Is your most secure content hiding behind your most insecure password?
Many of us, stung by hacking attempts or scared stiff by media reports, have thought up pretty secure passwords for our online banking -- and that’s as it should be. Your online banking passwords should be impossible for a would-be attacker to guess from learning about you. Preferably, financial passwords should either be constructed from nonsense words and phrases mixed with numbers and punctuation, or be random -- something that has been generated by a random password generation program, or a phrase that is chosen at random from a book close to hand, then obscured in some way with misspelling, numbers and punctuation, and then memorized.
So we do this for the dramatic passwords -- the ones that get at our money or important materials. But what happens if we forget our password (I’ve done it when I’ve come back to a system that I haven’t interacted with in a while)? We choose the “reset password” link -- and it sends a reset code to your email box.
And if you’re like many people, that email box has the most insecure password you have -- it’s probably the oldest one, it’s likely one that you have never thought about toughening up, and it’s possibly known by various programs on Facebook, Twitter or your personal computer. It’s also the password that’s most easily stolen when you’re using an unsecured wifi link in a hotel or a cafe -- because your phone or tablet is constantly checking email, and it may be transmitting your password in the clear.
Once your password to your email is stolen, thieves look through your email for your banking statements, reset those passwords, and send money all over. They also send out silly emails to your contacts, pretending to be you, with woebegone stories about how you’re stuck in a jail in Wales or are stranded in Paris after someone stole all your money.
So how do you work against this?
1. If you’re using Gmail or have a Google account, turn on two-step verification. This service puts an extra layer of security on your logins -- and it alone is worth changing to Gmail if you don’t use it. It requires that a potential thief have your phone to authorize your login -- they can have your password, but without your phone they can’t get in. It’s discussed at http://support.google.com/accounts/bin/topic.py?hl=en&topic=28786
Plus, don't use unsecured wifi, or if you do, only use it when communicating via https.
2. Turn on whatever alerts and safeguards your bank allows. Set alerts for wire transfers, or if possible, prohibit wire transfers. Keep track of your checks and deposit slips, your credit cards and ATM cards. Set up every balance alert that they offer and set the numbers low. Thieves will try to get as much money as possible the first time out -- make it more difficult for them to get at it.
3. Get a credit monitoring service, and use it. All the big three credit report companies offer them, and many offer them through your bank, or your credit card company.
4. Use ATMs at your bank, not at some strange convenience store. Even then, inspect the ATM before you put your card in the slot -- sometimes thieves can make mini-card readers that look like they belong. If it looks odd, go somewhere else.
5. Don’t use your ATM card at gas pumps. Use a credit card, which offers you more security against fraud. With your ATM card number and your PIN, a thief can empty your bank account sooner than you can notice it, but with a credit card that you pay in full each month, you get safeguards against fraud, and if your credit card is issued by a paranoid company such as Capital One or American Express, they’ll catch the fraud long before you see it.
6. Keep your computer protected against spyware and viruses. Any computer can have viruses and spyware, but Macs are currently less likely to have them because PCs have a greater market share. One of the big vehicles for spyware intrusion is “free art” or “free music.” They can carry a payload that will give a thief a window into your business.
7. Watch what applications you install on your phone or tablet. You may give a thief a window into your accounts just by installing an application that monitors what you do while it makes annoying farting noises to amuse your friends. Apple says they watch the applications that they offer, while Android tells you before you install or update an application what it has access to. In either case, consider adding a third-party application to look for malware and keep track of your phone.
8. We all know the stupid Nigerian email scams, but many of the worst scams claim to be from your bank, your company, your credit card provider, or my favorite, the IT help desk. Don’t click on any link in any such email, no matter how innocuous it may appear. If you get a scary email from your bank, go to the bank’s website itself to check it out; don’t click on the link in the email. Don’t give anyone your login and password, no matter what kind of yarn they spin in their email to you. Be careful.
9. Be an advocate for better security. Ask your bank to toughen up their security on their banking site, if they seem too easy. Write your congressman and ask for tougher laws on credit fraud. Become a victor by taking on the people who would take you on instead.
10. Lastly, be aware of how you connect. Use https for logins like Facebook or Twitter. Log out when you’re done reading people’s posts, and playing Farmville. Tighten up your security, and for goodness sake, don’t spread your birthday all over the web. Be aware of where you are, what you’re doing, and who you’re doing it with. Keep just as aware as you would be if you were wandering around using an ATM in a bad part of town, at night!
Daryl R Gibson
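
Tip 1 says a thief who has your password still can't get in without your phone. The sketch below is an added example, not part of the original article and not Google's code: it assumes the second factor is a time-based one-time code (RFC 6238) produced by an authenticator app, and the account record, password and `login` function are constructed for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds each code stays current

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_code(secret_b32, submitted, unix_time, window=1):
    """Accept the current code or one step either side, to allow for clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP)
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(account, password, code, unix_time):
    """Both factors must pass: what you know, then what your phone holds."""
    if not hmac.compare_digest(hash_password(password, account["salt"]),
                               account["pw_hash"]):
        return "denied: wrong password"
    if not verify_code(account["totp_secret"], code, unix_time):
        return "denied: second factor missing or wrong"
    return "ok"

# Constructed sample account. The shared secret is the RFC 6238 test key; in real
# use it is random and lives only on the server and in the phone's app.
SECRET = base64.b32encode(b"12345678901234567890").decode()
ACCOUNT = {"salt": b"constructed-salt",
           "pw_hash": hash_password("old-weak-email-pw", b"constructed-salt"),
           "totp_secret": SECRET}
NOW = 1111111109  # fixed clock so the run is repeatable

if __name__ == "__main__":
    print("owner, password + phone:", login(ACCOUNT, "old-weak-email-pw", totp(SECRET, NOW), NOW))
    print("thief, password only:   ", login(ACCOUNT, "old-weak-email-pw", "000000", NOW))
    print("thief, stale code:      ", login(ACCOUNT, "old-weak-email-pw", totp(SECRET, NOW), NOW + 300))
```

A password sniffed on cafe wifi fails at the second check, and a code captured along with it stops working once its time window has passed.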