Everything you do online is generating data about you – from personal information to your activities and interests. Here’s what you need to know about keeping your online information secure.
Your data is valuable, which makes it important to be selective about the companies and apps with whom you choose to do business, and make informed decisions about who can receive your data.
There are different types of data collected about you:
- Personal Information – which includes data like your social security number or driver's license number.
- Data About You – that can include your health data, activities, behaviors, and interests.
Many accounts ask for access to personal information, such as your geographic location, contact list, and photos – sometimes before you even use a business’ services. While some services require access to this type of information, others may be collecting data they don’t actually need.
Before sharing information, consider how much personal information a business or app is requesting – is giving out the information going to provide benefits to you? Be aware some apps or services may request access to information not relevant or needed for the services they offer.
Apps on Devices
When deciding to download a new app, or use a new service, it’s a good idea to check the privacy and security settings. You can adjust these settings to only share information necessary to completing the service. Keep in mind that each device, app, or website browser can have different settings which limit sharing information. It’s a good idea to evaluate the settings on your social media accounts and apps, to be sure you’re keeping your data private.
In addition, delete unused apps on your internet-connected devices, and keep apps secure by performing updates.
Strong Passwords and Using a Password Manager
Compromised passwords are one of the most common ways fraudsters can get your data, identity, or money. According to research by NordPass, the average person has 100 passwords to remember. Since most of us can’t remember 100 passwords, it’s easy to reuse passwords across your different accounts. Even though you’ve likely heard how dangerous that is, the fact remains that many people continue to reuse passwords. The good news? There’s an easy solution – using a trusted password manager. By creating a long and unique password, and storing it in a password manager, your accounts are more secure from hackers. Password managers work by storing and managing online credentials in an encrypted database, and are secured by a master password. Once you enter your login information into the password manager, you’ll only need to remember your master password.
- No need to memorize all your passwords – you will only need to remember your master password.
- Auto-generates strong, unique passwords – anytime you create a new account, most password managers will ask if you’d like to use an auto-generated password. These passwords are long, random, alphanumeric, and basically impossible to guess.
- Saves time – Aside from keeping your passwords safe, password managers can automatically fill in your credentials so you can log in faster. Also, password managers can auto-fill your name, address, email, phone number, and card information for a faster checkout online.
- Protects against phishing – if you receive a spoofed email that looks like it’s coming from a legitimate source, but is actually a spam attempt, a password manager won’t auto-fill your login credentials since it doesn’t recognize the site as being tied to your password.
- Syncs with Operating Systems – many password managers are compatible with different operating systems, so if you use both Android and iOS, you’ll be able to access your passwords no matter which system you’re using. The same is true for popular web browsers – access your passwords whether you’re using Chrome, Safari, Edge, or Firefox.
- Helps protect your identity – by using a different, unique password for each website or account, you’re segmenting your data. If a criminal gets access to one of your accounts, it’s less likely they’ll be able to hack your other accounts. While it’s not a guarantee, the additional layer of security can protect you more than if you use the same password for every account.
- Safe and secure – Most password managers use military-grade encryption to keep your passwords safe.
There are different types of password managers – cloud-based, local network, and single sign-on (SSO).
- Cloud-based – stores your encrypted passwords on the service provider’s network. Storing on the cloud allows you to access your password manager from any device as long as you have an Internet connection. Some of the most popular types of cloud-based services come in the form of browser extensions, desktop applications, or mobile apps.
- Local network – stores your passwords locally on your device, not on a service provider’s network. Since your passwords are stored locally in an encrypted vault, it can be more private and secure. However, if you lose the device, the passwords are lost, too. Some locally-installed password managers have the option to create multiple password vaults across different devices, and sync when you’re connected to the Internet.
- Single Sign On (SSO) – is like a digital passport: instead of having multiple different passwords, SSO uses one main password to authenticate your credentials when logging into a service or application.
Some reputable password managers include: LastPass, Dashlane, LogMeOnce, Bitwarden, RememBear, 1Password, and Keeper.
Multi-Factor Authentication (MFA)
Multi-factor authentication has been found to block 99.9% of automated attacks when enabled and can ensure your data is protected, even in the event of a data breach, according to the National Cybersecurity Alliance.
Anytime you log into an online account, whether it’s a food ordering app, shopping account, or social media account, that process is called “authentication,” or proving to the service you are who you claim to be. Typically, you authenticate with a username and password. However, this may not be the most secure way to keep your accounts safe. Usernames can be easy for fraudsters to guess, and oftentimes people use the same password for multiple accounts since passwords can be hard to remember.
That’s where Multi-factor Authentication comes into play. A ‘factor’ in authentication is a way of confirming your identity when you sign in. Multi-factor Authentication, sometimes called “Two-Step Verification,” adds a layer of protection when logging into your accounts for the first time by requiring two or more ways to identify a user. With multi-factor authentication, you’ll need your username and password, and one additional “factor” or way to confirm your identity.
Security experts classify the types of factors into three main groups:
- Something you Know: Often password-based (which is the most common) and typically includes letters, numbers, or special characters, like a password or code.
- Something you Have: These are physical objects you own, like a smartphone or smartwatch, device, or secure USB key.
- Something you Are: Also called “biometric authentication” and uses characteristics unique to the user to log in, such as scanning your fingerprint, facial recognition, eye scanners, or voice recognition.
It’s important to use different types of factors – having two passwords, or a password and code are the same type (something you know) – if a criminal compromises one password, they could get both passwords. Instead, use a combination of factors to make it more secure. For example, if you use a password and fingerprint, and a criminal steals your password, you’re still protected since they can’t easily steal your fingerprint.
How to Enable Multi-Factor Authentication
Almost every online service – from email and social media, to banking and shopping – has the ability to enable multi-factor authentication. While most sites offer an SMS code option, this is not as secure as authenticator apps since text messages can be intercepted via a SIM swap attack. In addition, hackers can reroute your text messages to themselves, allowing them access to any account associated with your phone number.
Authenticator apps are far more secure than text message codes – be sure to choose a reputable app, such as Authy, Google Authenticator, Microsoft Authenticator, Duo Mobile, and LastPass Authenticator. Authenticator apps generate a code that does not travel through your mobile network, which helps minimize the risk of exposure and compromise.
So how does it all work and how do you get started?
Authenticator apps generate a time-based, one-time passcode. When logging in, you enter the code on the secure app or website to successfully log in. These codes are time-based, meaning each code only works for a certain amount of time before the app generates a new one. Most authenticator apps generate a new code every 30 seconds, so if a criminal manages to get the code you used yesterday, they won’t be able to sign into your account.
Most major services, like Amazon or Yahoo, allow you to set up multi-factor authentication on the site’s security settings page. Under your account settings, there is likely a section for multi-factor authentication or two-step verification – this is where you can enroll an authenticator app. Most of these apps follow the same procedure when you’re adding a new account: you’ll scan a QR code associated with the account. Then, the next time you log in to a site or app, it will ask for a verification code, which you can find by opening your authenticator app. Lastly, enter the information to complete the sign-in process on the site.
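To show how the enrollment and code check described above fit together, here is an added example (not part of the original article, and not any particular app's code) of the time-based one-time passcode scheme from RFC 6238. It assumes the common defaults of HMAC-SHA1, 6 digits and a 30-second step; the shared secret, which a QR code would normally carry, is the published RFC 6238 test secret, and the function names are chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code is valid for (assumed default)
DIGITS = 6     # code length (assumed default)

# Test secret from RFC 6238 ("12345678901234567890"), base32-encoded the way
# an enrollment QR code would carry it. Never reuse a published secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the code an authenticator app would display at unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step            # number of 30-second steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1):
    """Server-side check: accept the current step plus or minus `window`
    steps to tolerate clock drift; anything older is rejected."""
    for drift in range(-window, window + 1):
        t = int(unix_time) + drift * STEP
        if t < 0:
            continue                            # no steps before the epoch
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(totp(secret_b32, t), submitted):
            return True
    return False


if __name__ == "__main__":
    now = 1111111109                            # constructed timestamp
    code = totp(SECRET, now)
    print("code shown in app:", code)
    print("accepted right away:", verify(SECRET, code, now))
    print("accepted a day later:", verify(SECRET, code, now + 86400))
```

Both sides compute the code from the shared secret and the clock, so nothing travels over the mobile network; a wider `window` tolerates more clock drift but also lengthens the time a stolen code stays usable.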
Generally, you won’t need to complete the extra step of verification every time you log in. Most multi-factor authentication only requires the additional factor the first time you sign into an app or device, or signing in the first time after changing a password.
Send Securely with Encryption
You might have heard it’s more secure to send communications that are encrypted – but what does that mean? Encryption is a way of scrambling data so only the intended recipient can understand the message. Think about it like a postcard you’d get in the mail – the message is bare and anyone who holds the postcard can read it. With encryption, only the authorized person can understand the information. Encryption takes the readable information and changes it, so it appears like random characters to anyone who is not the intended recipient. So instead of a postcard, it’s more similar to a letter in a protected envelope – only the authorized person can open and read the information.
In order to understand and decode the information, encryption requires a cryptographic key. A cryptographic key is a set of mathematical values both the sender and receiver of the message agree on. The cryptographic key translates the seemingly random characters into readable text. In other words, the key “locks” the data by encrypting it, and only the person with the right key can “unlock” or decrypt it.
Financial Services and Your Information
While you might be concerned about protecting your personal information, it’s important to note there are federal privacy protections for consumers when it comes to banks and financial institutions.
One of these federal laws is called the “Gramm-Leach-Bliley Act” (GLBA). According to the Federal Trade Commission, companies that offer consumers financial products or services like loans, financial or investment advice, or insurance, are required to explain their information-sharing practices to their customers and to safeguard sensitive data.
We’re here to help keep you informed, especially when it comes to spreading awareness about online privacy and how to protect yourself. For more topics about ways you can protect yourself – like common mortgage scams, and protecting your card security while shopping online – check out these Security topics on our Learning Center.