Protect your Financial Information in an Increasingly Dangerous Digital World


The Internet makes banking and investing extremely easy. All you need to do is go online, make an account, and you’re done. The ubiquity of online portals for interacting with your financial institutions has made things much easier for you. It has also made it much easier for hackers to steal your hard-earned money. So how do you protect your financial information in an increasingly dangerous digital world?

After I finished my bachelor’s degree in Computer Science, I decided to complete a master’s degree in Cyber Security. I took several classes involving cryptography, information privacy, and practical labs that simulate networking attacks in real time. After I graduated, I spent 4 years working for a defense contractor in cyber security.

I’ve seen a ton of different attack techniques, and I’m here to show you how to best secure your financial assets. Let’s begin.

Step 1: Protect Your Account Credentials

When it comes to online banking, we all have accounts. Accounts contain both personal and financial information, and are very important to protect. To quote Saruman from The Lord of the Rings,

“if the wall [your account login] is breached, Helms Deep [your account] will fall [criminals will steal all your money]”

Your account credentials are one of the most important lines of defense that protect your information and money. What’s scary is that we don’t just have one online account. Each of us has multiple bank accounts, loan accounts, and investment accounts. All of these need to be securely protected and hardened against hackers. But how do you do this?

Choose a Strong Password

Everyone is constantly telling you this, and it’s still very important. Choose a strong password for your accounts, and choose a different password for each account. Don’t know how to easily create a strong password? Let’s do it quickly.

  1. Pick 2 words you can remember: computer fan
  2. Add punctuation at the beginning, between, and end of the two words: *computer#fan&
  3. Throw in a number: *computer#fan92&
  4. Capitalize 2 letters: *Computer#faN92&

That’s it, now you have a password. This may not look like a particularly strong password, but consider this. There are 52 letters (uppercase and lowercase combined), 10 digits, and 26 special characters. This means each character of your password will be one of 88 possibilities. In our example, the password we picked is 16 characters long, meaning a hacker will need to try all 88^16 = 1.29 × 10^31 different combinations. If a hacker can guess 1 billion passwords a second (HINT: they can’t), it will only take 1,476,449,700,000,000,000 years to crack your password. Piece of cake, right?

Enable 2-Factor Authentication

Most accounts are secured using 1 factor, or 1 piece of “secret” information (your password). This type of secret information is referred to as “something you know.” However, many applications now offer 2-factor authentication, which uses 2 pieces of “secret” information. This combination includes “something you know” and “something you have.” This is significantly more secure, because somebody will need to both crack your password and take possession of something that is yours.

2-factor authentication requires you to authenticate using a password as usual. Then, you need to prove that you have the second factor. Your institution may text you a temporary authentication code. You may have a hardware token or software token that generates 6-digit PINs that are valid for 60 seconds. Whatever the scheme, this type of authentication significantly increases the security of your financial accounts.

For example, let’s say that I have a really strong password. Unfortunately, my financial institution is hacked, and my password is leaked. A criminal purchases my password on the dark web for $1 and tries to log in to my brokerage account. They get past the password, but are then greeted with an additional login screen. My brokerage firm texts me a temporary password, and I have 60 seconds to enter it. In this scenario, they can’t get in, and my account is secure. In addition, I’ll receive a text message, realize that I didn’t try to log in, and then I can go into my account and change my password because the credentials have been compromised.

Software tokens are generally more secure than one-time access codes sent by text message. However, one-time access codes delivered via text are still more secure than nothing.

Step 2: Subscribe to Account Alerts

This one is a no-brainer, yet most financial institutions make it difficult. Go into your account, search for configuration settings or “alerts,” and turn everything on.

Most institutions will let you turn on notifications for deposits, withdrawals, logins, personal information changes (email, phone number, password), and daily balance summaries. Every single day, you will get a digest summary of all actions on your account. This information is extremely powerful. If somebody happens to access your account, you will know immediately. Here are two examples.

On all of my credit cards, I turn on transaction alerts. Any time there is a transaction valued at $0.01 or more, I receive a text message. If my credit card was stolen and somebody made a purchase, I would know immediately.

My brokerage account sends me alerts when configuration options are changed. So if somebody were to crack open my account and try to change the email, I get an alert of this activity, so I can call my brokerage firm and lock down my account.

I can tell you that these alerts are annoying. However, I would rather receive 5 text messages a day telling me that everything is okay, than not knowing that a thief stole $20,000 from my 401(k).


We’re always on our phones, what harm is an extra text message?

Step 3: Be Wary of Account Aggregators

This one may come as a shock, but be wary of services like Personal Capital and Mint. With these applications, you can “link” your financial accounts, and then you get an informative dashboard showing your portfolio performance. They are incredibly powerful tools that will help improve your financial situation.

But they can also make your accounts less secure.

Let’s say that you invest with Fidelity. If Fidelity is hacked, then you are hacked, and your account may be insecure. But that’s it. What happens if you link your Fidelity account with Personal Capital? Now if either Fidelity or Personal Capital is hacked, your Fidelity account is hacked.

And it’s worse than that. Since you usually link all of your financial accounts with these services, if somebody hacks Personal Capital, they now have access to all of your financial accounts.

Financial institutions are getting better at providing read-only access to your accounts. That means they may give you a 1-time token to access your account, and it only grants read access. So if Personal Capital is hacked, hackers get to see your account balances, but that is it.

Unfortunately, most institutions (including Fidelity!) do not provide read-only access tokens. Maybe in 2018? Who knows.

Step 4: Limit your Financial Exposure

This one may surprise you. Have you ever thought about whose money you use on a daily basis? Well, if you use your debit card for purchases, that’s your money. If you use cash, that’s your money. If you use your credit card? That’s Visa’s or American Express’s money.

Let’s think about this for a second. Let’s say that I buy something for $2,000, and my payment method ends up getting hacked.

If it was cash? I’m out of luck, sorry.

If it was a debit card? That was my money, and it is gone. I can file a police report and inform my bank. Then they’ll drag their feet for 2-3 months, take a while to change my account numbers, and issue a new debit card. Finally, I will hopefully get my money back. But they don’t have an incentive to work hard to correct the fraud, because it was my money that was stolen.

If it was a credit card? Well, Visa’s money was just stolen. I can tell you, they don’t **** around. Seriously. If their money is stolen, they will use their full power to recoup the money. Your compromised account will be closed within a few minutes of calling them, and you’ll be given a new account number. They will FedEx you a new credit card, and you’ll receive it the next day. You won’t be liable for any of the charges. They will use their supreme power to get all of the money back. Seriously.

So when you go through your daily life and purchase things, think about how you actually perform your purchases. Do you use cash, debit, or credit? Because I guarantee that your debit or credit card will be compromised at some point. If it is your debit card and you’re out $2,000, can you last 8-12 weeks to get your money back? Hopefully you have an emergency fund to soften the blow, or you’re in trouble.

Or if you used a credit card, you’re safe. Because Visa is ruthless. They will not tolerate theft of their money. You won’t be responsible for the charge, and they will get their money back.

So please, never ever ever ever ever ever EVER pay with anything using your debit card if you don’t have to. Just use your credit card. Hey, you’ll even get 1-2% cashback for doing so.


Debit cards are scary, use your credit cards instead

Step 5: Secure your Primary Email Account

This one is pretty similar to Steps 1 and 2. Most likely, you use a single email account to manage all of your financial accounts. If this email account is compromised, hackers can start changing your logins and emails in your financial accounts, and they have full control. What do I mean?

Let’s say a hacker gets into my Fidelity account. I subscribe to alerts, so I find out immediately. That hacker has a few minutes to change my account credentials, specifically my email address, before I take control back. So they go to change my email address. But wait! When you change an email address, you need to verify the change… by signing into the old email address. Since my personal email is secure, they can’t do it. But if my personal email address was insecure, well, I’m done.

So make sure you pick a strong password for your personal email account, AND enable 2-factor authentication. That way, you know exactly when somebody is trying to access your account.

In addition, use a reputable email provider. For example, use Gmail. Why? Gmail will contact you every single time somebody else logs into your account. Every single time. The odds of somebody successfully logging into your Gmail account when it is properly secured are very low.

You are Still Vulnerable

If you take the previous steps, your accounts will be more secure than 99% of everyone else’s. Right now, I can guarantee that some of your account credentials are already on sale on the dark web. And these credentials are cheap, often $1 a pop (or cheaper). When criminals are trying to hack an account, if yours has significant security measures, they will just skip you and move on to the next person.

Unfortunately, you are still vulnerable.

The most effective type of attack is not against technology, but against people. There are so many types of social engineering attacks, and people fall for them every time. Think of it like the “guy wearing a vest with a clipboard.” This guy can go wherever he wants, because he “belongs.” Well, social engineering attacks are like this, but on steroids. Check out this short video, which shows how a hacker is able to compromise a cell phone account in 2 minutes.

Minimize your Risks

Unfortunately, there isn’t much we can do to protect ourselves against this type of attack. However, the more you harden your financial accounts, the easier it will be to detect malicious activity. Never click on a link in an email, even if your mom sent it. Seriously, never click on any links in emails. I can easily spoof a link and redirect to a website that looks legitimate. This is how a lot of corporate espionage occurs.

Next, always make sure your connection is using SSL/TLS. What does that mean? When you connect to a website using your web browser, look to the left of the website address. You should see a green lock, with the word “Secure” next to it. That means the website you are connecting to is the right one. It is “legit.” If you don’t see this, never share any type of personal information on that website, ever.

Next, never provide any type of personal information to anyone who calls you. If you get a phone call from a “Verizon” support technician who says there is unusual activity on your account, hang up. Then Google Verizon’s support number, and call back. The first call is probably a phishing attack. Always call back, especially now with tax season approaching. You’ll get calls from “the IRS” about past due taxes. If you are concerned, Google the IRS phone number, and call them that way.

Finally, never ever ever ever ever ever EVER log in to your financial accounts when not on a secure network. What do I mean? If you are enjoying your morning coffee at Starbucks and hop on their WiFi, don’t check your bank account balance. Just don’t. Why not?

Who set up their WiFi network? What is their name? Do they work for Starbucks, or for a contractor? Or did you accidentally connect to the wrong network?

When I was in college doing my cyber security master’s degree, I ran an experiment where I successfully masqueraded as my university’s guest network. I was able to boot users off the official encrypted network, force them onto my unencrypted pirate network (that looked legit!), and steal all of their login information. It took me about 2 hours to accomplish with $200 in gear, and no industry experience. Now imagine what an experienced hacker can do.

This may sound like a bleak picture. This is the world we live in. We need to take all necessary steps to protect our financial assets. This means being a little crazy at times. But I would rather spend 10 minutes a day securing my financial information and be safe, than not secure anything and have to deal with theft.

If you have any questions about how to effectively secure your financial information online, leave me a comment and I’ll get back to you.

Good Hunting,
David


6 Responses

  1. I have 2-factor set up on all my important accounts except for one that doesn’t offer it 😡 but I do try to minimize risks. I don’t have everything hooked up to aggregators.

    I can’t believe that hacker in the video! That is incredible. Definitely going to watch more of those videos now.

    • David says:

      The first time I saw it, I was flabbergasted. If you are nice to the reps and seem stressed, you can trick them into doing what you want. Something I didn’t mention in the article (but alluded to) is that text message-based 2FA isn’t that great. It’s because of this video, a common scam is to try and transfer a phone number to a new device. It usually takes several tries, but you can get Verizon/T-Mobile/Sprint/AT&T to transfer your number to a new phone. Once a hacker does that, they can auth with your 2FA, and you’re done.

      Some cell providers won’t even text you, saying that your phone has been deactivated, you just won’t be able to make calls at some point.

  2. Mrs Groovy says:

    We’ve had credit freezes with the three credit bureaus for years. It helps to ensure that no one takes out a loan or opens a credit card in our name. It’s not 100% foolproof, but nothing is.

    • David says:

      I put an initial 90 day fraud alert on my account after the Equifax breach. Having freezes is the most effective way to protect your credit, but the credit agencies have shown they have neither the discipline nor competence to protect any personal information, so I just can’t trust them.

      Do you subscribe to any type of credit monitoring software?

  3. Wow, I thought that all financial institutions granted read-only access to the account aggregators. How do we find out who does and does not?


© 2017 · Zero Day Finance
