In some cases, where we suspect a problem, we will put additional security measures on financial accounts. For example, Schwab offers a “security token.” This is a little keychain device (“key fob”). You press a button on the keychain and a number appears. Every time you log into Schwab it will ask you for a token number in addition to your password. Each time you press the button on the device you get a fresh number.
If we are very concerned, it is also possible to assign a verbal password… so if somebody calls Schwab they need the verbal password to do anything. Usually the steps in this paragraph are not needed and the default security measures are okay… but we will typically do these extra steps when a fraud attempt is detected.
When accessing any financial account online, always verify that the connection is secure. This is typically indicated by a padlock icon next to the web address or at the bottom of the browser window.
Only access financial accounts via that company’s website. Do not click on links in emails because this could take you to a cloned site designed to get your personal information.
Malware and Viruses
While we see the most problems with email hacking, there is also potential risk via malware and viruses. Therefore, make sure you have good updated virus and malware protection (one that costs money – not a freebie). Also, keep your operating system up-to-date. When Windows (or Mac OS) tells you to update, you should… because once they offer a security update, it is an announcement to attackers to focus on the weakness they are updating.
If you would like to talk about this in greater detail, please feel free to call and we can summarize what we think are good practices in the area of computer protection. While we are not computer experts, we can summarize our experiences and/or direct you to appropriate sources.
As much as I like traditional PC computers (Dell etc.), I have seen a lot more struggles on PC than with Mac/Apple. For business applications there is often not much choice. But for home use an Apple product could be the best solution. An expert explained to me that it comes down to numbers: there are more PCs in the world, so the attackers go after PCs.
We are pleased to present a four-part review of considerations regarding identity theft, from a financial management perspective. This review was prepared by Edward B. Aufman, CFP and William J. Gaffey, CFA.
Aufman Associates Inc. www.aufmanassociates.com
© 2013 Aufman Associates Inc.
Considerations Regarding Identity Theft
Traditional financial planning topics include retirement, tax, investments, etc. Thanks somewhat to overseas pests, it is more important than ever to include “identity protection” in the list. This letter outlines our thinking on various topics surrounding identity theft and financial fraud.
First let’s begin by saying that we do not want to communicate that this is a huge risk that should cause all of us to hunker down and stop using computers. Nor do you need to feel obligated to do all the items mentioned in this letter. We just need to be careful and logical. So, we will outline below a lot of different things solely for the purpose of keeping you well informed.
This article is a summary of our observations, experiences, and notes from various experts. This article was prepared for our clients, but we would like to share with others… not to be the expert on this topic… but just to share thoughts on an important issue we should all address together.
The biggest risk we have seen is via hacked email accounts. Typically somebody outside the country initiates this attack. Our observation and understanding is that they target the big email providers. They look for weak passwords. Once they have a password they either use the account to gain information… or in some cases sell the ID and password on illegal online auctions. The attacker monitors your email account and gains information. They can then use this information to commit fraud such as wiring money out of your financial accounts. Or, they can commit identity theft and set up accounts using your info.
Our firm has procedures to watch for unusual emails. We have received an increasing number of fraudulent emails that request unusual wires. These emails appear to come from the client, but are actually attackers. In all cases we have quickly identified the fraud and reported it. Without 100% of your personal information, it would be difficult for an attacker to actually succeed, given all the security measures in place. But it could happen.
We don’t want to slow down the process by being overly cautious… but it certainly makes sense to have an increased sensitivity to information being processed over email. In particular, account numbers and Social Security numbers should be protected. When we transmit a form that has this information, we will password-encrypt it using Adobe PDF. This is a very simple and effective solution. We will communicate the password verbally (not over email). Also, we will minimize the amount of personal information that is transmitted.
When returning a signed form to our office, fax is the most secure. If sent over email, consider assigning a password to the PDF document. The rationale is that if your account has been hacked (and you don’t realize it) you don’t want the hacker to see your signature.
Since the risk largely lies in an attacker gaining your password to your email account, we recommend using a secure password that includes upper case and lower case letters. Keep the password random. Also, if allowed, use special characters like $, !, %. This makes it more difficult to hack the account. In addition, periodically change the password (every three to six months).
There are also security questions tied to email accounts. For example, if you forget your password, they will ask a secret question like “what is the name of your first pet.” You should make sure the answers are unique and are something an attacker could not guess.
Some email providers allow “two step verification.” When an attempt is made to log in from a different computer or device, a code is first sent out and you must approve the access on the new machine. This is a very good safeguard.
Part 2 Coming Soon !!!