Protecting Financial Assets from Fraud, Theft, and Scams (Part 2)


In a previous post I applied the 80-20 rule to the realm of cybersecurity. My aim was to motivate you to take action to protect yourself from identity theft and/or financial loss. I proposed that you can achieve a great deal of protection with a minimum of effort.


Specifically, I urged you to freeze your credit reports and learn how to spot and avoid phishing scams. That post generated some excellent reader comments. Some brought to light worthwhile points not explicitly covered in the post.

In today’s second and final post on the topic, I will present two additional, simple steps you can take to get even further protection from the cybersecurity threat environment.

Use Multi-Factor Authentication

After freezing your credit reports and avoiding phishing scams, using multi-factor authentication (MFA) is perhaps the next best step you can take to protect yourself from financial loss.

Background

Let’s start by defining some terms. Authentication means proving you are who you say you are to some third party. For our purposes, let’s assume this third party is an authenticating system.

An authenticating system could be a website or smartphone app for a bank, a brokerage account, an email account (e.g., gmail, icloud), or any online system that requires authentication for access.

A factor is a means by which to prove (or authenticate) your identity to an authenticating system. And multi…well, you know what multi means. Put them all together, and you get MFA.

Factors

Let’s take a closer look at factors. When you log in to an authenticating system with a username and password, those bits of information–collectively known as your credentials–are one factor of authentication. In this case, that factor is something you know.

If your credentials match what the authenticating system has on record, that system will trust that you are who you say you are, and grant you access to the system.

Your driver’s license is another factor of authentication. In this case, the factor is something you have. When you present your driver’s license to the traffic cop who just pulled you over for speeding, the cop compares the picture of your face to the one sitting behind the steering wheel. If they match, the cop knows (or is at least reasonably sure) you are who the license says you are, thereby authenticating your identity.

And when your fancy new iPhone uses facial recognition to unlock your device, this is yet a third factor of authentication. In this case, the factor is something you are.

Adding just a second factor of authentication to a single-factor protocol makes it considerably more difficult for a cybercriminal to impersonate you.

Action Items

As with adding a credit freeze, setting up 2-factor authentication (2FA) is easy. Nearly all reputable financial institutions with an online presence offer convenient 2FA setup. If they don’t, then they don’t take security seriously.

Log in to your institution’s website or app, navigate to your profile and select security settings. This process will differ, but likely only slightly, from company to company. Then follow the instructions to set up 2FA.

Once 2FA is active, every time you submit your username and password to the website or app, it will prompt you for one additional bit of information before granting you access. This additional bit of information–typically a random six- to eight-digit number the website generates each time you submit your credentials–is called a token.

The website sends this token to your smartphone via text message. In this model, your smartphone is the 2nd factor of authentication; i.e., the something you have.

What does this look like from the perspective of the cybercriminal? Well, even if he gets hold of your credentials, he won’t be able to log in to your account without also having your smartphone. And the likelihood of his acquiring your credentials and your smartphone is far less than that of acquiring one or the other individually.

Hence the power of 2FA to protect your accounts from unauthorized access.

Caveats

Many institutions are beginning to offer 2FA via an authenticator app, which replaces the text message-based model described above. In this model, the token comes from an app installed on your smartphone, not a text message sent to it by the authenticating system.

The advantage of using an authenticator app is that the token is bound to your device, not your phone number. The distinction is subtle, and many will argue it is important enough to favor authenticator apps, but I disagree.

Here again, the 80-20 rule is instructive. In this case, it means activating 2FA with text messaging will buy you 80% protection over plain old single-factor authentication. I’d go further and say 90% to 95%.

In my opinion, the marginal improvement afforded by app-based 2FA is not worth the effort. It may even be counterproductive; say if you have to install a different app for each authenticating system you use. The additional complexity is not only inconvenient, it may lead to less security.

Moreover, the chief downside of message-based 2FA cited by proponents of app-based 2FA can be mitigated by locking down your phone number with your service provider (e.g., T-Mobile, Verizon, etc.). This is something you should consider doing anyway.

If the authenticating system doesn’t offer the message-based variant, and instead requires you to use an authenticator app, then I would say it is better to use app-based 2FA than none at all.

Last Word

2FA is a simple and effective way to add an extra layer of security to your high-value online accounts.

Think carefully about which of your accounts qualify as such. These might include not just bank and brokerage accounts, but also email, insurance, social security… pretty much any account or system that contains information you want to keep out of the hands of bad actors.

Use Strong Passwords

The fourth and final to-do on my cybersecurity checklist concerns passwords.

Passwords are unquestionably the weakest link in the chain of online, digital security, and you are only as strong as the weakest link in the chain.

A big reason for this is the laxity with which many of us treat our passwords. It is no wonder this is the case: we are constantly being asked to set up some new online account, forcing us to commit yet another password to our overburdened memory cells.

As a result, we invent easy-to-remember passwords; or worse, we write them down on Post-It notes and affix them to our computer screens.

Here again, however, making just a small investment of effort will net you a whole lot of protection.

Background

To understand why it is such a bad idea to use weak passwords, it helps to understand how cybercriminals exploit them to steal our assets and identities.

Cybercriminals use wordlists that contain commonly-used passwords–hundreds of millions of them. Commonly-used means not just words in the dictionary, or popular word-number combinations (Password1), or even clever variations thereof (P@ssw0rd!). The wordlists also contain hundreds of millions of passwords that have previously been exposed in data breaches.

In 2016, for example, 164 million email address/password pairs were stolen from LinkedIn. Mine was one of them. This means that the email address and password I used to log in to LinkedIn until 2016 is, and will forever be, in hackers’ wordlists.

I have since changed my LinkedIn password. Moreover, I have not reused this password for any other account since (nor will I ever use it again).

The LinkedIn breach is but one of thousands of data breaches in which passwords have been leaked, and thus found their way into ever-expanding wordlists.

Unless you’ve been living in a cave for the duration of the internet era, at least some of the passwords you’ve used in the past (or are currently using) are in those wordlists. And just like your social security number, your leaked (or otherwise terrible) passwords are just waiting to be exploited by a cybercriminal.

Action Items

As with 2FA, start by identifying your high-value accounts. These are the ones you want to protect with good, strong passwords.

Create one strong password for each such account (i.e., don’t reuse the same password across multiple accounts). Then log in to each account and change your existing password to the new strong one.

You want a unique password for each account because, if that password is compromised, the damage is confined to just that account. Credential stuffing is a technique hackers use to exploit password reuse: credentials leaked from one site are tried against many others. Avoid this by never using the same password for more than one account.

What constitutes a strong password? Two factors make the biggest difference here: predictability and length. That is, the less predictable and longer the password, the better.

Predictability

Let’s briefly examine these two properties, starting with predictability. Predictable words (Password), phrases (MySuperSecretPassword), word-number (Password1) and even word-number-symbol (P@ssw0rd1!) combinations are bad password choices. They are easily guessable, have likely been used before (and therefore leaked), and are thus present in the wordlists.
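The following is an added example, not code from the post, showing why the "clever variations" above buy nothing and why reuse is dangerous. `canonicalize` undoes the handful of symbol-for-letter substitutions people favor (a real cracking rule set applies far more of them, automatically) and strips the usual trailing digits and symbols, so `P@ssw0rd1!` collapses back to `password`; `reused_passwords` flags any password shared by more than one account, which is exactly what credential stuffing exploits. The wordlist and the account table are constructed samples; the names `canonicalize`, `is_predictable` and `reused_passwords` are this example's own.

```python
import re
from collections import defaultdict

# Constructed stand-in for an attacker's wordlist (a real one holds hundreds of
# millions of entries, including passwords leaked in past breaches).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "mysupersecretpassword", "iloveyou", "welcome", "football",
}

# A minimal set of symbol/digit substitutions; cracking rule sets apply many
# more, in both directions, without any human effort.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s", "3": "e", "1": "i"})


def canonicalize(password: str) -> str:
    """Reduce a password to the dictionary word it was built from: lowercase,
    drop a trailing run of digits/symbols ("Password1!"), then undo the
    common substitutions ("P@ssw0rd" -> "password")."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def is_predictable(password: str) -> bool:
    """True if the password itself, or the word it is a variation of, is on the list."""
    return password.lower() in COMMON_PASSWORDS or canonicalize(password) in COMMON_PASSWORDS


def reused_passwords(credentials: dict) -> dict:
    """Map each password used by more than one account to the accounts sharing it.
    `credentials` is {account_name: password}; every entry returned is one
    breach away from a credential-stuffing loss on all of those accounts."""
    by_password = defaultdict(list)
    for account, password in credentials.items():
        by_password[password].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "MySuperSecretPassword", "CorrectHorseBatteryStaple"]:
        print(f"{candidate:28s} predictable={is_predictable(candidate)}")
    # Constructed sample: the same password protecting two accounts
    sample = {"bank": "P@ssw0rd!", "email": "P@ssw0rd!", "brokerage": "OrbitLanternVelvetCactus"}
    print("reused:", reused_passwords(sample))
```

Run against your own account list, the second function is the audit the post asks you to do by hand: any password that shows up more than once is the one to change first.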

Instead, you want your passwords to be random, because randomness is the enemy of predictability. Unfortunately, random passwords are hard to remember (that is why we choose predictable, and thus weak, passwords in the first place).

But a random password need not be difficult to remember. Random multi-word combinations (CorrectHorseBatteryStaple) are not so hard to remember (follow the link for further explanation). Due to the randomness of the word selection, however, they make excellent passwords.

Such passwords nicely balance the contradictory requirements of randomness and memorability. By the way, do not use CorrectHorseBatteryStaple as a password.

Length

The other ingredient to a good, strong password is length. You may think that complexity trumps length when it comes to password strength, where complexity is the number of different character types used in the password (e.g., letters, numbers, symbols).

But it is a mathematical fact that passwords consisting of three to five randomly-selected words are harder to guess than shorter ones riddled with myriad symbols. What matters is the number of equally likely possibilities an attacker has to try, and that number grows with each additional word or character, not with how exotic the characters look: a word drawn at random from a list of a few thousand adds about as much unpredictability as two random characters, and a handful of words adds up faster than a couple of extra symbols.

Craft a multi-word combination in such a way that you will remember it, but that will look nonsensical to anyone else. If you are forced by a system’s password complexity requirements to use numbers, symbols and the like, add a string of such characters to the end of each multi-word password you create; e.g., CorrectHorseBatteryStaple1@! (then reuse the 1@! suffix for each account password, making the symbol combination easier to remember).
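The arithmetic behind the length-versus-complexity claim, as an added example (not from the post): `entropy_bits` is the standard log2 count of equally likely possibilities, `strength_table` compares random character passwords against random passphrases using real wordlist sizes, and `generate_passphrase` picks the words with the operating system's cryptographic random source rather than leaving the choice to a human. The twelve-word list is a constructed sample just so the generator runs offline; the entropy rows use the real list sizes (2,048 and 7,776 words), and the function names are this example's own.

```python
import math
import secrets

# Constructed mini wordlist so the generator runs stand-alone. A real
# diceware-style list has 2,048 (BIP-39) or 7,776 (EFF large list) words;
# the entropy figures below use those real sizes, not this sample.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern",
                "velvet", "cactus", "meadow", "pixel", "quartz", "saddle"]


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent, uniformly random picks from
    `choices_per_position` options, i.e. log2(choices ** positions)."""
    return positions * math.log2(choices_per_position)


def strength_table() -> dict:
    """Guess-resistance of random passwords vs. random passphrases, in bits.
    95 = printable ASCII characters; 2048 and 7776 = common wordlist sizes.
    Every extra bit doubles the attacker's work."""
    return {
        "8 random printable chars": entropy_bits(95, 8),
        "10 random printable chars": entropy_bits(95, 10),
        "3 words from 7776-word list": entropy_bits(7776, 3),
        "4 words from 2048-word list": entropy_bits(2048, 4),
        "5 words from 7776-word list": entropy_bits(7776, 5),
    }


def generate_passphrase(wordlist: list, n_words: int, suffix: str = "") -> str:
    """Pick n_words uniformly at random with the CSPRNG (secrets, never the
    random module) and append an optional suffix for sites that insist on
    digits and symbols, as the post suggests."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return "".join(w.capitalize() for w in words) + suffix


if __name__ == "__main__":
    for label, bits in strength_table().items():
        print(f"{label:30s} {bits:5.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4, "1@!"))
```

Two caveats the numbers carry: the character rows assume every character is chosen uniformly at random, which human-made passwords like `P@ssw0rd!` are nowhere near, so their true strength is far lower than the row suggests; and the passphrase rows only hold if the words are chosen by the generator, not by you. Four words from a 2,048-word list give 44 bits, which is why a short list calls for five or more words.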

Password Storage

If you have a poor memory (like me), you’ll want to store your passwords somewhere besides your brain.

To do this safely, here is the procedure I use, which I refer to as the poor man’s password manager:

I store my high-value passwords in an Excel spreadsheet. Then I protect the spreadsheet itself with a strong password. That is, the spreadsheet cannot be opened without this master password.

Note that the single, master password with which I protect my spreadsheet must be committed to memory (because if I store it in the spreadsheet, and then forget it, I’ve got a chicken-and-egg problem). Now, instead of a bunch of passwords, I have only one to remember.

Any time I change an account password, I update the spreadsheet and attach it to an email that I send to myself. Because I use gmail, the spreadsheet-bearing email is saved in perpetuity in the google cloud. This effectively serves as a backup if my computer’s hard drive gives up the ghost. Call this the poor man’s backup strategy.

Even if my gmail account gets hacked, the spreadsheet is useless to anyone who doesn’t also have the master password.

Finally, I change the passwords on all my high-value accounts at least once a year, just for good measure.

Caveats

The savvy reader might be puzzled as to why I did not suggest the use of a password manager to manage the credentials of your high-value accounts.

To me, password managers suffer from some of the same drawbacks as authenticator apps (which I described in the section on Multi-Factor Authentication). Specifically, they add needless complexity to an otherwise simple process.

For example, using a password manager requires you to trust a third party–i.e., the password-manager vendor–not just to do the right thing, but to do it correctly. There is at least one case of such a vendor being hacked, so the concern is not theoretical.

That said, if you already use a password manager, congratulations. You are already way ahead of the curve when it comes to practicing good password hygiene. If you don’t use a password manager, but would rather use one instead of the poor-man’s approach I described above, I wouldn’t blame you in the least.

Last Word

The savvy reader might also have noticed that multi-factor authentication already protects us from poor passwords. So why bother using strong ones? The idea being that even if a hacker guesses your password, he’ll still need your smartphone to do any damage.

I would agree that using MFA makes using weak passwords less of a concern. But I prefer to stack the odds in my favor. In my opinion, the extra effort required to create and use strong passwords is minimal compared to the extra security it buys me.

Wrapping Up

In this and the previous post, I outlined four actions you can take to protect yourself from identity theft and financial loss.

To recap, these are:

  • Freeze your credit reports
  • Don’t open unverified attachments or links
  • Use multi-factor authentication (MFA)
  • Use strong passwords

None of these actions costs any money. Each confers a massive benefit relative to the small effort required to implement it.

I hope you found this two-part series on cybersecurity useful. Above all, I hope it prompted you to take one or more of these actions to protect yourself from the ever-growing universe of cybersecurity threats.

* * *


[I’m David Champion. I retired from a career in software development in March 2019, just shy of my 53rd birthday. To position myself for 40+ years of worry-free retirement, I consumed all manner of early-retirement resources. Notable among these was CanIRetireYet, whose newsletters I have received in my inbox every Monday morning for the last ten years. CanIRetireYet is one of exactly two personal finance newsletters I subscribe to. Why? Because of the practical, no-nonsense advice I find here. I attribute my financial success in no small part to what I have learned from Darrow and Chris. In sharing some of my own observations on the early-retirement journey, I aim to maintain the high standard of value readers of CanIRetireYet have come to expect.]


18 Comments

  1. You said this already but I’d like to repeat it: Make sure you have 2FA on your email. I was a target a couple of years ago. I had 2FA setup for all my banks, broker, etc. But somehow I neglected my email. Someone was able to take control of my email account. They then proceeded to banks etc., and hit “forgot password” and started resetting passwords. They managed to initiate ACH transfers out of my bank. Very scary time. I’m pretty sure there is a complete profile on me out in the dark web. I think a lot of it came from a data breach at my employer. At one point they called my bank live and pretended to be me and tried to talk the customer service person into resetting my account. They were able to answer every identifying question the bank rep asked. Nonetheless, the rep thought it was too fishy and leveled it up before doing as requested. Thankful for that smart rep.

    These bad actors attacked multiple banks, brokers, email, etc., all at once. Very scary. Repeating… make sure your email account is secure. That’s how they got me.

    Solutions I’ve implemented:
    -2FA everywhere I can use it. Especially email.
    -New stronger/longer passwords.
    -New stronger login IDs… critical log-in IDs are no longer emails or last name. My broker recommends changing user ID every 90 days.
    -Password manager. Not inconvenient for me as it syncs across devices.
    -Authenticator app for broker. Their fraud team said the authenticator had never been breached. But 2FA by SMS had some number of cases where bad actors were able to clone cell phones and intercept the SMS. Rare, but documented.
    -Maintain multiple bank relationships in case one gets locked out so I can still pay the bills with the other.
    -All new accounts and account numbers. Any account numbers in my dark web profile would now be obsolete.

  2. Great reminder about 2FA. Just went through all my accounts and enabled where it wasn’t already.

    Interesting note about blocking sim swapping risk with carrier. Going to look into that!

    Thanks

  3. Suggestion: Use an open source password manager that is not online, such as KeePassXC. It also supports passphrase generation (i.e. multi-word combinations).

    1. Hi David, well done. In decades as an IT, Cyber, and network expert, yours was one of the most succinct and useful primers I’ve encountered. I hope our less experienced readers heed your sage advice.

      I especially liked this: “… passwords consisting of three to five randomly-selected words are harder to guess than shorter ones riddled with myriad symbols.” It will seem counterintuitive to many and as a result the old make it long and complex mindset remains in place.

      Also, a comment about MFA. The easiest way to remember the three main factors is a thing you have, know, or are. Combining two is better than one and all three are better than two. It is that simple. So just because your two factor authentication uses something you know twice does not make it multi factor; e.g., password followed by a text code. It is better than just a password, but not mathematically so.

      BTW, there are other factors beyond the NIST standard three such as time, location, et al., but difficult or costly to implement with commonplace existing tools and techniques.

      1. Thank you, Mike!

        Yes, regarding the MFA subtlety, you are correct that the token in this model is in fact also a something-you-know. However, because this token is obtained from your smartphone (i.e., a something-you-have), I consider SMS-based 2FA to be a legitimate 2-factor protocol.

        Please correct/clarify if you think I am wrong.

  4. Regarding 2FA, there is a new scam going on. It is SIM Swap. With this new scam, scammers are able to route your phone number to their phone, get the 2FA code, login, and drain your account. Please read about SIM Swap scams that is emerging. With this scam, it may be beneficial to use authenticator app since it is tied to your device. Just a thought!

    1. Hi Ravi,

      I am aware of the SIM swap issue, and alluded to it in the post. I didn’t go into much detail about it because details cause most folks’ eyes to glaze over and they wind up doing nothing.

      Remember the 80-20 rule: SMS-based 2FA will save you 80% of the time. Even if a bad actor manages to swap your SIM card, he will need to get hold of your password, too, in order to break in to your account. That’s a heavy lift, and not worth it for most hackers—they will instead look for a victim who uses no 2FA at all.

      If you want to go further, and install app-based 2FA, more power to you! And/or set up a PIN with your carrier, as well, as I suggested in the post.

  5. Chris,
    Thanks for writing about this important topic.
    Despite the warnings issued by the FTC, FBI and NIST the US banking system hasn’t taken SIM swapping seriously. Yet.
    My bank told me “It happens to so few of our customers that the cost to prevent it is too high for us and being locked out of your online account is only an inconvenience because you can always come into a branch” Good Grief!

    The telecommunications industry is incapable of preventing SIM swaps even if you established a PIN/passphrase with your wireless carrier. For example, they cannot prevent a corrupt CSR from doing one.

    But even if your bank supports an authenticator app their “forgotten password” option still allows sending text codes to your phone. Bad actors always take the path of least resistance.

    It’s very easy for malware to steal passwords stored in the password manager that came with your browser.

    1. Hi JT,

      The 80-20 rule says that using SMS-based 2FA will protect you from 80% of the threats. Like you said, bad actors will take the path of least resistance. This means the vast majority of them will go after those who don’t use 2FA at all—there are plenty of fish in that pond.

  6. How do you handle or suggest securely sharing passwords with a spouse or trusted party if/when one becomes incapacitated? It seems at some point the passwords have to be updated when changed, written down and printed out or stored in the insecure cloud? Perhaps a password manager is more useful with this in mind.
    Thanks for the perspective.
    -RB

    1. Great question, RB!

      I use an old-school approach, which involves a safe deposit box. But it seems to me a password manager solves the problem of sharing sensitive account credentials with your spouse in the event one of you becomes incapacitated.

      Of course, it is crucial both of you commit the master password to memory (because if you write it down, you somewhat defeat the purpose of the password manager).

  7. This is all great advice, thank you David! I’ve recently gone to a paper notebook password manager that I store in a fireproof safe. Perhaps a bit of overkill, but I wanted to make sure that our kids could access everything in case anything happened to us. The password thing is really intriguing … here’s an easy way to add randomness … find the BIP-39 word list online … it contains 2048 words. Then you can use a random number generator (0-2048) to pick the words. Again, maybe overkill.

    1. Thanks, Kevin.

      Happy to learn I am not the only one who resorts to old-school approaches (although spreadsheet-based password management is slightly higher tech than paper-based 😊).

      Using a random-number generator to pick words from a vetted wordlist (e.g., BIP-39) would remove the human element, and indeed guarantee randomness of word selection. You’d want to pick at least four, and preferably 5 (or more) words from a list consisting of just 2,048 words, however.

      If you’re a math geek (like me), the number of possibilities is 2,048 raised to the power the number of words you choose. So, you’d want to scale your exponent (i.e., the number of words) a bit to compensate for the shortness of the list.

  8. I appreciate your report. My go-to master password involves 3 different languages (Swedish, Navajo, Hawaiian) for example. Plus a sequence of numbers and special characters. So far never been breached, but I try to at least challenge the thieves.

    1. Thank you, Lisa.

      Your approach seems sound. Glad you are doing your best to defeat the bad guys!

  9. What is the appropriate length to consider as strong password length? Some accounts only insist on 8 or 10 words for password length. Thanks for your excellent advice and insights.

    1. Hi Art,

      Thanks for the share.

      I think you meant 8 or 10 characters, not words (correct me if I am wrong)?

      Unfortunately, password complexity requirements are often self-defeating. Confining a password to 8 to 10 characters all but guarantees a weak password choice. I explained this in the post, where I said it is a mathematical fact that length trumps complexity…
