Honesty is the best policy--unless you're dealing with someone you can't trust.
The sad fact is, you can't trust anyone on the Web. Just ask the millions of people who signed up for Sony's PlayStation Network and who now must protect against possible hack attacks on their bank accounts and other private data lost due the recent data breach. CNET News reporter Erica Ogg explains the company's response to its customers in herblog.
Sony claims the credit card information was encrypted and did not include the cards' security codes; the company also encrypted PSN users' passwords, but Sony still recommends that its PSN customers take precautions as an added level of safety.
Unfortunately, there's not much you can do to protect your personal information once you've volunteered it to some organization's Web servers. The key is to ensure whatever data you provide can't come back to haunt you.
Limiting the damage of a data breach
You might think the loss of your credit card number would be the most serious threat, but many analysts consider a hacked e-mail address and other lost personal information more dangerous in the long run. The Electronic Funds Transfer Act limits the damage of a lost credit card to $50 if the business is notified within two business days after you realize the number has been stolen and to $500 if it is notified within 60 business days.
The limit applies only to credit cards, not to ATM/debit cards. So be sure to use only credit cards when making online purchases. It's even safer to use a temporary credit card number for Web buys. Most major banks offer their customers temporary numbers that charge back to the account without disclosing the actual numbers. The temporary numbers expire after 30 days or some other relatively short period.
Bank of America's ShopSafe service is available to any of the company's online banking customers. Likewise, Discover Card lets you create a secure online account number. Note that the temporary numbers can't be used when purchasing event tickets or other times when the card itself will need to be presented.
Last September, PayPal discontinued its PayPal Plug-in for Internet Explorer and Firefox that automatically generated temporary account numbers. PayPal's purchase protection is described on the service's Security & Protection page.
Use throwaway e-mail addresses, alter egos
E-mail addresses are golden to malicious hackers because they offer nearly unfettered access to your attention. Even cautious people can sometimes be tricked by an authentic-looking message from what appears to be a trusted source. And once a hacker has induced you to click a bogus link, your machine and the information it holds belongs to them.
Gmail lets you create a temporary e-mail address simply by typing a plus sign after your sign-in name and then whatever identifying text you choose, such as "email@example.com". Of course, this isn't much protection against someone figuring out your real e-mail account name.
A better solution is to create an entirely new Gmail account to use only when signing up for Web services and then redirect mail sent to that account to your everyday account. To do so, open the mail settings for the temporary account, click the Forwarding and POP/IMAP tab, choose "Forward a copy if incoming mail to," and enter the address you wish to send the mail to.
You can create a filter that automatically sends the mail from that account to a separate folder (or label, in Gmail-speak). If the account is ever compromised, simply stop using it and undo the forwarding.
Another approach is to use a temporary e-mail address generated by a service such as Guerillamail.com, 10 Minute Mail, or Mailinator. All three services generate throwaway e-mail addresses automatically that last long enough for you to receive a confirmation e-mail from the service you're signing up for. No registration or password is required.
On Guerillamail.com and 10 Minute Mail, the address disappears in an hour or 10 minutes, respectively (you can ask 10 Minute Mail for an extra 10 minutes). Mailinator lets you access the account indefinitely, but since it is accessed without a password, anybody who knows the account name can get in.
In addition to your credit card number and e-mail address, Web services may require--or at least request--other personal information. Unless the company will be shipping something to you, there's no need to give out your street or mailing address.
You may need to use your real name to verify it's the same as appears on the credit card you're using, but you should be able to leave all other fields in the service's sign-up form blank, or if some entry is required, create an alter-ego. For example, when a service requires that I fill in my birth date, I use the earliest date it allows, such as January 1, 1905. I get a big kick out of seeing the geriatric-aid ads this generates.
Be careful not to violate the company's terms of service when you complete registration forms with less-than-honest information. Still, I avoid sharing any personal information with a site unless the company needs to know it. Apart from a name, credit card number, and e-mail address (and maybe shipping address), there's really not much more any site needs to know, is there?