It worked fine for me, and I haven’t suffered a hack besides my ages-old middle school e-mail. I gladly let the hackers have it, hoping that it would never be associated with me again. Middle school was an embarrassing time when one might (hypothetically, of course) make emails containing words like ‘roflcopter’ or ‘sparklez’. It was most likely compromised in the Neopets hack, a hazy era of my life when I didn’t shop online or have access to a credit card.

Even though nothing important to me has been compromised, the fact of the matter is that my brain can’t store hundreds of passwords with the ideal complexity. As much as I hate to admit it, my brain’s password basket is flimsy and easy to knock over.

[Image: Generating secure passwords with LastPass]

A password manager can generate secure passwords that meet all of the ever-changing requirements of the sites you visit and then store them in order to auto-fill the next time you log in.

Trustworthy Encryption

Password managers like LastPass, 1Password, and Dashlane have withstood the test of time. What finally convinced me to use a password manager was understanding that even if the service itself is breached, the stored vault is encrypted and unreadable without your master password.

If someone at LastPass was kidnapped and held for ransom for your bank password, there would be no way, even with their insider knowledge, to access your data. The only way to read the information is by using your master password. Good for me, bad for the hostages.

A Single Master Password

Mr. Mechanic once forgot his LastPass password and lost access to his account, which was a wake-up call to make a secure but memorable master password.

One way to pick a memorable password is to pick up a book and circle four or five random words to use as your password. The webcomic XKCD expands on this strategy. As an example, I grabbed Randall Munroe’s book What if? and cobbled together this password: “dubbed shoebox large transfer.” A thief is more likely to steal your electronics than that book (unless they are a huge nerd) and even less likely to know that the circled words mean anything (unless they are actually in a Dan Brown novel).

Ultimately, the tradeoff of setting up LastPass and installing it across devices is worth having strong, unique passwords safeguarding every account you set up.

Step 2: Randomize Answers to Security Questions

We’ve all had to answer security questions before, but the questions don’t provide as much security as we once hoped. Your mother’s maiden name is available through public record. The name of the first company you worked for is available on LinkedIn. Your Facebook reveals your high school mascot. Each detail is something we would readily write up in a Facebook survey Kathy tagged us in called “10 Facts About Me You Never Knew!”, or just while oversharing with our dentist.

Here are two methods to circumvent this flaw:

  • Make up a memorable but nonsensical answer to use from now on.
  • Generate randomized answers and save them in LastPass.

For example, your mother’s maiden name might be Smith, but from now on use something that would be more difficult for a fraudster to guess, like Smithsonian. When asked about your favorite book, you can store your random answer of “fYW69!H)tb]Fb3Fj” in the secure notes section of LastPass.
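As an added example (not code from the original post, and not LastPass’s own generator), here is how the two pieces of advice above, a random four-word passphrase for the master password and a random string for a security-question answer, can be generated and measured. The word list and the character policy are constructed stand-ins; a real passphrase list such as the EFF long list has 7,776 words, which is the figure used for the entropy estimate.

```python
import math
import secrets
import string

# Constructed stand-in for a real passphrase word list (a real list such as the
# EFF long list has 7776 entries); only here so the example runs offline.
WORDS = [
    "dubbed", "shoebox", "large", "transfer", "anchor", "meadow", "copper",
    "lantern", "thimble", "glacier", "orbit", "saddle", "velvet", "harbor",
    "pencil", "tundra",
]

# Character classes a typical site policy demands (constructed policy).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 symbols


def passphrase(n_words=4, words=WORDS):
    """XKCD-style passphrase: n_words drawn uniformly with the OS CSPRNG
    (secrets), never with random.choice, which is predictable."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list_size).
    Four words from 7776 gives about 51.7 bits; the attacker is assumed to
    know the list and the scheme, only the choices are secret."""
    return n_words * math.log2(list_size)


def random_answer(length=16, alphabet=ALPHABET):
    """Random security-question answer or site password: uniform over the
    alphabet, then rejected and redrawn until every character class is
    present, which is how to satisfy a site policy without biasing the
    generator toward fixed positions."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def charset_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    16 characters from 94 symbols is roughly 105 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("master passphrase:", passphrase())
    print("security answer:  ", random_answer())
```

The passphrase is for the one password you must remember; everything else goes into the manager as a random string, because nothing about a 94-symbol, 16-character answer can be looked up on LinkedIn or Facebook.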

Step 3: Freeze Your Credit!

Identity theft is a nightmare, and the ramifications of someone opening new lines of credit in your name and dragging you into debt are severe. One quick and easy way to safeguard against identity theft takes only 15 minutes: freeze your credit.

You used to have to pay to freeze your credit and again when you wanted to allow creditors access to it. Even when you had to pay, it was 100% worth the extra security.

Thanks to the 2017 Equifax breach, in which 143 million people had their social security numbers, addresses, driver’s license numbers and other information exposed, credit freezes are now free. As online attacks are primarily financially motivated, it is critical to lock down your credit so nobody can pretend to be you to finance their new Ferrari.

[Figure: from Verizon’s 2018 Data Breach Investigations Report]

You can temporarily lift the freeze if you want to sign up for a new credit card or take out a loan, and it will not negatively affect your score at all. Anybody trying to sign up for a new line of credit in your name will be unable to without the PIN you are provided upon freezing. (Be sure to store your PIN somewhere you won’t lose it!)

First, get your free yearly credit report to check if there is any suspicious activity. Then, lock it down.

In 15 minutes, I froze my credit at all three credit bureaus: Experian, TransUnion, and Equifax.

Step 4: Two-Factor Authentication

Signing in with your username and password is one-factor authentication (1FA). Add in another layer of security — a fingerprint, a text, or an email — and you have two-factor authentication (2FA).

Recently, someone accessed Mr. Mechanic’s e-mail account and set up a filter to send all e-mails from Amazon straight to the trash, then ordered a bunch of gift cards online and a GoPro to our house. He only found out through the Amazon app when he got a “Your package is being delivered” text; otherwise, we would not have known until either the package or the $300 bill arrived.

If he had used 2FA, the hackers would not have been able to get into his account. As it was, a couple of calls solved the issue, but I don’t like to imagine what would have happened if it were his PayPal or bank account instead.

It took me embarrassingly long to get around to setting up 2FA on my accounts. It felt like a tedious extra step to log in. In my security overhaul, I checked this list and added 2FA to every site I use that supports the extra protection.

The PIN gets sent to my phone immediately and I key it in. Simple. It might be one more step for you, but that means it is one more layer of security to keep you safe.

Note on SIM Hacking

There was a fascinating episode on the podcast Reply All called The Snapchat Thief, wherein hackers bypassed 2FA by convincing phone carriers to move the victim’s number to a new phone. This meant that text-message codes and password-reset messages were sent straight to them.

There are three methods to stop this kind of hijack:

[Image: User on a computer with a hardware token. Having a hardware token is one of the most reliable ways to keep data secure.]

For convenience, I recommend getting the free Google Authenticator app and using it on any sites that support it. Codes from an authenticator app are generated on your phone from a secret shared at setup, not sent by text, so a swapped SIM receives nothing. Here is a guide with examples of how to set up 2FA for WordPress, Outlook, Evernote, Dropbox, and LastPass. If you are very serious about locking down access and don’t mind needing a physical key to get into your accounts, buy a Yubikey.

In addition, when registering contact info for password recovery, you can use a Google Voice number, which is hijack-proof. You can port your own number to Google Voice for $20, or generate a new Google Voice number for free. Generating a number took a matter of minutes, and I got to choose a Denver area code! Google will route texts and calls to your Google number straight to your phone, and it can’t be ported away in a SIM hijack.

These options will increase the security of your Google account, Apple device, Twitter, Instagram, and other social profiles.

Step 5: Use a VPN

When you connect to public WiFi, you run the risk of a cybercriminal on the same network intercepting your unencrypted data. Personal VPNs encrypt your traffic between your device and the VPN provider’s server, which protects you from these types of attacks.

It is hard to find reliable, free VPN services. The process requires servers and bandwidth to function, so they need to profit somehow. Most free options do this by selling your browser history, inserting ads into pages you view, or piggybacking traffic onto your personal bandwidth. Avoiding these invasions often requires paying for the service. Your best bet is to find providers that offer free tiers of VPN services along with premium paid options.

Free

The best free option I could find is Windscribe, which provides 10GB of data monthly with unlimited connections. Our data usage runs around 30GB a month, largely due to video streaming at home. We don’t mind the world knowing that we are still only on Season 3 of Game of Thrones (no spoilers please!), but as for our logins and financial transactions, we make sure the VPN is on.

Paid

Encrypt.me is a highly regarded VPN that goes for $9.99 per month or $99.99 for the year. It has a streamlined interface and works on multiple platforms.

Note on HTTPS

One of the major risks of accessing public hotspots is that unencrypted data can be intercepted. One nice add-on to have is HTTPS Everywhere, which defaults to HTTPS on sites that support it. HTTPS encrypts the page contents and the path you request, although the hostname you are connecting to is still visible to the network.
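As an added illustration of how an upgrade-to-HTTPS extension decides what to rewrite (example code, not the HTTPS Everywhere source or its real rulesets), here is a small rewriter over a constructed ruleset with hypothetical .test hostnames: a URL moves from http to https only when a rule covers its host, an exclusion pattern can keep a specific path on http (the case where a site’s old section breaks under HTTPS), and an https URL is never downgraded. The last function lists which of a set of constructed URLs would still leave the device in plaintext, which is the check that tells you what a hotspot eavesdropper could read.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset in the spirit of an HTTPS-upgrade extension's rules:
# a host pattern and optional exclusion patterns (all hostnames hypothetical).
RULESET = [
    {"hosts": [r"(www\.)?example-bank\.test"], "exclusions": []},
    {"hosts": [r"(www\.)?example-news\.test"],
     "exclusions": [r"^http://example-news\.test/legacy/"]},
]


def upgrade_to_https(url, ruleset=RULESET):
    """Return the https:// form of url when a rule covers its host and no
    exclusion matches; otherwise return it unchanged. An https:// URL is
    returned as-is, so the rewriter can never downgrade a connection."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""          # lower-cased, port stripped
    for rule in ruleset:
        if any(re.fullmatch(pattern, host) for pattern in rule["hosts"]):
            if any(re.search(excl, url) for excl in rule["exclusions"]):
                return url               # site opted this path out
            return urlunsplit(parts._replace(scheme="https"))
    return url                           # no rule: left as plain http


def still_plaintext(urls, ruleset=RULESET):
    """The URLs that would still go out unencrypted after the rewriter runs:
    hosts with no rule, and excluded paths. These are what an eavesdropper
    on an open hotspot can read in full."""
    return [u for u in urls
            if urlsplit(upgrade_to_https(u, ruleset)).scheme == "http"]


if __name__ == "__main__":
    # Constructed sample traffic, not real browsing history.
    sample = [
        "http://www.example-bank.test/login?u=1",
        "http://example-news.test/legacy/page",
        "http://example-news.test/today",
        "http://other.test/x",
        "https://already-secure.test/",
    ]
    for u in sample:
        print(f"{u:45} -> {upgrade_to_https(u)}")
    print("still plaintext:", still_plaintext(sample))
```

The rewriter only helps for hosts that actually serve HTTPS; anything in the "still plaintext" list is exactly the traffic the VPN step above exists to cover.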

Step 6: Clean Up Your Data

After you have finished the big hitters (using a password manager, freezing your credit, setting up 2FA, and installing a VPN), you can follow one more step to keep your data from being easily searchable.

Several aggregator sites collect data on you, but they will remove it if you ask. I went through the steps at the end of this workbook to remove my data. What I found on these sites was interesting. I saw my employment history attributed to someone else with the same name.

There was a satellite map that pinpointed my exact address, and another showed the last 5 addresses where I lived (which are coincidentally security questions I answered to prove my identity to the credit bureaus when I froze my credit).

It should not have been surprising, but it was a bit of a shock to see that anybody could look up where I live knowing only my name.

Head to these sites and opt-out:

Spokeo

TruePeopleSearch

Mylife (which creepily also has a ‘reputation score’)

Radaris

Whitepages

Intelius

Been Verified

Infotracer

There are many more to opt out of, but those are the bigger ones. This chapter provides more detail about Public Data Removal from the book Hiding From the Internet.

Bonus: You know those credit card offers you get in the mail? Through doing research for this post, I found out that Consumer Credit Reporting Companies are allowed to include your name on those offer lists. I pick out good credit cards myself, so all those letters are a waste of time and paper. I found out that you can opt out electronically from receiving offers for 5 years.


Conclusion

Financial security comes in many forms, from the knowledge that you can pay your next bill to the literal lockdown of your financial accounts. Prepare for inevitable attacks by following the checklist and securing your financial future. Practice security as you would practice for skydiving: it is worth the hours on the ground prepping for a bad situation. When it comes to parachutes and passwords, a lot is at stake. Do the due diligence to ensure your safety and security.

Have you ever been hacked? Do you have other recommendations for keeping your finances secure? Am I the only one with an embarrassing middle-school e-mail address?

Leave a comment below!

16 Comments

  1. Welp, apparently everyone has my email and password.

    My work has a service called Passpack that I use for some things. This reminded me that I need to upgrade to the latest version so I can auto-fill the password on forms (like LastPass). I need to do a better job at doing this. You would think being on the computer all day I would have prioritized this. But nope. Great post!

    1. Yes it took me this long to get around to using a password manager at all, and I’m a software developer! Sometimes being around the stuff all day makes it even harder to change. Hope it was useful!

    1. Nice! I just looked into Protonmail and it looks like a good service. I thought about adding some more tech to use like encrypted mail, texts, and browsing services. Maybe I should add in another section!

  2. Wow, that is a lot of information.
    I just realized that when I click on ‘unsubscribe’ on those unwanted emails, it’s like clicking on a link, which is of course a big ‘no no’ as you pointed out. I loved the Ron Swanson skit. Very entertaining reading!

    1. True! Most e-mails have to provide an unsubscribe option now, but it is always good to be wary if you didn’t sign up for something. It might be best to just send those e-mails to spam.

      Ron Swanson is my favorite!

  3. I kinda miss neopets lol. Surprised I haven’t seen anybody walking around with neopets shirts since everything else from my childhood is being slapped on shirts and sold to the masses!

    Sounds like you’ve got your information locked down for sure! Staying anonymous helps with sharing your net worth I’m sure.

    I’ve been too lazy to start using a VPN but at least use LastPass. I fear the majority of people use the same password for all of their accounts *cough* *cough* my wife *cough* 😮

    1. I think you just stumbled on a great side-hustle idea!

      True, staying anonymous helps a bit, although I’m not sure I’ll stay anonymous forever, so it’s good to have a plan in place. The VPN was super easy to set up! I recommend using it, at least for while you’re out and about at coffee shops and airports.

      Not the same password! Eek! I found that once I had LastPass installed and always asking if it could save my password, that was a big motivator. Then once it gets all the passwords as they are, it gives you a security score and warns you if you have duplicate passwords across accounts. Maybe that would help!

  4. Another piece of advice: don’t just stop at unique passwords. Use a unique username for each account. If a hacker doesn’t even know your username they can’t even begin to attack your account.
    If you’re already using a password manager, this step adds no additional difficulty as you just record it in your database.

    Now unfortunately, some services only let you use your email address as your username. I also recommend using a unique email address for each account. The quick and easy way if you use Gmail is to do +@gmail.com, e.g. finmechanic+chase8363@gmail.com.
    Why the four random digits? Well without that, then your email address for each service is easily predictable, which defeats the entire point.
    Unfortunately, not every service allows “+” in your email address. If that’s the case, you have a couple more options
    1) You can generate an infinite number of email addresses using blur.com. https://dnt.abine.com/ However, I wouldn’t trust a service like this for anything critical, not because I don’t trust their security or privacy policies, but because if they ever go out of business, you can lose access to your accounts.
    2) You can buy your own domain, and set up a catch all with your email provider. This will, in general, cost money.

    Ah you have discovered inteltechniques.com. Have you listened to his podcast? I went pretty deep down that rabbit hole.

    If you want a better free VPN option, there’s ProtonVPN. The free tier, which is subsidized by their paid tiers, is rated as slower, mostly because there’s only a couple free servers and there’s a lot of users. While it may be slow (I haven’t tried the free tier in a long time), there’s no bandwidth limit whatsoever.

    1. Thanks for the email trick! I also learned of mySudo, which lets you set up different online identities. A bit of a different use case but still an interesting tool.
      I haven’t listened to his podcast, but I can add it to my ever-growing list of something to listen to!
      I’ll check out ProtonVPN, sounds good to me.

      1. Yeah mySudo is really nice. I bought a used iPhone off eBay (I have an Android) just so I could use mySudo. I am grandfathered into the nine number plan for free, but I think I’m only grandfathered in for a year.

        Oh yeah – one note about using VPNs to access financial services. Some financial institutions will either block access entirely (rarely) or block transactions (more common) when using a VPN. Square Cash, the free money sending service, will block transactions entirely when using certain VPNs. Ally Bank recently blocked online access to my account because I accessed it through a VPN.
        They do this because VPNs are commonly used for account takeovers.

  5. Thank you for putting this together! I just spent like 3 hours setting up lastpass and earlier this week removed all my info from aggregator sites.

    1. I’m so glad it was helpful Molly! I also realized it took more time than I expected to set all this up and write about it but definitely worth it.
