Playing Defense

David Powell

THE LETTER WAS IN a mountain of mail delivered the day after my wife and I returned from holiday. “Dear David Powell, Thank you for your recent application for a Bed Bath & Beyond Mastercard account. Your request… was carefully considered, and we did not approve your application….”

I’ve never been happier to receive a rejection.

We use exactly one credit card, pay it off each month and have never applied for another. This fraudulent application, a result of identity theft, was denied because I froze our credit files at all the credit reporting agencies years ago, when our personal information was stolen from a nonprofit we once supported as volunteers. With a credit freeze, this kind of identity theft is easy to prevent—or, failing that, you at least make yourself a harder target.

But there’s another kind of identity theft to consider. Back in 2004, the Federal Deposit Insurance Corp. and the Federal Trade Commission noted a rising financial risk. This one is as old as the internet. It’s also harder to prevent, because it involves changing our habits and adopting better security solutions. The risk: internet account hijacking.

This happens when malicious hackers gain access to your online account at, say, a bank, brokerage firm, mutual fund company or payments company, with an eye to diverting funds by linking your account to accounts they control. Here’s how many of us make account hijacking all too easy:

  • We use weak passwords. An analysis of passwords stolen in cyberattacks found that 35% of passwords in use can be cracked easily with a simple “dictionary attack.”
  • We reuse passwords on multiple sites. This exposes you to hijacking when a nonfinancial site you use is hit with a cyberattack—and you use the same password for your financial accounts.
  • We skip two-factor authentication (2FA). Now available on most financial sites, 2FA blocks hijacking when passwords are stolen in bulk from organizations you’re connected with, or when your passwords are lost to phishing attacks or keyloggers.
  • We access financial sites over public wi-fi networks.

There are now good solutions to each of these problems—ones which are convenient and either free or inexpensive. A password manager takes much of the hassle out of creating and using hard-to-crack unique, strong passwords. It can also tell you when a password you’re using on a particular site has been compromised, so you can change it. Good password managers are available for use in mobile apps on iOS and Android, and in most popular browsers, whether you’re using a PC or Mac.

Two-factor authentication has become ubiquitous on financial sites because it prevents remote attackers from accessing your account, should they manage to get your password. Each time you log in, you supply your username and password, and then you supply a second key or factor. The most basic form of 2FA involves a unique, time-limited code sent via text message to your mobile phone.

While there are already known ways of exploiting vulnerabilities in cellular carrier messaging systems, it still beats using no 2FA. Better 2FA systems use an authenticator app to generate a code. Authenticator apps are available from Microsoft, Google, Symantec (VIP Access) and elsewhere. The best 2FA solutions use a hardware key, like the ones sold by Yubico.
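The codes those authenticator apps show are time-based one-time passwords (TOTP, RFC 6238): an HMAC over a shared secret and the current 30-second time step, truncated to six digits. The example below is added here for illustration and is not code from the article or from any of the products it names; it generates codes the way an app does and checks them the way a site should, tolerating one step of clock drift and refusing a code that has already been used. The key is the RFC 4226/6238 test-vector secret, not a real one.

```python
"""TOTP (RFC 6238) generation and verification. Secret is the RFC test-vector key, not a real one."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 SHA-1 test-vector secret (ASCII "12345678901234567890"); constructed sample.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app displays: HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, last_counter=-1, step=30, digits=6, skew=1):
    """Server-side check. Accepts the current step plus `skew` steps either side for clock drift,
    compares in constant time, and refuses any step at or before the last accepted one (replay).
    Returns the matched counter (store it as the new last_counter) or None."""
    counter = int(at_time) // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def secret_from_base32(provisioned: str) -> bytes:
    """Apps are provisioned with a base32 key (the QR code / setup string); decode it."""
    key = provisioned.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)                           # restore padding if the site omitted it
    return base64.b32decode(key)


if __name__ == "__main__":
    print("code right now:", totp(TEST_SECRET, time.time()))
```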

Meanwhile, the risks of using public wi-fi networks can be mitigated simply by avoiding them when accessing financial accounts, or by using a reputable virtual private network (VPN) solution.

Why bother spending precious time and money on mitigating these risks? Won’t your bank or brokerage firm cover any losses if your account is hijacked? I’m not an attorney. But having read the policies of a few companies, I’d say the answer may depend on whether the firm believes you’ve taken basic, prudent steps to stay secure.

Vanguard Group’s online fraud policy promises to reimburse amounts taken in an unauthorized online transaction if you’ve followed steps to protect your device, protect your account credentials and monitor account activity, and if you notify the firm immediately, should you discover any unauthorized activity. Fidelity Investments’ customer protection guarantee has similar language. To be covered, you must adopt Fidelity’s recommended security practices.

Computer security, like investing, requires some humility. It’s impossible to be perfectly secure. But it isn’t hard to improve your odds—and make yourself a far tougher target.

David Powell has written software or led engineering teams for 35 years. He enjoys work, vegan fine dining, cycling and travel with his spouse.
