If you haven't thought much about how to stay safe online, it's high time -- especially after the massive hack of the consumer credit reporting agency Equifax, which may have compromised 143 million people’s Social Security numbers and other personal data. Many experts say identity-theft services such as LifeLock, with their pricey monthly fees, aren't worth the money and do little to help prevent data theft in the first place. But many online safety steps are common-sense and free, or nearly so, whether they guard against opportunistic thieves hoping to make off with a credit-card number or sophisticated cybercriminals holding your files for ransom.
Home Wi-Fi that isn't locked down leaves untold amounts of personal data vulnerable, and a quick, two-step checkup can go a long way toward minimizing risk. For starters, home Wi-Fi should be accessible only with a password -- otherwise cybercriminals can see any information sent or received. Another vital security check: What kind of data encryption is used by the network? Most experts recommend Wi-Fi Protected Access 2, or WPA2. If it's not listed as an option, consider upgrading to a new router.
Antivirus software protects against malware, which can range from the merely annoying (constant pop-up ads) to potentially harmful (viruses that can damage or delete data, or allow others access to it). Protection doesn't have to be pricey: PCMag's top picks start at just $20. One common question is whether Apple users need an antivirus program. In short, it's still a good idea -- while Macs are less susceptible than PCs to viruses and other malware, they aren't bulletproof. At least try a free option.
The basics bear repeating: Passwords don't belong on easy-to-find sticky notes, and they should be different for different sites, so one cracked password doesn't allow access to everything from email to bank accounts to a Facebook profile. Strengthen weak, easily guessed passwords using a combination of letters, numbers, and characters that would make little sense to anyone else. (To make it easier to remember, try condensing something like "My grandson Max was born in June 2010" to "GsMxb610!") Some experts even recommend using entire phrases -- "passphrases" up to 64 characters long -- where permitted. They can foil hackers as easily as nonsensical passwords, researchers at Carnegie Mellon University say.
Many websites require just a username and password to log in. Two-factor authentication, also called two-step authentication, requires another step before granting access. A user might need to answer a security question such as, "What was your high school mascot?" Other sites or services might send an email or text message with a PIN or code. A list of websites that support two-step authentication is at Two Factor Auth.
Smartphones and tablets need to be secure too. Make sure they're protected by a PIN or passcode that's hard for a stranger to guess -- don't use "1111" or the like. Some recommend making the passcode as long as possible and using a mix of letters, numbers, and characters where the device allows it. It's also a good idea to enable built-in tracking services, such as "Find My iPhone" for Apple devices. They can help figure out whether a device has been lost or stolen, and even lock it or wipe it clean remotely to prevent strangers from accessing your information.
Fraudsters "phish" for information such as credit card or bank account numbers by posing as legitimate institutions such as banks, employers, or Internet service providers. Some may impersonate friends or family members having an emergency and needing money urgently. The best defense against phishing is skepticism. Most legitimate institutions will never request personal information over email. Instead of clicking any links in those messages, call and verify that the request is legitimate. The same goes for suspect messages from "family" or "friends" -- use your own contact information to get in touch or, as the Federal Trade Commission recommends, ask questions to which a cybercriminal wouldn't know the answer.
It's annoying to be surfing the web or working on a document and see a box pop up to warn of software updates -- but those updates are important. Developers are constantly finding new vulnerabilities in computer hardware and software, and cybercriminals are always looking for ways to exploit them. Checking for updates regularly instead of relying on the annoying prompts reduces the risk of falling for a phishing scheme disguised as a legitimate update. Mac users can check the "Updates" tab in the App Store, and PC users can do the same in the Windows store.
A website requiring sensitive data such as credit card numbers should use an encrypted connection, which scrambles information during transmission so it's useless to hackers. More websites than ever are using these encrypted connections -- Google says it's seen a 70 percent rise in server requests from encrypted connections in the past couple of years -- but not everyone's aboard. The easiest way to check for an encrypted connection: Look at a site's URL in your browser's address bar. If it begins with "https" instead of "http," that's good. A closed padlock is also a good sign.
Sharing every detail of our lives on social media has become the norm, but that doesn't mean it's wise. The information can enable identity theft, and also be used to commit offline crimes including stalking, according to the National Cyber Security Alliance. Use a little common sense: Make profiles visible only to family members and true friends. Don't accept requests from anyone you don't know well. And reconsider posting anything potentially sensitive, such as your birthday, address, or employer. Sharing vacation photos before coming home can be an invitation for a burglar, who now knows there's time to ransack a home undisturbed.
That wireless hotspot at the local coffee shop is convenient, but it's also a prime spot for hackers to gain access and plant malware, or even steal data to see whether there's anything useful. Verify that networks are legit before connecting, and make sure computer and smartphone settings don't let them connect to unknown networks without permission. But the easiest way to stay safe is not to do anything remotely sensitive over public Wi-Fi, including banking and online shopping -- and maybe even using social networks and email. If that seems impossible, experts recommend using a virtual private network. Some VPN data encryption services are free, although they may be ad-supported or limit the amount of data that can be used.