How to protect yourself against data leaks
In a world ever-reliant on the connectivity between our physical and digital identities, how can you ensure your personal information is safe from hackers and data breaches? Here are Casa’s top tips for optimal protection.
It’s a situation that no one wants to find themselves in. More and more in our modern, digital times, we find ourselves faced with the fear and uncertainty surrounding the news of a personal data breach. From our names to home addresses, phone numbers, and emails, it’s never been more crucial to protect our digital identities.
Recently, a hacked Ledger database containing 272,853 personal records including customer names, physical mailing addresses, phone numbers, and over 1 million email addresses was publicly leaked.
While the data breach itself took place in July 2020, the data was recently released on a hacker forum specifically geared towards selling database and personal information dumps. These markets operate by selling and reselling information obtained in hacks and social engineering engagements performed against companies and third parties such as resellers. Ledger has published information about the leak, including the details of the incident, and updates via Twitter and email.
How to know if you’ve been impacted?
If you’ve purchased a device from the Ledger store, it’s possible you’ve been impacted. Ledger has sent communications to affected customers and you may have an email indicating such.
If you’ve procured your Ledger though Casa or the Casa Store you should NOT be impacted. No parts of Casa’s infrastructure touched the Ledger databases impacted by this breach.
What can I do to stop this? How can I better protect my personal information?
While the answer to the first question requires lots of technical controls and engineering by the companies that are storing your valuable data, the second question can be solved with the following operational security tips.
If you’ve been victimized in a hack - here’s what we recommend:
- Don’t keep crypto in the house - if you’re using a Ledger, move the device to another physical location.
- If you’re a Casa customer, don’t have more than one key at your house (usually your mobile phone).
- Consider checking out Lopp’s "Home Defense Primer" and other resources below.
To minimize the data you share with third parties and protect yourself going forward - check out these suggestions from our security team:
Use a pseudonym
Stan Lee, George Orwell, Lana Del Rey, and Satoshi Nakamoto. The one thing that they all have in common is that these are fictitious names used to disguise real-world personal identities. An attacker wouldn’t be able to find a Social Security Number (SSN) or physical address associated with these names if they were so inclined. While authors may use pseudonyms so that their works are not associated with the real person, others use them to protect their identity. Many Casa clients do this already. A strong alias will have no direct link to your name, profession, location, or interests.
Just as we are protecting your first and last name, it’s imperative to protect your mailing and home addresses. In the United States, CMRAs (Commercial Mail Receiving Agency) are private businesses that offer services which filter, forward, and scan images of mail to the intended recipient.
While there can be issues and delays with products and large shipments, services such as these help to provide more anonymity for physical mail and correspondence. To shield your mailing address, consider a remailing service like Earth Class Mail.
Another option that can be used (especially in the case of shipments), are personal and private P.O. and mailboxes. These can be rented as a service at local post offices and UPS shipping locations.
Protecting your personal or mobile phone number when making purchases is easy with Voice Over IP (VoIP) and number forwarding and privacy services. The easiest and cheapest solution is to sign up for a Google Voice account, which comes with its own free telephone number. Using this number for online orders, shipments, and site registration will ensure that your personal telephone number stays safe and protected.
In situations where a permanent number is not needed, a variety of apps and services exist to provide disposable one-time-use burner phone numbers.
Multiple email accounts
Even the best pseudonym will only go so far if your email is FirstName.LastName.YearofBirth@gmail.com. Setting up multiple email accounts with your pseudonym helps to mitigate the risk and damage when an email account is hacked or exposed as a result of a data leak. I personally have multiple bucketed email accounts that are not tied to my identity specifically for sites like banking, social media, forums, and purchases.
Virtual payment cards
Some credit card providers offer the ability to use virtual or temporary account numbers for purchases. Pseudo account numbers can also have the added benefit of setting maximum limits and authorization to specific merchant(s).
In our article “How to use Casa pseudonymously” we recommend using a VPN to help protect your internet IP address. VPNs help to shield your IP when interacting with the greater Internet and help protect your identity when sites and services are logging this information.
Delete your information
Not all websites and companies support it, but some do allow a user to delete their information and account. This may be a feature in the account settings section on the site, or may require a support request.
Removing information from websites, suppliers, and companies you are no longer using helps to limit the risk of exposure should any of those services ever be hacked. For those in the EU, the GDPR can be referenced to help facilitate this type of request.
If you are not able to delete your data or the site is unwilling, the next best step is to change your data to something that is not related to your personal identity.
Thankfully user passwords were not included in the Ledger database leak. In prior data leaks, user passwords were captured and retried against thousands of websites hoping that a user re-used their password elsewhere. This practice is called Password Re-use and is prevented by using a Password Manager.
Password managers (preferably one secured by hardware second-factor authentication (2FA) such as a Yubikey) generate random and unique passwords for every service. This stops other accounts from being compromised due to password re-use.
Two-factor authentication (2FA)
Using 2FA is a great way to improve your digital security. However, you should never use SMS text messages for your 2FA. SMS-based 2FA authentication is an extremely insecure method of securing your accounts due to an attack called Simjacking.
Instead of SMS-based 2FA, use Google Authenticator (iOS/Android) or Authy apps for iOS or Android. For the highest level of security, one should consider using hardware devices such as a Yubikey, which stores 2FA seeds and secrets more securely.
Using a multisignature, multi-location solution like Casa ensures that your funds cannot be compromised from a single hardware wallet or location. Protecting your funds with multiple keys is the surest way to mitigate “$5 wrench attacks” and means that if someone were to gain access to your home - as scary as this sounds - they would still be unable to access your bitcoin.
In the majority of data breaches, home and office addresses are often exposed causing an increased risk for those present at those locations.
Our CTO, Jameson Lopp, wrote an extensive post regarding physical security and the hardening of one's home.
Loose lips sink ships
Following the tips listed above should help you to protect your identity and privacy, but it is all for naught should one expose too much information about their personal operational security setup.
- New York Times | "How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps"
- Casa Blog | "How to use Casa pseudonomously"
- Casa Blog | "How to Protect Your Bitcoin from $5 Wrench Attacks"
- Casa Blog | "A Home Defense Primer"
Need peace of mind about your Bitcoin security?
If you're looking for a consultation on your Bitcoin security setup, Casa is ready to help. Our Platinum and Diamond memberships include dedicated Client Advisors, who will work with you to design a custom setup to your specific needs.
Stay in the know
Casa regularly reports and analyzes the newest hardware wallet vulnerabilities, as well as larger changes in the Bitcoin, security, and personal privacy landscape. Sign up for our weekly security newsletter to get the most up-to-date information.