I SERVED ON A GRAND jury earlier this year. We heard more than 100 cases during our three-month stint. Our task was to issue an indictment if the state showed probable cause that a crime occurred. If we indicted, cases would then move on to traditional jury trials.
Some cases involved cybercrime. Others included private records subpoenaed by the District Attorney’s office from technology and phone companies, financial institutions, hospitals and commercial businesses. The experience was eye-opening. I learned that cybercrime is a huge threat and that my private data isn’t so private.
I also concluded that my knowledge of cybersecurity was lacking, so I set out to get a better handle on the topic. I want to share some important things I learned.
Let’s start with the distinction between cybersecurity and data privacy. Cybersecurity is the practice of protecting computing devices and data against unauthorized access or attack. Data privacy refers to a person’s ability to determine when, how and to what extent personal information is shared with others. In this article, I focus on cybersecurity.
Cybersecurity matters because the consequences of cyberattacks can be so unpleasant. HumbleDollar readers probably are most interested in the financial impact, which can be significant. Cybercriminals can drain your brokerage and bank accounts. They may make unauthorized charges on your credit and debit cards. They can steal your identity and use it to file for government benefits, open credit card accounts, file for tax refunds, destroy your credit rating or commit crimes. You may be able to recover your assets if you’re a victim. But do you really want to put that to the test?
Cybercriminals attack us in three primary ways. First, there’s physical theft. Criminals use confidential data on stolen devices for financial gain.
Second, there are technology-based attacks. Cybercriminals use powerful computers to guess possible passwords until they find the correct one to log into networks, computers or online accounts. They may use their expertise to hack into business and personal networks, which in turn gives them access to connected devices. They can steal confidential information as it’s transmitted over unsecured public wireless networks, or intercept communications between users and domain name servers to re-route users to malicious websites. They also may download malicious software onto their victims’ devices.
Third, there are social-engineering attacks. Criminals use psychology to exploit human nature and manipulate us. Their aim is to trick us into voluntarily giving up confidential data, downloading malicious software or visiting malicious websites. These attacks are particularly effective because they cause us to do things that circumvent our security defenses.
There are some basic things most of us can do to protect ourselves that don’t require much technical knowledge or effort:
Cognitive protections. This starts with common sense, knowing what to anticipate and staying alert. Familiarize yourself with social-engineering scams so that you recognize them if you’re targeted. Accept the fact that you’re up against worthy adversaries who must be taken seriously. Never let down your guard when you’re online.
Device protections. Use strong PINs or biometrics to unlock your electronic devices. Update operating system and application software as soon as updates are available, because they often provide essential security fixes. Use internet security software and back up your devices. Protect your devices from theft by keeping them in your possession when in public. Think carefully about the apps and data you put on your mobile devices, asking yourself, “What would happen if this device were lost or stolen?” Use “find my device” apps, which enable you to see the location of your stolen devices and erase the data on them. Never go after criminals yourself. Call the police.
Network protections. Use wired ethernet networks or secured private wireless networks. Don’t use unsecured public wireless networks. Set your browser to use “https connections only” for safer and more secure encrypted connections. Better yet, seriously consider using a VPN (virtual private network) service provider to encrypt your data as it travels across networks.
Account protections. Safeguard your accounts with passwords that are unique, long and complex. This is doubly important for sensitive accounts like email, bank, brokerage and credit card accounts. Use a password manager app to help you use strong passwords and use two-factor authentication wherever it’s available. Review your financial accounts regularly to spot problems as soon as possible. Also, set up email or text alerts for your financial accounts so that you’re notified of transactions or changes to your profiles. Set up alerts with your credit card companies to notify you if new accounts are opened with your Social Security number. Protect your credit card accounts by using virtual credit card numbers for online transactions. Check for known data breaches of your email accounts.
Behavioral habits. Email, text messages and social media are ripe targets for scam artists. Never click on links or attachments in emails or messages unless you trust the sender. Even then, use caution, because a criminal may be impersonating a friend or family member.
Rick Moberg is the retired chief financial officer of a publicly traded software company. He has an MBA in finance, is a CPA and has a passion for personal finance. Rick lives outside of Boston with his wife.
This is great. I have to do cybersecurity training every single year for work and thought I knew everything, but this gave me some really concrete ideas to work through. I’ve bookmarked this article so it (and the helpful ideas from other commenters below) doesn’t get lost in the shuffle.
Specifically, it’s time for me to get on obtaining a password manager, a VPN now that we’re traveling again, and setting up those text alerts across all of my financial services.
Google Chrome has a password manager built right into it.
Safari, Firefox, and Edge do too.
I would be cautious of using browser password managers. They are the ones that criminals are most likely to find and exploit when breaking into someone’s computer, since they are the ones most people use. Using a password manager that requires a master password is much more secure.
A particularly vile scam is a call on behalf of a grandson who has been arrested in Backwater county and needs some financial help. If the caller ID hadn’t identified it as coming from the county prison, I would have jumped at the chance to help out, given my own detention for hitchhiking on the Merritt Parkway in the mid-50s. The studied vagueness of the caller also alerted me to the potential problem but at another less alert time I might have succumbed.
My father got that same call about my brother… who was at work as always, but it still shook my dad.
I can’t imagine being someone who thinks it’s ok to scam old people out of money.
Old-timers are the best targets – the dollar amounts of the reported thefts are astounding.
As part of a master’s degree program in cybersecurity, one of my class projects was to hack the key fob security for a vehicle. For about $50 in eBay parts, my lab partner and I were able to unlock and enter a Toyota in about 30 seconds using a software defined radio.
The lesson I learned is never leave anything valuable or confidential in your vehicle. Your iPhone, laptop or tablet can be easily stolen from your vehicle with no sign of physical entry. The vehicle can even be relocked as if no one was there. Embedded electronic devices oftentimes have very rudimentary built-in security features.
Here is an article about password managers. Leo Notenboom writes a technology blog that is easy to understand. I’ve used LastPass for years. I believe they sold a year or two ago, and I have read of concerns about LP. At any rate, this gives you an explanation.
https://askleo.com/are_password_managers_safe/
Thanks Jeff. It was a good article and good discussion underneath it.
Thanks for the extremely helpful article; it’s important, timely, and actionable. It would be great if these types of articles could be tagged so they don’t get lost among more mundane topics.
One aspect I don’t get is the use of password managers. It seems like I would be giving the keys to my financial house to an entity I know nothing about regarding technical security against hacking or criminality. How do we know North Korea isn’t behind one or more of the password manager firms?
Industry is also rushing to harden security after incidents involving attacks on supply chains by nation state actors. A recent presidential executive order is helping by aligning companies around common standards.
None of this work will matter in the end, however, if your personal security is lax. Ensure the OS and web browser on your devices are up to date, use a password manager — as Rick recommends — to gradually replace weak passwords, and enable a second authentication method on all high-value accounts, including your email, mobile phone service account, bank/brokerage accounts, SSA, etc.
Great information Rick. Do you have experience with a password manager App? Is there one you would recommend? That’s something I’ve been thinking of, but haven’t done yet.
Dashlane and LastPass are worth a look though I’m troubled LastPass is still not using the most secure protocol available with Yubikeys. I expect they will one day but have not seen an announcement.
Bitwarden is a free easy-to-use password manager. From CyberNews – “Bitwarden is a perfectly secure password manager. The service uses an encrypted vault (that uses AES-256 encryption) to store all your passwords, protected by a single long master password. Bitwarden also uses zero-knowledge architecture. It means that your email and master password are generated into a string of random numbers and letters.” I’ve used Bitwarden for several months and have not experienced any difficulty or security breaches.
Thoughtful discussion Rick. In addition to the steps you suggest, consider freezing your accounts at the three credit reporting services – Experian, TransUnion, and Equifax. I froze our accounts on those services more than three years ago following a large data breach at a retailer where we had an account. I’ve unfrozen the accounts on two occasions over the past couple of years for a few days for a required credit check while making a purchase. Freezing and unfreezing the accounts was not difficult.