Mobile Provider Data Breaches: Know Your Risks

Last week, AT&T reported the latest in a series of high-profile data breaches. The company announced that approximately 9 million customer records, including names, email addresses, phone numbers and account numbers, were stolen from a third-party marketing firm that had been given access to the data by AT&T.

How do these large-scale data breaches happen?

In several recent cases, criminals targeted marketing firms that provide advertising to mobile carriers or that develop campaigns for mobile users. In the AT&T case, it was noted that the stolen data included eligibility for phone upgrades, making it reasonable to assume that the data breach was related to customer marketing. AT&T gave its customer data to a marketing firm to sell upgrades. The marketing firm was breached.

In other cases, companies that display ads on mobile devices have suffered significant data breaches exposing millions of customer records. In all of these cases, criminals did not target the mobile provider itself, but the third-party agency. Mobile providers typically have strong cyber security practices; the third parties they share your data with may not, making you vulnerable.

What are the risks from mobile data breaches?

Mobile data breaches can carry a particular risk for customers. As reported by Axios, criminals can use personal data from these breaches to launch SIM-swapping attacks, where a criminal clones a SIM card and then uses it to steal multifactor authentication codes. Ordinarily, a criminal who steals your username and password cannot access your accounts if you have two-factor authentication that sends a confirmation code to your phone. If the criminal can clone your phone number with information stolen from a data breach, they can then get the code and access your accounts.

In other words, criminals can defeat two-factor authentication, log in to your accounts and steal or wreak havoc at will. If you see authentication code requests that you did not initiate, log in to the affected accounts immediately and change your password, because it could mean someone is trying to gain access.

A lower level of risk comes from the exposure of phone numbers and email addresses. These will be sold to criminals for spam emails and phishing attempts. If you are a high-value target for hackers, you need to change your passwords and your multifactor authentication method.

What should I do to protect myself from criminal misuse of my data?

Assume that some of your personal data has been compromised. More than 74 million personal records have been posted to the Dark Web so far in 2023, according to Cyble. Next, think like a criminal.

Criminals gather several types of personal information to carry out hacks and phishing attacks. They need your name, address, email and phone number to start. Any additional information they can gather, including passwords or usernames, makes it easier for them to launch an attack.

The best defense is to change your passwords frequently and to be vigilant. Set up two-factor authentication with immediate alerts to your mobile device. The safest way to do this is to have a separate email that you use only for authentication and that you never share or use for any other purpose. Have alerts sent to you whenever an authentication request is made, rather than having text alerts sent directly to your phone. In many cases, this thwarts SIM swapping.

If you have significant concerns, you may need to get a new phone number, which renders information stolen from data breaches useless. This poses a significant challenge for most people. Acquiring a low-cost second phone that you use solely for authentication can solve the problem without requiring you to change your primary number.

Whenever you can, opt out of data-sharing programs with your mobile provider. They will attempt to discourage this, but doing so removes one avenue that criminals can use to compromise your cyber security.

Are you vigilant with your personal data? Are you vigilant with data on the job? Would you be able to stop a phishing attack launched by a phone call from a criminal? Explore our CSI Protection Certification to develop the skills you need to stop cyber criminals at home and on the job.

DoorDash Admits 4.9 Million Affected by Data Breach

DoorDash has admitted that it has been the victim of a data breach, which has affected about 4.9 million merchants and people.

In a recent blog post, DoorDash announced that it noticed some odd activity early in September from a third-party service. After looking into it, the company found that an unauthorized third party was accessing user data from DoorDash on May 4, 2019. DoorDash immediately took steps to stop any future access and to improve security.

Those who were affected by this breach joined DoorDash on April 5, 2018 or before. Those who joined after that specific date were not part of this breach. The company said it will contact those customers who were affected.

This breach involved data including email addresses, names, order history, delivery addresses, phone numbers, and encrypted passwords. In some situations, bank account numbers and the last four digits of payment cards were also released. Additionally, the driver’s license numbers of approximately 100,000 delivery people were accessed. Bank account information and full payment card numbers were not compromised.

This data is called PII, or Personal Identifying Information, and it could be used to open new accounts, take over existing ones or “socially engineer” you. Going forward, as with all data breaches, be on the lookout for scammy emails and phone calls. Be suspicious every time the phone rings, and unless you are 100% sure, don’t click links in emails, even if you recognize the sender.

DoorDash also said that it has added additional layers of security in order to protect the data of its customers, and it has improved the protocols that are used to get access to this data. The company has also told customers that it is a smart idea to change their passwords, even if they were not affected.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

The “Mother of All Data Breaches?” It Could Be Here…

You have probably heard of one data breach after another these days, but this is one that you should really pay attention to: more than 772 million unique emails, along with more than 21 million unique passwords, have been exposed.

Troy Hunt, who runs the website “Have I Been Pwned,” first reported this breach, and he says that a huge file (87 GB) was uploaded to MEGA, a cloud service. This data was then sent to a popular hacking site, and now hackers have access to all of these passwords and email addresses.

This data breach, known as “Collection #1,” is very serious. However, it could just be the tip of the iceberg. There are claims that there are several more “collections” out there, and it could be as much as one full terabyte worth of data. This could be the newest “mother of all data breaches” if this is found to be true.

So, what does all of this mean for you? It not only means that your information could be part of this breach, but it also could mean that these password and email combinations could be used in a practice known as “credential stuffing.” What is this? It’s when a hacker uses known email and password combinations to hack into accounts. Basically, this could have an impact on anyone who has used an email/password combination on more than one site.

This, of course, is concerning because this particular breach has about 2.7 billion email/password combinations. On top of that, around 140 million of the emails, and 10 million of the passwords, were brand new to the hacking database, which gives the hackers even more ammunition to wreak havoc. The big lesson to be learned here is that you should always use good security practices when you create accounts online. You should never reuse a password from one account on another, and you should definitely use two-factor authentication if it is available. If you don’t have a password manager, you might want to set that up, too.
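The reuse check this advice implies, as an added example that is not part of the original post: it audits a set of saved logins for passwords that appear in a breach corpus or are shared between sites, using the SHA-1 prefix range lookup that Have I Been Pwned's Pwned Passwords service offers, so the password itself never leaves the machine. The corpus, counts, vault and all function names are constructed for illustration, and the server is simulated locally so the code runs offline.

```python
import hashlib

PREFIX_LEN = 5  # only these leading hex characters of the SHA-1 are ever sent

# Constructed breach corpus: password -> times seen (made-up counts).
CONSTRUCTED_CORPUS = {
    "password1": 2413945,
    "fortnite2018": 1873,
    "Summer2019!": 412,
}

# Constructed password vault: site -> password.
CONSTRUCTED_VAULT = {
    "bank.example": "Summer2019!",
    "mail.example": "Summer2019!",
    "games.example": "fortnite2018",
    "forum.example": "k7#Vq-unrelated-long-passphrase",
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LocalRangeServer:
    """Offline stand-in for the range endpoint. In real use, fetch_range would
    be an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix>."""

    def __init__(self, corpus):
        self._by_hash = {sha1_hex(p): n for p, n in corpus.items()}
        self.seen_queries = []  # everything the "server" learns from clients

    def fetch_range(self, prefix):
        self.seen_queries.append(prefix)
        lines = [
            f"{digest[PREFIX_LEN:]}:{count}"
            for digest, count in sorted(self._by_hash.items())
            if digest.startswith(prefix)
        ]
        return "\r\n".join(lines)


def parse_range_response(body):
    """Parse 'HASHSUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    # The suffix comparison happens locally; the server only sees the prefix.
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_vault(vault, fetch_range):
    """Flag logins exposed to credential stuffing: breached or reused passwords."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)

    findings = []
    for password, sites in sites_by_password.items():
        seen = breach_count(password, fetch_range)
        for site in sites:
            if seen:
                findings.append((site, "breached", seen))
            if len(sites) > 1:
                findings.append((site, "reused", len(sites)))
    return sorted(findings)


if __name__ == "__main__":
    server = LocalRangeServer(CONSTRUCTED_CORPUS)
    for site, problem, n in audit_vault(CONSTRUCTED_VAULT, server.fetch_range):
        print(f"{site}: {problem} ({n})")
    print("prefixes sent:", server.seen_queries)
```

Every login it flags should get a new, unique password from a password manager.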

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Second-Hand USBs Could Have Personal Info Still Inside

An unsurprising study was recently released that found even when a portable USB drive is erased, not all of the documents and images are always removed. That, of course, is frightening.

Here’s how the research was done:

Researchers went online to sites like eBay, to second-hand shops, and even auction stores. They bought 200 used USB drives, half from the US and half from the UK. Almost 2/3 of the devices had data on them! This data was, for the most part, personal data, and it can also be used by cybercriminals to steal someone’s identity. On top of that, these USB drives can contain malware.

Removing All Data is Difficult

When someone tries to delete or remove data from a USB device, they rarely have success. In fact, of the 100 USB devices the researchers bought in the US, only 18 of them were totally wiped clean. The rest of them had data that had been deleted, but someone could certainly recover it. The UK devices were similar. What’s so surprising about this is that it is extremely easy…and free…for someone to fully delete their device. But most people just don’t put in the effort, and that could definitely hurt them in the future.

USB Devices Can Be Risky

Using these devices can be risky, not only for average people, but also for businesses. In 2017, for example, a USB device was lost, and it contained sensitive information about Heathrow Airport. The government investigated, and eventually fined the company. The information was not encrypted, nor password protected, and it was found on the street by a random passerby.

Because of these risks, some companies, like IBM, have banned the use of USB devices. Instead, employees must use the company’s cloud. Other companies still allow them, of course, but they could be going down a dangerous road. These devices are really cheap to buy, and people can save almost anything on them, but they are also very easy to lose.

There are other issues with USB devices too. First, of course, you have the data on these drives to deal with, but there is also the fact that potential malware could be on the devices. Most companies don’t have the same rules that IBM has, and most consumers don’t think of this at all. This makes people and small businesses very vulnerable. So, if you use USB drives, there is one very important step that you need to take: encrypt them.

The Top Cyber Security Threats to Real Estate Companies

Gone are the days when hackers would only target retailers. These days, the bad guys can target businesses in any industry, especially those that aren’t quite up on cyber security.

The real estate industry is one such group, and according to a recent survey, about half of businesses in the real estate industry are not prepared to handle a cyberattack. Federal law requires some industries, like hospitals and banks, to have some type of security in place for things like that, but the real estate industry is quite vulnerable. Here are some of the security threats you should look out for if you’re in the real estate industry:

Business Email Compromise (BEC)

A BEC, or business email compromise, is a type of cyberattack that tricks a business into wiring money to a criminal’s bank account. The hackers do this by spoofing email addresses and sending fake messages that seem like they are from a trusted business professional, such as the CEO or a company attorney. The FBI has found that multi-billions in business losses can be attributed to BEC.

That’s scary enough, but the FBI also says that real estate companies are specially targeted in these attacks and every participant in the real estate transaction is a possible victim.

Mortgage Closing Wire Scam

Prior to closing on the sale of a home, the buyer receives an email from their real estate agent, title attorney or other trusted service professional with specific details of the time, date and location of the closing. In this same email, there are detailed and urgent instructions on how to wire money for the down payment but to a criminal’s bank account. Within moments of the wire transfer, the money is withdrawn, and the cash disappears.

According to a report by the FBI's Internet Crime Complaint Center, the number of victims of the mortgage closing wire scam ballooned to 10,000, a 1,110 percent increase in the years 2015 to 2017, with financial losses totaling over $56 million, which is a 2,200 percent increase.
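A mail-screening check for the BEC and closing-wire messages described above, as an added example that is not part of the original article: it flags a Reply-To that leaves the sender's domain, a known display name on the wrong address, a near-miss of the agency's domain, and wire instructions paired with urgency. The agency domain, the agent's name, the keyword lists and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "harborrealty.example"  # hypothetical agency domain
KNOWN_SENDERS = {"dana whitfield": "dana@harborrealty.example"}  # hypothetical
WIRE_TERMS = re.compile(
    r"\b(wire|wiring|routing number|account number|down payment)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)

# Constructed sample messages.
LEGIT = (
    "From: Dana Whitfield <dana@harborrealty.example>\n"
    "Subject: Closing scheduled\n\n"
    "Your closing is Friday at 10am at our office. Bring photo ID.\n"
)
LOOKALIKE = (
    "From: Dana Whitfield <dana@harborreaIty.example>\n"  # capital I, not l
    "Reply-To: closings.dept@mailbox.example\n"
    "Subject: Closing funds\n\n"
    "Urgent: wire the down payment today to the account number below.\n"
)
REPLY_TO_ONLY = (
    "From: Dana Whitfield <dana@harborrealty.example>\n"
    "Reply-To: dana.whitfield@freemail.example\n"
    "Subject: Updated instructions\n\n"
    "Please wire the down payment to the new account before closing.\n"
)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_message):
    """Return the list of BEC indicators found in one raw message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    from_domain = domain_of(from_addr)

    findings = []
    # Replies would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")
    # A familiar name attached to an address that is not the one on file.
    expected = KNOWN_SENDERS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name-impersonation")
    # One or two characters away from the real domain.
    if from_domain != TRUSTED_DOMAIN and edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    if WIRE_TERMS.search(body):
        findings.append("wire-instructions")
        if URGENCY_TERMS.search(body):
            findings.append("urgency")
    return findings


def verdict(findings):
    """Map indicators to the article's policy: never wire on email alone."""
    if "wire-instructions" in findings and len(findings) > 1:
        return "hold: confirm by phone using a number already on file"
    if findings:
        return "review"
    return "deliver"


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                       ("reply-to", REPLY_TO_ONLY)]:
        found = assess(raw)
        print(label, found, "->", verdict(found))
```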

Ransomware

Another threat to real estate companies is ransomware. This is the type of malware that makes the data on your device or network unavailable until you pay a ransom. This is very profitable for hackers, of course, and it is becoming more and more popular. All it takes is one member of your team clicking on a link in an email, and all of your data could be locked.

Ransomware doesn’t just target computers though. It can target any device that is connected to the internet including smart locks, smart thermostats and even smart lights, which are gaining a lot of popularity in American homes. When digital devices get infected with ransomware, they will fail to work.

Generic Malware

Though most people hear about ransomware these days, there are other types of malware out there that hackers use, too. For instance, you have probably heard of Trojans a.k.a. Spyware or Malware, which is very much still around. These can be used by cybercriminals to spy on their victims and get a person’s banking information or even wipe out their accounts. Malware can also be used to steal personal information and even employee information, such as client data, credit card numbers and Social Security numbers. Again, real estate companies are not exempt from this type of attack and are now even bigger targets.

Cloud Computing Providers

If you are part of the real estate industry, your business is also at risk of becoming a victim thanks to cloud computing, which is more economical these days. A cyber thief doesn’t have to hack into a company to get its data; all they need to do instead is target the company’s cloud provider.

It might seem that by using a cloud company you are lowering the risk of your business becoming a target, but the truth is, the risk still lies with your company, how secure your own devices are and how effectively passwords are managed. In most contracts with cloud computing companies, the customer, which would be your business, is not well-protected in the case of a cyberattack.

Protecting Your Real Estate Company from Becoming a Victim of a Cyberattack

Now that you know your real estate company is a potential target of cybercriminals, you might be wondering what you can do to mitigate this risk. Here are some tips:

  • Create New Policies – One of the things you can do is to develop new policies
    in your agency. For example, in the case of BEC scams, if you have a policy that
    you never wire money to someone based only on information given via email,
    you won’t have to worry about becoming victimized in this type of scam. Instead,
    you should talk to the person sending the email in person or via a phone call just
    to confirm. Make sure, however, that you don’t call a number from the suspicious
    email, as this could put you right in touch with the scammer.
  • Train Your Staff – Another thing that you should consider is better staff training.
    Most hacking attempts come via email, so by training your staff not to blindly
    open attachments or click on any links in emails, you could certainly save your
    staff from these scams. Check out our S.A.F.E. Secure Agent for Everyone
    Certification Designation course, which is a marketing differentiator that offers
    ideas and methods to promote proactive strategies to ensure incident-free
    results. Learn how to develop client-centered procedures customized for safety
    and security.
  • Train Your Clients – Mortgage closing wire fraud scams can be manageable if
    not preventable. Inform your clients that in the process of buying or selling a
    home, there will be many emails to and from your real estate agent and other
    service professionals including your attorney, mortgage broker, insurance
    companies and home inspector. Tell them: Call Your Agent: Under no
    circumstances and at no time in this process should the client or service
    professional engage in a money wire transfer unless the client specifically speaks
    to the real estate agent in person or over the phone to confirm the legitimacy of
    the money wire transaction. Email Disclosure: Clients should always look for
    language in the real estate agent’s email communications stating the above or a
    similar facsimile.
  • Back Up Your Systems – It is also very important that you always back up
    everything. This way, if your system does get hacked, you won’t have to pay a
    ransom, and you will be able to quickly restore everything that you need.
  • Better Your Cloud Computing Contracts – Since you know that cloud
    providers don’t really like to take on the responsibility in the case of a
    cyberattack, you might want to start negotiating with the company in question
    about what you can do about that. This might include getting better security or
    adding some type of notification requirements.
  • Consider Cyber-Liability Insurance – You also have the ability to get
    cyber-liability insurance. This could really help you to cut the risk to your real
    estate business. There are all types of policies out there so make sure to do your
    research, or better yet, speak to a pro about what you might need.

How to Protect Fortnite Accounts

If you have tweens or teens, you are probably aware of the popular game Fortnite. Though it might say that it’s free, playing Fortnite can actually be quite expensive, and it could put players’ accounts at risk due to a security flaw.

A bug was recently discovered that allows hackers to obtain the login credentials of Fortnite users if they clicked on a link in a fake email. The company responsible for Fortnite, Epic Games, has acknowledged the bug but won’t say how many people were affected.

Not only could a hacker access a user’s Fortnite account, they could make in-game purchases using the person’s credit card, which is connected to the account. Hackers could also listen in to private chats!

How it Happens

You might wonder how players would actually click on these fake email links. Well, it happens all of the time. In this case, the users clicked on a link that took them to a site that promised to give them “V-Bucks,” which are the in-game currency for Fortnite. Once the players enter their information (the site sometimes even asks for credit card information), the hackers have all they need.

Most games like this have an in-game currency, and Fortnite is no exception. Players can buy things like outfits for their players, better weapons, and even bonus items. So, even kids who don’t have their own credit cards will often sweet talk their parents into giving their credit cards, and once that info is in the game, you can use it whenever you want to make purchases.

Fortnite for Money Laundering

Hackers known as “carders,” who specialize in stealing and selling credit card numbers, are using Fortnite as a bank. They are using stolen credit card numbers to make V-Buck purchases and selling them to other players at a discount. When playing Fortnite in Battle Royale mode and earning “Photons” (a new form of cryptocurrency), it seems the hackers can set up a crypto wallet connected to their account to withdraw the stolen funds.

Protecting Your Card

If you have given your kids permission to use your credit card for Fortnite, you are not alone, but you should take steps to protect it.

Do your kids make digital purchases with your money?

The first thing you should do is set up a passcode, one that your kids can’t guess. This means they cannot buy anything in the game unless you approve it. You will have to do this on the gaming console you use. Xbox, for instance, allows you to set a code for the following actions:

  • Signing in when the console is turned on
  • Updating device settings
  • Making a purchase

Microsoft also advises its users against putting a credit card into the Xbox account of any child or other family member who you don’t want making any in-game purchases. This way, you can keep your family safe, and keep your money safe.

Beware of Phishing

Make sure your kid isn’t providing email addresses (theirs or yours) to anyone on Fortnite. If they do, there’s a strong possibility they might provide it to a criminal phisher. Once this happens, tricky phishing emails that look like they are coming from Fortnite, and are designed to steal passwords, are likely to hit your inbox.

Set up Two-Factor Authentication

Any and every account that is considered “critical,” which means it contains personal or sensitive information, should have two-step or two-factor authentication.

Fortnite provides this, and parents MUST enable it. Go to Logins, and open account settings at your username in the top right corner. Then, select password security. At the bottom, click on “two-factor” sign in.

The Master List of 2018 Breaches

2017 was a record setting year for data breaches, but we might have to call 2018 “The Year of the Breach.”

According to Verizon, there have been more than 2200 data breaches across the globe, and about 68 percent of these breaches were not detected for months. This is not good news for any business or organization.

Here are some of the major breaches of 2018:

Facebook

Facebook is part of the list of 2018 breaches but NOT because of the Cambridge Analytica scandal. Instead, it’s because of the breach that occurred in late September, when about 50 million people had their data exposed. This hack took advantage of vulnerabilities in Facebook’s code, and hackers were able to control the accounts of users.

Department Store Hacks

Several department stores were also hacked this year including Saks Fifth Avenue and Lord & Taylor, which were hacked in April. These stores had their customer payment cards compromised. Macy’s also was hacked. This time, it was the names and passwords of its customers that hackers obtained.

Fitness Hacks

There were also hacks against fitness companies like Adidas and Under Armour. In the case of Adidas, hackers accessed the data of several million customers. In the case of Under Armour, the hackers targeted the brand’s app, MyFitnessPal, and were able to access the information from about 150 million users. In neither case were Social Security numbers, payment information, nor driver’s license numbers accessed.

Exactis Hack

The biggest hack of the year was also the one that most people don’t even know about. You probably don’t even recognize the name Exactis, but it is a marketing and data aggregation firm. In June, the company leaked the data of more than 340 million Americans. In this case, the company did not secure its database, and this left records open to anyone who wanted them. Not only were people affected here, but so were businesses. Phone numbers, emails, addresses, and even interests of these people were exposed.

Marriott

Marriott also makes the list of the major breaches of 2018 (but it originated as early as 2014), and in this case, about 500 million people were affected. This hack was done through the Starwood Hotels guest database. It was later realized that the hackers who did this were very likely working for the Chinese government, which was trying to gather intelligence. China has denied being involved in the hack, but experts claim that the methods used in the hack and evidence found all point towards the Chinese government.

Google

There were a few other hacks that are worth mentioning too. Google, for instance, though not technically hacked, did expose data of its users thanks to a security bug. In this case, about 50 million accounts were compromised.

We hope, of course, that lessons were learned in 2018 so that 2019 looks a bit more promising, but as most security professionals know, hackers like to stay one step ahead. So keep your data as safe as possible.

What can you do? Move to Montana, find a cave, live in it. Toss your mobile, PC and credit cards and eat off the land.

Or…

Problems for Quora Keep Building

Quora, the popular question-and-answer website, is the latest entity to be affected by a massive data breach. This time, it is estimated that 100 million people could be affected.

Adam D’Angelo, CEO of Quora, released a blog post that explained user account information (like email addresses and user names) as well as encrypted passwords and other data were accessed by the hackers. Additionally, he wrote that comments, public questions-and-answers and even direct messages could have been accessed.

D’Angelo stated that Quora is working quickly to get more information on the breach and that it is taking important steps to ensure that it prevents a breach from happening again.

Quora is a privately held company based in California. Users of the site can ask questions about almost anything, and other users answer these questions. The company claims that it has more than 300 million unique visitors per month. Although this data breach is not as devastating as others, such as the other recent breach announced by Marriott International, it is still concerning. The Marriott breach went on for several years, and more than 500 million people were affected. For about 327 million, their passport numbers, birth dates and more were accessed.

The Quora breach was not as serious. The biggest concern for people affected by this breach is the possibility of falling for a phishing scam. Basically, these scams work by tricking people into clicking email links that allow the scammer to get personal info or installing malware onto the victim’s computer. This could be significant, however, as some of the data has come from networks like Facebook, which users can connect to their Quora accounts.

This is a really good reminder to anyone with social media accounts, or other online accounts, to consider a throwaway email account. This is an account that is neither connected to work nor your primary email account. This way, if it gets hacked, you can simply delete it.

To add some insult to injury, Quora also just announced that a “malicious third party” has accessed one of its systems. The company is currently investigating the issue, and it’s working with a security firm to get to the bottom of it. Quora is also in the process of notifying any users who might have been affected by this breach. They are also logging these people out of the site and forcing them to change their passwords.

Last thing: I’m a fan of Quora, and yes, this breach sucks, but it’s less sucky than others. Feel free to ask me a question on my Quora.

2017 Was the Worst year for Data Breaches EVER!

It seems like 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.

According to reports, hacking was the most common way to collect this data, but almost 70% of exposures occurred due to accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part of this, however, is the fact that the number of breaches and the number of exposed records were both more than 24% higher than in 2016.

Big Breaches of Big Data

Another interesting thing to note is that eight of the big breaches that occurred in 2017 were in the Top 20 list of the largest breaches of all time. The top five biggest breaches in 2017 exposed almost 6 billion records.

Part of the reason for the big numbers is because huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of the breach isn’t even known at this point. All we do know is that it was big.

When looking at all of the known 2017 data breaches, almost 40% of the breaches involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so things could change now that reporting is mandatory.

What were the biggest breaches of all time? Here they are, in order:

  • Yahoo (US company) – 3 billion records
  • DU Caller Group (Chinese company) – 2 billion records
  • River City Media (US company) – 1.3 billion records
  • NetEase (Chinese company) – 1.2 billion records
  • Undisclosed Dutch company – 711 million records

Though none of this is great news, there is a silver lining here: none of the breaches of 2017 were more severe than any other breach in history, and overall, the occurrence of breaches dropped in the fourth quarter.

Because of so many breaches occurring due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of info the hackers want.

Protecting Yourself from a Data Breach requires Two Step Authentication

Have you ever thought about how a data breach could affect you personally? What about your business? Either way, it can be devastating. Fortunately, there are ways that you can protect your personal or business data, and it’s easier than you think. Don’t assume that protecting yourself is impossible just because big corporations get hit with data breaches all of the time. There are things you can do to get protected.

  • All of your important accounts should use two-factor authentication. This helps to eliminate the exposure of passwords. If a password is all that is needed to access your account, then once one of the bad guys gets hold of it, they are already in.
  • When using two-factor authentication, you must first enter your password. However, you also have to do a second step. The website sends the owner of the account a unique code, also known as a “one-time password,” to their phone. The only way to access the account, even if you put the password in, is to enter that code. The code changes each time. So, unless a hacker has your password AND your mobile phone, they can’t get into your account.

All of the major websites that we most commonly use have some type of two-factor authentication. They are spelled out, below:

Facebook

The two-factor authentication that Facebook has is called “Login Approvals.” You can find this in the blue menu bar at the top right side of your screen. Click the arrow that you see, which opens a menu. Choose the Settings option, and look for a gold colored badge. You then see “Security,” which you should click. To the right of that, you should see Login Approvals and near that, a box that says “Require a security code.” Put a check mark there and then follow the instructions. The Facebook Code Generator might require a person to use the mobile application on their phone to get their code. Alternatively, Facebook sends a text.

Google

Google also has two-factor authentication. To set it up, go to Google.com/2step, and then look for the blue "Get Started" button. You can find it on the upper right of the screen. Click this, and then follow the directions. You can also opt for a text or a phone call to get a code. This also sets you up for other Google services, including YouTube.

Twitter

Twitter also has a form of two-factor authentication. It is called “Login Verification.” To use it, log in to Twitter and click on the gear icon at the top right of the screen. You should see “Security and Privacy.” Click that, and then look for “Login Verification” under the Security heading. You can then choose how to get your code and then follow the prompts.

PayPal

PayPal has a feature known as “Security Key.” To use this, look for the Security and Protection section on the upper right corner of the screen. You should see PayPal Security Key on the bottom left. Click the option to “Go to register your mobile phone.” On the following page, you can add your phone number. Then, you get a text from PayPal with your code.

Yahoo

Yahoo uses “Two-step Verification.” To use it, hover over your Yahoo avatar, which brings up a menu. Click on Account Settings and then on Account Info. Then, scroll until you see Sign-In and Security. There, you will see a link labeled “Set up your second sign-in verification.” Click that and enter your phone number. You should get a code via text.

Microsoft

The system that Microsoft has is called “Two-step Verification.” To use it, go to the website login.live.com. Look for the link on the left. It goes to Security Info. Click that link. On the right side, click Set Up Two-Step Verification, and then follow the prompts.

Apple

Apple also has something called "Two-Step Verification." To use it, go to appleid.apple.com. On the right is a blue box labeled Manage Your Apple ID. Hit that, and then use your Apple ID to log in. You should then see a link for Passwords and Security. You have to answer two questions to access the Security Settings area of the site. There, you should see another link labeled "Get Started." Click that, and then enter your phone number. Wait for your code on your mobile phone, and then enter it.

LinkedIn

LinkedIn also has “Two-Step Verification.” On the LinkedIn site, hover your mouse over your avatar and a drop-down menu should appear. Click on Privacy and Settings, and then click on Account. You should then see Security Settings, which you should also click. Finally, you should see the option to turn on Two-Step Verification for Sign-In. Turn that on to get your code.

These are only a few of the major sites that have two-step verification. Many others do, too, so always check to see if your accounts have this option. If they don’t, see if there is another option that you can use in addition to your password to log in. This could be an email or a telephone call, for instance. This will help to keep you safe.

Amazon

Amazon’s Two-Step Verification adds an additional layer of security to your account. Instead of simply entering your password, Two-Step Verification requires you to enter a unique security code in addition to your password during sign in.

If you have not set up two-step authentication for your most critical accounts, all a criminal needs is your username, which is often your email address, and access to the data breach files containing billions of passwords that are posted all over the web. Once they search your username or email for the associated password, they are in.

Two factor locks them out.
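The two steps described above (password first, then a one-time code that changes each time) and the point that a leaked password alone no longer gets a criminal in can be sketched from the website's side. This is an added example, not code from the original post or from any of the sites named; the `TwoStepLogin` class, the 5-minute expiry and the 5-guess limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed: a code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumed: guesses allowed per issued code


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoStepLogin:
    """Hypothetical site login that needs the password AND a one-time code."""

    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.pending = {}  # username -> [code, expiry time, guesses left]

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def start_login(self, username, password, now=None):
        """Step 1: check the password, then issue a fresh code for the phone."""
        now = time.time() if now is None else now
        salt, stored = self.users.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # new random code every login
        self.pending[username] = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # a real site delivers this to the phone, never to the browser

    def finish_login(self, username, submitted, now=None):
        """Step 2: accept the code once, before expiry, within the guess limit."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        entry[2] -= 1
        if now > entry[1] or entry[2] < 0:
            del self.pending[username]  # expired or too many guesses
            return False
        if hmac.compare_digest(entry[0].encode(), submitted.encode()):
            del self.pending[username]  # single use: the code cannot be replayed
            return True
        return False
```

Someone holding only a password from a breach file gets through `start_login` but cannot pass `finish_login` without the code sent to the phone.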

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock 'em dead in this Security Awareness Training video.