In my previous post, You're Responsible for Your Own Online Security, I noted that online fraud protections from banks, credit unions, investment companies, and other financial services companies are significantly weaker than consumer protections for credit cards, debit cards, ATMs, and EFTs. The "100% online fraud guarantees" advertised by financial services companies can have a lot of fine print and they are backed by the companies, not by consumer protection laws.
You may be thinking, "That's a lot of trouble. In the unlikely event that my account is hacked, the financial services company will reimburse me." I think that's a mistake for a few reasons. First, even if the company covers your losses, recovering from the fraud is unlikely to be a pleasant experience. Second, if you don't meet the company's security requirements spelled out clearly on their websites, you might not be covered by their online fraud guarantee, at all. Do you want to take that risk with your savings?
My goals for this post don't include boring you to tears, though that is certainly a risk when one explains technology to people who just want things to work. The truth is that Internet passwords don't work. We need a very different solution for securing online access but unless and until we get that, we have to work with what's available.
One of my goals is to help you avoid losing your hard-earned wealth to online fraud. A second goal is to help you avoid the long, painful process of recovering from online fraud when recovery is possible — you'll find it much easier to stop fraud before it happens than to tidy up afterward. And, my third goal is to keep you from running afoul of requirements that might preclude those "100% online fraud guarantees" offered by financial services companies. I used to refer to them as "online financial services companies" but now almost all of them are.
I warn you up front that some of these measures can be complicated to implement and that they will complicate your financial life a bit. It won't be as easy for you to access your online financial services but it should be a lot more difficult for a thief to do so.
And finally, before diving into security measures, be aware that many online services offer different levels of security that you can implement depending on how much set-up work you are willing to do and how much inconvenience you will tolerate to achieve greater security. You can improve security significantly with stronger passwords, for example. With more work and complexity, you can greatly improve on long-password security by adding two-factor authentication. You will need to decide if the extra security is worth the effort.
You might also think, "This is way too difficult. I'm just going to avoid online access to my accounts altogether."
While this might be achievable in some limited way, it will preclude most investment opportunities. I asked Fidelity Investments if it is possible to open an account with no online access. They thought I had lost my mind. And, should you decide to simply not set up the online access, a thief might well do it for you.
Wade Pfau and the gang at RetirementResearcher.com are seeking volunteers for a research project called the Retirement Income Style Awareness,™ (RISA™). Please consider following this link to the survey. Participants will be able to get results from the survey in the fall.
First, if your computer, smartphone, or tablet is compromised, no other security process can be trusted. If someone installs a keylogger on your computer, for example, that person can watch you type in your log-in credentials from half a world away and it won't matter what other security measures you take, they're looking over your shoulder. Run anti-malware software on your computer and only download smartphone apps from your apps store. This step is essential. There are several excellent free anti-malware products for computers. I like Avast for Mac[1]. Windows Defender[2] generally gets high marks, as well.
Next, you probably have a lot of sensitive information on your smartphone. Many services will use your phone to reset your password, for example. A thief doesn't need to learn your password if she can more easily reset it. Actually, a thief doesn't need to physically steal your phone. He may be able to illegally "port-out" your phone number and receive all your phone calls and text messages. Your smartphone is a key to your online security whether or not you intended it to be.
You need to keep that key beyond the grasp of hackers. Bite the bullet and change your lock-screen passcode to at least 8-digits.[3] (Are you still using four digits?) This step is also essential. I'd recommend avoiding lock-screen patterns on Android phones.
For many financial services companies, the use of "third-party aggregators" like Mint.com, Fidelity Fullview and Vanguard Portfolio Watch will violate your guarantee of fraud protection. Charles Schwab explicitly states next to the button to enable these services that they invalidate your guarantee. Stop using them. This is an essential step. You can go to the aggregator websites and turn off the feature but you can also change the passwords on all your financial services accounts (which you probably should do, anyway) and simply not update them at the aggregator website. If your financial data still shows up at your aggregator site, you know you're not finished. The aggregators will no longer have access to your data and you will no longer be in violation of the terms of your guarantee.
Creating strong passwords is an essential step. Make passwords to all your sensitive online accounts at least 12 random characters long. Use upper and lower case letters, numbers and special characters as allowed by the website. Here's an example: Wt4e-7B13^qS. As the saying goes, the best password is the one you can't remember. It has been estimated that an 8-character password can be cracked in hours, nine characters in months, and 12-character passwords in hundreds of years with a brute force attack. If your password contains recognizable words, a dictionary attack can be even faster.
Don't reuse passwords. This is essential because cracking one of your passwords compromises every other account using that password. Every sensitive account should have its own.
Never share your password with anyone other than a spouse on a joint account. That will almost certainly invalidate your online fraud protection. If you want an advisor or a spouse to have access to your individual accounts, grant that authority explicitly by filing the appropriate paperwork with your financial services companies instead of going through the "back door" of sharing your passwords. Recognize the risk you're taking by doing this and consider sharing "read-only" access and not authority to transact in your account.
If you write them down, store the list of passwords in a secure location and hide a backup in a different physical location. The next step isn't essential but I find it helpful. I use a password manager to both create random passwords and store them. LastPass, Dashlane, and 1Password are perhaps the best known and you can access passwords from your computer, smartphone, and tablet.
The next level of security (and complexity to implement and use) beyond strong passwords is two-factor authentication. 2FA is perhaps not as essential as strong passwords but many experts would disagree. I consider it mandatory for my accounts but I also recognize that it is complicated for a "non-techie" to understand and implement. I can imagine that most will consider it too complex and that's a shame because it is a huge step up in security.
In essence, 2FA provides a second password that changes every minute and can only be read from an app on your smartphone (or a dedicated hardware token[4]). Unless a thief has access to your smartphone, she can't log in to your account even if she knows your password.
2FA is now offered by most, though not all, financial services websites. I even use 2FA at social media websites and on my email accounts. Two Factor Auth[5] provides a list of websites that support 2FA and PCMag.com[6] explains how to use many of them.
I have found that customer service departments of financial services companies will walk you through implementing 2FA over the phone if you ask and it only takes a few minutes. This is far and away the easiest way to implement 2FA on your account.
There are several ways in which 2FA can be implemented. The passcode can be sent to you in an email, sent to your phone in a text message (SMS), delivered by a voice phone call, or created by an app on your phone. If your financial services company offers a choice, the app approach (or a hardware token) is the safest.[7]
Some websites, like TreasuryDirect®, will email a one-time password (OTP) as a second layer of authentication after you enter the correct password. A lot of people know I can be reached at [email protected] and that's the first place a hacker might search for my one-time password. It would be harder for a hacker to intercept my OTP if I have it sent to say, [email protected], which doesn't identify me.
If any of your accounts use 2FA by sending an email, consider setting up an email account with a random name solely to receive 2FA passcodes. Set up a notification in that email account to alert you anytime you receive an email.
Many websites have a "password recovery" process that will reset your password if you answer security questions like "What was your high school mascot?" It makes no sense to go to all this trouble to secure a password when someone can "recover" your password by answering these security questions after reading your social media posts or by Googling your name.[10]
(I checked my password recovery questions on an email account I use for junk and found that that a hacker would need to either spend hundreds of years guessing my password or simply guess the name of my favorite band to gain access to my account.)
I make up unrelated answers to these questions and store both the questions and the answers with my passwords. For example, I might choose the question "What was your school mascot?" ("Eagles" is a good guess for a hacker.) I might enter "bookbinder" as the answer.
Thieves can sometimes illegally "port-out" your mobile phone number to theiro phone and the only indication you will get that this has happened is that your phone will stop working. They'll receive your text messages and phone calls so they'll intercept any one-time passwords sent by either of those methods. Furthermore, many online accounts will allow you or a thief to recover your password by texting or calling your phone and the thief is now the recipient of both of those. You may have the physical phone in your hand but all of your voice calls and text messages will now go to the thief's phone.
To illegally port-out your phone number, a thief only needs some basic name and address information about you and a PIN that is set up at your wireless carrier's website. Better beef-up the security of wireless carrier passwords and PINS with your wireless carrier. Krebs on Security tells you how.
Log on to your wireless carrier online account and make sure your PIN isn't something obvious like "1234" or the last four digits of your social security number. Use a strong password on your wireless carrier's website. I added 2FA to mine. Otherwise, the fraudster can hack into your wireless carrier account and change that PIN. Your smartphone, one way or the other, is the key to much of your online security. If it is lost or stolen, take action immediately.[8,9]
Since this all began with a reader's comment regarding security at TreasuryDirect®, let's look at how we might secure accounts there.
To log on to a TreasuryDirect® account, a thief will need your account number, a password for that account, an email address to which TreasuryDirect® will send a one-time passcode each time we attempt to log on, and that one-time passcode.
First, create a random password at TreasuryDirect® that is at least 12 characters long. Then, create unrelated answers to password recovery security questions at TreasuryDirect®, as described above.
Create a new email address with a random name and direct TreasuryDirect® to send one-time passwords there instead of sending it to your public primary email address. Secure the email account with a long, random password.
Now, a hacker will need to learn your TreasuryDirect® account number, hack its long random password, figure out what e-mail account you have told TreasuryDirect® to send your one-time password, and hack that e-mail's long random password to learn your OTP. If he tries to hack your TreasuryDirect® account using password recovery, he will need to know that you told TreasuryDirect® that your father was born in the city of banjo.
I believe any web-based service is hackable but a thief could probably find an easier way to steal money than this.
If you only install anti-malware software on your computer and improve your passwords, you will greatly enhance your online security. If this seems overwhelming, start by improving all of your passwords on financial services company websites and do more later.
You can download a checklist in Word to organize your security enhancement project. I included a sample using a Charles Schwab account. Click the link to see the document, then click download to save a copy.
This is the world we live in. Practically all financial services companies have an online presence with fraud guarantees provided only if the company considers that you have adequately protected your login credentials.
I realize that most readers will find this all quite complicated even with the links I have provided but this is your retirement savings we're trying to protect here and i4 your security doesn't meet the standards of financial services companies, their "100% online fraud guarantee" might not be available to you. Follow these steps and you are far less likely to ever need to recover from online fraud or rely on a fraud protection guarantee.
Some readers are having problems posting comments anonymously. Please feel free to email comments to [email protected] and request that I post them anonymously.
REFERENCES
[1] Avast for Mac
[2] Windows Defender, Microsoft.
[3] Change Your IOS Passcode. or Change Your Android Passcode for Android.
[4] Some financial services companies will provide, often for free, a hardware "token" to generate the 2FA passcode instead of using your phone. See Protect Your Investment Accounts With A Security Token.
[5] Two Factor Auth list of 2FA supported websites.
[6] Two-Factor Authentication: Who Has It and How to Set It Up, PC magazine.
[7] This is why you shouldn’t use texts for two-factor authentication, TheVerge.com. Major SMS security lapse is a reminder to use authenticator apps instead, TheVerge.com.
[8] If your iPhone, iPad, or iPod touch is lost or stolen.
[9] Find, lock, or erase a lost Android device, Google Help.
[10] Time to Kill Security Questions—or Answer Them With Lies, Wired.
[11] This is why your six-digit iPhone passcode isn’t secure, BGR.com.
