How to Protect from Data Breaches in an Ever Growing Digital Marketplace?

Surfer Dude on 18/10/2022 - 13:42
Last edited 18/10/2022 - 13:56 by 1 other user

Howdy,
Everyone by now would be aware of the Optus hack & subsequent data breach that occurred in late September. The newest significant data breach /hack was of My Deal where up to 2.2 Million customers details could have been obtained.

Question to all OzBargainers out there: how do we savvy online shoppers maintain our private information secure in an evergrowing digital marketplace where every retailer requires some degree of personal information in order to transact with them?

Should we be creating fake emails specifically for online shopping and be using pseudonyms for our names and contact information?

I'd like to hear OzB's thoughts on how members try to minimise their exposure in data breaches.

Internet

Comments

  • Cheaplikethebird on 18/10/2022 - 13:46
    +12

    Use separate passwords for every account. Don't store bank details where possible. Enable 2FA where able. Consider your name, e-mail and address as already in the public domain.

    • Hybroid on 18/10/2022 - 13:55
      +4

      2FA is very much the main thing here. If it's offered, definitely set it up.

      You don't need separate e-mails necessarily but can sometimes use surferdude+store@my-email.com for various places you want to sign up to (if your provider offers it like gmail). This way gives you greater control.

      Don't sign up to random competitions and giveaways from dodgy places either, it's all there to harvest your data.

      Never click on random links in e-mails or pickup or reply to random callers on your phone. That puts you on a database of active numbers and get bombarded more with targeted scams. Ignore them and anyone important will leave you a voicemail.

      • Surfer Dude on 18/10/2022 - 14:12

        Yeah good advice. My annoyance is more to do with the amount of personal information that retailers require for what seems a simple transaction, especially when orders are click and collect.

        All you get once the retailer gets hacked and your info is leaked is a 'sorry, we should have done better, please be vigilant in future'.

        • Cheaplikethebird on 18/10/2022 - 14:43
          +1

          What information though? Name, Address, E-mail, this stuff is easily found already and there's not a lot you can do.

          • Indomietable on 18/10/2022 - 16:29

            @Cheaplikethebird: Optus hack expose Date of birth, License or Passport details, and Medicare which can lead to identity Theft.

            • Cheaplikethebird on 18/10/2022 - 16:34

              @Indomietable: Yeah but OP seems to be referring to online retailers for simple online shopping in the comment I'm responding to, in most cases then it's just going to be Name, Address, E-mail. Unfortunately there are some high-value accounts you can't avoid (online banking, phone account, primary e-mail, paypal, OzBargain).

  • Neoika on 18/10/2022 - 13:48
    +1

    Fake private info stolen

    • DoctorCalculon on 18/10/2022 - 20:05

      ^This.

      Other than address (use a PO box if possible), don't share any of your real / legal personal information.

      • SaberX on 20/10/2022 - 20:07

        Does a Po box require someone to open one up at a local post office? Or does it allow them to drop it to the PO box then get routed to your home address courtesy of Aus post? How much is it for a residential po box?

        • Lucille Bluth on 21/10/2022 - 06:54

          There is a cost to get a PO box

  • Quantumcat on 18/10/2022 - 13:49
    +10

    Don't give away your real date of birth, make up a fake one that you use across all websites

    • illogicalerror on 18/10/2022 - 14:00
      +1

      That's right. Few of these people asking for this personal detail actually need it.

    • ESEMCE on 18/10/2022 - 14:11
      +7

      This.
      I just use my wife's birthday… helps me to remember it as well.

      • 87percent on 18/10/2022 - 14:30
        +2

        i always use 01/01/1985

        • SBOB on 18/10/2022 - 18:34
          +1

          Hey we have the same birthday…. :)

      • whatwasherproblem on 18/10/2022 - 20:39
        +3

        I just use my wife's birthday… helps me to remember it as well.

        That's a next level strat that I'm shocked never occurred to me. Well played, sir. I'm stealing this.

      • jasong on 19/10/2022 - 12:34
        +1

        I also use ESEMCE's wife's birthday

    • Cheaplikethebird on 18/10/2022 - 16:36
      +2

      Just make sure to remember the DOB you use so you remember to claim birthday discounts 😂

    • SaberX on 20/10/2022 - 20:11
      +1

      I've started doing this. Mash up of relations but definitely need to start using a common one so I can remember it.

      My biggest worry is which places neeed it to be entered accurately? Like booking flights and hotels I do wonder if you can screw yourself over with an incorrect dob used in a hotel. Particularly as I see those highly vulnerable points for hackers. But for shopping websites and non government and non registration (shares, brokerages etc) I now use the fake dob.

      Not sure if a fake name lands you with issues if a parcel or purchase arrives and goes to the post office, providing you have your licensee proving you live at the same address?m

  • 87percent on 18/10/2022 - 14:10
    +1

    i never put my full name when i purchase something. i'll put something like "J BLOGGS" or "JOHN B". Always use the gmail + option (so [email protected] as an example)

    I'm considering getting a PO BOX or something so my address isn't widely out there, too

    • SaberX on 20/10/2022 - 20:11

      When you get pickup from post office notices does it provide an issue when your picking up parcels with a non matching full name though?

    • cerealJay on 21/10/2022 - 01:45

      The gmail + trick doesn't really hide your email though, it's not meant for that purpose. Eg, [email protected] is not hidden because he used [email protected]!

      If I was a spammer I'd do a search replace on any gmail addresses containing plus signs. It's much better to use genuine email aliases. eg "[email protected]" (not possible with free email services like gmail).

      • SaberX on 25/10/2022 - 03:54

        good point. it crossed my mind registering for somethings today, wanted the newsletter, but didnt want my details. made a fake name, albeit a play on my names, and realised the [email protected] was dead obvious haha.

        YOu'd hope any spammer wouldn't go through it in detail in this fashion though.

        I am curious about the short form names that 87percent mentioned- more if there's issues picking up parcels as your drivers license wont match. e.g. mail to J BLoggs, go to pick it up with drivers license Jeremy Bloggs listed. That said address would match, which i presume would be all that's needed?

        • cerealJay on 25/10/2022 - 13:51

          If you mean picking up parcels from the post office, they will want to know your license matches "J Bloggs"…. Jeremy Bloggs is a valid match.

          It's about minimising your details being spread around all the time. Hard to avoid completely, but it's good practice to aim for minimal personal details. I use a parcel locker sometimes, and it's my primary address in paypal.

          If you want genuinely useful email aliases, then pay for email. You will usually get other perks too such as cloud storage and other things for the price.

          I don't use it, but Apple offers email aliases in their paid iCloud+ service. They call the feature "hide my email". You also get "Private Relay" which hides your IP address for basic web browsing. The disadvantage is that I don't think you can choose the email alias, it generates a random email, and I think is designed to be used only a few times then discarded. I prefer the aliases that you choose yourself, and keep for things like shopping, or forum sign-ups etc. I have dedicated ones for many reasons ranging from technical dev purposes, government related contact, etc.

    • 87percent on 18/10/2022 - 21:17
      +4

      I’ve been trying to delete all my unused accounts that I’ve signed up for over the years, and it’s actually really difficult for a lot of them. Really should be as simple as “I want to delete my account” but some of them make it seem like I’m asking for a kidney

    • SaberX on 20/10/2022 - 20:12

      Good reason I should stop deleting initial registration and setup emails for this purpose. Hard to remember all the one time useless stuff used.

  • AustriaBargain on 18/10/2022 - 14:51
    +2

    Let Keychain come up with your passwords. Have a really good password on your iCloud account, and have two factor on your iCloud account, have a really good password on your email account, and have two factor on your email account. And pay attention when Keychain tells you a password of yours was in a known leak.

    • DoctorCalculon on 18/10/2022 - 20:06
      +1

      Also, if you pay for iCloud+ then you get access to Hide My Email (which is an email relay service).

    • SaberX on 20/10/2022 - 20:13

      I agree if one uses a password manager the manager and any backup emails should be completely independent with strong passwords. Preferably remember your email passwords off by heart as if your password manager is hacked or broken somehow most accounts reset back to your email account. So this needs to be rock solid.

  • spal on 18/10/2022 - 16:40

    Now ios allows you to create online accounts with other merchants without sharing your email. It creates a random email.

    • CheapandUsed on 18/10/2022 - 17:58

      I have to admit this functionality has been pretty awesome, it provides an easy way to kill the account also.

    • Ugly on 18/10/2022 - 19:40

      You can? How do you do this?
      Do you have a link to instructions?

      • spal on 19/10/2022 - 07:04
        +1

        Whenever I try to register for a new merchant the ios pops up with an option if I want to hide my email. If I say yes, it generates a random email.

  • DingoBilly on 18/10/2022 - 18:51
    +1

    Realistically you can't. At some point your real info will be breached.

    Honestly recommend not caring too much. 99% of the time it won't matter, and the 1% will suck but that's bad luck/how life goes.

  • penguincat on 18/10/2022 - 18:56
    +2

    My question is why do some companies tech ones especially offer such lousy security? You can enable 2FA and the like but some have ways around it.

    In my experience some 2FA isn't even worth the effort to set up due to the reliance of legacy systems.
    I've had 2 of my old outlook/hotmail/live accounts logged into by intruders even with 2FA enabled. Basically anything outlook.com/live.com/hotmail.com has old legacy systems attached.
    If you go and login to them via particular 3rd party programs that use the legacy system then 2FA isn't requested/required.
    The program that the intruders had used even sent me a survey of what I thought of the app. You have recently used ペンギン猫 to manage your email account what did you think of it? Rate the app here! was what I got from google translator the apps name was a picture so no clue what it was called.

    Shouldn't there be a way to disable old legacy access or have more control over our accounts? Do I really need for my outlook account to work on the original xbox if I don't own one nor do I plan on owning one?
    I don't need POP3 or IMAP access for the email account I use to buy dog food from why can't I disable those as well? Web browser access only with 2FA would have be fine for me.
    PS the Kanji just says penguin cat. :)

    • whatwasherproblem on 18/10/2022 - 20:54
      +3

      My question is why do some companies tech ones especially offer such lousy security?

      One of the higher-ups at my work has no idea how Windows directories work and can't find anything that's not on his Desktop or in the Downloads folder. The woman in charge of a department down from mine once asked me to look at her computer because it was "going too slow"; turns out she had a hundred or so Chrome tabs open, because every time she needed to do something on the company intranet she'd open a new tab, google the company's name, and then click through to the portal. One of the older gents I rarely ever see in the office has his login credentials in plain sight written on a post-it note stuck to his monitor.

      The fact is that many of the money-movers, CEOs and people who are otherwise high up in the chain of command—i.e., those who would be responsible for putting proper security systems in place and ensuring that their organisations are tech-savvy—just aren't tech-savvy themselves. Even (nay, especially) the ones working heavily in the tech sector that ought to know better.

      (This "Too-eff-ayy" stuff sounds intriguing, though! I'll namedrop it to the boss during the next meeting. We might be able to combine it with blockchain and a Big-Data pipeline.)

      • mikekiwimike on 19/10/2022 - 10:21
        +2

        True story, one of my customers who did not have Multi factor authentication enabled for the their users had a finance officers email account compromised last month and this cyber criminal requested money be sent to an account.

        $30k loss later they are blaming everyone else (MSP, Microsoft) for this loss.

        Luckily MFA is on by default from now on with new tenants and legacy protocol access to corporate M365 email is also turned off now.

        Use MFA (2FA) where possible

        Use random complex passwords secured in a password manager and different for all sensitive sites: Email, Government, Bank, Steam, amazon, eBay etc where money could be lost or identity stolen (email tends to be where password resets are sent for example).

        Don't go to The pirate bay and download anything

        Use AV on your computer but don't buy it, use Microsoft Defender and maybe free Malwarebytes - I don't use AV but Mac has AV and Malware protection built in (don't buy AV for Mac unless you are dodgy As Flip)

        Don't open attachments you receive via email unless you know who they come from and the content of the email makes sense.

        Do not even give anyone money over the phone for anything unless they have proven their identity and are who they say they are, even then ask them to send an email request and confirm the sender.

        Use a false birthdate everywhere that is not an official site, your full name and birth date make you unique amongst 8 billion other people, so don't use the correct date.

        Do not trust anything you read about cyber security either until your run it past your bulls.t detector, cyber security news sells advertising so the number of reported breaches is simply there to pay the medias hosting bills.

        If a reported breach states that customers email, name was stolen then no worries everyone already has that detail about you from previous breaches. What matters is full name, birthdate, address + any more sensitive data.

        Use https://haveibeenpwned.com to find out whether you are the subject of a previous breach, or enter one of your passwords to find out if that password has been detected before meaning your data is available on the dark web.

        • SaberX on 20/10/2022 - 20:18

          Ive been thinking of going down the password manager route and random creating and changing all my passwords to unique ones. What scares me though is some point all those neeed to be stored in said password manager. So if your phone is accessed, hacked or the like I feel like the keys to every house is left wide open.

          I do think one medium is having all but your emails in the password manager. Complex unique one for your primary and backup email with 2FA on… So if apssword manager is hacked usually your backup email is required to change passwords or email addresses of registered accounts.

          With 2fa I am not sure why so many places offer SMS and not authentication apps? I understand the apps are more secure than SMS given the Sim swap tricks. Although I guess if hackers hack your phone the authentication apps are prone to the same issue.

          Out of interest has anyone got an opinion on 1password (recommended by haveibeenpwned) vs LastPass as far as fee vs free password managers go?

          • mikekiwimike on 21/10/2022 - 08:29

            @SaberX: Get something that integrates well with your browser of choice and requires a mobile app based 2FA, both of those solutions you have mentioned should be good, I believe both have previously been compromised and that means they will have upped their app security :)

            If you use MacOS then the built in Keychain utility is free and integrates well with everything.

            Now days, everything a criminal wants to know about your name and email address is available somewhere and more sensitive details have probably been captured, so you are really just wanting to make it difficult for a bad guy to log into any service you use. Randomised passwords and 2FA for monetary sites and you are mostly sorted.

            • SaberX on 25/10/2022 - 04:20

              @mikekiwimike: Yes, randomised passwords via the password manager was one thingg i thought about.My worry is if using a web browser on laptop then if your using the mobile app you'd have to type it out character for character.

              I am not too sure how secure having an integrated into browser password manager would be though? Your saying you can integrate one where you need a mobile based 2FA code each time you access the browser? If so that sounds b etter, my thoughts were you'd login, and then the web browser integration would be available all throughout your session for anyone (i.e. you) to copy and paste your randomised passwords in for logins? Hence i was abit worried about the privacy aspect of this.

              Even the idea of a mobile app having all the keys to all the vaults seems abit offputting. I do presume biometrics or a pin is required to access, or perhasp 2FA even to access mobile app? I mean 99% of the time no one would ever phyysically access your mobile, but the thought of malware infecting an android and spying/lurking for you to access your password manager - is that possible? or largely unfounded paranoia?

              i'd imagine you'd leave your passwords for your emails off the password manager and memorise those, as all password resets at least can go through there if password manager is compromised.

  • pharkurnell on 18/10/2022 - 20:02

    The more all our lives are on computer systems the more this will happen.

    • mikekiwimike on 21/10/2022 - 08:31

      Everything is already on a computer system, be scared when you realise how little security is against this data by at least one of the custodians of it

  • capslock janitor on 18/10/2022 - 22:44

    BITWARDEN + YUBIKEY?

    • Quantumcat on 19/10/2022 - 11:00

      I'd love to use a yubikey but I can't think of a way to easily have it with me always. The only thing I always have with me is my phone. I don't carry a wallet or handbag anywhere. It could go on my car keys but I don't carry those around with me in the house or have them at my computer when I'm working. I don't like wearing jewellery so having it on a necklace I would find irritating. How do you manage yours?

      • capslock janitor on 19/10/2022 - 11:19
        +1

        I don't currently have YubiKey but thinking about it too.

        Mine would probably go on keyring or same as you say phone,
        options might be inside the phone case, back of phone, or if your case has accommodation such as phone pocket/holder feature built into the case itself!

        • Quantumcat on 19/10/2022 - 12:31

          Part of the phone case is a great idea! I need to replace my case anyway

    • SBOB on 19/10/2022 - 11:39

      not going to do anything for the example sites or data that was leaked from recent data breaches.

      Yubikey can help you secure your primary level accounts like google, microsoft etc for the large 'primary' players that support it or password managers etc (like Bitwarden or Lastpass). Excellent for ensuring your top-level authentication medium (eg email) and password vault isnt comprimised.

      Most online stores or company logins (eg optus) wont support it, and even if they did, it wont stop your data being stolen from the back-end anyway

  • Marty-69 on 18/10/2022 - 22:52

    Use 10 minute mail to sign up for accounts. Store email and password in a password manager as a password reset email won't be an option after 10 minutes.
    Some companies (I think Stan, Doordash and many others) keep your credit card details for identification. Just use a prepaid credit card.

    • SaberX on 20/10/2022 - 20:19

      Never heard of this 10 minute mail?? Is it a temporary email service. Like the imgur upload drop bucket for photos of the email world?

      • Marty-69 on 20/10/2022 - 20:23

        It provides you with an email address that will last for 10 minutes. Open 10-minute-email (there are a few around), use that email address to signup, a confirmation email will be in the inbox, confirm and done. After 10 minutes the email address is gone so save login details (email address and password) as a password reset email will never arrive.

        • SaberX on 25/10/2022 - 03:46

          How does privacy work though given would randomly created emails not come back in a loop eventually?highly unlikely but once you create a 10-minute email you can never ever change your email? So those services that require you confirm change of email addresses via your original email you'll be stuck i presume?

          Also any concerns over the login data/info they get via these temporary signups (the acutal email hosts/providers)?

          • Marty-69 on 25/10/2022 - 15:15

            @SaberX: The email is only for one-off signup. If you want to receive email or make account changes, don't use it. It's only for sites that force you to register with an email address.

            What's the concern with a sign-up? They send you a confirmation email and if that gets intercepted, your expired temp email was vulnerable. As long as you don't use your real details for the sign-up there's no risk.

            You don't use this for serious stuff with your real details. Temp email and fake details.

  • RockyRaccoon on 19/10/2022 - 07:06

    C.A.S.H 😀

  • TheOtherLeft on 19/10/2022 - 08:26
    +1

    I like Westpac's security. They require a password of something like 6 alphanumerics and no 2FA

    • moar bargains on 19/10/2022 - 13:24

      We should lobby the government to make everything high security like this! I'm writing to my MP right now!

    • SaberX on 20/10/2022 - 20:19

      This really shits me as all my password combinations are always more than 6 letters so I always forget what i set. Need to reset.. then can't use my previous set passwords … Finally nailed it though…for now!

  • Danstar on 19/10/2022 - 09:29

    Ask yourself this; how many times has your identity been stolen or you personally know of someone whose identity has been stolen?

  • Sinnerator on 19/10/2022 - 09:38

    Use throwaway email accounts for all non-vital accounts (for me anything less than government and banks/insurance is non-vital).
    Have a secondary mob phone number in a dual sim phone, use in same manner as above.
    Never include real ID in your non-vital accounts.

    Remember, when the product is free you are the product, so I don't use cashback/rewards programs etc etc unless directly linked to a vital account.

    Follow other people's advice above for your vital accounts.

  • timmypete on 19/10/2022 - 16:38
    +1

    As mentioned already, a password manager and using fake DOBs where possible is a good start. 1Password has worked well for me over the years, but there are plenty of other good options out there these days.

    One email address per company/sign up is also essential. A few folks have already mentioned Gmail plus addressing and iCloud Hide My Email. My email provider Fastmail and 1Password have a really neat Masked Email integration, which if I was starting from scratch is probably what I would use.

    However I've got my own domain name(s) and set up with wildcard mode, which makes it a cinch to use one-off emails for privacy and filing efficiency. This is far more powerful but has a higher setup effort initially. More on my setup in this post.

    • SaberX on 25/10/2022 - 03:51

      Thanks - never heard of masked emails, will have a look at this.

      I got introduced to 1password via haveibeen pwned. How have you found this? it's premium version is it worth the payment, given there are other freemium popular services namely lastpass? I have seen some blogs claiming 1password hasn't been hacked before and something about lastpass technically having some deficiencies, or logs? Can't quite recall. But if paying, would you go 1password or lastpass?

      On another note, one thing that scares me is that password managers with password random generators for all your logins sounds great. But one key to the vault seems awfully worrying to me. I mean just the idea that some latent buried deep software if malicious could lurk and view your mobile as you peruse the password manager, or the like.. abit of paranoia, and probably less likely than not using a password manager and dealing with breaches…

      The idea also of having it setup in your computer's add ons also seems somewhat risky to me, albeit i don't quite understand the 'security' behind that.

      I presume best to keep your email addresses off by heart and out of the password manager, given those are the next most important places for password resets?

  • AncientWisdom on 20/10/2022 - 03:03

    For creating masked emails, IronVest (previously Blur) is an awesome free extension that I've been using for years.

    • DoctorCalculon on 20/10/2022 - 20:15

      The free version only offers "3 Customized masked email addresses".

      If you are an iOS/mac user, iCloud+ is the way to go.

  • Ave Maria on 29/07/2023 - 14:02

    I just used https://10minutemail.net/ so to change my email address in the Whirlpool forum as they refuse to delete my account.
    At least this way they only have a fake name as well as fake/inactive email address in their records

Login or Join to leave a comment
Login Join