Anthem data security breach and you

The other night I got an email from the vampire-like health insurance company Anthem telling me that (in exchange for the large amount of money I pay them every month) they were hacked and tens of millions of people’s records were ransacked.

Every aspect and level of vampire Anthem was compromised: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare….

Names, birth dates, social security numbers, addresses, member IDs….

Scary.

Lots of people are going to have to be more attentive now. One story says that the hackers now have all the information they need to submit fraudulent tax returns.

What do you do to keep your identity safe? Do you use strong passwords? Do you change your passwords? How often?

I am looking for new strategies for handling passwords and I bet there are some pretty well-informed readers out there.

You might check the page that vampire Anthem set up. HERE

Also, for a while now I have used the service LifeLock. I have an affiliate program with LifeLock. If you are thinking about using it, click below.

The link will remain on my sidebar.

I would hate to hear that any of you have a problem with this. We all have to be vigilant. Semper parati.

So, what is your SOP to handle your online identity?

About Fr. John Zuhlsdorf

Fr. Z is the guy who runs this blog. o{]:¬)
This entry was posted in "How To..." - Practical Notes, Global Killer Asteroid Questions, Semper Paratus, Si vis pacem para bellum!, The Coming Storm, The Drill.

16 Comments

  1. fichtnerbass says:

    I’ve been a user and big fan of LastPass for several years now. There are a few others out there and Lifehacker has a pretty good set of reviews and comparison, but I started with LastPass a while ago and have had no reason to switch.

    One master password that is easy for me to remember but very hard to crack gets me access to my PW vault. LP includes a PW generator where I can specify length and types of characters to include (numeric, letters, caps, punctuation, etc.).

    And for $12 a year, I have the premium version which provides access via my mobile device to auto-login to sites and apps. It even works with TouchID on Apple and has two-factor authentication – another great tool that you should enable on every site that allows for it.

    I have 371 unique sites and PWs in my vault and can also store CC info and secure notes (e.g. global traveler number, secure photos (e.g. passport), etc.).

  2. fichtnerbass says:

    Another benefit – you can run its audit feature and it will notify you of any sites with weak passwords as well as check any email address you are using on different sites against a database of known breached emails.

  3. dbonneville says:

    I remember getting my first laptop: watershed moment of mobility.

    I remember getting my first mobile phone: watershed moment of mobility.

    I remember getting my first smartphone: watershed moment of mobility and portability.

    About one month ago, I got LastPass. Clearly it is: a watershed moment of portability (across devices) and security.

    LastPass is amazing. I logged in here just now with it, and my CC accounts earlier today. You just need one very strong password for the master account, and it generates super-strong passwords as you want for sites when you fill them out or as you revisit them after you install LastPass. Or you can use your own passwords in the system. It will generate ones if you want, which is recommended.

    Whether it’s LastPass or other viable competitors, this type of system is a must, short of eyeball-dna-brain-wave-pattern scanners that are probably coming :)

  4. JesusFreak84 says:

    I had Anthem with my previous employer, and how DID you know I came here earlier today looking for your LifeLock affiliate link? =-p Got the best plan for now, but I’ll probably ramp it down later.

  5. Derek of Redlands says:

    For my password safety, I try to use a unique password for each site I use. This is especially important with any financial sites I use and for my own website. In the event of a data breach with one company, the hackers cannot then plug my information and password into other sites to gain access. I also do not log into anything important when I’m using a public network.

    To formulate my passwords, I use a combination of numbers and very misspelled words (to slow down any bots). Using a series of random numbers and letters would be too difficult for me to remember. I choose some unique words, intentionally misspell the heck out of them and I pepper it with numbers.

    The last thing I now do (as a result of having been hacked from this) is to use a strategy with password recovery processes. When setting up an account, you are asked some security questions in the event that you need to reset your password. They are usually something like “the name of your first grade teacher”, “model of your first car”, and the very worst is “mother’s maiden name”. Most of these kinds of questions are found in public records, may be gathered from you in daily conversation, or are common knowledge to the people who know you. So the technique I use is to NEVER EVER EVER answer the question with an honest answer. Again, I choose a random word, misspell it, add numbers, and try not to forget it.

    Passwords are a pain in the neck and it’s so tempting to make it easy to remember and repeat it on each site you use. However it only takes getting hacked once to learn how important it is. When it happened to me, the person hacked my email and permanently deleted everything to hide what they had been doing with it. In doing that, they deleted years worth of correspondence with my grandmother who is now deceased. I would cherish the ability to go back to read her loving words and messages to me. That for me was the biggest loss of being hacked.

  6. iamlucky13 says:

    I have an idea: let’s trust even more personal information with the least competent organization in the country – the US government.

    Seriously, even neglecting the more serious and flagrant violation of the 4th and 5th amendments, the NSA domestic spying creates a massive centralized vulnerability of our personal information.

    I’m not convinced LastPass is a great idea. It also is a centralized vulnerability. Theoretically, one that is hard to crack, but that’s what we were told about Target and Home Depot holding our credit card numbers in their systems, and insurance companies holding other personal information.

  7. The Masked Chicken says:

    The only real way to be secure is with site-to-site encryption. That way, everything, including passwords, is encrypted. Some companies are slowly transitioning to that, but not many of the large ones do it, yet. If Anthem had site-to-site encryption, then all the thieves would have gotten is gibberish. The thing is, STS encryption is hard to implement. There are easy ways to do it (especially on Unix-like systems), but why should I tell anyone and either become a millionaire or be vanished by men in black trench coats. I say, bring back little old ladies and paper forms. I know that sounds retro, but how many digital Medieval manuscripts do you think we would have, if the computer had existed in 1150 A.D.?

    Wow, who’s glad, now, that they don’t have health insurance :)

    The Chicken

  8. s i says:

    I have been researching password managers; it’s time everyone used one. LastPass is the one to use. Steve Gibson has done an in-depth evaluation and recommends them.
    https://www.grc.com/sn/sn-256.htm
    So the way this works is, the reason I’m using it, is I now understand how it works and why it’s absolutely trustable, is that very much like Jungle Disk, which we’ve talked about in the past, all the encryption is done locally. That is, at no point does LastPass receive anything other than what looks like a block of pseudorandom noise.
    So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA – it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It’s just like it’s been digested into this thing. In fact, hashes are called “digests,” also, for that reason.
    What that is, is that is your cryptographic key. That’s the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They’re holding the encrypted results of your own personal database, just because that’s what they do. That’s the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone’s ever heard of. So but what they’re holding, they have no ability to decrypt. They never get the key. That never leaves your system.

  9. scarda says:

    A wit suggested that the Anthem records were hacked so they could find out who has died and register them to vote.

  10. acardnal says:

    At the moment, we are “virtually” helpless. One can have the strongest password for your personal online bank accounts, credit cards, personal computers, smart phones, etc. but it would NOT have helped in the case of Anthem because their website and servers were hacked. We can hope that the personally identifiable information (PII) was encrypted on Anthem’s servers but according to news reports it was not. It should be a crime if PII is NOT encrypted on corporate servers so that if it is stolen it cannot be decrypted. Congress needs to act now!

  11. Gerard Plourde says:

    Given the number of times that corporate sites have been breached, it seems to me that any organization that is not taking affirmative steps to safeguard the personal data of their clients or customers should be held accountable for negligence. Perhaps a few good sized judgments would result in an enhanced level of care.

  12. Gregg the Obscure says:

    Anthem, being a covered entity under HIPAA, is required to keep data encrypted. They are subject to a substantial fine over this, of course that’s no real help to the folks who have been victimized.

  13. Mojoron says:

    I use 1Password mostly because it can transfer your passwords to your phone, iPad, etc. Apple now offers a password system that also transfers to your Apple mobile device. I use them both, just in case one doesn’t catch the password when I set it up (that does happen).

  14. Lepidus says:

    Be careful, Father. I’m hearing that Anthem is contacting people by regular mail and not email. Just make sure that what you got was really from them….

  15. Nightcrawler says:

    My employer informed me that this is a phishing scam. Careful!

  16. acardnal says:

    Gregg the Obscure, current law encourages but does not require encryption of data. This must be addressed by Congress ASAP!

    http://host.madison.com/news/national/government-and-politics/no-encryption-standard-raises-health-care-privacy-questions/article_208342dc-c015-5b7e-8136-7b1aaaeb7d93.html
