Last month, I published a guest post from David Champion about the benefits he’s derived from gamifying his retirement spending. A discussion developed in the comments related to the challenge of securing your online accounts.
David was a software engineer before retiring early. In addition to the expertise his background provides, he’s spent time and energy educating himself on the topic of securing your identity and financial accounts.
He has generously offered to share that expertise in a practical and actionable way. Take it away David….
The 80-20 Rule
We’ve all heard of it, right? The 80-20 rule holds that 80% of outcomes are attributable to 20% of causes. It has been used to explain results in domains as diverse as engineering, economics and psychology. It can be a useful heuristic when choosing between options where the right call is not otherwise obvious.
Here I want to apply it to an area that many of us neglect, but that we should probably pay more attention to: securing our financial assets from identity thieves and cybercriminals.
Protecting ourselves from all possible threats would require a mind-numbing array of preventative measures. It is simply not worth the effort for the vast majority of us.
But I propose that implementing just two of them will protect us from 80% of the threat universe. That is, in terms of the 80-20 rule, implementing just 20% of preventative measures will net us 80% protection.
As a bonus, in a follow-up post I will present two additional steps that, when combined with the first two, will get us closer to 95% protection.
Freeze Your Credit Reports
Freezing your credit reports is perhaps the single most effective step you can take to mitigate the risk of identity theft.
Before a financial institution agrees to sell you a product, it needs to know that you are who you say you are and, if so, that you are a good financial citizen. It does this by pulling your credit report, typically from one of the three principal credit reporting agencies: Equifax, Experian, or TransUnion.
To pull your credit report, the financial institution needs your social security number, along with other bits of personally identifiable information (PII), to present to one or more of these agencies. You provide these details to the financial institution. In exchange, they consider you for the product or service you are applying for.
Now, consider this chilling fact. Despite your best efforts to keep it a secret, your social security number is likely already available on the dark web, just waiting to be exploited by an identity thief.
Along with your other requisite PII–most of which is readily available in the public domain–an identity thief can use your social security number to apply for a loan or credit card, or open a bank account, in your name. Once this happens, the damage to your financial bona fides can be devastating. The burden is entirely on you to clear it up.
If your credit reports are frozen, however, the identity thief has a problem: the credit reporting agency won’t release a report that has been frozen without authorization to do so. Since you instituted the freeze, only you can provide this authorization. And without the credit report, the financial institution will deny the application for the financial product or service.
Suddenly, your leaked social security number is a lot less valuable to the identity thief, and he will move on to the next victim.
The home pages of the big three credit reporting agencies I linked above provide step-by-step instructions for freezing your credit report, so I am not going to regurgitate the details here. Suffice it to say it’ll take you an hour, tops, to implement freezes at all three.
Best of all, thanks to a federal law passed in 2018, all three agencies are required to provide this service at no cost to you.
You may have to scroll down the homepage a bit to find the right place to start (after all, these agencies want to sell you their paid services, not give away the free ones). I just confirmed that each homepage features the relevant link.
There are a couple of details worth mentioning. All of the credit agencies offer credit locks, in addition to freezes. I recommend the latter. Locks are theoretically easier to lift, but the agencies charge you a fee for the privilege. Unless you are planning to apply for loans, credit cards, and the like in the near future, if you choose a lock you’ll be paying for a convenience you likely won’t use.
Also, if you do wind up having to lift a freeze, you’ll need to know at which agency to lift it. For example, recently I applied for a Chase credit card. Chase did not make it clear which agency they use to pull credit reports.
A simple Google search yielded the answer. With that, I logged in to my account at that agency and unfroze my file. They even allowed me to set an expiration date for the thaw, so I didn’t have to remember to log back in to re-freeze it.
Freezing your credit reports won’t completely erase the value of your social security number to bad actors. An identity thief could still file a fraudulent tax return, or apply for (and even work at) a job, using your social security number. Neither action requires the intervention of a credit reporting agency.
But herein lies another manifestation of the 80-20 rule. The 80% protection gained from freezing your credit reports is better than the 0% without.
Don’t give out your social security number to just anyone. A good rule of thumb is this: if you didn’t initiate a contact, and that contact asks you for your social security number, don’t divulge it. And if you did initiate the contact, at least ask them why they need it.
Don’t Open Unverified Attachments or Links
The second most important step you can take to protect yourself is not something you should do, but rather something you should not do: open attachments or links on your smartphone, tablet, or computer unless you are sure they are legitimate.
Malicious attachments and links are types of phishing attacks. They can come not just in the form of email attachments, but also clickable links embedded in emails and text messages.
If you open a malicious attachment or link, your device may become compromised. In the best case, this could mean it will be co-opted in a cryptocurrency mining pool, causing your device to slow to a crawl (see cryptojacking). In the worst case, the data on your device could be encrypted, making it inaccessible to you pending payment of a steep ransom (see ransomware).
Develop Good Habits
Avoiding these (and potentially other catastrophic) outcomes simply requires developing good habits, like fastening your seatbelt before you even start the car, or brushing your teeth first thing in the morning.
Start by assuming every attachment or link you lay eyeballs on is malicious. That is, assume it is guilty until proven innocent.
How do you prove an attachment or link is innocent? It starts with the same advice I gave for divulging your social security number. If you requested the email or text message containing the attachment or link, it is probably okay. But if you didn’t request it, it probably is not.
Even if the email came from a person you know and trust, if you didn’t request the email, check with that person to confirm they indeed sent it before opening the attachment or link. Email spoofing is astoundingly easy.
As a result, the tactic is commonly used by cybercriminals. This tactic has tricked even the savviest of recipients into opening malicious attachments.
If the email came from an entity you do not know personally, but with whom you have a relationship (say your bank), read the email carefully before opening any attachments. Does the email make sense? Is it written in good English, using correct spelling and grammar? If the answer to any of these is no, then the attachment is almost assuredly malicious.
Even if it passes the native-English test, be suspicious if the email contains baiting language. For example, an email from your bank requesting that you log in immediately to change your password due to a “security incident” is a red flag. A bank or financial institution will never ask you to take such action via a link embedded in an unsolicited email or text message.
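The checks described above (was the message really sent by the domain it claims, does a link actually go where its visible text says, and does the wording lean on urgency or bait) can be applied mechanically. The script below is an added example written for this post, not code from the original article; it parses a raw email, reads the Authentication-Results header your own mail provider adds, compares each link's visible domain with its real destination, and looks for a handful of bait phrases. Both messages, the bank name, and every domain in it are constructed for the example; "examplebank.com" and the ".invalid" hosts are placeholders, not real institutions.

```python
"""Added example: a phishing-indicator checker for a raw email message.

It applies three of the post's tests mechanically:
  1. Did the receiving server's Authentication-Results say SPF and DKIM
     passed, and does the envelope-sender domain match the From: domain?
  2. Does each link's visible text name the same domain its href points to?
  3. Does the subject or body contain urgency / bait phrases?
All sample data below is constructed for this example.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases the post calls "baiting language"; extend for your own mailbox.
BAIT_PHRASES = ("immediately", "security incident", "claim your prize",
                "verify your account", "account suspended", "act now")

# Matches a domain in visible link text, ignoring a scheme and "www." prefix.
_DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkAndTextExtractor(HTMLParser):
    """Collects (href, visible text) pairs plus all visible body text."""

    def __init__(self):
        super().__init__()
        self.links, self.text_parts = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor_text = dict(attrs).get("href", ""), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text)))
            self._href = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)


def _host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_authentication(msg) -> list:
    """Flag SPF/DKIM results other than 'pass' and a From/envelope domain mismatch."""
    findings = []
    from_domain = email.utils.parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    results = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", results, re.I)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", results, re.I)
    if m:
        mailfrom_domain = m.group(1).rpartition("@")[2].lower()
        if from_domain and mailfrom_domain != from_domain:
            findings.append(f"From domain {from_domain!r} != envelope domain {mailfrom_domain!r}")
    return findings


def mismatched_links(links) -> list:
    """Return (visible text, href) pairs whose shown domain differs from the real one."""
    out = []
    for href, text in links:
        shown = _DOMAIN_RE.search(text)
        if shown and shown.group(1).lower() != _host(href):
            out.append((text.strip(), href))
    return out


def bait_language(text: str) -> list:
    lowered = text.lower()
    return [p for p in BAIT_PHRASES if p in lowered]


def assess(raw: str) -> dict:
    """Run all three checks on a raw RFC 822 message; empty lists mean nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkAndTextExtractor()
    parser.feed(body.get_content() if body else "")
    text = " ".join(parser.text_parts) + " " + str(msg["Subject"] or "")
    return {"auth": check_authentication(msg),
            "links": mismatched_links(parser.links),
            "bait": bait_language(text)}


# Constructed sample: a lookalike "bank" message with every red flag the post lists.
PHISH_SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank.com>
To: customer@example.net
Subject: Urgent: security incident on your account
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.mailer-test.invalid; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected a security incident. Please log in immediately to change your password.</p>
<p><a href="http://examplebank.com.login-check.invalid/reset">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample: a routine notice that should produce no findings.
CLEAN_SAMPLE = """\
From: "Example Bank" <statements@examplebank.com>
To: customer@example.net
Subject: Your monthly statement is ready
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking at
<a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, assess(raw))
```

Two caveats a practitioner would add: only the Authentication-Results header stamped by your own mail provider is trustworthy (anything a sender includes can itself be forged, which is why good providers strip incoming copies), and a message that trips none of these checks is not thereby safe; the script automates the red flags the post names, it does not replace the habit of confirming unrequested messages with the sender.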
When In Doubt
Finally, if the email came from somebody or something you’ve never heard of, assume it is malicious and delete it (or move it to your spam folder) summarily. This can be especially hard to do if the message contains baiting language of another sort, such as, “Click here to claim your prize!”
Generally speaking, the more tempted you are to open an attachment or link–by fear, greed or some other powerful emotion–the more suspicious you should be.
Social engineering techniques are specifically designed in this way to manipulate potential victims. Don’t let yourself be one of them.
There are many other ways a hacker can try to trick you; far too many to catalog here. Just being aware that social engineering is a thing will put you ahead of the curve.
Above all, remember the 80-20 rule. If you develop a habit of healthy skepticism toward all attachments and links, you will protect yourself from the vast majority of threats.
For an extra layer of protection, keep the software on your devices up to date. New vulnerabilities are being discovered literally every day. Device and app vendors are in a constant race to stay ahead of them via software updates.
The more up to date your software, the less likely your device will be compromised if you accidentally open a malicious attachment or link. That’s because the vendor may have included protections against the malware in a recent update.
So the next time your smartphone, tablet, or computer prompts you to do an update, think twice about rejecting it. Better still, enable automatic updates on your device. That way, you won’t even have to think about it.
Freezing your credit reports and practicing vigilance with attachments and links will go a long way toward protecting your assets and identity. You get lots of protection for minimum effort and zero cost.
In an upcoming post I will propose two additional steps you can take to stretch your protection even further. To whet your appetite, the topics of that post will be multi-factor authentication and good password hygiene.
True to the 80-20 rule, there are ways to maximize the benefits of those, too, while avoiding needless additional complexity. So stay tuned for those details in the next post.
* * *
[I’m David Champion. I retired from a career in software development in March 2019, just shy of my 53rd birthday. To position myself for 40+ years of worry-free retirement, I consumed all manner of early-retirement resources. Notable among these was CanIRetireYet, whose newsletters I have received in my inbox every Monday morning for the last ten years. CanIRetireYet is one of exactly two personal finance newsletters I subscribe to. Why? Because of the practical, no-nonsense advice I find here. I attribute my financial success in no small part to what I have learned from Darrow and Chris. In sharing some of my own observations on the early-retirement journey, I aim to maintain the high standard of value readers of CanIRetireYet have come to expect.]
* * *
Disclosure: Can I Retire Yet? has partnered with CardRatings for our coverage of credit card products. Can I Retire Yet? and CardRatings may receive a commission from card issuers. Other links on this site, like the Amazon, NewRetirement, Pralana, and Personal Capital links are also affiliate links. As an affiliate we earn from qualifying purchases. If you click on one of these links and buy from the affiliated company, then we receive some compensation. The income helps to keep this blog going. Affiliate links do not increase your cost, and we only use them for products or services that we're familiar with and that we feel may deliver value to you. By contrast, we have limited control over most of the display ads on this site. Though we do attempt to block objectionable content. Buyer beware.