Nicole Perlroth covers cybersecurity and privacy. Last week she wrote on Home Depot’s confirmation that hackers had broken into its in-store payments systems in what could be the largest-known breach of a retail company’s computer network. She shares her thoughts on security and personal data with Times Insiders.

Q.

You’ve written about Russian hackers, financial malware, attacks on J.P. Morgan’s bank-server security and on Middle East petrochemical plants. Does your reporting make you paranoid about your own data?

A.

Of course. I wrote about a cyberattack at the Chamber of Commerce a few years back. Six months after security teams and the F.B.I. cleaned up the Chamber’s systems, a printer in their Washington offices was still communicating with an I.P. address in China. So was the thermometer in one of the Chamber’s corporate apartments. There is a lot to be paranoid about.

I try to do as much as I can to protect my data, but so much depends on the security practices of the companies to which we have willingly handed our data and to those that took it without our knowledge.

At some point, I just sort of threw my hands up. If Chinese or Russian hackers want to read my texts with my fiancé, they’re going to do so. I’m just irritated that it’s slowing my Internet connection.



Q.

Before throwing up your hands, what do you do to safeguard your personal data?

A.

I don’t hand my email address or birthdate to retailers. I use my credit card to make purchases and try to abstain from using my debit card unless I’m at a bank. I do not use self-checkout systems at merchants, because those are often the first place hackers will scan.

For my own personal data, I use long, complex passwords. I also use two different web browsers — one for browsing to my email and bank account, the other for e-commerce and general web browsing.

I switch on two-factor authentication wherever I can. I try not to say anything in an email or text message that I wouldn’t mind a stranger reading. I am very careful about the ways in which I communicate with my sources. I use Wickr, a mobile app that encrypts and self-destructs messages. I also use Silent Circle, which allows me to place encrypted phone calls. There are some sources I will only meet in person, which is inconvenient to say the least, but that is the world we now live in.

Q.

Have you changed your computer security much since you started writing about hackers and computer security breaches?

A.

I get a lot of strange looks because I put masking tape over the webcam on my computer, but the last thing I need is a hacker watching me while I work.

Q.

What’s the biggest threat hackers pose to ordinary people and their personal data?

A.

If somebody steals your credit card number, your bank will reimburse any fraudulent charges. To me, the bigger threat is that someone will use my stolen data for identity theft and tank my credit score. Hackers are actively selling medical records on the black market. My worst fear is that someone would use my medical identity and pollute my lifetime medical records.

Q.

What can readers/all of us do to protect ourselves?

A.

Be vigilant. Don’t give your personal data away willy-nilly. Use strong passwords. And by strong, I mean long and not a word from the dictionary. Don’t use the same password across multiple accounts. If one gets compromised, they all get compromised. Turn on two-factor authentication. Treat your email and text messages as if these are public conversations. Use your credit card when you can instead of your debit card. Ask companies why they need your data when they ask for it.

Q.

And what is the worst-case hacking scenario?

A.

A cyberattack with physical consequences, such as an attack on a watershed or petrochemical company that would poison our water systems or cause an explosion. The United States and Israel proved that kind of attack is possible when they took out the uranium supply at an Iranian facility with a computer virus. The good news is that those who have the abilities to pull off such an attack are sufficiently deterred from doing so.

Q.

Yikes. How imminent or likely is that?

A.

I don’t want to speculate because there are plenty of fear-mongers out there and I don’t want to do their bidding. But the reality is that cyberattacks will play a very prominent role in any real world conflict going forward.

Q.

What’s the next likely development on the cybersecurity beat — what are you watching for?

A.

Retail breaches will dominate my beat for some time. The Secret Service estimates that 1,000 United States companies have been hit with the same attack that compromised Target and Home Depot. Many of them don’t even know they’ve been breached. But many are hushing it up. Let’s just say I have my work cut out for me.