My wife is deep into the true crime world of podcasts, documentaries, and tv shows. As such, I am used to hearing/watching shows about various murders, rapes, hate crimes, and other generally horrible/disgusting crimes.
The other day, we were watching the show, True Life Crime on MTV, when an episode called “The $5 Million Dollar Phone Hack” came on.
It immediately peaked my interest, because well $5 Million Dollars is a lot of money. If you are using any online service (which is everyone), then I highly recommend that you watch it. Here is a little taste:
The episode goes on to describe some serious financial crimes, mostly around SIM Swapping. Not murder. Not rape. Stealing your cell phone number, and then raiding your bank accounts!
Imagine logging into your bank account only to find all of your money has disappeared — vanished, without a trace. We take an inside look into a multi-million dollar phone hack which shows us just how dangerous it is to be online.MTV
The episode was a great reminder of the current financial risks associated with being online in general. And it doesn’t matter what your net worth is, there are so many scams, hacks, phishing schemes, and stolen passwords out there. We are all at risk.
Here is how hackers steal your money online:
Before I get into how we can protect ourselves, let’s start by going over some common hacks, scams, and nefarious plots to get your money:
SIM swapping occurs when someone contacts your wireless carrier and is able to convince the call center employee that they are, in fact, you, using your personal data.
They do this by using data that’s often exposed in hacks, data breaches, or information you publicly share on social networks to trick the call center employ into switching the SIM card linked to your phone number, and replace it with a SIM card in their possession.
Once your phone number is assigned to a new card, all of your incoming calls and text messages will be routed to whatever phone the new SIM card is in.SIM swap fraud: How to prevent your phone number from being stolen – CNET
So as you can imagine, once someone takes over YOUR phone number, they can easily get past any of your 2-factor authentication that you have setup with your bank, brokerage or cryptocurrency exchange.
- Hackers Hit Twitter C.E.O. Jack Dorsey in a ‘SIM Swap.’ You’re at Risk, Too.
- Another Bitcoin Investor Sues T-Mobile Over SIM Swap Attack
- Family loses $75,000 in cryptocurrency to SIM card thieves
Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. … This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.What is Spear-phishing? Defining and Differentiating Spear-phishing from Phishing – Data Insider
Spear Phishing is usually the precursor to the SIM Swap. Hackers can buy or harvest all the publicly available data on you, combined with getting your passwords off the dark web. The result is that they can infiltrate your email, and then wreak havoc.
- UC San Diego Health phishing attack exposes SSNs, financial info
- Average organization targeted by over 700 social engineering attacks each year: report
- Microsoft impersonation being utilized in 43% of Phishing attacks
Hack into your video doorbell, eReaders, router, wifi, etc.
It is all too easy for any of your devices to get hacked into these days. If you have a video doorbell, a router (we all do), cameras, etc – you’re vulnerable to being hacked.
The more devices, the more risk.
Once hackers have access to one of these devices, they can take over your home network and steal passwords, record video of you, and more.
- Amazon Ring Doorbell Hacked in Florida Swatting Incident
- Four New Video Doorbells and Home Security Cameras Are Vulnerable to Hacking
- Massive camera hack exposes the growing reach and intimacy of American surveillance
- Amazon Kindle Hack Needs Just One Evil Ebook To Take Over Your Ereader—And Maybe Your Amazon Account Too
9 steps to take to keep your money safe:
I want to preface all this by saying that even if you are doing everything correctly, there is still going to be some level of risk that you take simply by using the internet. This is similar to the type of risk that you take every time you get into a car. But nevertheless, the risk is still there.
So here is what you can and should be doing to protect yourself online:
- Use 2-factor authentication for every login
- Turn on all extra security measures offered by your bank or brokerage
- Add a PIN Lock or Port Freeze on your cell phone
- Use a Password Manager to store all of your highly secure and impossible to remember passwords
- Generate Strong, Secure Passwords
- Audit your passwords
- Freeze your credit
- Get Identity Theft Monitoring
- Avoid free public WiFi and use a VPN
Use 2-factor authentication for every login
One of the simplest things that you can do – and we are all familiar with in some fashion is 2-factor authentication.
This happens when you log in to an existing provider (email, phone, banking, etc.) and they send you that 6 or 8 digit code to type in.
- Turn on 2-factor for every login for any/all banking, brokerages, mortgage services, and cell phone provider.
- Turn it on for email, phone, identity theft protection, insurance, providers.
It may seem like overkill, but this is a simple safeguard to prevent someone who has stolen your passwords from accessing any of these services. They are dead on arrival if you have turned on 2-factor authentication.
Now, it won’t stop the SIM-swap hack, but it’ll prevent hackers from accessing your accounts even if they have your username and password.
To supercharge your security, you will want to see if your service can use an Authenticator App for your 2-Factor Authentication.
Authenticator Apps work like text message 2-Factor Authentication where you supply an additional code at the time of your login, but is more secure in that you have to have physical possession of your phone and app at the time of entering. This will prevent being SIM-swapped, as long as you can enable the Authenticator App, and turn off the phone.
So if any of your services offer this, opt it, and “turn off” text message authentication for an added layer of security.
Here is a list of the most popular Authenticator Apps:
Turn on all “extra security” measures offered by your bank or brokerage
There are likely some extra security measures that you can take depending on each individual bank or brokerage. These measures seem to vary widely, but appear to be more common now.
Coinbase and Vanguard for instance also have the ability to setup a Security Key
A security key is a small device you can purchase, like a flash drive, that plugs into your computer’s USB drive and provides another layer of security when you’re logging on to our website.
I did a quick Amazon search for “Fido U2F Specification security key” and found plenty of options depending on the type of USB port that you have (be sure to double check that).
Fidelity meanwhile offers extra login security via “2FA by Symantec VIP Access app.”
Through our partnership with Symantec, use Symantec’s free Validation and ID Protection (VIP) Access app, which generates a randomized 6-digit code on your Mac, PC, or mobile phone each time you attempt to log in. To complete your login, you‘ll then be prompted to enter the code from your VIP app, which is valid for 30 seconds.
Charles Schwab, also appears to use Symantec VIP as well.
If was a customer of any of these services, I would immediately get up and running with the extra security layer!
Check with your bank as well. Here is a list of banks/brokerages that offer an extra security layer:
- Bank of America
- Charles Schwab
- Citi Bank
- J.P. Morgan
- Wells Fargo
For any banks/brokerages that I haven’t looked up, I would certainly do some searches on their website for extra security, security keys, Symantec VIP, or by simply contacting their customer service department.
Add a PIN Lock or Port Freeze on your cell phone
The first thing I did after watching “The $5 Million Dollar Phone Hack” was call my cell phone provider to see what I could do about locking up my phone. Here is what CNET says for how to secure your phone with the major providers:
- “AT&T subscribers: Go to your account profile, sign in, and then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then go to Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
- T-Mobile users: Set up a PIN or passcode the first time you sign in to your My T-Mobile account. Pick Text messages or Security question and follow the prompts.
- Verizon Wireless customers: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.”
If you don’t utilize one of the major providers, I would call up see what options they provide. I am sure they will have one or the other.
Use a Password Manager to store all of your highly secure and impossible to remember passwords
Next up, you’ll want to start to use a Password Manager. Chances are you may already be using one. All of the major browsers already have them:
- Chrome Password Manager
- Safari Password Manager
- Firefox Password Manager
- Internet Explorer Password Manager
However, using your password manager in your browser is not enough.
You want to have safe and secure access to your passwords on your phone as well as the ability to store credit freeze pins and other important information securely.
For this, I recommend a Password Manager App. Here are the ones that I recommend you take a look at:
- Free Plan – 1 Device
- Family Plan (6 licenses) for $3 a month via “Back to school 25% off discount”
- Keeper Security
- Personal Plan – $2.91 a month – $4.87 with file storage and dark web monitoring.
- Family Plan (5 vaults) – $6.24 a month – $8.62 including dark web monitoring
- Free Plan – 1 Device, 50 Passwords
- $3.99 – Unlimited Passwords
- $6.49 – + Dark Web Monitoring
- $8.99 – Family Plan w/ 6 Accounts
- Dropbox Passwords
- Basic plans can store up to 50 logins and payment cards and use Dropbox Passwords on up to 3 devices.
- Plus, Professional, Family, or Business plan can store unlimited logins and payment cards and use Dropbox Passwords on unlimited devices.
For more on password managers, check out this excellent breakdown of the best password managers from PC Mag.
The main reason that you want to use a Password Manager, is because you will want to begin to generate really secure passwords. There is no way for you to remember these, or write them down.
Don’t shoot yourself in the foot by utilizing a Password Manager only to forget to use strong passwords. Just don’t.
Generate Strong, Secure Passwords
The worst thing that you can do on the internet is use the same password, or a variation of the same password over and over again.
For this reason, it is really important this day in age to generate strong, secure passwords.
I do this by utilizing the browsers “suggest a strong password” tool. This comes in the form of a prompt when you are signing up for a new service. You’ll want to do this 100% of the time.
Audit your passwords
Next up, you need to audit your passwords.
Now that you are using stronger passwords and saving them in your Password Manager, you need to go back and audit/fix all of your critical accounts.
I cannot highlight how critical this is.
Here is an example from of the “Check Password Tool” from Chrome:
For all of the browsers:
- How to check your passwords in Chrome
- How to check your passwords in Safari
- Firefox and Internet Explorer don’t appear to have a tool yet.
For Password Managers:
- Lastpass Security Dashboard
- Dashlane Password Health
- Keeper and Dropbox don’t appear to have a tool to check password security yet, but I also could just not be seeing any information on them.
Let’s face it. This part will suck.
Yet, even if it takes you days, it will be worth it to prevent your bank, email, phone or who knows what account from being hijacked by hackers.
Freeze your Credit
One of the most important things you can do to help with identity theft and prevent scammers from opening new accounts in your name is to freeze your credit.
The good news is that all of the credit bureaus are making this really easy these days. With your Password Manager setup, this should be a breeze:
- Go freeze your credit at Equifax
- Go freeze your credit at Experian
- Go freeze your credit at TransUnion
Do this for yourself, your spouse, and your kids.
Just remember, that you will need to temporarily unfreeze your credit when applying to open up a new bank account, credit card, mortgage, etc.
Get Identity Theft Monitoring
Once you are using a Password Manager, 2-factor authentication, have switched to using secure passwords, and frozen your credit – you’ve now put yourself in great shape.
The next step will be to add identity theft monitoring. For this I personally use LifeLock. The reason why I like LifeLock, is because they offer “Stolen Fund Reimbursement:”
Reimbursement and Expense Compensation, each with limits of up to $1 million for Ultimate Plus, up to $100,000 for Advantage and up to $25,000 for Junior and Select, when purchased in Norton 360 with LifeLock plans. And up to $1 million for coverage for lawyers and experts if needed, for all plans. Benefits under the Master Policy are issued and covered by United Specialty Insurance Company (State National Insurance Company, Inc. for NY State members).Lifelock
Bank accounts are FDIC insured for up to $250,000 per bank account. But…
So while identity monitoring isn’t the cheapest service out there, if you chose one with reimbursement, you can hopefully sleep a tad better at night.
Besides LifeLock, there are other services doing identity theft monitoring. Here are some:
Avoid free public WiFi, and use a VPN
Well we have thoroughly covered a lot today. But there are a few more things to ponder…
Avoid free public WiFi
There is no such thing as FREE, especially when it comes to WiFi.
So you head over to Starbucks, or a local hotel, sit down and start to browse the web, do some work, etc. You are safe right? Wrong! You just got hacked:
When you are on a public Wi-Fi network, like those in Starbucks, everyone connected to that Wi-Fi network has access to all internet traffic of everyone else on the network… Did you hear that? EVERYONE!
What an attacker could do is wait for you to enter your password on a website that isn’t secure, then try using that same password on Chase.com to gain access to your bank account.Why browsing on Starbucks Wi-Fi is dangerous and how you can best play it safe – Medium
These are very easy places for hackers to penetrate your computer via unsecured WiFi networks and websites.
I am guilty of this as well in the past, but there is a solution and that is to only use secure websites with the little lock in the corner (like this one), combined with using a VPN.
Use a VPN when connected to public WiFi
A virtual private network (VPN) gives you online privacy and anonymity by creating a private network from a public internet connection.
I have used several of these services, they all generally work the same. I would follow CNET’s advice and avoid the free services. It’s not worth any potential risks or having to deal with advertising.
The Ideal Security Setup
For services that allow you to turn off authentication via a phone number, the combination of a hardware key and a smartphone-based authenticator app, with a set of backup codes locked in a file drawer, is the ideal solution.ZDNet.com
Yep that is right. Here is the ideal secutiy solution:
- Use a password manager and strong passwords
- Turn off authentication via phone and use a security key and authenticator app instead.
- Put backup codes, and/or an additional security key in a safe (or safe place)
Did I miss anything?
If I missed any security practices or there are any other major concerns to be aware of, please let me know in the comments.
Look folks, it is scary out there.
I recommend that you follow all of my advice to secure your accounts.
Even with today’s top notch security, hackers are always one step ahead.
So be careful and be smart.
Make sure that you are as secure as you possibly can be, especially if sharing any financial information online.
Good luck out there! Use secure passwords!