If you think your checkbook and paper statements keep you safe, think again
by Marc Saltzman, AARP, September 3, 2019 | Comments: 0
You log into your banking site and immediately notice something’s wrong, horribly wrong.
Somehow, your account has been compromised and money is missing. At the risk of fearmongering, this isn’t as uncommon as you might think.
Like many Americans, you might have become a victim of bank fraud. And it’s usually tied to a password that has been stolen, guessed or tricked into sharing with cybercriminals.
“Unfortunately, most people use the same credentials for their online bank accounts as they do for social media and online shopping sites,” says Georgia Weidman, author of the book Penetration Testing: A Hands-On Introduction to Hacking. “If one of those vendors is compromised and attackers gain access to the stored credentials, they may be able to reuse them on the online banking site.”
Skepticism is your friend
“Another common attack is phishing, or basically asking the user to attack themselves,” says Weidman, who also founded Bulb Security.
The cybersecurity company is devoted to device vulnerability assessment, training and penetration testing — essentially ethical hackers for hire.
“An attacker might send you an email or text message pretending to be your bank and asking that you validate a recent purchase,” she says. “When you click on the link in the text message, it takes you to what looks exactly like your online bank account, except it is actually a clone controlled by the attacker.”
You might think you’re at capitalone.com, for example, but if you look closely, it’s captial0ne.com.
Some scammers will even call you — yes, by telephone — and pretend they’re from Microsoft, the IRS, your bank, and so on to try to persuade you to give out your personal information to (ironically) protect you.
Don’t fall for it.
“Besides, your bank or other financial institution won’t ask you to confirm these credentials in an email or by an unsolicited phone call,” says global security evangelist Tony Anscombe at ESET, also a technology security company. “When in doubt, contact your bank to see if it was really them. Chances are it wasn’t.”
Don’t bank online? You’re still at risk
And here’s a discomforting fact: Even if you don’t opt for online banking through a website or app, identity theft could lead to a crook opening an online account in your name.
What to do?
Reduce the odds of becoming a victim of bank fraud with these five tips.
1. Use strong and unique passwords
Never use the same password for all of your online activity. As Weidman cautions, if a service is hacked and your password is exposed — if your bank suffers a data breach, for instance — cybercriminals may try it on another account.
“Even if the password is similar between online accounts, hackers use software tools to try to guess the stolen credentials,” Anscombe says.
A recent study revealed the most common password was 123456, followed by 123456789 and QWERTY.
Also, don’t use your kids’ or pets’ names, phone number, date of birth, or mother’s maiden name. All of this info could be easily attainable, especially in this era of social media.
Not only should you use different passwords for all accounts — and password manager apps are a handy way to remember them all — you also can use a passphrase instead of a password, a sequence of words and other characters including numbers and symbols.
Anscombe says a passphrase can be super easy to create, such as the phrase “my red Ford Mustang is No. 1” becoming the passphrase “myr3dFoMu#1!”
2. Enable two-factor authentication
Make it harder for the bad guys to access your data by adding a second layer of defense.
Two-factor authentication for Apple iCloud from a desktop and mobile device
Two-factor authentication means you not only need a password, passcode or biometrics logon such as a fingerprint or facial scan to confirm only you can access your accounts, but you also receive a one-time code to your mobile phone to type in.
In other words, two-factor authentication combines something you know, your password, with something you have, your smartphone.
“Like password managers, two-factor authentication isn’t 100 percent perfect, but it puts you many steps ahead of other users who have weak or the same passwords on all their accounts,” Weidman says.
3. Install good antimalware
Just as you wouldn’t leave the front door to your home unlocked, you shouldn’t let your tech be vulnerable to attacks, whether it’s a virus or other malicious software, called malware, that sneaks onto your device or happens because you were tricked into giving out sensitive information.
Reputable antimalware that’s updated often can identify, quarantine, delete and report any suspicious activity coming into your computer or flag sensitive information going out.
“Most people don’t think of protecting their smartphone, too, which is a big problem,” Anscombe says. “Make sure you have good cybersecurity protection. And don’t fall for phony texts.”
4. Opt for fraud detection; review your statements
Some, but not all, credit-card companies and banks can push notifications to your mobile device if something looks suspicious during a purchase — such as a large amount charged or a location in a different state than your usual address.
You may be asked to confirm it was really you who made a purchase with a simple Y or N.
On a related note, be sure to review your bank statements every so often to see if anything looks odd. If so, contact your bank or credit-card company immediately.
5. Watch out for Wi-Fi hotspots
Do not conduct any financial transactions such as online banking, trading or shopping when you’re using a public computer in an airport lounge, hotel or library or when you’re using a public Wi-Fi network, say, at your favorite coffee shop.
You never know if your information is being tracked and logged — so wait until you’re on a secured internet connection at home. Or use your smartphone as a personal hotspot, which is safer than free Wi-Fi.
“And make sure no one is looking over your shoulder at a coffee shop or on an airline,” Anscombe says.