Friday, June 3, 2016

Online Commerce and Banking Security: First Steps


 Prepared by Daniel Hoffman
ADI Consulting, Inc.


In today’s connected world, it is hard to find someone who doesn’t purchase products online or use online banking services.  So, it’s no wonder that credit fraud, identity theft, and banking fraud incidents resulting from internet hacking are on the rise.  Many people I know are scared they will be hit, but have no idea where the threats are or where to start when thinking about security. Well, here’s a quick way to get started in making yourself a harder target for hackers.
Many people use a single personal email account for both personal/public social interactions and online banking or shopping.  I advocate using separate accounts for fun and finance.  It may seem like a hassle, but I think it’s worth it.  At a minimum, keep one email address that only your bank, card issuer and trusted shops know, and a different one for public use.

Prevalence of email as a hacking vector.

It’s not uncommon to hear about a friend who has had their email account hacked in some way.  I’ll bet you (the reader) know someone who has had an email account compromised, had to change passwords and clean up the resulting mess, and then told you about it.  In fact, according to the 2015 California Attorney General’s breach report, 54% of breaches were accomplished using malware and/or some other form of hacking.  Email is one of the most common ways malware is delivered, usually as an attachment or a link.  And when your email box is cluttered with thousands of emails from everyone and anyone, it’s hard to spot the bad ones.  Find more information on Malware here:  https://en.wikipedia.org/wiki/Malware

Who Sent That?

The problem with using your personal email for financial business is that it gets cluttered, and you come to expect it to be that way.  We get emails from a lot of people, and any one of those people can be compromised.  Have you ever received an email from a friend’s or family member’s address that turned out to be spam, or carried a suspicious link or attachment?  Some of those emails contain malware as attachments, or link to sites that will try to compromise you in some way.  Learn about Phishing here: https://en.wikipedia.org/wiki/Phishing. If you use the same email address for banking or online shopping, be careful. Losing control of the email account you use for banking is serious business.

Most people use the same password for multiple accounts.

So, let’s look at how this might play out:  If a hacker gets your email password, the first thing they will do is try that same username and password on other sites, like your bank, online shopping sites, etc.  Your inbox tells them which sites to try, because statements, order confirmations and account notices are all sitting there.  If they get one account, they get many accounts.  So, a good strategy is to use a different username and password for each of your important accounts.

The old password reset trick.

If you used good password practice and they can’t get in right away, they will probably go to your bank’s web site, click the “I forgot my password” link and wait for the bank to send a reset link to your email account, which they already control.  Bam, they’re in.  Even if your online bank asks your secret question, how hard is it to find your mother’s maiden name?  Or the name of your elementary school?  If you’ve ever posted these things online, that’s no obstacle for them.  A good countermeasure is to answer secret questions with phrases, or with made-up answers unrelated to the question, rather than single guessable words (and keep a record of what you used).  Another way to make it harder for them to get in is to use two factor authentication.

The case for two factor authentication.

One of the things that attracts us to online banking and e-commerce is the convenience. We get so used to the idea of “ease of use” we think that using passwords that are hard to remember or having to receive a code from our service provider along with a password is too much of a pain.  We all curse our cell phones if something takes longer than 30 seconds to finish, forgetting that we are beaming signals into space and around the world.  However, you can mitigate a lot of the really easy attacks just by adopting some relatively painless online habits. 
First, don’t use the same password for all your accounts.  I can’t stress this enough. Make sure that every shopping site, online banking site, and the email address you use with those sites each has a different password that meets strong password recommendations.  Your online banking site will probably require a minimum length of 8 to 10 characters, with both upper and lower case letters and a number and/or special character; treat that as a floor rather than a target, since a longer passphrase is stronger.  Keep a copy of them in a safe place, like in a safe or a reputable password manager. Furthermore, make a habit of changing passwords from time to time.  Even if it’s only once a year, at least watch the news sites for breach reports and change the passwords for any site or service that may have been breached, and for any other account where you reused that password.
Second, use two factor authentication whenever possible.  Two factor authentication means that, in addition to your password, you must present a second proof that it’s you, which you set up in your account settings, usually a short code.  Many sites then ask for that code along with your password when you log in, especially when accessing the site from a new computer or changing important settings, which makes it much harder for someone to log in to your account from another computer.  Both Google and Microsoft email accounts offer it, and both have apps that generate authentication codes for your account, as well as the option of receiving the code by SMS text to your cell phone.  Prefer the app where you can: an SMS code can be intercepted if an attacker talks your carrier into moving your phone number to a SIM they control, while the app’s codes never leave your phone.  More on Two Factor Authentication here: https://en.wikipedia.org/wiki/Two-factor_authentication

Wrapping things up.

The internet is fun and convenient.  But, it’s also a feeding ground for predators.  There are some relatively painless steps we can all take to make it a bit safer.  My suggestion is to have an email address that you use only for online transactions and turn on two factor authentication for any online service you use related to money.  I found this list of online sites and services that support two factor authentication:  https://twofactorauth.org/ .  Indeed, the 2016 California Attorney General’s Breach Report includes a recommendation for online commerce to make multi-factor authentication available on their consumer facing portals.  If your banks and retailers don’t offer it as an option, please tell them that you, the consumer, want it.  Use passwords or phrases that are hard to guess and use different ones for all your accounts.  Heck, use different usernames as well.  Learn about phishing scams, and don’t click on links to shops and banks that arrive by email.  If you need to go there to do something you received in an email, verify that the link really points where it claims first or, better yet, type the URL into your browser yourself.  There are browser plugins available for most major browsers that can help; I’ll include some links at the end of the article.
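As an added example of what “verify the link really points where it claims” means in practice (this is not code from the original post), here is a small Python check that extracts the host a link actually connects to and compares it with the domain you expect.  The bank domain `examplebank.com`, the sample links and the function names are constructed for illustration; the tricks the samples show (a lookalike domain that merely begins with the bank’s name, a `bank@attacker` prefix, a plain-http link, and a punycode label) are the common ones used in phishing mail.

```python
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Return the host a link actually connects to.

    urlsplit().hostname discards any `user:password@` prefix (so
    https://examplebank.com@evil.example really goes to evil.example),
    drops the port and lower-cases the name, just as the browser does.
    """
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".")


def link_is_for(url: str, site_domain: str) -> bool:
    """True only if the link is HTTPS and its host is site_domain itself or a
    genuine subdomain of it (www.examplebank.com yes, examplebank.com.evil.example no)."""
    if urlsplit(url.strip()).scheme.lower() != "https":
        return False
    host = link_host(url)
    site = site_domain.lower().strip(".")
    if not host or "xn--" in host:
        # Internationalised (punycode) labels are the classic vehicle for
        # look-alike domains; a link to your bank should not need them.
        return False
    return host == site or host.endswith("." + site)


# Constructed sample links of the kinds that appear in phishing mail.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",                    # genuine
    "https://examplebank.com.secure-login.example/login",   # lookalike prefix
    "https://examplebank.com@evil.example/login",           # userinfo trick
    "http://www.examplebank.com/login",                     # not HTTPS
    "https://xn--examplebnk-4eb.com/login",                 # constructed punycode label
]


def classify(links, site_domain):
    """Map each link to (host it really goes to, whether it belongs to site_domain)."""
    return {u: (link_host(u), link_is_for(u, site_domain)) for u in links}


if __name__ == "__main__":
    for url, (host, ok) in classify(SAMPLE_LINKS, "examplebank.com").items():
        print(f"{'OK   ' if ok else 'AVOID'} {url:55} -> {host}")
```

Two design points: the check is anchored on the registered domain with a leading dot, so “contains the bank’s name” is never enough; and it is applied to the link target (the `href`), not the text displayed in the message, which an attacker can make say anything.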
If you are worried about credit fraud or think you may have been compromised, you can also contact the major credit bureaus to put a fraud alert on your credit report.  Then, any time someone tries to open a new line of credit in your name, the lender is expected to take extra steps to verify that it is really you.  It’s a hassle if you want to open a new line of credit yourself, but might be worth it for those who already have all the credit cards they want and aren’t buying a house next month.  Discuss this course of action with your CPA or financial professional first.
Reminder:
This is far from a complete picture of the risks involved in online shopping and banking. It’s just a brief overview of some basic things to keep in mind.  If you want to make sure your business is doing everything it can to balance the risks, contact a security professional for help.

Sample Browser Plugins:


