My 9-year-old son was recently devastated to find out someone had hacked his Roblox account. Not only was he locked out, this person had logged in and changed how his character looked, spent all his ‘Robux’ and was just generally being a jerk to all his friends while they all thought it was him. Eventually we were able to recover his account, but it was difficult to undo all the damage that was done.

You’ll see the same sort of thing happen on Facebook, someone’s account will get hacked or an imposter profile is created with their picture to confuse their friends and family. Maybe it’s even happened to you or to someone you care about, and if that’s the case you know how violated that makes you feel.

Facebook and Roblox accounts being hacked is awful, but it’s also become fairly common place. A much scarier thought to consider is hackers can use similar tricks and tools to gain access to other online accounts, such as your bank, credit card and even your retirement account. If someone gains access to those accounts, it will likely not be as easy to detect as a FB or Roblox hack. You may not know about it until it’s too late, and the repercussions could be devastating.

Security’s definitely not what I would consider a fun topic. It’s not something I would typically choose to write about, but after that incident happened with my son, I had a friend share a very similar story. They asked me for some advice on how to protect themselves, so after doing a little research I put together a few defensive measures I thought might also be useful to other folks.

Please be aware, this is not intended to be a comprehensive list, and is based primarily on my own experiences. My intent is not to sow fear, but it’s important to recognize that being hacked is becoming more and more common. We need to stay vigilant, but that can be difficult within this complex and ever-changing technological landscape. It’s not always clear what actions you should take to protect yourself and your family online, so I’ve compiled the list below of some helpful actions to get you started.

1) Enable Multi-Factor Identification (MFA) on your online accounts
If you do nothing else, this is the biggest and best security tip on this list. I can’t stress enough how important this is to protecting your account. If you’re not yet familiar with MFA, you should think about about it as adding another independent verification step when you login to your account (usually through your mobile device).

As an example, when you log into your online bank account you’re prompted to enter your username and password. Once those have been entered correctly, but before you gain access your account your bank will send you a text message or email verification with an Activation Code. This adds an extra step to the login process, which may slow you down, but it definitely makes it much harder for anyone who is not you to access your account. At the very least, if you do nothing else, I recommend you have MFA authentication enabled on your bank, credit and other critical financial accounts.

MFA authentication is not a magic bullet, though. There are still ways to hack around it and potentially access your account, but it makes that process much more difficult and time consuming, so much so that hackers are typically not going to deem that worth the effort.

2) Install an Authenticator app on your mobile device
Closely related to the first tip, you should consider installing an ‘Authenticator’ app on your mobile device. Both Google and Microsoft make a version of these that you can find it the App store, and many online sites are embracing them for MFA authentication. These replace the SMS/email verification messages, as those requests are instead sent to your Authenticator app over an encrypted connection. A unique identifier from your device is sent back along with the verification code which makes it very difficult to mimic. Not only is this method of MFA more secure than SMS/email, it’s arguably easier. In most cases you just approve the request directly in the application itself.

3) Sign up for a personal Virtual Private Network (VPN)
Many of us are familiar with using a VPN for work or school, and the idea here is very similar. The goal of using a personal VPN is to protect your browsing history and any other information you share online from being ‘sniffed’ by hackers on wi-fi and tracked and sold by corporations such as your internet provider (or other upstream companies). Just because you’re using ‘In Private’ mode on your browser doesn’t mean that request is not going to be collected and used by your internet service provider and then sold to the highest bidder. ‘In Private’ really just prevents the website from accessing your local cache (aka cookies), and also prevents your browsing history from being collected locally on the device itself.

With a personal VPN configured, your device will create a secure connection with a remote server (in any part of the world) which receives and handles the requests and messages discretely to preserve your privacy. That may sound complicated or something that will degrade your online experience, but it’s really not. These are fairly easy to setup, and after the initially connection you will forget it’s even there working to protect you in the background. An additional bonus to using a VPN is you can get around some of the regional content restrictions Netflix and other companies use to screen content. If Die Hard is only playing in Germany, for example, select a server in Germany and it’s ‘Yippie Kai-Yay, mother farters!’

You’ll need to be a bit careful when you pick the right VPN company, though, as there are some not great ones out there. Stay away from any’free’ ones because it’s likely that company is planning to collect and sell your information for a profit, which is exactly what you were trying to avoid in the first place. The good ones charge a small monthly fee (typically 5 to 10 bucks), but it’s well worth it for the protection they provide. Personally, I use Nord VPN, which is one of the industry leaders but there are plenty of other options out there.

4) Install a Password Manager app
Of all the things I learned during my recent research, this one surprised me the most. The traditional advice is to use different passwords for each account and never cache or store those on your machine where someone can get to them. Unfortunately we’ve moved to a place where we each have 50 accounts and remembering all those passwords is nearly impossible. Most people tend to use the same password for every site (which is bad) and it’s typically some combination of their kid/pet names and birthdates (also bad). Hackers know this, of course, and they have tools readily available on the dark web which will hammer an online site requests until one gets through. There’s also a list of all the password ever found in a security breach that’s available on the dark web, so if you use the same password for everything and that for more than a year there’s a good chance they already have it. Even if they don’t, they have the capability to combine all your socially media posts and publicly available information and blitz through every combination of those in minutes.

All that sounds very scary, and it is, but these Password Manager apps offer a one-stop solution to securely store all your passwords. There are several companion apps so your password list is shared across your computers and mobile devices. They also often offer a web browser ‘Add-In’ that recognizes the site you’re on and can auto-fill the password. The added bonus is they look across accounts to help you identify and fix any vulnerabilities, such as those easy to guess or reused passwords, and they can randomly generate a stronger password for you. ‘Strong’ passwords are essentially a string of random characters that you will never remember, and luckily enough you won’t have to. I’m using an app called ‘Nord Pass’ which is through the same company that provides my VPN, but you can do this through Microsoft’s Authenticator app and other tools.

For those that are cost conscious, an alternative, free, low-tech approach is to create your own random passwords, write them in a notebook and lock that in a safe or lockbox, etc. Please don’t keep that right next to your computer, but you’ll need it in a place you have access to it and reference it when you’re online. Be sure to make each sites password random and unique, and stay away from the easily guessed text like pet names and anniversary / birth dates.

5) Change your login from an email address to a funky-fresh username
Similar to the password advice, create a strong username to go along with you strong password whenever you have the chance. You may have noticed some sites are moving away from using email as a login, and back to the username / password combo. Email addresses and phone numbers are unique to each person, which makes them a great identifier to use for an account, but they have the distinct disadvantage of making the first value in the account login process too easily guessable. A custom username that’s strong adds an additional variable which makes your account more difficult for these automated tools to hack.

As a side note, it’s recommended when you’re prompted to set up personal security questions like mother’s maiden name that you ‘strategically lie’. For example, the value you enter for ‘Mother’s Maiden Name’ question could be ‘DolfinsRule2021’, etc. The company doesn’t care that your not sharing the correct value, they just want to have a way an additional way to verify you are you. The downside to this approach is you either have to make is super memorable, record those somewhere, or follow some other pattern you will remember. This may seem like overkill, but if you’ve ever entered the name of your first pet, your elementary school of your mother’s maiden name it may have been leaked and already be out there on the dark web, so to prevent those from being used as a backdoor some experts recommend this added security measure.

6) Install the latest OS updates ASAP
Yeah, I know. These updates always seem to pop-up at the worst time, but it’s critical to make sure your computers and phones have the latest OS updates. Whether your device’s OS is made by Apple or Microsoft or Google, hackers are always looking for vulnerabilities to exploit. Once those have been identified, a security patch is created and released as an update. For your protection, I recommend you install updates as soon as they come out, or shortly thereafter. If you can’t do it immediately, then try to at least do it that same day. Scheduling it to run overnight is probably fine, but you’ll need to remember to leave your machine on.

Please don’t rely on virus scanning software like MacAfee or Norton to protect you. Nothing against that as an extra layer, but virus scanning software is less necessary if you stay diligent about keeping your OS patched and up to date. In fact, in my personal experience it’s often these ‘anti-virus’ programs running in the background that will slow your computer down, especially if it’s a bit older (your mileage may vary).

Most devices check for updates automatically, but it’s a good idea to manually ‘Check For Updates’ every few days, especially if you’re noticing any weirdness like pop-ups or command windows mysteriously opening. If you run into the situation where your computer is not able to connect to the update service or install the updates, that’s really not a great sign. You should try running the Troubleshooter, restarting your computer or try an offline update or anti-virus scan. If you’re still unable to fix it, this is not something you should ignore. Disabling the update service is fairly standard for malware these days, so this most likely means your machine has been compromised. I would strongly consider making sure your local files have been backed up and then reinstalling your operating system.

7) Upload pictures and other critical files to a cloud storage account
If you’ve used a device in the last ten years chances are you already have a OneDrive or iCloud storage account (or both). Many devices are already integrated with these ‘cloud storage’ services and are potentially already syncing some of your files to the cloud (iPhone pics to the Apple cloud, etc). There are also third party services like Dropbox you can consider which may have different features or a better price point.

Files stored in the cloud can sync across your devices, and you can even send a link to your friends and family members to share a photo archive, for example. Each of the cloud storage services is built with redundancy, which makes them a great insurance policy for preserving your most important information. Another advantage is you don’t have to stress about losing anything in the unlucky event your device is lost or stolen or hopelessly polluted with malware.

8) Don’t be afraid to ‘Reset To Factory Settings’
Reinstalling you operating system or resetting a device to the factory settings is definitely the nuclear option for addressing security and performance issues, but it’s one you should keep in your arsenal. Just like you should get in the habit of changing your password every few months, it’s not a bad idea to refresh your device configuration every so often as there may be malware there that hasn’t been detected.

This is not something you should take on lightly, and I understand many people may not be comfortable with it. The important thing to remember is your device is not a magical treasure chest of information. Not anymore, at least. Most of our games and software is digitally licensed so it can be downloaded and installed again. Chances are the apps you most use follow this pattern, but you should consider that before you reinstall. Even if you don’t have any malware, there’s likely apps on your device that you used once and then forgot about that could be mining for your personal information or habits (more on that below).

An alternative (and less severe) approach to this is to set a ‘Restore Point’, which is essentially a snapshot (or image) of the configuration of your device at that point in time that serves as an insurance policy. You can create these snapshots at anytime, but the best time I’ve found is right after you’ve reset your machine and installed and configured those critical apps and services. This does take time to do and requires a bit of forethought, so if you don’t have a restore point don’t worry about it. Just make sure your files are backed up to the cloud (or an external thumb drive) and then reset the machine.

9) Cover your webcam with a piece of masking tape
Yes, those cameras can be hacked. Just because the light isn’t on doesn’t mean it isn’t on. Mark Zuckerberg covers his, which is a good indication that you should as well. If you think tape looks tacky, you can go on Amazon and buy a fancy cover that fits over it and flips open when you need it. The bottom line is if you’re not using your camera then it shouldn’t need to see you. Unless of course you really want to impress hackers with the dancing and singing abilities you display when you get out of the shower. Hey, whatever works man. You do you.

10) Don’t get weird on the inter-webs
Hopefully this is common sense by now, but it still happens to the best of us so it bears repeating. Don’t visit any sites or install or open anything that’s not from a trusted and verified source. Consider the context before you download of is publisher of the app and the web site legit. If the site has a bunch of noisy banner adds and makes the download link small and hard to find, you should abort or you’re going to have to spend the next couple day trying to figure out what’s going on before having to reinstall your machine. Keep in mind that malware usually comes disguised in the form of app you really want like Meme Maker 3000. This is also true for sketchy emails, avoid clicking any links or opening them unless you’re confident of the source.

11) Build Your Own Circle Of Trust
Who can trust, though? How do you know? That can tough, admittedly… Internet baddies don’t go around wearing black hats or ski masks. We all have brands and companies we trust and are loyal to so I won’t provide a list here, but a good rule of thumb is you’re probably okay if you’re downloading from a major corporation like your bank or through the Google/Apple/Microsoft’s online app stores. Those apps have at least been put through some level of scrutiny.

Important caveat to remember is that even legit apps can operate in the background and collect information about you in a way that you might not be aware or approve of. Remember that user agreement everyone just clicks ‘okay’ to but never reads so they can get on with their lives? Well, that’s you giving up your privacy and legally providing them with permission to do that.

There are companies like Microsoft that operate with integrity and do a great job respecting and protecting privacy, but I recommend you do your own research to find out who those are. Sharing usage data will help help improve the product or service and customize your experience, so I wouldn’t rule it out completely, but you should make a habit of understanding just how much information each company collects and how they intend to eventually use it.

Corporations operate with the overriding goal of making money, and your data is very valuable to them. So much so. that some companies reach outside of the scope of your usage of their app and collect seemingly unrelated data about you so they can sell that in-turn to other companies or use it to otherwise monetize you on their platform. Perhaps you’re cool with that, but everyone draws their own privacy line somewhere. For me it’s the shower thing.

For better or worse, our devices have become integral parts of our lives. They have ability to affect our mood and make us happy or sad or frustrated, but for all the emotion we ascribe to them or derive from them in the end each of them is just a tool. They are little more than the interface we use to connect to the larger digital world. Today we rely primarily on our phones and PCs for that purpose, but in the next 20 years we’ll see a full spectrum of new device types coming online. We can see that happening already with our streaming TVs and smart watches and robot vacuums.

The paradigm shift we’re witnessing of connected devices is called the ‘Internet-Of-Things’ (aka IoT). There’s amazing promise and potential for improving our lives by making things safer and more convenient, but increasing our dependency on technology also has a downside (as I think we can all attest). Widespread automation and integration adds tons of additional complexity and potential risk. We’re in the early days so there’s bound to be some growing pains, so it’s up to each of us to be diligent and vigilant about protecting ourselves and our loved ones in this bold new world of connected devices.

Thanks for reading all this fraught and somewhat mind-numbing information! Remember, just because you’re paranoid doesn’t mean everyone is not out to get you. Now quit worrying and get back to those cat videos. 😛