My wife is deep into the true crime world of podcasts, documentaries, and TV shows. As such, I am used to hearing and watching shows about various murders, rapes, hate crimes, and other generally horrible and disgusting crimes.
The other day, we were watching the show, True Life Crime on MTV, when an episode called “The $5 Million Dollar Phone Hack” came on.
It immediately piqued my interest, because, well, $5 million is a lot of money. If you use any online service (which is everyone), then I highly recommend that you watch it. Here is a little taste:
The episode goes on to describe some serious financial crimes, mostly around SIM Swapping. Not murder. Not rape. Stealing your cell phone number, and then raiding your bank accounts!
Imagine logging into your bank account only to find all of your money has disappeared — vanished, without a trace. We take an inside look into a multi-million dollar phone hack which shows us just how dangerous it is to be online.
MTV
The episode was a great reminder of the current financial risks associated with being online in general. And it doesn’t matter what your net worth is, there are so many scams, hacks, phishing schemes, and stolen passwords out there. We are all at risk.
Here is how hackers steal your money online:
Before I get into how we can protect ourselves, let’s start by going over some common hacks, scams, and nefarious plots to get your money:
SIM Swapping
SIM swapping occurs when someone contacts your wireless carrier and is able to convince the call center employee that they are, in fact, you, using your personal data.
They do this by using data that’s often exposed in hacks, data breaches, or information you publicly share on social networks to trick the call center employee into switching the SIM card linked to your phone number, and replace it with a SIM card in their possession.
Once your phone number is assigned to a new card, all of your incoming calls and text messages will be routed to whatever phone the new SIM card is in.
SIM swap fraud: How to prevent your phone number from being stolen – CNET
So as you can imagine, once someone controls YOUR phone number, they receive every text-message and phone-call verification code meant for you. That gets them past any 2-factor authentication that relies on those codes at your bank, brokerage or cryptocurrency exchange, and it lets them run the “forgot password” flow on any account that recovers by text message.
Examples:
- Hackers Hit Twitter C.E.O. Jack Dorsey in a ‘SIM Swap.’ You’re at Risk, Too.
- Another Bitcoin Investor Sues T-Mobile Over SIM Swap Attack
- Family loses $75,000 in cryptocurrency to SIM card thieves
Spear Phishing
Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. … This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.
What is Spear-phishing? Defining and Differentiating Spear-phishing from Phishing – Data Insider
Spear phishing is usually the precursor to the SIM swap. Attackers can buy or harvest all of the publicly available data on you and combine it with passwords leaked in earlier breaches and sold on the dark web. The result is that they can get into your email, and from there reset passwords on everything else and wreak havoc.
Examples:
- The Booming Underground Market for Bots That Steal Your 2FA Codes
- UC San Diego Health phishing attack exposes SSNs, financial info
- Average organization targeted by over 700 social engineering attacks each year: report
- Microsoft impersonation being utilized in 43% of Phishing attacks
Hack into your video doorbell, eReaders, router, WiFi, etc.
It is all too easy for any of your devices to get hacked these days. If you have a video doorbell, a router (we all do), cameras, etc., you’re vulnerable to being hacked.
The more devices, the more risk.
Once hackers have a foothold on one of these devices, they can move on to the rest of your home network, watch your traffic and steal passwords, record video of you, and more.
Examples:
- Amazon Ring Doorbell Hacked in Florida Swatting Incident
- Four New Video Doorbells and Home Security Cameras Are Vulnerable to Hacking
- Massive camera hack exposes the growing reach and intimacy of American surveillance
- Amazon Kindle Hack Needs Just One Evil Ebook To Take Over Your Ereader—And Maybe Your Amazon Account Too
9 steps to take to keep your money safe:
I want to preface all this by saying that even if you are doing everything correctly, there is still going to be some level of risk that you take simply by using the internet. It is similar to the risk you take every time you get into a car: you can drive carefully and wear a seatbelt, but the risk is still there.
So here is what you can and should be doing to protect yourself online:
- Use 2-factor authentication for every login
- Turn on all extra security measures offered by your bank or brokerage
- Add a PIN Lock or Port Freeze on your cell phone
- Use a Password Manager to store all of your highly secure and impossible to remember passwords
- Generate Strong, Secure Passwords
- Audit your passwords
- Freeze your credit
- Get Identity Theft Monitoring
- Avoid free public WiFi and use a VPN
Use 2-factor authentication for every login
One of the simplest things that you can do, and one we are all familiar with in some fashion, is 2-factor authentication.
This is when you log in to a provider (email, phone, banking, etc.) and, after your password, they send you that 6 or 8 digit code to type in.
My recommendation:
- Turn on 2-factor for every login for any/all banking, brokerages, mortgage services, and cell phone provider.
- Turn it on for email, phone, identity theft protection, insurance, providers.
It may seem like overkill, but this is a simple safeguard against someone who has stolen your password: without the second factor they are dead on arrival.
Now, the text-message version won’t stop a SIM-swap attack, because the attacker receives your codes, but it will keep hackers out of your accounts when all they have is your username and password.
Authenticator Apps
To supercharge your security, check whether each service can use an authenticator app for your 2-factor authentication instead of text messages.
Authenticator apps work like text-message 2-factor authentication in that you supply an additional code at login. The difference is where the code comes from: it is computed on your phone from a secret the service shared with you when you scanned the enrollment QR code, so it never travels over the carrier’s network and you have to physically hold the phone to read it. This will stop a SIM swap from getting anywhere, as long as you enable the authenticator app and turn off the text-message and phone-call options on that account.
So if any of your services offer this, opt in, and “turn off” text message authentication for an added layer of security.
Here is a list of the most popular Authenticator Apps:
Turn on all “extra security” measures offered by your bank or brokerage
There are likely some extra security measures that you can take depending on each individual bank or brokerage. These measures seem to vary widely, but appear to be more common now.
Coinbase and Vanguard, for instance, also let you set up a security key:
A security key is a small device you can purchase, like a flash drive, that plugs into your computer’s USB drive and provides another layer of security when you’re logging on to our website.
I did a quick Amazon search for “FIDO U2F security key” and found plenty of options depending on the type of USB port that you have (be sure to double check that). FIDO2/WebAuthn is the newer version of the same standard, and keys sold under that name generally still work with sites that only support U2F, so they are the safer purchase.
Fidelity meanwhile offers extra login security via “2FA by Symantec VIP Access app.”
Through our partnership with Symantec, use Symantec’s free Validation and ID Protection (VIP) Access app, which generates a randomized 6-digit code on your Mac, PC, or mobile phone each time you attempt to log in. To complete your login, you‘ll then be prompted to enter the code from your VIP app, which is valid for 30 seconds.
Charles Schwab also appears to use Symantec VIP.
If I were a customer of any of these services, I would immediately get the extra security layer up and running!
Check with your bank as well. Here is a list of banks/brokerages that offer an extra security layer:
- Bank of America
- Charles Schwab
- Citibank
- Coinbase
- Fidelity
- J.P. Morgan
- Vanguard
- Wells Fargo
For any banks/brokerages that I haven’t looked up, I would certainly do some searches on their website for extra security, security keys, Symantec VIP, or by simply contacting their customer service department.
Add a PIN Lock or Port Freeze on your cell phone
The first thing I did after watching “The $5 Million Dollar Phone Hack” was call my cell phone provider to see what I could do about locking up my phone. Here is what CNET says for how to secure your phone with the major providers:
- “AT&T subscribers: Go to your account profile, sign in, and then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then go to Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
- T-Mobile users: Set up a PIN or passcode the first time you sign in to your My T-Mobile account. Pick Text messages or Security question and follow the prompts.
- Verizon Wireless customers: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.”
If you don’t use one of the major providers, call them up and see what options they offer. I am sure they will have one or the other.
Use a Password Manager to store all of your highly secure and impossible to remember passwords
Next up, you’ll want to start using a password manager. Chances are you already use one, since all of the major browsers have one built in:
- Chrome Password Manager
- Safari Password Manager
- Firefox Password Manager
- Internet Explorer Password Manager
However, the password manager built into your browser is not enough.
You want safe and secure access to your passwords on your phone as well as the ability to store credit freeze PINs, 2-factor backup codes and other important information securely.
For this, I recommend a dedicated password manager app. Here are the ones that I recommend you take a look at:
- Lastpass
  - Free Plan – 1 Device
  - Family Plan (6 licenses) for $3 a month via “Back to school 25% off discount”
- Keeper Security
  - Personal Plan – $2.91 a month – $4.87 with file storage and dark web monitoring.
  - Family Plan (5 vaults) – $6.24 a month – $8.62 including dark web monitoring
- Dashlane
  - Free Plan – 1 Device, 50 Passwords
  - $3.99 – Unlimited Passwords
  - $6.49 – + Dark Web Monitoring
  - $8.99 – Family Plan w/ 6 Accounts
- Dropbox Passwords
  - Basic plans can store up to 50 logins and payment cards and use Dropbox Passwords on up to 3 devices.
  - Plus, Professional, Family, or Business plans can store unlimited logins and payment cards and use Dropbox Passwords on unlimited devices.
For more on password managers, check out this excellent breakdown of the best password managers from PC Mag.
The main reason that you want to use a password manager is that you will want to begin generating really secure, unique passwords. There is no way for you to remember dozens of these, and writing them down defeats the purpose.
Don’t shoot yourself in the foot by using a password manager and then still picking weak passwords. Just don’t.
Generate Strong, Secure Passwords
The worst thing that you can do on the internet is use the same password, or a variation of the same password, over and over again. One leaked site then unlocks everything else.
For this reason, it is really important in this day and age to generate strong, unique passwords.
I do this by utilizing the browser’s “suggest a strong password” tool. This comes in the form of a prompt when you are signing up for a new service. You’ll want to do this 100% of the time.
For years, I also used tools like RandomKeyGen to generate a strong password. You can also use other free generators on the net, like LastPass’ or Keeper’s.
Audit your passwords
Next up, you need to audit your passwords.
Now that you are using stronger passwords and saving them in your password manager, you need to go back and audit/fix all of your critical accounts: anything reused, weak, or found in a known breach gets replaced.
I cannot overstate how critical this is.
Here is an example of the “Check Password” tool from Chrome:
For all of the browsers:
- How to check your passwords in Chrome
- How to check your passwords in Safari
- Firefox and Internet Explorer don’t appear to have a tool yet.
For Password Managers:
- Lastpass Security Dashboard
- Dashlane Password Health
- Keeper and Dropbox don’t appear to have a tool to check password security yet, but I also could just not be seeing any information on them.
Let’s face it. This part will suck.
Yet, even if it takes you days, it will be worth it to prevent your bank, email, phone or who-knows-what account from being hijacked by hackers.
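As an added example for the last two sections (not the author’s tooling and not any password manager’s code), the script below does both jobs they describe: it generates passwords from a cryptographic random source, and it audits a vault export for reuse, length and breach exposure the way the browser and password-manager checkers do. The vault entries and the breach lookup response are constructed so it runs offline; the real Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>) answers in the same “SUFFIX:COUNT” format, and only the first five hex characters of the SHA-1 ever leave your machine, which is why the check can be run without sending the password or its full hash anywhere.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# 94 printable ASCII symbols excluding whitespace: log2(94) ~ 6.55 bits per character.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character from a CSPRNG (secrets), never from random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; an upper bound for anything human-chosen."""
    return length * math.log2(alphabet_size)


def sha1_prefix_suffix(password: str):
    """Have I Been Pwned k-anonymity split: the 5-hex-char prefix is sent to the range
    endpoint, the 35-char suffix is matched locally and never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """The range endpoint answers with 'SUFFIX:COUNT' lines for every hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6.
# The first suffix really is SHA-1("password") minus its prefix; the counts and the
# second suffix are made up so the example runs offline.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "0123456789ABCDEF0123456789ABCDEF012:3\n",
}


def breach_count(password: str, fetch_range=FAKE_RANGE_RESPONSES.get) -> int:
    """How many times the password appears in known breaches (0 if unseen). For the live
    service, pass a fetch_range that does an HTTPS GET of the range URL for the prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix) or "").get(suffix, 0)


# Constructed vault export: (site, username, password). Not real accounts or people.
SAMPLE_VAULT = [
    ("bank.example", "alice", "password"),
    ("mail.example", "alice", "Summer2021!"),
    ("broker.example", "alice", "Summer2021!"),
    ("carrier.example", "alice", "kA9$vL2#pQ7!mZ4@xR1^"),
]


def audit_vault(vault, min_bits: float = 80.0, fetch_range=FAKE_RANGE_RESPONSES.get) -> dict:
    """Return {site: [finding, ...]} for every entry that is reused, short or breached."""
    sites_by_password = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_password[pw].append(site)
    findings = defaultdict(list)
    for site, _user, pw in vault:
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            findings[site].append("reused on " + ", ".join(others))
        # Length check uses the random-string bound, so it is generous to human-made passwords.
        if entropy_bits(len(pw)) < min_bits:
            findings[site].append(f"only {len(pw)} chars: under {min_bits:.0f} bits even if random")
        seen = breach_count(pw, fetch_range)
        if seen:
            findings[site].append(f"in {seen} breach records, change immediately")
    return dict(findings)


if __name__ == "__main__":
    print("fresh password:", generate_password(), f"({entropy_bits(20):.0f} bits)")
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print(site, "->", "; ".join(problems))
```

Run as-is it flags three of the four constructed entries and leaves the 20-character random one alone. To audit a real export, replace SAMPLE_VAULT with the CSV your password manager produces and swap in a fetch_range that calls the live range endpoint; the prefix is the only thing that goes over the wire.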
Freeze your Credit
One of the most important things you can do to help with identity theft and prevent scammers from opening new accounts in your name is to freeze your credit.
The good news is that all of the credit bureaus are making this really easy these days. With your password manager set up to hold the PINs they give you, this should be a breeze:
- Go freeze your credit at Equifax
- Go freeze your credit at Experian
- Go freeze your credit at TransUnion
Do this for yourself, your spouse, and your kids.
Just remember, that you will need to temporarily unfreeze your credit when applying to open up a new bank account, credit card, mortgage, etc.
Get Identity Theft Monitoring
Once you are using a Password Manager, 2-factor authentication, have switched to using secure passwords, and frozen your credit – you’ve now put yourself in great shape.
The next step will be to add identity theft monitoring. For this I personally use LifeLock. The reason why I like LifeLock, is because they offer “Stolen Fund Reimbursement:”
Reimbursement and Expense Compensation, each with limits of up to $1 million for Ultimate Plus, up to $100,000 for Advantage and up to $25,000 for Junior and Select, when purchased in Norton 360 with LifeLock plans. And up to $1 million for coverage for lawyers and experts if needed, for all plans. Benefits under the Master Policy are issued and covered by United Specialty Insurance Company (State National Insurance Company, Inc. for NY State members).
Lifelock
So if hackers did get past my 2-factor authentication and strong passwords and into my bank accounts or brokerage accounts, I would have some level of recourse/insurance.
Bank accounts are FDIC insured for up to $250,000 per depositor, per insured bank, per ownership category. But that insurance covers the bank failing, not a thief emptying your account…
So while identity monitoring isn’t the cheapest service out there, if you chose one with reimbursement, you can hopefully sleep a tad better at night.
Besides LifeLock, there are other services doing identity theft monitoring. Here are some:
Avoid free public WiFi, and use a VPN
Well we have thoroughly covered a lot today. But there are a few more things to ponder…
Avoid free public WiFi
There is no such thing as FREE, especially when it comes to WiFi.
So you head over to Starbucks, or a local hotel, sit down and start to browse the web, do some work, etc. You are safe, right? Not necessarily:
When you are on a public Wi-Fi network, like those in Starbucks, everyone connected to that Wi-Fi network has access to all internet traffic of everyone else on the network… Did you hear that? EVERYONE!
[…]
What an attacker could do is wait for you to enter your password on a website that isn’t secure, then try using that same password on Chase.com to gain access to your bank account.
Why browsing on Starbucks Wi-Fi is dangerous and how you can best play it safe – Medium
Unsecured WiFi networks are very easy places for anyone else on the network to watch or tamper with your traffic, and any website that doesn’t use HTTPS hands them whatever you type into it.
I am guilty of this as well in the past, but there is a solution: only use secure websites with the little lock in the address bar (like this one), which means the site is served over HTTPS, combined with using a VPN.
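To show exactly what “everyone on the network can see your traffic” means, here is an added example (constructed for this page, not from the Medium post or the author) that plays the passive observer at the next table. It parses two constructed packet payloads: a login form posted over plain http://, from which the username and password fall straight out, and a TLS ClientHello to a bank, from which only the hostname (the SNI extension) is recoverable because the URL path, cookies and form fields are inside the encrypted session. The hostnames, the credentials and the single cipher suite in the hand-built ClientHello are all made up.

```python
import struct
from urllib.parse import parse_qs

# Constructed packet payload: a login form submitted over plain http://.
PLAINTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"user=alice&pass=Summer2021%21&go=1"
)


def sniff_http_credentials(payload: bytes):
    """Passive observer on cleartext HTTP: parse the request and lift the form fields."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ", 2)
    if len(parts) != 3:
        return None
    method, path, _version = parts
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"")
    if method != b"POST" or not ctype.startswith(b"application/x-www-form-urlencoded"):
        return None
    length = int(headers.get(b"content-length", len(body)))
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    return {
        "host": headers.get(b"host", b"").decode(),
        "path": path.decode(),
        "fields": {k: v[0] for k, v in fields.items()},
    }


def build_client_hello(hostname: str, client_random: bytes = bytes(32)) -> bytes:
    """Minimal ClientHello carrying only a server_name extension (constructed; real
    clients send many more extensions and a genuinely random 32-byte nonce)."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack(">H", len(name)) + name          # name_type host_name
    name_list = struct.pack(">H", len(entry)) + entry
    sni_ext = struct.pack(">HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + client_random + b"\x00"                        # version, random, empty session id
        + struct.pack(">H", 2) + b"\x13\x01"                        # one cipher suite
        + b"\x01\x00"                                               # null compression only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def sniff_tls_sni(payload: bytes):
    """Passive observer on TLS: only the handshake framing and the SNI hostname are
    readable; the HTTP request that follows is encrypted."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                              # session_id
        p += 2 + struct.unpack(">H", payload[p:p + 2])[0]    # cipher_suites
        p += 1 + payload[p]                              # compression_methods
        ext_end = p + 2 + struct.unpack(">H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack(">HH", payload[p:p + 4])
            p += 4
            if ext_type == 0x0000:                       # server_name
                q = p + 2                                # skip server_name_list length
                name_len = struct.unpack(">H", payload[q + 1:q + 3])[0]
                if payload[q] == 0:                      # host_name entry
                    return payload[q + 3:q + 3 + name_len].decode("idna")
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def observe(payload: bytes) -> dict:
    """What the person at the next table learns from one captured payload."""
    creds = sniff_http_credentials(payload)
    if creds:
        return {"transport": "http", **creds}
    sni = sniff_tls_sni(payload)
    if sni:
        return {"transport": "tls", "host": sni, "path": None, "fields": None}
    return {"transport": "unknown", "host": None, "path": None, "fields": None}


if __name__ == "__main__":
    print(observe(PLAINTEXT_LOGIN))
    print(observe(build_client_hello("bank.example")))
```

The contrast is the point: HTTPS hides what you send but not where you send it, since the SNI hostname is in the clear in every TLS version short of Encrypted Client Hello. A VPN moves even that out of the cafe’s view, into the VPN provider’s.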
Use a VPN when connected to public WiFi
A virtual private network (VPN) encrypts all of your traffic between your device and the VPN provider’s server, so the coffee shop’s network (and anyone sniffing it) sees only one encrypted tunnel instead of your individual connections. It gives you privacy from the local network, not anonymity: you are trusting the VPN provider with that traffic instead.
CNET breaks down the best VPN services here. They also say “Don’t use free VPN services: You’ll find only paid VPN options below because they’re the only ones we can recommend.”
Their recommendations:
I have used several of these services; they all generally work the same. I would follow CNET’s advice and avoid the free services. A free VPN has to pay for itself somehow, usually with advertising or with your browsing data, and that isn’t worth the risk.
The Ideal Security Setup
For services that allow you to turn off authentication via a phone number, the combination of a hardware key and a smartphone-based authenticator app, with a set of backup codes locked in a file drawer, is the ideal solution.
ZDNet.com
Yep, that is right. Here is the ideal security setup:
- Use a password manager and strong passwords
- Turn off authentication via phone number and use a security key and authenticator app instead. If text messages stay enabled as a fallback, an attacker simply asks for the text, so the weakest method you leave switched on is the one that counts.
- Put backup codes, and/or an additional security key in a safe (or safe place)
Did I miss anything?
If I missed any security practices or there are any other major concerns to be aware of, please let me know in the comments.
Conclusion
Look folks, it is scary out there.
I recommend that you follow all of my advice to secure your accounts.
Even with today’s top notch security, hackers are always one step ahead.
So be careful and be smart.
Make sure that you are as secure as you possibly can be, especially if sharing any financial information online.
Good luck out there! Use secure passwords!
Lastpass had a major breach (user password vaults were stolen) last year that was significant enough that they should no longer be a recommended security solution. Please do some research and update your recommendation to better choices. You are doing a disservice by continuing to promote this product.
I was a long time subscriber to Lastpass and have moved on to another solution due to the
They fucked up majorly. That much is clear. But I think they MAINLY screwed up in their communication and media handling of the breach.
I would argue that in general, using any 3rd party tool is never going to be 100% failsafe.
This was a persistent targeted attack of a higher up engineering employee. I’m sure it won’t be the last security company to be targeted and successfully breached.
The good news is that Lastpass has added safety protocols and learned greatly from this.
Any Lastpass user, should change their master password and always ensure they are using 2FA.
I would say at this point using Lastpass is about as safe as using any 3rd party provider. BUUUUUT nevertheless using a password manager is better than not because you can enforce and remember stronger passwords in the first place.
I followed this story closely for months hoping the situation would improve since I was a long-time client. If only it was largely about poor communication. But the more I read the more I realized they didn’t ever do proper 3rd party testing (pen test, audits, etc) of their networks. In fact all of their audits were done internally, never by a 3rd party. This just isn’t good enough.
I agree that using any password manager is definitely better than not. Anyone that isn’t has simply fooled themselves into believing either that an account hack will never happen to them OR their own password system is good enough. You and I both know they are playing with fire.
However, Lastpass was highly negligent IMO and in the opinion of several security experts. I determined switching was best and moved me and my family to Bitwarden. From my research Bitwarden and 1Password are two superior alternative solutions. Both of them have had several audits done by external security organizations.
Not going to lie, AR, I kind of wish I didn’t read all of the ways I could have my identity (and money) stolen. That’s a little nerve wracking!
But agree, definitely best not to bury your head in the sand. Two factor authentication is a must and really doesn’t add much hassle. I’ll have to look into all these other strategies also.
Awesome and super informative post!
Haha thanks. Yeah I would use strong passwords and 2-factor. I’ve been testing out security keys more, and I really like them BUT you can easily work around them and request a text message, so unless you use a security key and turn off all other authentication methods, it isn’t giving you a ton of extra security. They are easy to use though!
Hello, at least 4-5 times a year I check my computer using “Shields Up”.
Google those two words and the website – GRC – will come up. After running the port test it states that my computer “is in full stealth mode” and doesn’t respond to attempts to connect. Thus I’ve always assumed that I am protected.
I didn’t know about CISA, but this is a good resource, so thanks for sending it over. It looks like the other port test you are talking about on GRC is legitimate, but I wouldn’t take it as a full scan of your security other than your router’s firewall. But I am no security expert either!
A few things: KeePass is a free, open source, multi-platform password manager I’ve used for years. It’s absolutely great, free, and doesn’t depend on any online service. The encrypted database is a local file you can keep in whatever Authenticator-secured cloud storage for use on multiple devices. Can use a local unlock key file with it as well to be kept offline.
Credit monitoring: I think in this day and age Lifelock is totally unnecessary. I think every credit card I own now comes with excellent free monitoring services; Chase, capital one, Bank of America, etc. Even Mint does this for free. I get alerts for opening accounts, closing accounts, large transactions (Mint), credit report requests, credit score, even dark web password hacks associated with my email address. To me, I get so much monitoring for free it’s just not worth paying for. I’ll bet they all use the same backend service anyway.
Hey FrugalMD,
Thanks for the recommendation to KeePass, I’ll have to give it a look.
Good to know about Mint as well. I haven’t used it in years, and have been giving preference to Personal Capital’s tools. But I will check it out and add it to the list of potential tools!
Great post AR, I agree that in this day and age 2FA is a must for your finances! I have used Symantec VIP for Fidelity and Schwab now for over a year and while it is an extra step, I can rest assured knowing my money is better protected.
Exactly. I’d rather have some slight hassle to log in to places, versus trying to unbundle a nightmare hacking situation. Nice to hear that Symantec VIP isn’t too cumbersome. Personally, I’ve found the security keys to be very easy to use, in fact faster than 2FA!
This is great advice.
Thanks! Protect your money folks!!!
These all work great – as long as I still have access to my phone and authenticator app/device. But how do I regain access to my accounts if the phone/app/device is lost or destroyed?
It will depend on the account: some have a backup code that you can save to a secure location to get back into the account in the event you lose access to your device. It also probably makes sense to set up a second device (a spouse’s, an iPad, etc.) as a backup authenticator. I might even personally buy a device just for backup authentication with nothing else on it.
I also enjoy the security keys, because they are small and you can easily keep one out and put a backup in a safe or other secure location.
Lastly, you can likely always call to reset your username/password with many of your banks/brokerages. In fact, in this way these are some of the least secure types of accounts, but someone would really have to have a lot of your information to get into them.