Nary a week goes by anymore without this website (and every other news source out there) publishing yet another article on the theme “Hackers access database; steal umpty-million people's confidential information.”
But for all these stories, at least, there are some people who can say “I needn't worry, since I don't carry this credit card, shop at that store or drive in the state over there.”
Worse are the security failures affecting – well, pretty much everybody. For example: are you one of the 200 million Americans whose personal information was on the database Experian made accessible to Vietnamese identity thieves? There's no way yet of knowing for certain, but some quick number-crunching suggests five out of six American adults potentially had their data compromised.
And if you're wondering “Am I at risk due to the recent 'heartbleed' flaw in the 'Heartbeat' software which, in theory, was supposed to make websites secure enough to handle my super-sensitive confidential information?”, the answer appears to be “Not sure but probably, if you've engaged in any sort of 'secure' online activity” (possibly except via Google; some experts say that 'heartbleed' isn't leaking data out of any Google servers, although others differ. Even so, it's not remotely synonymous with saying “Google is guaranteed secure, now and forever”; it only means “Google's safe for now, so far as anyone knows”).
What to do
Meanwhile — assuming you're just an everyday computer user, rather than some brilliant IT-security computer genius — what should you do to protect yourself and your data from heartbleed, which has been dubbed “the most dangerous security flaw on the web”?
For starters, take a break from any potentially affected online activities: don't do anything requiring a sign-in through “secure” SSL/TLS encryption until the security hole is patched.
What else? Hackers might have your passwords; should you change them now? Experts disagree; for every tech writer urging you in good faith to change your passwords right away (alongside advice on how to create a “strong” password), there are others who say “No, wait, don't change anything until after the flaw has been patched; otherwise identity thieves will just be able to get your new passwords, too.”
Face it: if you participate in modern mainstream American life, you're at risk of being hacked because it's just not possible to keep your info out of every hackable database out there. If you have email, you're at risk of it being hacked. Pay taxes, and you're listed in city, state and federal government taxpayer databases in addition to Social Security.
If you're a legally licensed driver or registered car owner, there are databases for each one. Your bank accounts, insurance policies, current or former student or mortgage loans … hackable, hackable, hackable. If you've so much as bought over-the-counter cold medicine containing pseudoephedrine, you had to register with the federal government (and you'd better hope their stuffy-nose database isn't on one of the federal computers still using the old Microsoft XP operating system, no longer protected against new malware or hacker threats).
Avoid unnecessary risk
That said, while you can't keep yourself out of every database, you can avoid many unnecessary ones. For example: a couple of days ago I wrote an article offering tips on how to dig your way out of credit card debt and build up an emergency savings fund, and recommended buying things with cash rather than credit, primarily to save money on interest charges, finance fees and the like, but also because credit cards make it too easy to spend more than you'd intended.
What I didn't mention is that I personally kept right on spending cash, even after paying off my debts and piling up a security cushion, partly for temptation-avoidance reasons but mainly because I don't trust my personal financial security to the combined IT competence of every single business I patronize. That policy's paid off for me numerous times already: I've shopped at many stores mentioned in various “stolen customer credit card info” articles; I just never had to care because I always paid in cash.
Some transactions do require credit cards, though; if you need to rent a car or a hotel room, they'll likely want your credit card number first. You can't stay out of all databases.
On a related note, I've never signed up for online banking, partly because spending cash entails periodic bank visits to deposit rolled coins anyway (Coinstar-type machines take a percentage of your coins' total value; depositing coins in a savings account lets you keep the full 100%). But also (as I explain to the tellers every time I visit and they urge me to sign up for online banking), though I'm pretty sure my home computer is free of keylogging software and other malware infections, I'm not willing to bet my life's savings on it.
That said: I do manage my infinitesimal stock portfolio online, since I've no equally good offline options available. I also engage in online shopping, with accounts set up exclusively for that, and completely unconnected to my bank savings or any other assets.
But I'll admit: keeping out of optional databases puts you at risk of being called a Luddite, or even annoying people around you. I learned this one day in 2010, while visiting my local Target to buy some nicotine patches (don't smoke, kids; it's a stupid stinking waste of money). I paid cash, of course, but when the cashier asked to see my driver's license for proof-of-age, she tried taking the license out of my hands in order to scan it.
“No need for that,” I said, gripping the license more firmly. “My birth date's right here.”
She told me if she couldn't scan my license, she'd have to get her supervisor to punch in some special code or other, which would take time. I told her that's fine, and I understood the law required her to verify my age, but in light of all the other personal information on the license, I did not see any need for my name, age, address, legal driving restrictions, organ-donor status or whatever the hell else is on my ID to be scanned into Target's corporate database.
So she left to get her supervisor, the people waiting in line behind me made annoyed little sounds and, although I cannot swear to this, I'm pretty sure one of them mumbled the word “paranoid.”
If so, I surely do hope that guy wasn't counted among the many whose finances were compromised after the Target data breach last Christmas — and if you think I'm being insincere in my good wishes, you may very well be right.
UPDATE (3:20 p.m. ET): Well, this article turned obsolete pretty quickly! The latest available information says that yeah, Google has been affected and you will need to change your password. The good news is: some sites (including Google) have already instituted the necessary security patches, which means you can update your passwords for them. Here's a partial listing of known affected and unaffected websites to date; now if you'll excuse me, I need to go change a few passwords myself.