IN AN ARTICLE last year, I wrote about the importance of strong online account security wherever you keep your savings and investments. I shared habits that should help you avoid the potentially huge financial losses that a cybercrime can cause. I also urged readers to weigh a company’s commitment to security when choosing a home for their money.
I’d like to give kudos to Bank of America for providing a good example of this commitment. It recently added proactive, structured guidance to its security center. It’s a combination of education and guided “nudging” to take steps like creating strong passwords, enabling two-factor authentication, using the company’s mobile app with push notifications, and agreeing to receive alerts if the bank notices unusual activity. Below is an example of the feedback that Bank of America’s site offers.
The bank recently added support on its website for two-factor authentication using industry-standard hardware security keys, such as the YubiKey, which I use on my computers. The bank’s mobile app, an early adopter of biometrics such as Apple’s Touch ID or Face ID, now supports relatively simple two-factor authentication, too. Even if hackers manage to crack your password, it would be incredibly hard for them to access your account if you’ve enabled two-factor authentication. The options are not equal, though: a hardware key is the strongest, because it signs the login for the site you are actually on, so a password and code captured on a look-alike page cannot be replayed against the real bank; the app’s push approval and an authenticator app come next; a code sent by text message is the weakest, since it can be intercepted or redirected before it reaches you.
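To make the hardware-key point concrete, here is an added example in Go; it is not the bank’s code or anything from the original article. It models the check a WebAuthn relying party (the bank’s login server) makes when a security key answers a login challenge, and shows why the same key, used on a phishing page, produces an assertion the bank rejects. The bank origin https://example-bank.test and the look-alike https://example-bank-login.test are assumed, and the authenticator data is a zeroed stand-in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Added example, not the bank's code: a model of the check a WebAuthn relying
// party (a hypothetical bank at https://example-bank.test) makes when a hardware
// security key answers a login challenge, and why a phished assertion fails it.

// clientData is the part of collectedClientData used here; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands the site after the key signs.
type assertion struct {
	AuthData   []byte // authenticatorData (rpIdHash, flags, counter); zeroed stand-in
	ClientJSON []byte
	Sig        []byte // ES256: ECDSA P-256 over SHA-256, ASN.1 encoded
}

// signedMessage is what WebAuthn signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return msg[:]
}

// keySign models the security key: it signs the challenge together with the
// origin the browser reports, using a private key that never leaves the device.
func keySign(priv *ecdsa.PrivateKey, origin, challenge string) (assertion, error) {
	cj, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	authData := make([]byte, 37)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cj))
	return assertion{AuthData: authData, ClientJSON: cj, Sig: sig}, err
}

// relyingParty is the bank's login server: its origin plus the enrolled public key.
type relyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}

// Verify checks challenge, origin and signature; the origin check is what defeats phishing.
func (rp *relyingParty) Verify(a assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != expectedChallenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin mismatch: signed for %s, not %s", cd.Origin, rp.origin)
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(a.AuthData, a.ClientJSON), a.Sig):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// PhishingOutcome enrolls a key, then tries a genuine login and a phished one
// that relays the same challenge, and reports whether the bank accepts each.
func PhishingOutcome() (genuineAccepted, phishedAccepted bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	bank := &relyingParty{origin: "https://example-bank.test", pub: &priv.PublicKey}
	raw := make([]byte, 32)
	rand.Read(raw) // fresh random challenge per login; guaranteed not to fail since Go 1.24
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	// Genuine login: the user is on the bank's own site.
	genuine, err := keySign(priv, bank.origin, challenge)
	if err != nil {
		return
	}
	genuineAccepted = bank.Verify(genuine, challenge) == nil
	// Phishing: a look-alike site relays the real challenge, but the browser reports its origin to the key.
	phished, err := keySign(priv, "https://example-bank-login.test", challenge)
	if err != nil {
		return
	}
	phishedAccepted = bank.Verify(phished, challenge) == nil
	return
}

func main() {
	g, p, err := PhishingOutcome()
	fmt.Println("genuine accepted:", g, "| phished accepted:", p, "| err:", err)
}
```

Running it prints that the genuine login is accepted and the phished one is not. The contrast with a texted or typed six-digit code is that such a code carries no origin at all: whatever page the user types it into, the attacker can forward it and the bank cannot tell the difference, which is the weakness the SMS concern raised in the comments is about.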
While I’d love to get a higher yield on my savings, it’s more important to me that my cash remains in my accounts and I don’t face the hassle of a security incident. Reaching for yield? Think about risk—including the risk that a financial firm’s security isn’t up to snuff.
Bank of America may be doing the right things now, but just yesterday I discovered they are the #1 bank for customer complaints stemming from Zelle scams cleaning out their BofA accounts, and most banks just shrug their shoulders and say, “Sorry, take it up with Zelle…” So, this is probably a knee-jerk reaction to having so many incidents. Please, everyone, make sure you turn off, deactivate, and never use Zelle services with your bank! There are no customer protections and no customer service when the bad guy gets hold of your account info and cleans you out. Zelle = BAD.
If you are someone who is intensely worried about security, you should install a VPN on your computer.
1) It encrypts your sensitive data before it even leaves your device and connects to the web. This means that no one can see your traffic.
2) It changes your IP address and your apparent location (if desired). This new information goes to your online destination (in this case, your bank’s website) and back. As a result, the receiver of your data will not be able to see where the data originally came from.
3) Do not use public Wi-Fi unless using a VPN on your laptop.
Thanks for the reminder to consider our online security. As with many complicated things in life, a few simple habits can serve us well. In my career I specialized in application development and not cyber security, so I don’t pretend to be a cyber expert. That said, here are a few things I do to minimize my online risk, especially with my financial applications:
I don’t go through this level of rigor for my “social” accounts. For example, for accounts that I don’t really care if someone breaks into (i.e. Netflix, social blogs, etc.) I’ll just use the same account name and simple passwords that I’m comfortable typing by hand. That makes logging in to my Netflix account on a motel TV easy to do. But that info gives a hacker no insight into my financial accounts in any manner.
None of the above are “perfect”. I can certainly construct scenarios where any of these techniques will prove inadequate. However, collectively they do help me move towards a safer online presence as compared to the alternative.
Good luck!
I have a question re password managers. How safe is your password to the password manager, and can they be hacked? If they can be, then all your passwords have been hacked as well. I’d appreciate hearing how secure you think password managers are. Thanks.
That’s a very key question. When I researched password managers this is something I was particularly interested in investigating as well. It really comes down to making sure that the password manager is a well-known, reputable product that you can trust. Most have options where you can either store the passwords locally in a vault on your computer or store them in the cloud. But even if you are using a local option, you’re still “trusting” the integrity and competence of the company that made the product. Of course, the same is true for many applications you install on your computer or smartphone. I went with a major product that’s both well known and highly regarded in the industry when I researched this topic several years ago, so I’m highly confident that the product I chose is safe to use. I also spent some time weighing the pros and cons and, for me, the password manager option came out on top. Speaking for myself, I found the increased strength of both the usernames and passwords I used (with the help of a password manager) was less risk than continuing to try to manage the passwords manually.
Of course, a password manager is a tool that can still be used correctly or misused. It’s up to the user to spend some time to understand the product they chose and use it correctly. For example, it’s up to the user to employ a strong password on their password manager account and use two-factor authentication. As David mentioned below, either an authenticator app or a physical security key makes the two-factor authentication even stronger. In my case I did choose to use a cloud storage option, but that was based on my requirements and comfort level with the cloud storage solution offered by the product I chose. But with all that, if I had then used a few short, easily guessed passwords rather than long, strong, unique passwords, I’d have gotten minimal benefit from a password manager. Also, understanding how to recover from losing your two-factor authentication app or security key, and being ready to do so, is something to research before it happens. But that’s another instance of understanding and using the tool correctly.
All the major password managers support using YubiKeys or an authenticator app as a second layer of protection beyond your master password for the password manager. There are other ways to attack a password manager beyond compromising the master password, but those seem less likely to happen than an account takeover due to weak passwords without a password manager.
I wouldn’t put the level of protection and trust on two-factor authentication that you appear to do unless you take the additional step to ensure it is not your cell phone number. SMS spoofing is relatively easy, and since most people who use MFA use their cell, this is a weak link in the chain. Ensure your MFA goes to a service such as Google Voice so even if your cell number is compromised, the number your MFA goes to will not be.
I would also take a step back and evaluate two things. First, the security features you mention from BoA are pretty standard across the banking industry. My credit unions have all these features and have had them for years. They are doing nothing “extra” or “special”, so trading yield for standard security is foolish. You can do better, both in yields and account security.
Second, while your account may have the “highest security”, I would think you’d want to do your due diligence on the bank itself. BoA has earned an 808 out of 950 points from UpGuard (https://www.upguard.com/security-report/bankofamerica), where other banks such as JP Morgan Chase and Wells Fargo are higher. It doesn’t do much if your own key is the best when the front door is flimsy. All BoA has done is offer basic security so when something happens they can’t be blamed for doing nothing. This conforming to industry standards is wrapped up in a nice interactive marketing portal.
Reminds me of this clip from Tommy Boy- https://www.youtube.com/watch?v=dAkSziqGk00
Actually, Chase’s rating is well below Bank of America’s — just 694:
https://www.upguard.com/security-report/chasecorp
Wells Fargo is indeed higher, though — for its customers — it seems the real threat is the enemy within.
https://www.upguard.com/security-report/bankofamerica BofA is 760. Wells Fargo is 922.