Thursday, July 30, 2015

Have You Already Been Hacked?

I recently wrote a post entitled, “Assume Your Social Security Number is Already Out There”, which was inspired by an article I read suggesting that the personal information of about a quarter of Americans has already been hacked. My experience in the computer networking industry makes me think that number is likely quite conservative.

I have been notified four times in the past year that my personal information might have been compromised. When large companies like Target are hacked, they often offer their customers a year of free credit monitoring service and I currently have two such subscriptions going simultaneously.

There is only so much these services can do, however. Neither noticed when someone filed a tax return in my name, for instance.

Long before business school and my interest in retirement finance, I was a systems analyst with a degree in computer science. My specialty was data communications networks. Truth be known, computers are my first love and much of my financial research is done at my computer with code I write in Mathematica or R.

I had an email account 35 years ago. (As geeks go, I’m ancient.)

Today, I read an article in the New York Times Personal Tech section under the headline, “How Many Times Has Your Personal Information Been Exposed to Hackers?”. The authors began with this statement:

Half of American adults had their personal information exposed to hackers last year alone.

That sounds more like it, but since most companies don’t know they’ve been hacked until they find their data for sale somewhere on the Internet, it might be an optimistic guess. Many companies will never know they were hacked.

The quiz at the NYT article will give you an idea of your vulnerability, but look at the names. Who hasn’t subscribed to AOL, or used a charge card at Target or K-Mart, applied for a government job, joined E-bay or Twitter, or downloaded Adobe something-or-other?

The article reinforces my own feeling that nothing is currently safe on the Internet: “Security experts say there is no way to keep hackers out of systems with traditional defenses like firewalls and antivirus software.” The skills and tools available to hackers today have a huge advantage over the tools available to protect us. Passwords don’t work. Firewalls and anti-virus software are speed bumps.

I’m not suggesting you avoid these tools. It’s a little like making sure yours isn’t the easiest house on the block to break into. But if a burglar wants your house badly enough, he can probably find a weakness.

I have long suggested two-step authentication wherever it is available. A list of websites that support two-step authentication can be found at For many of these websites, a hacker would need your password and your phone. I use two-step authentication at Fidelity, Vanguard and Charles Schwab and on several other sites, including FaceBook.

(Some two-step authentication processes use a special key fob device to provide an ever-changing PIN (Charles Schwab, for instance) and others use an authenticator app on your smart phone (several companies use Google Authenticator). But many use text messaging to send a one-time password to your phone. Be aware that hackers may be able to access your phone at say,, and forward these text messages to themselves. If your carrier's website is not also protected by two-step authentication, this leaves a hole for hackers to get through. A fob or an authenticator app are safer.)

Password managers like LastPass can help you create and “remember” complicated passwords. (They say the best password is the one you can’t remember.)

If you don’t have virus protection, don’t let the cost hold you back. I like Avast and it’s free, but there are plenty to choose from.

Another important step that I think makes a lot of sense, especially for retirees, is a credit freeze. I wrote about those in Assume Your Social Security Number is Already Out There. They can be a bit of a pain if you open credit accounts frequently, but most retirees don’t. Even if you do, it’s less painful than finding out someone has opened a credit account in your name and run up a huge bill. You won’t be responsible for much of that bill, if any, but cleaning up the mess will be formidable.

Personally, I’m not sold on credit monitoring services, though I do use them when the companies I trust with my personal information get hacked and offer those services free. They can’t hurt, but they monitor your credit report, not your accounts.

I use alarms on all my financial accounts that send a text message to my phone if there is an overseas charge on a card, an ATM withdrawal, or a charge above some maximum amount.

To summarize, here are a few things you can do to protect yourself:
  • Consider a credit freeze at all three credit agencies
  • Use two-step authentication whenever it is available
  • Use your free annual credit report from one of the three agencies every four months to review your credit
  • Use a password manager to help create and use strong passwords online
  • Use a firewall and a virus checker at home. Excellent versions of both can be downloaded free.
  • Set up text message alarms to notify you of unusual activity on your bank or credit card accounts
These won't fully protect you, but as my grandfather used to say, they're better than a poke in the eye with a sharp stick. It's more efficient for a hacker to steal your personal information in  bulk from Home Depot than to attack your home computer, but the latter still happens.

As I said in the previous post, I think it’s safest to assume that identity thieves already have your personal information, even if they haven’t gotten around to using it, yet. They probably do. The credit freeze may keep them from opening a new account in your name.

In general, the bad guys currently have all the artillery. If you don’t believe that, take the quiz at the Times article. It will open your eyes.

My post on Social Security benefits and early retirement generated several comments. (Posts on Social Security always do.) If you're looking for a basic booklet that explains your benefits in a very readable way, I recommend The Social Security Claiming Guide from Boston College Center for Retirement Research. There is a small charge for hard-copies, but downloadable versions are free.


  1. Thanks Dirk. Sound and no-nonsense advice!

    Is it still necessary to download firewall and anti-virus? Are those built-in to Windows 10 good enough to make hackers no easier to intrude your home than to intrude Home Depot?

    What is the Web browser of your choice for safer financial transactions? I heard of two schools of thought: sand-boxing (Chrome) and disabling (Firefox). I lean towards the latter because the process seems to have more check and balance. At times, Firefox can make nobody run Flash until Adobe addresses a vulnerability. Having an independent non-profit ensured public safety and motivated a corporation to do the right thing probably beats placing all our bets on one company (albeit a non-evil one). What do you think?

  2. Is it still necessary to download firewall and anti-virus? It just depends on how much effort you're willing to put into it. OS-X and Windows both have built-in firewalls. Most routers have one, as well. There are better firewalls available, some for free. They will provide a little more protection, but if someone really wants to get in, they'll figure a way. You could use MAC filtering, for example, if you are willing to update the MAC address in your router every time someone in your family gets a new computer of mobile device. If it helps you sleep, there are many things you can do, but you may not be fixing the weakest link.

    I download virus protection because free packages Avira and Avast! get such good reviews.

    I can't give you an unbiased opinion on Firefox because I was part of the AOL team that bought Netscape and I later helped transfer the browser and some staff to Mozilla. It still feels like my child. I use Chrome and Safari, as well. The most important thing, I think, is to make sure you see the padlock on your browser at home and at public hotspots. I also worry about man-in-the-middle attacks at public hotspots, so I'm careful to ask the business their router's SSID so I know I'm logging onto the correct network. If I do, the link encryption indicated by the padlock protects me.

    You can do all those things, as I mentioned, and the bad guys can still just steal your information from Target.

    Good luck and thanks for writing!

  3. I like the idea you suggested about a two-step authentication process...this can help keep the hacking to a minimum. The credit freeze is also a good idea if you do not want to open anything new. Older people especially are more susceptible to money hassles when it comes to this kind of problem.