Do You Even Need Antivirus Software in 2024?
20 April 2024 | 5:50 pm

The internet is full of outdated cybersecurity advice that just won’t die but should, like “public WiFi is unsafe” and “you should change your passwords regularly.” For the more pedantic in the crowd, yes, these pieces of “advice” do have tiny grains of truth under the layers of logical fallacies – public WiFi does come with some small risks (mostly in the privacy department, for the average individual) and changing your passwords regularly can have some potential benefits (mostly for companies). But generally speaking these are outdated pieces of advice from a different era. I’ve written before about how technology changes and those idioms are prime examples: back before the nearly-ubiquitous adoption of TLS, public WiFi presented considerably more risks. But the times have changed and that advice is no longer applicable. So on that note: let’s talk about antivirus.

If you’re like me, you’ve had more than your fair share of Windows computers that come bloated with all kinds of crap you didn’t ask for and will absolutely never use – I’m looking at you, OneDrive and Candy Crush. Antivirus is a frequent offender. Sometimes it’s AVG, sometimes it’s McAfee, sometimes it's someone else, but there’s always a universal constant: nobody really uses it. Even if you do believe in antivirus, there’s almost always a different service you’d rather use so the defaults end up just sitting there, cluttering up your device and swindling the less tech savvy out of their money for an – at best – inferior product.

The more I think about those dark days, the more I realize how much antivirus seems to be one of those outdated zombies. I never see YouTubers shilling antivirus, and the only time I see it pop up online is when people are making memes about it. In fact, I’m fairly sure we did use some of those inferior products back when I was in high school on the family computer and I’m pretty sure that still never stopped me from putting viruses on there like crazy because I was a stupid teenager who didn’t know how to be safe online. I also never read any stories about ransomware or hacks that could’ve been prevented if only the company in question had updated their Norton subscription. So that begs the question: is antivirus even relevant anymore?

Veteran readers already know my stance on this. My answer is “no, I don’t think you really need antivirus anymore.” There’s a lot of reasons I feel this way. For starters, modern security measures taken by manufacturers have come a very long way. Macs, for example, are notoriously secure, so much so that there’s a misconception that you can’t get malware on a Mac. That’s not true, but it is quite rare because of the immense number and quality of security measures that are baked into modern Mac devices. Windows has long trailed behind on security but has been making strides in recent years. The built-in Windows defense tool – appropriately called Windows Defender – has gone from being virtually useless to pretty robust and experts agree that it’s adequate for most users. Additionally, Windows 11 has made huge improvements in the security department and has learned from many of the mistakes that made past Windows editions the butt of many security jokes. That’s to say nothing of mobile devices, which have especially avoided many of the shortcomings of computers. Most mobile devices are incredibly hard to infect; attackers instead have to resort to tricking users into downloading a malicious app. Even if infected, the vast majority of such malware can be easily removed by simply removing said app and rebooting the phone.

I also pointed to the news and the existing landscape as further evidence. As I said before, I have never once read a story that said that a company was compromised because they didn’t renew their antivirus subscription. The closest I’ve seen is companies who fail to update their software, but that can happen regardless of what the software is or how current the license is. Instead, the vast majority of compromises occur through phishing, social engineering, and other methods that convince the targeted user to hand over their own credentials or download malicious software or otherwise convince the target to somehow give the attacker access. If I convinced you to unlock your door and then I forced my way inside the house, that’s hardly the same as arguing that the door (or walls or windows) failed or that you should’ve renewed your ADT subscription. That’s basically what happens most of the time.

Now, in the interest of fairness, cybersecurity is a complex topic and this is no exception. I stated earlier that sometimes outdated “best practices” like the dangers of public WiFi and commonly rotating passwords do have some exceptions, and antivirus is no different. For starters, if you’re already infected, antivirus may be the best (or only) way to find and remove the infection. Additionally, if you’re in a high risk situation – being a public figure who gets targeted often or your work requires you to frequently download files – then I could see the value there. But for the average user who sticks to the same handful of trusted sites and programs, I don’t think they have much to gain from antivirus. Readers considering antivirus software should also be aware that such software – ironically – presents a risk just by its very nature. Antivirus software has to have full access to every part of your system so it can scan and remove things. Should the software become compromised, it can become the entry point to allow full access into every sensitive part of your device – and we’ve already seen at least one instance of antivirus companies abusing this kind of access by selling user data to advertisers. There are some niche cases where I could see the value of antivirus, but I would caution users to remember that these are powerful programs with a lot of privileged access. Don’t make that decision lightly.

So for the average user who (according to me) doesn’t need antivirus, what do I recommend instead?

  1. Keep everything updated. Make sure you enable automatic updates wherever possible, and keep everything updated – not just the device itself but the apps, too.

  2. Remove things you don’t need. If there are programs you don’t use on your device – whether bloatware that came with it or stuff you simply stopped using – be sure to remove them. Every app and program could have a vulnerability in it, and as soon as cybercriminals find that vulnerability you’re now at risk. Keeping things updated helps, but if it’s a program you don’t use then the better solution is to simply remove it. They can’t exploit something that was never on your device to begin with.

  3. Use wisely. As I said earlier, the top two ways I see people get malware are by not updating (which I addressed first) or by getting phished in some way. Even as an individual, this remains true. Unless you’re in some sort of high-value role (like being a CEO or working on an important government project) most of these efforts will usually be relatively easy to spot and avoid. This means implementing practices in your life like only using trusted, official websites for online purchases or downloading software and not downloading attachments or clicking links in email unless you were expecting it and verified that it is indeed legitimate. Of course, even official, reputable sites can sometimes be compromised, so for maximum protection I of course recommend checking out some of the pages on my website, but doing some basic due diligence will, in most situations, protect you from the lowest of low-hanging fruit.

  4. If you must... If you’ve read all this and still decided that antivirus software is right for you, be sure to pick one wisely. Objective-See is a non-profit that specializes in open source security software for Mac devices, and iVerify is my recommendation for iPhones. For Android, the Divested Computing Group (the makers of DivestOS) have released Hypatia, a malware scanner which has since been added by default to CalyxOS. For Windows there’s no clear winner I’ve been made aware of from a highly trusted organization; however, Malwarebytes offers a free tool that will scan and remove malware for you on demand (but not 24/7 in realtime). If you’re a Linux user, really the only option is ClamAV, which is unfortunately extremely limited compared to some of the more robust offerings on other devices, but there are a number of other actions Linux users can take to help defend their system on top of this.

Again, to be clear, I’m only listing recommendations for people who would prefer to have antivirus, but remember that there are a number of other factors – both things you control (like your habits and actions) and things behind-the-scenes (like your device’s built-in security measures) – that are already helping to protect you (in my opinion) more effectively. For the vast majority of users, I believe that antivirus is no longer a “must have” tool. Antivirus software is a lot like VPNs: there’s a lot of shady companies out there exaggerating the risks and benefits to line their pockets. While they do offer additional protection, for most users you can save the money and protect yourself just as well with a few basic best practices. Whatever you decide is right for you, I hope this post has been helpful in making that decision.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...


Defending Your Dollars: Essential Tips for Financial Security and Identity Protection
13 April 2024 | 6:04 pm

This weekend in the United States, taxes are due. For the more responsible readers – aka “everyone but me” – this was probably already done weeks – if not months – ago. But don’t worry. Taxes will roll around again the same time next year, as inevitable as death itself as the famous philosopher noted, and our financial lives are year-round. So in other words, this is merely a good excuse to discuss some ways that you can protect your financial life – both online and off – and keep your funds, identity, and credit safe.

Protecting the Digital

Protecting the digital side of your financial life works much the same as protecting any other account. There are some universal constants, such as using a password manager to generate and safely store strong, unique passwords and enabling the strongest form of two-factor authentication your various accounts and apps offer. On the topic of apps, I strongly advocate for digital minimalism. Do you really need Venmo and CashApp and Zelle and PayPal and so on? Try to cut down on the number of apps and services you use to the fewest number possible. Not only will this be less to keep up with, it’ll be safer. The more services you’re signed up for, the more opportunity for your data to get exposed in a data breach.

Be sure to take a few minutes to do a quick threat assessment of the risks of your setup. For example, do you use apps like Google Wallet or Apple Pay for quick payments? They may be convenient, but they also present a very real threat of theft. Do you really save enough time to make it worth having those services on your device? If so, how can you make sure to protect them against such threats? In some cases, the device may offer extra protection – Apple recently rolled out Stolen Device Protection, for example, while some custom Android operating systems like Calyx and Graphene allow you to scramble your unlock PIN pad, making it harder for an onlooker to learn your PIN just based on where you tap (the drawback there is that neither of those operating systems supports NFC “tap to pay” natively, but such tricks can protect other sensitive apps and information). Taking actions such as these – and others – can help keep your accounts and devices safer.

Finally, be sure to tackle the low-hanging fruit: keep your apps and devices updated, enable automatic updates wherever possible to make that easier, and beware of phishing attempts – where people call, text, or email you attempting to get you to click a link, open an attachment, go to a website, or otherwise hand over personal data. Never do it. Go to the official website directly, or hang up and call back no matter how official or legitimate it seems. It may be annoying but those few seconds can save you a lot of grief down the road.

Protecting the Other-Than-Digital

I would’ve called this section “Protecting the Offline,” except that a lot of it involves digital services, so rather this is about protecting things that expand beyond apps, accounts, and devices.

I believe that every American (and probably many other people in other countries, too) should freeze their credit. In America, it’s free, and even the most active reward-hacking personal finance nerd probably isn’t applying for new credit cards so often that the annoyance of logging in to temporarily unfreeze their credit is going to outweigh the security benefit.

Credit reports have also become free on a weekly basis until further notice – surprisingly not by law, but because it became normalized during lockdown. You probably don’t need to be checking your credit reports every week, but you should probably check at least every few months for any unfamiliar charges or mistakes. In addition to having the chance to correct them and fix your credit score, it also offers you the opportunity to detect any possible fraud or leaks in your security early before the damage gets out of control.

I also strongly encourage the use of cash and masked payment options wherever possible. The benefits of cash have been well-known for ages: you can’t skim cash, and it helps you stick to your budget because once the wallet (or envelope) is empty, you’re done (there's also a psychological component that makes spending cash harder than swiping a card for most people). Masked payments can help if your card ever gets stolen online: you still have access to your normal card to withdraw cash and go about your daily life while the digital one can be easily replaced. My personal favorite is Privacy.com as it comes with extra features like the ability to lock a card to a vendor (so if your Netflix card gets stolen it can’t be used for an Amazon shopping spree, for example) and the ability to set limits (so your phone company can’t overcharge you) but really anything that helps provide that layer of protection is an improvement.

Finally, don’t forget that when you do file taxes each year, you can request an Identity Protection PIN from the IRS that will help make it harder for someone to file taxes in your name and steal your refund. You’ll need to request one each year, but they’re worth it since it only takes a few minutes and offers yet another layer of protection.

Conclusion

It’s important to remember that nothing is unhackable. Doing these things will make your financial life and identity a lot more secure, but I don’t want to lull anyone into a false sense of security. The goal is not to be perfectly secure, but rather to create just enough obstacles that the attackers give up and go somewhere else. Following these tips will create a strong, reasonable layer of security around your financial life and make you a less appealing target.



Should You Pay For An Identity Theft Protection Service?
6 April 2024 | 10:22 pm

Identity theft is a common cause of anxiety in modern society, and it's pretty justifiable. According to a recent survey from US News, almost three quarters of adults have experienced at least one case of identity theft, and 27% have experienced more than one. In 2022 there were more than 1.1 million reports of identity theft, costing Americans a total of $8.8 billion with a median of $650. One-in-five respondents reported that they continue to suffer financial consequences to this day. It's no wonder that a multi-billion-dollar industry has sprung up around protecting against identity theft. But does it make sense to pay for an identity theft protection service? Or is it just snake oil?

A Quick Note About Identity Theft

Before diving in, I want to clear up a common misconception I see a lot. Many people I talk to seem to have the idea that “identity theft” means “a stranger walking into a bank, pretending to be you, and withdrawing all your funds.” While that certainly does happen, what's far more common is someone stealing your credit card online and using it fraudulently, or trying to open new accounts in your name. Despite the half-joking replies people give me, no matter how bad your credit is or how little money you have, I guarantee you I can find some shady payday loan service or sketchy rent-to-own shop willing to open a line of credit in your name, which I can then use to buy a bunch of high-ticket items and sell them. Now you have to take the time, headache, effort, and stress of filing a police report, gathering the necessary evidence to prove it wasn't you, and fighting to get it off your credit report. This goes hand-in-hand with the false belief that cybercriminals target individuals to be their victims. In reality, cybercriminals target companies because there's more opportunity to get lucky and a bigger payload if they do. Why try to hack one random person who probably doesn't have a lot of money when I can target a company with poor security practices who collects more data than they should on their thousands of customers, which I can then resell or use for other ends? No matter who you are or your financial situation, you are never safe from the risk of being caught up in a data breach and your sensitive data landing in the hands of a cybercriminal. These breaches are unbelievably common, with over 7 million records per day in 2020 and an average of 3 breaches per day in Australia alone.

What is an Identity Protection Service?

With so much sensitive data being leaked constantly, it's pretty easy to see where the market for identity theft protection services came from. Where there's a need, some industry will always rise to fill it. Identity theft protection services are – as the name implies – services that promise to help protect you from becoming a victim of identity theft. They do this in a number of ways such as alerting you of any suspicious financial activity on your accounts, any new accounts being opened up in your name, and scanning the dark web to see if your data pops up.

Are They Worth Paying For?

Point blank: no, in my opinion most people don't need to pay for an identity theft protection service. First off, identity protection services are reactive instead of proactive. They'll only let you know after someone has stolen your identity and tried to abuse it. There are much better ways to be proactive that are – in my opinion – more effective (which I'll talk about in a moment). Second, “dark web scanning” is something that makes no sense to me. Maybe I'm misunderstanding it, but the whole point of the dark web is that it can't be indexed. It's not like a Google Alert where you can just make a bot that says “let me know if this shows up anywhere on the web.” Instead, they have to be monitoring known dark web marketplaces, and your information may not surface on the known ones. Think of it like having an account in a chat room or on a social media account and hoping they see your name pop up. Even then, it may be hidden behind a paywall since most cybercriminals want to sell the data they've stolen rather than just share it publicly. And if one of their strategies is to scan the regular web for companies announcing data breaches, not all companies admit to that, even when the evidence is overwhelmingly against them (and some companies even block such announcements from showing up on search engines).

To be clear, I said “most people.” I've heard from some people in unique situations who value the peace of mind or extra protection behind an identity theft protection service. But most people can get the same protections as an identity theft protection service – and arguably better – for a fraction of the cost. (You could even use some of the money you saved to help support this project and still have money left over.)

What to Do Instead

The first step is to freeze your credit. In America, this is free by federal law. In other countries, your results may vary but I've been told that the credit agencies in other countries also offer credit freezes, so you should have some recourse even outside the US. A credit freeze doesn't affect your credit score (so if you're trying to fix your credit this won't affect that), but it does prevent people from being able to open new accounts in your name without additional verification, and it can be easily temporarily lifted if you ever need to open a new account (such as to apply for a new credit card or a loan). This is – in my opinion – far more effective than the reactive methods of identity theft protection services, who basically say “let's wait til someone tries to open a new account and then do something about it.” This way they never even get the chance to open said account, and it costs you nothing. (How often do you really open new accounts without warning that freezing your credit would be such a huge hassle?)

The second concrete step I recommend is to try to use digital payment methods less. From the real world to the digital one, card skimming is incredibly common, and it's one form of identity theft. When in person, try to pay with cash as often as possible. Online, I strongly recommend gift cards or masked payment options. Even cryptocurrency could be helpful here if it's something that you're familiar with and it's offered. By doing this, you'll reduce the amount of sensitive financial data – such as credit card numbers – sitting in a server somewhere waiting to be stolen by a lucky crook. They can't steal what isn't in the database in the first place.

Finally, if you really want to have maximum effect... well, to be frank, this is a privacy project. We have lots of advice on this front. Taking your privacy a little more seriously can pay off in droves when it comes to identity theft. The answers to many common identity-based security questions can be found easily with a quick Google search, questions like “what is your father's middle name?” or “where did you go to high school?” You can scrub much of this information from the internet by using a data removal service, making it much harder (if not impossible) for attackers to find those answers. It also helps to start being defensive with your online identity. This starts with good cybersecurity practices such as using strong passwords and multifactor authentication which can make your accounts harder to hack into (even after a breach), but it also extends into simply trying to hand out less information. Not every field on a website or form needs to be filled out, and not all of them need to be accurate. Don't be afraid to use a fake phone number for services that should never have a valid reason to call you, or a fake name when signing up on a website. Use different usernames on your accounts to make them both harder to hack and harder to find for would-be attackers. You can set your accounts to be friends-only or other similar settings that reduce what outsiders can see about you – or better yet, simply delete the services you don't use very often and post less on the ones you do. You can switch to encrypted services like email, messaging, and cloud storage so that data breaches become almost impossible in the first place.

Conclusion

There's a lot you can do to protect your identity for less than what the big guys cost (in some cases for free), and in my opinion it's far more effective. And for the record, you don't have to do it all or even all at once. “There's a lot you can do” is meant to be encouraging: you're not powerless. You have a lot of tools at your disposal to help protect your identity. I recommend you be proactive and find the ones that work best for you. With a little bit of research and preemptive effort, you can save yourself tons of money and time. Privacy isn't as hard as it sounds. It may be convenient to shrug off the effort of identity theft protection onto someone else, but if you're willing to put in just the tiniest little bit of elbow grease now, you can keep that money in your pocket and get even more protection than those services can offer.
