Advertiser Disclosure

You’ve Heard About the “Heartbleed” Bug. How Else Are We Vulnerable Online?

April 25, 2014
Personal Finance
Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own.

By Tracy Becker

Learn more about Tracy on NerdWallet’s Ask an Advisor

With the Internet opening up so many avenues for people all over the planet to connect and massive amounts of data available to us in an instant, we are definitely in the age of information. This can be wonderful, but as with many positive developments there is also a negative aspect. After learning recently that for two years we have been vulnerable to the hacking of sensitive information we assumed was encrypted and safe, it is time to take a better look at how to protect ourselves. Some 70% of a billion websites used security software called OpenSSL, and it was a flaw recently discovered in OpenSSL—dubbed “Heartbleed”—that could have allowed hackers access to our usernames, passwords and much more.

The bug exploited an error in the software that normally would send a “heartbeat” notification between servers and clients, including PCs and mobile devices. The flaw allowed attackers to randomly disguise the heartbeat and pick up samplings of whatever data happened to be sitting in the memory of the computer. It allowed attackers to steal certificate keys for servers, giving them the ability to impersonate a legitimate server and trick users into giving up their usernames and passwords. Vulnerable sites included Google, LinkedIn, Facebook and Twitter. Most of them have by now patched the flaw, but you check at There, enter the name of the site and wait for the OK. Only then should you change your username and password to ensure nothing further is hacked.

Most of us don’t think twice about the information we post on LinkedIn, Facebook, dating sites and other social media, but we really should. How many of us share our hobbies, information about our family, pet’s names, date of birth, the year we were born, spouse’s name, high school, college, hometown, our career position, personal email and more? This allows the public access to personal information that can be used against us. A criminal can learn a lot about us from these social media sites, and using that knowledge they can decide if we are a good mark based on the potential profits they might make and how much easier their job will be due to what they have learned about us through public sites.

When we set up online accounts for our credit card, bank accounts, credit reports, social media presence and more, we establish security questions and passwords. Most of us make these passwords and answers publicly available, in effect, through social media. From my time in the credit-repair business, I have learned a lot about passwords, and I can’t tell you how many people use a pet’s, child’s, spouse’s or even their own name with some combination of numbers for their password. Many also make their username obvious because in most cases it’s the email they use publicly. All it would take is a good guess and a thief would be able to access information that could put you in jeopardy. How many of us answer truthfully security questions like “What town did you grow up in?” or “What is your pet’s name?” Those questions would be so hard to answer after visiting your Facebook page, right? Even if thieves couldn’t hack into your credit card directly but accessed your account on social media, how many sites list our credit cards on the auto-pay section with the name of the creditor and some, if not all, of the account number visible to the viewer? They can also see the billing address once they make the right guess of your password and get into your account. Now they know your credit card provider, billing address and a password you use.

How many of us use the same password for everything? The answer is probably around 70%. The other 30% are probably past victims of identity theft who know better from experience. With all of the information easily available, a criminal can begin the process of using existing accounts and opening new accounts in your name. They will be building wealth for themselves at your expense.

So how can we be popular online and still protect ourselves?

If we are going to list important info, a lot of it can be left invisible to the public by controlling our settings. We can also leave out certain facts like the town we live in or grew up in and our birth date. Why give others the opportunity to use our information? Is it that important to have hundreds of people wishing you a happy birthday on Facebook that you would be willing to put your identity at risk? You may even think someone from the past is a friend trying to reconnect, but we do not know what others’ intentions are, and if you give them information along with your data presented on social media it could be an equation for disaster. Never use the email address associated with any of your usernames or passwords on credit card, bank and social media sites. Pick a different email address to offer as your contact point if you are going to display it publicly. Use a password that has nothing to do with any personal info that one might gather from social media.

At this point in our Internet-driven environment, everyone (with good credit) should be using a credit monitoring product. Try to find one with the option to alert you when third parties have viewed your credit. If you find your credit has been viewed by a mysterious party, you can find out if fraud has occurred. Credit monitoring products also give you quick access to balance increases, the opening of new credit and more. This knowledge can save an enormous amount of energy and frustration since the problem can be sorted out before it becomes a catastrophe. The better credit monitoring products will offer an identity theft insurance policy as well. It is important to remember that most of these policies cover only the cost of time lost at work to deal with the issue of theft, outlay of funds to hire a service to help with credit and expenses involved in reporting the crime to the proper authorities. They normally do not cover cash lost that was directly stolen by thieves. Spending $10 to $40 a month on credit monitoring can be a small price to pay for peace of mind and the ability to have a clear view of your credit health and security.

Always be aware that in the majority of instances, anyone can connect to our information and use it against us. As tempting as it may be, please refrain from posting personal information that you use for security purposes online. It’s for your own protection.