How well are you managing your online security?
Over the weekend I had an interesting exchange with a friend on the topic of bank fraud. She was the victim of bank fraud or bank theft–however you want to categorize it–where someone took several thousand dollars out of her bank account over a three-month period. Technically, this is identity fraud because in order for someone to gain access to your account, they need your personally identifiable information, i.e. your social security number, your address, full name, driver’s license, etc. And how do they obtain that? A myriad of ways!
In my friend’s case it appears that whoever the culprit was, they had enough information to siphon off funds from her account systematically over that three-month period without the account being closed. I’m not sure of the details but typically if this was caught early enough I would have just closed the account, but of course I don’t have the full details.
At some point in the following weeks she attempted to sue the bank but was only able to recover half of the money that she lost. Obviously upset, she said that she would never bank with this particular institution again. She blamed the bank, I blamed her. She didn’t like that.
She argued that someone at the bank–a bank employee perhaps–was responsible for taking the money out of her account. Upon further investigation she was able to see where and when the money was coming out, but she couldn’t understand how it could have happened. Mind you, she was on vacation.
In this scenario consumers typically make several bad and preventable mistakes.
Mistake #1 – Not monitoring and managing your bank account activity.
Mistake #2 – Not reporting fraudulent or questionable activity on your account when it happens.
Banks are in the business of protecting themselves by minimizing their risk, maximizing their upside, and limiting or completely eliminating their exposure to loss. In this particular situation I can’t speak to the specifics on how the bank came to their conclusion, but I can tell you that they only returned half of the money that was taken out of my friend’s account. I would say they did this because they didn’t believe they were fully liable for the account being compromised. Of course as a consumer you can spend time in court trying to recover your losses, but you have to ask yourself if it’s really worth it.
I’ve seen this before, up close and personal. My mother was a victim of identity theft over a period of several weeks unbeknownst to her. With her situation she wasn’t even aware of what was going on as she had neglected to check her bank account regularly to even know where her money was going. I set up online banking for her on two separate occasions and she still failed to make use of the logins to manage her account. It wasn’t until I logged into her bank account that I was able to see multiple withdrawals from an ATM machine from a convenience store up the street from where we were living at the time.
My mother was older in age, obviously, and very averse to using technology to manage her finances. I get it, but in today’s very connected world everyone needs to understand that technology is not going away, and you’re going to have to learn how to use it. If you think it’s difficult to understand why your passwords should be complex, or why you should change your online passwords often, think how easy it is for someone to exploit the fact that you’re not doing those things and simply walk away with money that you earned because you didn’t take time to protect yourself.
This is a huge problem in today’s digital society and last year we saw a record number of online breaches of large organizations, both private and in government. One of the most notable was the Equifax breach where the personal data of 143 million people was stolen because of an unpatched vulnerability in one of their web applications.
Now wouldn’t you think that if hackers are smart enough to breach a large organization like Equifax that has millions of dollars to spend on Cyber Security that they would be smart enough to come after you and succeed?
I think the answer is yes.
What can you do to protect yourself?
So let me share with you a few things that you all should be mindful of when it comes to protecting your online identity.
1. Understand your attack surface
Your attack surface is the total sum of ways that your identity can be compromised. This in itself can be exhaustive, but when I think about myself and the number of ways that I may be vulnerable to hacking and identity theft, here is what comes to mind:
- My home – Inside my home of course are all of my personal belongings, documents, mail, etc. Anything with personally identifiable information on it is a risk and makes me vulnerable.
- The devices that I use to access the Internet – Think of every device that you own that has the ability to access the internet. Every phone, every laptop, every desktop computer. Every time you access the internet that poses a risk if you aren’t protecting yourself.
- Documents that come to my home or mail I receive – I have a shredder here at my house and I’ve had this same shredding machine since 2004–sturdy and reliable device I must say–and it works wonders. Whenever I have documents that contain information that could potentially lead someone to compromising my identity I shred it before it leaves my house. People do have the ability to go through your garbage to search for documents and if they can find enough of YOU in the can they can do some serious damage.
- Other people or organizations that use my information – Organizations, companies, banks, etc., hence the Equifax breach and why this is a very important consideration to understand. Your information is everywhere with just about every major organization that you do business with. At the end of the day you have to do your best to safeguard your own identity and online presence.
2. Manage your Internet access
Managing your Internet access means managing how you connect to the Internet, where you connect to the Internet, as well as your login details and ensuring that you protect your login details from becoming compromised. This also means not giving your login details to anyone, not transmitting your login details over any messaging platform that is not secure (WhatsApp is good for this), and not writing them down somewhere where it would be easy for someone to get to.
- Use a VPN connection – Accessing the Internet from home is probably the safest way to access the Internet but you still have to be cautious. Most people, myself included, use a wireless connection to get out onto the Internet at home through a wireless router. I use what is called a Virtual Private Network (VPN) connection, which is a term used to describe a network connection that is a direct (virtual) connection to another network where the connection is encrypted. A VPN’s job is to conceal your web browsing activity as well as encrypt–or secure–the traffic going from your computer to whatever destination you’re trying to reach. I won’t get off into all of the detailed specifics behind how this works but one thing to know is that when you visit a website your computer uses the DNS settings of your Internet Service Provider (ISP). DNS is essentially the Internet Yellow Pages, which allows your browser to find out where a website is located. So let’s say AT&T is the ISP that you have your Internet service with. When you want to go to Facebook.com your browser talks to the DNS Server–Domain Name System or other referenced name depending on who you talk to–and looks up Facebook.com. That DNS server routes your request to Facebook’s servers and returns the web page to your browser. A privacy concern here is that there are ways for hackers to snoop and listen in on your browsing activity, and even further, your ISP also has the ability to monitor what you’re doing. With a VPN, the VPN app alters the DNS IP address and causes your computer to use the DNS address of their network instead of your ISP’s DNS servers. So when you browse the web your web traffic goes out of the VPN network as opposed to your ISP’s network. You’ll know this when you do a Google search for “What is my IP address”.
If you are connected to a VPN server the Google search will return the IP of the VPN server instead of your ISP. This is because your public-facing IP address is now the address of the VPN server instead of your ISP. Additionally, VPNs also encrypt your traffic. VPN applications are a requirement today if you do a lot of browsing at coffee shops like Starbucks. Open and public Wi-Fi networks are one of the primary ways your identity can be stolen. There are a lot of free tools online that will allow me to sit at a coffee shop and capture your web traffic. I can capture your personal information on your computer or I can set up a dummy network where you won’t be able to tell the difference between the coffee shop’s network and my network, and capture your details as you try and connect to my dummy network. My advice: download a VPN client for all of your devices and start using it today.
- Use a Password Manager App – One of the latest and best inventions that has really made life so much easier is the Password Vault or Password Manager application, such as Dashlane, 1Password, or LastPass. Password Managers are truly amazing applications that I can’t rave about enough. If you’re anything like me you probably have 30, 40, or 50 or more online accounts for everything from your bank accounts to your e-mail. The standard is that all of these passwords should be different, they should all be complex, and they should be rotated often–every 2-3 months. Passwords are impossible for us to memorize and the coordination around changing them can also be a headache. This is where a Password Manager app comes in. You can read more about one particular password manager app that I recommend here. But in short, the app allows you to create complex passwords, rotate them on a regular basis, and the app also stores and syncs the passwords to all of your devices so you don’t have to. The idea here is to decrease the odds of someone being able to steal your identity, and password management is hands down the one crucial area where most people fall short.
- Enable Two-Factor Authentication ON EVERYTHING – Two-factor authentication is a feature that at one point was being recommended by NIST (the National Institute of Standards and Technology), which is an agency within the Federal government. Early in 2017 President Trump signed an executive order making NIST the security standard for the U.S. Government. Two-factor isn’t as high of a recommendation at this point as it first was but many security professionals and organizations still highly recommend two-factor authentication be used in conjunction with your password. This simply gives hackers another hurdle to cross in order to get access to your sensitive information. Most, if not all, web apps have two-factor as an option that you can now implement for your accounts. It simply requires that you have an additional code to log in to your accounts alongside your password. The code is either generated by the app and sent to you via SMS text, or you can download Google Authenticator, which also provides codes.
3. Check your bank account activity daily
Checking your bank account on a daily basis is also one of the ways to catch fraudulent activity early. Banking apps allow you to customize alerts where you can be notified of direct deposits, withdrawals, bank balances, and anything else of the sort. These notifications come directly to your phone in an instant and give you up-to-the-second updates on your account activity.
4. Check your credit at least once a month
Checking your credit is something most people don’t do, especially if they don’t use it, but that’s a huge mistake. One of the very first places that you will be able to identify fraudulent activity is on your credit report. Each credit bureau–Experian, TransUnion, Equifax–has their own website where you can check your credit report but you can also use other platforms such as CreditCheckTotal to check all 3 credit bureaus for fraudulent activity. I suggest pulling a 3-bureau report at least every 2-3 months; this way you can stay up-to-date on any changes to your report. The bureaus also allow you to set up alerts whenever a copy of your credit report and score is requested. In the case that someone does this and that someone is not you, you’ll be notified.
5. Set up two checking accounts
The primary reason why I’m telling you to do this is because in the event one of your accounts is compromised, you can quickly and easily move funds from one account to the other. I also recommend that you not use this other account as much as you use your primary account for these exact reasons. We want it to serve as a backup so when we do catch something we can respond quickly.
6. Use third party payment apps and credit cards to make transactions online and out in public
Payment apps such as Cash App, PayPal, and Apple Pay work well just like credit cards do because they allow you to place the liability of loss on the vendors. These companies have guarantees in place that allow you to recoup any funds that are lost to identity theft or any loss associated with making a purchase and not getting what you paid for. In the financial world mitigating and eliminating your exposure to risk is the name of the game! That’s why you have car insurance, auto insurance, and life insurance. You are placing the financial risk and liability of loss on another entity or company to handle on your behalf. You also can’t control what happens at your local store either and if someone is peeking over your shoulder at the checkout counter, you want to be covered for that. Apple Pay is now accepted at many retailers as well as online and you can be sure that will expand in the years to come, or if not, PayPal is also an excellent way to go.
7. Change your debit cards every 3 months
This is something that I do on a regular basis for a few reasons. First, I make a lot of purchases and it’s hard for me to keep up with all of the auto-renewals that I tend to fall into every month. So a quick way to solve this is to call my bank and have them cancel my card and send me a new one with a new number. Of course as many of you know, banks will do this for you when you call and tell them that you’ve lost your card. This won’t help if you have payments attached to your bank account number specifically, but if someone has gotten hold of your debit card number this can guarantee that they won’t be able to use it. I do this as a precaution for myself every few months.
8. Use your bank’s online bill pay feature
This is again an exercise that gives you the ability to shift the risk and responsibility of transferring funds to another company onto your bank. In this case, we are telling the bank to send funds to another merchant on our behalf. If you think about it, instead of us sending a check through the mail or going online to the merchant’s website, we are telling the bank to deal directly with the merchant through their secure processes. Banks, just like most companies, or at least we hope, use all of the latest security best practices, encryption, and methods to ensure that their platforms are secure and that our transactions are handled without fault. For example, some banks won’t allow you to use a VPN connection to log in to online banking. If you’ve ever tried to use a VPN app and received a blank screen on your web browser, it’s because the bank’s firewall has probably blocked the IP address of the VPN server that you’re using. They do this because they want to keep anonymous traffic from coming into their network, and if you remember, earlier I said that VPNs encrypt traffic from your computer to your destination.
9. Ensure that you are using an HTTPS connection when you visit a website
Your web browser talks to web servers over the Internet using HTTP–or Hyper Text Transfer Protocol. The secure version of HTTP is HTTPS where the “s” means secure. You can see this in the address bar of your web browser in the upper right corner. Whenever you see “https” that’s a good sign that your connection to that website is secure. If you don’t see that, proceed with caution. One way to ensure you see this every time you browse the web is by using an extension I use for Google Chrome called HTTPS Everywhere.
HTTPS Everywhere automatically forces the browser to connect securely to every website you visit without your having to type in “https” manually in the address bar.
10. Change the default Network IDs and Passwords listed on your wireless router
Everyone knows or at least has the ability to Google the admin password for the wireless router that you have in your home. Again, almost everything I need to mount an attack on your network can be Googled. Your ISP sends you a wireless router with a default admin ID and password for logging into the router. You really want to change this as it is common knowledge to most people, especially hackers. You also want to change the network IDs (SSIDs) and the passwords on your 2.4 GHz and 5 GHz networks. Your SSID is the Service Set Identifier that identifies your wireless network; it’s essentially the name of your wireless network. Most, if not all, wireless routers now come with two networks. You can log in and change the name as well as the password of these networks for better security.
To do this you need the default gateway IP of your wireless router, which you can get from your ISP. You can also pull up a command prompt in Windows or a terminal window on a Mac and type in ipconfig /all (Windows) or ifconfig (Mac). The simplest way to do this would be to contact your ISP if you aren’t familiar with command line syntax.
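Picking the router's address out of the command output described above, as an added example that is not part of the original post. The Windows sample shows the case that trips people up, where an IPv6 gateway is printed first and the IPv4 one sits on a continuation line; for macOS the example reads `route -n get default`, a different command from the one named above, chosen here because it prints the gateway directly. Both sample outputs are constructed.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig /all` output (trimmed).
IPCONFIG_SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
# Constructed sample of macOS `route -n get default` output (trimmed).
ROUTE_SAMPLE = """\
   route to: default
    gateway: 192.168.1.1
  interface: en0
"""
LABEL = re.compile(r"^\s+(\S.*?)[ .]*\s:(?:\s+(.*))?$")


def _ipv4(text):
    """Return text as a dotted IPv4 string, or None if it is not IPv4."""
    try:
        addr = ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None
    return str(addr) if addr.version == 4 else None


def gateways_from_ipconfig(output):
    """IPv4 default gateways in `ipconfig /all` output, in order of appearance."""
    found, in_gateway = [], False
    for line in output.splitlines():
        m = LABEL.match(line)
        if m:  # a "Name . . . : value" field line
            in_gateway = m.group(1) == "Default Gateway"
            value = m.group(2) or ""
        elif line.startswith(" ") and line.strip():
            value = line  # continuation line: another value for the same field
        else:  # blank line or adapter heading ends the field
            in_gateway = False
            continue
        if in_gateway and _ipv4(value):
            found.append(_ipv4(value))
    return found


def gateway_from_route(output):
    """IPv4 gateway from macOS `route -n get default` output, or None."""
    m = re.search(r"^\s*gateway:\s*(\S+)", output, re.MULTILINE)
    return _ipv4(m.group(1)) if m else None
```

The address returned is the one to type into a browser to reach the router's admin page, where the default admin password and SSIDs can be changed.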
Again, we want to do everything in our power to mitigate our risk and lessen any loss due to our exposure online. Keep in mind that it’s possible for hackers to get ahold of your private information, such as social security numbers, driver’s license information, etc. and still use this information later down the road. In fact, your information has probably already been compromised and sold on the dark web without your knowing. Going back to the young lady I mentioned earlier as well as my mother’s example, we want to cover ourselves from every angle possible. The one thing you can have as a defense if you are a victim of identity theft at your bank are the safeguards I mentioned above, if put in place and executed correctly.
If you are the average or below average consumer when it comes to technology I would recommend that you take time to educate yourself on all of the tips I’ve listed here.