Deep Dive
Shownotes Transcript
This message comes from Discover, accepted at 99% of places that take credit cards nationwide. If you don't think so, maybe it's time to face facts. You're stuck in the past. Based on the February 2024 Nielsen Report. More at discover.com slash credit card. You're listening to LifeKit from NPR.
Hey, it's Marielle. If you have ever used the internet, which given the fact that you're listening to a podcast right now, I think you have, then your data is up for grabs. Things like your full name, your date of birth, what websites you visit, and your location, among many other things.
There are people who are very interested in your data. I mean, it seems like every day another company is admitting to a data breach. Just a few examples from the past couple years, AT&T, Ticketmaster, Yahoo, Facebook, and the data broker National Public Data have all experienced breaches that compromised millions of private records. This has been very concerning for Samuel O'Horse-Kessler. He's a producer for the Planet Money podcast. Samuel O'Horse-Kessler
We worked on this episode about the illegal and legal markets for your data. And I've previously kind of had this stance of like, well, it's my data, but I'm not really using it. So like if somebody else wants to take it for a spin, you know, that's all fine with me. But the more I learned about what people are using my data for and how they can access it, the more just like nervous I became, like right in the pit of my stomach. Yeah.
On this episode of Life Kit, Sam is going to talk to experts about what kind of data about us lives on the internet, who wants it, why, and of course, what steps you can take to protect yourself.
This message comes from Progressive Insurance. Do you ever think about switching insurance companies to see if you could save some cash? Progressive makes it easy to see if you could save when you bundle your home and auto policies. Try it at Progressive.com. Progressive Casualty Insurance Company and Affiliates. Potential savings will vary. Not available in all states.
This message comes from Schwab. At Schwab, how you invest is your choice, not theirs. That's why when it comes to managing your wealth, Schwab gives you more choices. You can invest and trade on your own. Plus, get advice and more comprehensive wealth solutions to help meet your unique needs. With award-winning service, low costs, and transparent advice, you can manage your wealth your way at Schwab. Visit schwab.com to learn more.
This message comes from NPR sponsor, U.S. Bank. With U.S. Bank Business Essentials, you get more than just a bank. You get a dedicated partner that provides you a powerful combo of checking and card payment processing with quick access to the money you've earned, proving that there is nothing as powerful as the power of us. Visit usbank.com today to learn more. Member FDIC. Copyright 2025 U.S. Bank.
Support for NPR and the following message come from Edward Jones. What does it mean to live a rich life? It means brave first leaps, tearful goodbyes, and everything in between. With over 100 years of experience navigating the ups and downs of the market and of life, your Edward Jones financial advisor will be there to help you move ahead with confidence. Because with all you've done to find your rich, they'll do all they can to help you keep enjoying it.
Edward Jones, member SIPC. Support for NPR and the following message come from American Jewish World Service, committed to the fight for human rights, supporting advocates and grassroots organizations worldwide working towards democracy, equity, and justice at ajws.org.
So the more I learned about how my data lives online, the more anxious I found myself becoming. I wanted someone to help alleviate that. So I went and spoke with Rebecca Skeet, the COO of Black Girls Hack. It's a nonprofit focused on training in technology and cybersecurity.
I've existed on the internet for most of my life. And during that time, I've had many accounts. I've been on Twitter. I've been on Instagram. I've had a Neopets account. Club Penguin probably has my social security number at this point. Like, am I already screwed? Like, is everything already out there that could be out there? I'm not going to say everything. Is there a possibility or likelihood that you have been impacted in some way by some breach at some point? Then the short answer to that is yes, it's possible. Is it likely? Yeah.
Probably. Okay, so Rebecca, not exactly coming in hot with the silver lining. But she did help me understand better that even though the digital genie might already be out of the bottle, I do have some control over the situation. I think the first thing that you can do is take power in the ways and the opportunities that you have to take power in. I read this quote one time that said that action is the antidote to anxiety. So what action can you take?
What action can you take? How can you do things like protect your social security number and credit score? Strategies like these are what we're going to be going through in today's episode. But first, I wanted to understand, before I take any action, what's at stake here? Does my digital footprint really matter all that much?
Which brings us to our first takeaway. Understanding the risks and understanding your risks. Anyone is susceptible to identity theft, and the consequences can be dire. But it's also up to each individual to determine what exactly is at stake for them and what action they can take to best ensure their protection.
To better understand my digital risks, I spoke with staff attorney for the Federal Trade Commission, Megan Cox. She's helped prosecute cases relating to online privacy and data security. She helped me define some questions like, who should I be worried about getting their hands on my data?
When I hear about bad actors, people don't mean like Nick Cage, right? They mean like something else. Like what is a bad actor online? Like what do they do? When we're talking about bad actors, we're talking about identity thieves and fraudsters. I should say, no shade to Nick Cage. He's still my favorite Superman. So to take a step back, I think defining the term identity theft is helpful. It's when someone's using your personal or financial information without your permission. It can include stealing your name and address.
credit card, bank account or financial information, social security number, or even your medical insurance accounts and information. Identity thieves might buy expensive tech with your credit cards. They can open up new credit cards or new accounts in your name. They can also start utilities, electricity, phone, gas accounts using your identity. They can steal your tax refund if they file a tax return before you get to it. They can use health insurance to get medical care and let you foot the bills.
And importantly, in many cases, they can destroy your credit score and leave you unable to get a line of credit in the future. This is all if you lose a hold of your PII, your personally identifiable information. This means things like your social security number, your SSN.
You can take steps to protect your SSN by not carrying your card with you, destroying documents that have it written down, and calling the Social Security Administration and asking them to place a self-lock on your SSN, which would make it harder for anyone to access your Social Security records, but it also may make applying for a job harder, so make sure to unlock it before you begin a job hunt.
You should also take care to not share freely information like your full name, your date of birth, your address, or your financial information. But there are other numbers that might not immediately come to mind as ways to perpetuate fraud or create risk of identity theft to you, like a passport number or a lost driver's license. There are ways that those forms of identification can be misused and cause problems. So we urge everybody to try to keep as much as their information and these documents as
secure and in your possession. While protecting your most essential information, like your SSN, is crucial for everyone, our experts recommend doing a kind of personal risk assessment. What assets do you have? What's at risk for you? Do you have a high or low risk tolerance?
For someone who is an influencer, their risk profile is going to be different from me. I don't have to share the level of things that someone whose livelihood is derived from what they do online. They're going to have to share locations and things like that, but they can still be mindful of how they do it. We're going to discuss the ways to protect yourself and your data, but all of these may not be applicable or useful to every individual. Think of it like a toolkit, and you can pick and choose what tools you need.
Rebecca with Black Girls Hack does want to make sure everyone understands that even if you think you may not be a target for identity thieves, you may still be at risk. Because I've heard a lot of people say, ah, well, if they get into my bank account, they're not going to be able to get much or whatever else. But if there are 100 people who have a dollar, you still get $100 if you get those 100 people, you know? And so they're not looking at it as a, hey, I have, this person only has $1. It's look at all of this low-hanging fruit. And
And consider that you may not even be the main target. It could be your company or a family member. The data you've shared online can be leveraged to convince someone else of something that isn't true, like that you're being held for ransom, say. Rebecca says when it comes to theft, you may not have to take every effort, but employing some basic protection can at least make it difficult and expensive for identity thieves to get your information, which may be enough for them to look elsewhere for targets.
That brings us to our second takeaway. Don't be an easy target. You can adopt a healthy skepticism to every interaction online. Rebecca calls this polite paranoia. It's a term coined by Rachel Toback with Social Proof Security. This means asking questions about how your data is going to be used, pausing and thinking twice before you hand anyone your PII. And then...
Be cautious, you know, with what you share online. You mentioned all those different platforms and places where your information may lie. We can still be guarded and cautious with the information that we share. Like before you fill out an online quiz or before you jump on the hot new meme, pause and think twice.
I used to love the things of, what's your Bridgerton name? It's the street you live on and it's your dog's first name. While you can do that internally, you can play the game and maybe text it to your friends. Don't post that online because oftentimes those questions and things that folks ask are...
are portals into your personal information that people often leverage for their passwords and things like that. They had one of those for NPR. It was like your favorite pattern of clothing and then what you had for breakfast this morning. The answer has absolutely nothing to do with anything pertinent to me, but argyle pancakes sounds fantastic. Yeah.
So right there, you can hear Rebecca does a quick risk assessment. You know, am I asking her for any personal information that can be leveraged against her? And she says she did the same thing when I first reached out to interview her. She paused, considered if what I was asking from her was suspicious or crossed a line, and then made an informed decision. Ask questions. If something feels weird, fine.
Ask questions. And because usually if it feels weird, it kind of is, you know, and it's okay to say you need this information. Why? What are you doing with it? It might not be you, but what if someone is able to leverage you, leverage the connection of being you, acting like you, or saying that they know you to then infiltrate or take advantage of a family member or your work? A method Rebecca champions is called take nine, meaning take nine seconds at least to think over any requests for your data online. Take nine seconds to think over any requests for your data online.
Take9 is also the name of an initiative between several cyber organizations. They encourage web users to take basic internet safety measures to ensure we all experience a safer internet. Some of the methods they and other experts recommend include updating your software often because companies use updates to fight the latest malware. You should also restart your devices at least once a week to apply software updates and improve performance. And you should be using unique strong passwords.
You can also consider using a password manager. Some popular ones are 1Password, LastPass, or NordPass. One thing that I've been wondering for a minute now is when you use a password manager, you're giving them everything. You're giving them passwords to all of your stuff. Is there a risk? Not a high one because...
So password managers employ, you know, they have strong encryption and other security measures to protect your passwords. Rebecca says password managers are often built with zero-knowledge architecture, meaning the manager doesn't have access to your passwords, nor do they have the key to your passwords. You're the only one who can access it, even if they get infiltrated.
But she says if you're still worried, you can take things one step further. Say your password manager has an autofill function. You can also add a special character at the end that only you are aware of, like a punctuation mark or a favorite number. My password is password 32. Think, okay, why 32? Because in Love and Basketball, that was the number of Monica, the lead character. And now you can never use that. Right, no, and I wouldn't. You shouldn't.
You should also turn on multi-factor authentication or two-factor authentication. That's where, besides entering a password, the site sends you a code via another method to ensure you're really you. The benefit of having that two-factor authentication in place is that even if someone were to get your password, they don't have that second factor, and it can at least be a block for a potential intruder.
One of the preferred methods is through an authenticator app, like Duo or Google Authenticator. I should note Google is a financial supporter of NPR. You can also get a physical passkey which plugs into your computer and enters a code automatically. Those aren't free though, typically, and are susceptible to loss.
You can also get a code via SMS text, but experts feel this is less secure because identity thieves can SIM swap or take control of your phone number and intercept your messages. It is better than nothing because at least there's some secondary step in place, but it would be, of them, the least protective. So maybe try authenticator apps first.
Now, you've got multi-factor authentication set up, you've got a password manager, you're being politely paranoid, you're taking 9. Congratulations, you are no longer the easiest target out there. And fortunately, after you've taken these steps, you can mostly forget about them. They're passive. Which is why you should also take some time semi-regularly to be active when it comes to your data.
Which brings us to our third takeaway. Clean up your digital environment just like you would your living environment. I do a digital spring cleaning. So delete unused apps, remove extensions, go through your accounts and web browsers and review your data and privacy settings, and delete your browser history. Clear your cache. Double check your public accounts to make sure they are not sharing any unwanted information. People, delete those old tweets. It's a good opportunity that...
Ideally, we should do it more frequently or as frequently as possible. But realistically, it's not something that people can do once a month or once a quarter. So at the very least, if when you're doing your physical spring cleaning, you do a digital spring cleaning and clear out those applications, you know, check to see the different extensions that you have that you don't necessarily use anymore, see what information those things are gathering.
Back up your devices on an external hard drive and dispose of old devices securely. This is to make sure they don't fall into the hands of bad actors who can dredge up information from any drives they come into possession of. This would also be the time to change your passwords. But remember to use unique, strong passwords for every account.
You may also consider using a data removal service if you can afford it, like DeleteMe or Incogni. They can check for your personal information across different databases and remove them for you. You can also consider a credit freeze. A freeze blocks access to your credit report, so no one can open a credit card or get a loan in your name.
You can do this with any one of the big credit reporting agencies, like what Megan Cox at the FTC calls the Big Three, Equifax, TransUnion, and Experian. If you are able to, you can consider a credit freeze. And this keeps people from being able to access your credit report for creditors to open new accounts. So if somebody wants to check your credit before giving it,
a new credit card, a new mortgage, they would be checking your credit report. And if it's frozen, they can't see it. And so they're very much less likely going to extend credit. So in that case, a fraudster would be blocked from opening a new credit account or a new mortgage, for example. Credit freezes are free, take only a few minutes, and you can thaw them at any time. Like if you need to apply for a loan or an apartment, just make sure to give it a little bit of a window for the thaw to go into effect.
You might also consider using a credit monitoring service. These agencies offer them, and so do other companies like LifeLock.
Those can detect potential fraudulent activity, track your credit score, and give you access to your credit reports, and sometimes offer tools and tips to boost your credit score. Now, I should note that even these big credit reporting agencies experienced data breaches. In 2017, Equifax, one of the big three, fell victim to a data breach itself that exposed the personal information of 147 million people. Experian suffered a similar breach in 2015, though not as severe.
Also, when you sign up for credit monitoring, a company's terms and conditions may ask you to waive your rights to sue the agency and may ask your permission to use and share the information on the legal data market. I think it's an individual bargain that every consumer kind of has to determine for themselves if engaging with a credit monitoring service would be appropriate.
Yeah.
It's true. You can opt out from the big three selling and sharing your personal information. You just have to follow the steps on the website's privacy page. That's in regards to the legal sharing and selling of your data. But going back to your personal risk assessment, do you prefer to have credit reporting in case your data gets leaked, knowing that your data might be at risk of a leak with one of these big three credit reporting agencies? That's ultimately up to you to decide.
Another item for your digital spring cleaning? Consider using antivirus software, or what's known as a VPN. A VPN, or virtual private network, is like a tunnel you can use to protect your data from anyone who wants to access it, like identity thieves or data harvesting companies. Many people choose VPNs to provide more private browsing, but you should also be cautious about VPNs, since whatever company offers it will have access to that data. And just like all the other strategies we're talking about today, they're not bulletproof.
Experts recommend ProtonVPN or NordVPN for the best privacy at low or no cost. And if you are worried about cost, Rebecca says you don't always have to shell out on privacy products. A lot of products come native to your device. You can start there and see if it's doing the job you'd like it to. Just because it's free doesn't mean it's good, but just because it's free also doesn't mean that it's bad.
And on that note, one more practice to pick up during your digital spring cleaning. Talk to your friends and family about their digital environments. Encourage them to do their own personal risk assessment. Walk them through the different tools that are available to them. This goes for the less tech literate or, say, children learning how to interact on the internet for the first time. Make sure that you're not the only one who's having a hard time.
Megan recommends talking them through the digital best practices and understanding what information they shouldn't share online. She also recommends freezing their credit, at least until they're old enough to begin doing things like taking out a student loan or renting an apartment.
And then finally, locking down their social networks so that they're not sharing information more broadly than they are intended or communicating with individuals that parents might not be aware that they're communicating with when they're, you know, starting online as a new digital citizen, I should say. Similar to fighting infectious diseases, if each individual does their part to protect themselves, we all become a lot safer in the digital world.
And by the way, not all of this has to get done immediately. Any little bit helps. Maybe today you set up a VPN and a week from now you change five of your passwords. Or maybe you set aside an afternoon to do a total clean sweep, checking off all of the above. Remember, action is the antidote to anxiety. So if you're feeling anxious, combat it with some small action to take charge of your digital security. But what if the worst happens? What if we do end up having our data leaked in a breach?
Well, that brings us to our fourth and final takeaway. Don't panic. Megan Cox has been there before. I have received a lot of letters about different data breaches, exposures of information. And some, they range in the circumstances they provide about what might have happened or what information is exposed and different offers that you might get as the consumer who's impacted. This would be the time to see what offers the companies are giving you. They may offer you free credit monitoring, credit reports, or a credit freeze.
all of which you can consider with the caveats we mentioned before. So if you receive a letter in the mail saying your data has been exposed, we would urge you to go to identitytheft.gov and find out what you can do next to learn about steps to take to mitigate any potential harms.
If someone does attempt to use your personal information to impersonate you, you can file a report at identitytheft.gov, and they will walk you through the next steps there. It is important to begin a paper trail validating the identity theft. That may help you in the future, like if you have to go to court.
Rebecca says you most likely will have to be vigilant after that point about suspicious activity. If you have been compromised, there are websites like haveibeenpwned.com where you can enter your email address and see what breach has potentially been involved in. And it'll also say what information might have been compromised. This would also be the time to go back to our previous takeaways. And if you haven't taken action, start now. Do a digital cleaning, lock down your accounts, set up two-factor authentication, and delete apps and accounts you no longer need.
And then from a financial credit card account standpoint, make sure that you're watching your charges or new accounts opening your name. And if you see something that looks anomalous, place, you know, a fraud alert or a credit freeze with major credit bureaus. Don't waste time berating yourself. Pivot. OK, if it's something if it's a personal email, you think your email has been your password has been compromised. Change your password.
And if your information has not been misused yet, you don't necessarily need to make an FTC identity theft report, but you can still go to the website to learn about all those next steps.
So I know this all can be overwhelming, but it doesn't have to be. Think of this like your home security. Not everyone needs round-the-clock guards and watchdogs. For most people, just taking common-sense precautions can make you less of a target, and you can always reassess and pivot. Our experts recommended just a skeptical disposition and to always be aware of your risks.
Consumers should be vigilant. I think that there's a lot of data that's circulating in our ecosystems, whether it's on social media or your device or on the different Wi-Fi networks you're navigating to. You know, there are vulnerabilities in these systems. And so understanding that your data is circulating out there and taking steps that make sense for you
On that note, it's time to recap our takeaways. Takeaway one, understand the risks and understand your risks. Assess your personal stakes. What assets do you have that are vulnerable and how can you protect them? Do you have family members or company information that bad actors may be interested in? What tools are available to you to help address those? Takeaway two.
Don't be an easy target. Make it slow and expensive for someone to get your data. You can do this by using a password manager, turning on automatic updates, and using multi-factor authentication for your accounts. And remember, if someone asks for your personal information, be politely paranoid and take nine seconds to pause and evaluate your risks.
Takeaway three, do your digital spring cleaning. Clean out apps, extensions, and update your public-facing accounts. Consider products like credit reports, VPNs, or antivirus software, but understand the risks associated with those and know you can always begin with free software before investing in paid products. And talk to your family about their risks and best practices. Takeaway four, if your data gets leaked, don't
Don't panic. Change your passwords and stay updated on the situation using either a credit reporting agency or Have I Been Pwned? or both to know if your information is out there. You can visit identitytheft.gov to go through your options. That was producer Sam Yellow Horse Kessler.
For more Life Kit, check out our other episodes. We have one on avoiding scams and another on how to spend less time on your phone. You can find those at npr.org slash life kit. And if you love Life Kit and you just cannot get enough, subscribe to our newsletter at npr.org slash life kit newsletter. Also, we love hearing from you. So if you have episode ideas or feedback you want to share, email us at lifekit at npr.org.
This episode of Life Kit was produced and reported by Sam Yellow Horse Kessler. Our visuals editor is Beck Harlan, and our digital editor is Malika Gharib. Megan Cain is our senior supervising editor, and Beth Donovan is our executive producer. Our production team also includes Andy Tegel, Claire Marie Schneider, Sylvie Douglas, and Margaret Serino, who also provided production help for this episode. Engineering support comes from Zoe Wangenhoven. Special thanks to Amanda Aronchik, Keith Romer, and Meg Kramer.
I'm Mariel Cigarra. Thank you for listening. This message comes from NPR sponsor, Shopify, the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the U.S. Get started with your own design studio. Sign up for your $1 per month trial at shopify.com slash NPR.
Support for this podcast and the following message come from Thrive Market, built for those who value transparency in their food. Organic first, clean label groceries, all delivered. Get 30% off and a $60 gift at thrivemarket.com slash podcast.
This message comes from NPR sponsor, Viore, featuring the Performance Jogger. Visit viore.com slash NPR for 20% off your first purchase on any U.S. orders over $75 and free returns. Exclusions apply. Visit the website for full terms and conditions.