Online Commerce and Banking Security: First Steps.
Prepared by Daniel Hoffman
ADI Consulting, Inc.
In
today’s connected world, it is hard to find someone who doesn’t purchase
products online or use online banking services.
So, it’s no wonder that credit fraud, identity theft, and banking fraud
incidents resulting from internet hacking are on the rise. Many people I know are scared they will be
hit, but have no idea where the threats are or where to start when thinking
about security. Well, here’s a quick way to get started in making yourself a
harder target for hackers.
Many
people use personal email accounts for both personal/public social interactions
and online banking or shopping. I
advocate using separate accounts for your fun and finance. It may seem like a hassle, but I think it’s
worth it. Or at least have separate
email addresses for trusted sources and one for public use.
Prevalence of email as a hacking vector.
It’s not uncommon to hear about a friend that has had their
email account hacked in some way. I’ll
bet you (the reader) knows someone who has had an email account compromised and
had to change passwords and clean up the resulting mess, and then told you
about it. In fact, according to the 2015
California Attorney General’s breach report, 54% of breaches where accomplished
using malware and/or some other form of hacking. Malware is most often spread through
email. And when your email box is
cluttered with thousands of emails from everyone and anyone, it’s hard to spot
the bad ones. Find more information on
Malware here: https://en.wikipedia.org/wiki/Malware
Who Sent That?
The problem with using personal email for business is
basically that it gets cluttered, and you expect it to be that way. We get emails from a lot of people, and those
people often get compromised. Have you ever
received an email from a friend/family member’s email that turned out to be
spam or have a suspicious link or attachment?
Some of those emails will contain malware as attachments, or have links
to sites that will try to compromise you in some way. Learn about Phishing here: https://en.wikipedia.org/wiki/Phishing.
If you use the same email address for banking or online shopping, be careful.
Losing control of the email account you use for banking is serious business.
Most people use the same password for multiple accounts.
So, let’s look at how this might play out: If a hacker is able to get your email password,
they will first try to use your credentials on other sites, like your bank,
online shopping sites, etc. They can get that information by looking through
your emails. If they get one account,
they get many accounts. So, a good
strategy is to use different usernames and passwords for your important
accounts.
The old password reset trick.
If you used good password policy and they can’t get in right
away, they will probably go to your bank’s web site, click the “I forgot my
password” link and wait for the bank to send a link to your email account. Bam, they’re in. Even if your online bank asks for your secret
question, how hard is it to find your mother’s maiden name? Or what about the name of your elementary
school? If you’ve ever posted these
things online, that’s not a problem. A
good counter measure is to use phrases as answers to your secret questions,
rather than just words. Another way to make things harder for them to get in is
to use two factor authentication.
The case for two factor authentication.
One of the things that attracts us to online banking and
e-commerce is the convenience. We get so used to the idea of “ease of use” we
think that using passwords that are hard to remember or having to receive a
code from our service provider along with a password is too much of a
pain. We all curse our cell phones if
something takes longer than 30 seconds to finish, forgetting that we are
beaming signals into space and around the world. However, you can mitigate a lot of the really
easy attacks just by adopting some relatively painless online habits.
First, don’t use the same passwords for all your
accounts. I can’t stress this enough. Make
sure that any shopping site, online banking site, or the email address you use
with those sites are all using different passwords, that are in line with
strong password policies/recommendations.
Your online banking site will probably suggest a minimum length of 8 to
10 characters, must contain both upper and lower case letters, and should
contain a number and/or special character.
Make sure you keep a copy of them in a safe place, like in a safe.
Furthermore, you should make a habit of changing passwords from time to
time. Even if it’s once a year, or just
watch the news sites for breach reports and change passwords related to sites
and services that have possibly been breached.
Second, use two
factor authentication whenever possible.
Both Google and Microsoft email accounts offer the option of using two
factor authentication. Two factor
authentication works by requiring you to set up an alternate method of identification
in your account settings. Many sites
allow you to use what is called Two Factor Authentication to periodically confirm
it’s you by making you enter a code along with your password when you log in,
especially when accessing the site from a new computer or changing important
settings. This will make it much harder
for someone to login to your account from another computer. Microsoft and
Google both have apps for generating authentication codes for your account, as
well as an option to use SMS text to your cell phone as an option for receiving
this code. More on Two Factor Authentication here: https://en.wikipedia.org/wiki/Two-factor_authentication
Wrapping things up.
The internet is fun and convenient. But, it’s also a feeding ground for
predators. There are some relatively
painless steps we can all take to make it a bit safer. My suggestion is to have an email address
that you use only for online transactions and turn on two factor authentication
for any online service you use related to money. I found this list of online sites and
services that support two factor authentication. https://twofactorauth.org/ . Indeed, the 2016 California Attorney
General’s Breach Report includes a recommendation for online commerce to make
multi-factor authentication available to their consumer facing portals. If you’re banks and retailers don’t offer it
as an option, please tell them that you, the consumer, want it. Use passwords or phrases that are hard to
guess and use different ones for all your accounts. Heck, use different usernames as well. Learn about Phishing scams, don’t click on
links to shops and banks. If you need to
go there do to something you received in an email, verify the link is correct
first or better yet, type the url into your browser yourself. There are browser plugins available for most
major browsers that can help, I’ll include some links at the end of the
article.
If you are worried about credit fraud or think you may have
been compromised, you can also contact the major credit bureaus to put a fraud
alert on your credit report. Then any
time someone tries to open a new line of credit in your name, a number of
protections will be in place. It’s a
hassle if you want to open a new line of credit, but might be worth it for
those who already have all the credit cards they want and aren’t buying a house
next month. Discuss this course of
action with your CPA or financial professional first.
Reminder:
This is far from a complete picture of the risks involved in
online shopping and banking. It’s just a brief overview of some basic things to
keep in mind. If you want to make sure
your business is doing everything it can to balance the risks, contact a
security professional for help.
Sample Browser Plugins:
No comments:
Post a Comment