In the wake of revelations that the National Security Agency is harvesting our online data, NPR is airing a series that describes “just how vivid the typical person’s digital picture has become — and how easy it can be for others to see it”.
This isn’t 2006, so we’re not going to talk about the importance of keeping sketchy photographs off social media. (Just ask Anthony Weiner, if you haven’t forgotten his name already.)
Unfortunately, today’s concerns about personal information on the Web go far deeper than a potential employer seeing an old party photo on Facebook.
As we increasingly use online banking and cloud-based services like Gmail and Dropbox not only to organize our life, but archive it, we have to rely on these services’ security protocols to keep our digital lives away from prying eyes, be they the government, an identity thief, or a jealous lover.
For now, the security measures on these sites work most of the time. But we’ve recently learned that our friends at the NSA have begun to circumvent standard encryption methods – the digital scrambling algorithms sites use to protect sensitive information like our passwords and banking data. And if the NSA can do it, hackers can, too.
Your email account is the weakest link
Let’s say I’m a hacker who wants to transfer money from your checking account to mine. Where should I start? Your bank’s website?
Of all the digital services we use, our bank’s Web sites are supposedly the most secure, for obvious reasons. A few failed login attempts at a banking Web site will usually lock you out, requiring a call to customer service to prove your identity with information like your Social Security number and date of birth. As a thief, if I had this information already, I mind as well open a new credit account in your name rather than steal a few hundred bucks from an existing one.
But as NPR pointed out, if I were to simply get access to your email account, suddenly I get far more than a peek at your weekend plans and saved exchanges with exes. It’s probable I’d learn:
- The name of your bank
- Your address and birthday
- Names of friends and family (good password-guessing fodder)
If you weren’t careful, it’s also possible I’d find:
- Your social security number
- Bank account routing and account numbers
- Account passwords
Plus, think of how many Web sites allow you to reset your password simply by sending an email to your account? Even some credit cards will do this if you also supply some other identifying information like your DOB or social. And guess what? I have that from your email.
How to lock down your online banking
First let’s state the obvious:
1. Do not make passwords guessable (no family names) and change them every few months.
2. Choose strong passwords.
Phil: Your password is baloney1?
Mr. Chow: Well, used to be just baloney, but now they make you add number!
Most strong Web sites will require this anyway.
3. Choose a unique password for every online account you use.
This is a royal pain, but at least choose unique passwords for sensitive accounts like banks. You’ve probably heard the stories of hackers who get lists of logins and passwords from blog sites. Why do they care about a bunch of passwords from Gawker accounts? They don’t; they’re going to try them all at Chase.com and BankofAmerica.com. And many will work.
As a blogger, I live in the digital world and have over 100 logins to remember. (Not going to happen.) So a few years ago I started using LastPass, a freemium browser add-on that stores passwords.
LastPass protects your passwords with an encrypted master password that, if forgotten, cannot be recovered. Is LastPass as secure as remembering every single login in your head? No, but sometimes we have to make concessions between security and practicality.
Consider the above steps a bare minimum. If you don’t at least take these precautions and find your bank account hacked, well, it’s your own damned fault. But I’ve taken a few mores steps.
4. Create non-identifiable usernames for banking accounts.
If you use an email account professionally, the days of being NavyBean27@yahoo.com are gone. Most of us use some combination of initials and our name in our email account.
The problem is – with Google for example – our email address becomes our login for countless other services. If you have an unusual name like I do, it’s easy to guess that the login dweliver might belong to me.
It’s unlikely I’m going to change my username to firstname.lastname@example.org, but what I can do is stop using dweliver for financial accounts. Instead I create unique usernames for these accounts that don’t include my name (so they can’t easily be tied back to me). Often, my logins contain both numbers and letters so they look more like passwords.
Again, LastPass comes in handy to remember these, but I don’t make the logins so complex that I won’t remember them – the main goal is to remove the personally identifying information (my name).
5. Use two-step verification for important accounts.
Most Websites use a single step – a username and password – to authenticate that you are, in fact, you. The problem with a password, of course, is that anybody who knows the password can use it.
This is why many sites are beginning to offer step verification (also known as two-step authentication). With two-step verification, when you sign onto your account from a new computer (or after clearing your browser’s cookies) you must enter your username and password and a unique, one-time use security code.
The Web site automatically generates the security code and provides it to you in few ways: You can receive it by phone call or text message or — with some sites — you can download an app that generates the codes.
The downside to two-step verification is that without your phone, you won’t be able to login. But that’s the point: A hacker across the globe won’t have your mobile.
And because you only need to use two-step verification the first time you login, it’s usually not a big inconvenience. (It’s also a good reminder that logging into sensitive accounts from public computers is a dicey practice anyway.)
Right now I use two-step verification with my Chase credit card, Dropbox, and Google. If you use Gmail and tend to archive most of your mail (guilty here), I recommend setting up two-step verification with your Google accounts: here’s how.
6. Get sensitive data out of your email.
Okay here’s the thing: As I’m writing this I’m searching through the 8+ GB of emails in my Gmail archive to make sure I haven’t left my Social on any attachments. It’s possible there’s an old tax return somewhere. And that’s really bad.
Email is not secure. Even if you choose a strong password and use two-step verification, standard email is not encrypted when you send it, so people could pick it up on either end (such as by sniffing your WiFi connection).
As a rule, there are at least three things that I will not send over email.
- Social Security numbers
- Bank account numbers
- Credit card numbers
For these, an encrypted Web form, phone, fax, or good old snail mail are the better choices.
But here’s a workaround if you’re friendly with the recipient: Send half of the number via email (delete it after of course) and send the other half via text message. Anybody intercepting either message shouldn’t have enough data to cause trouble.
7. If you use mobile banking, set your phone to wipe after too many failed login attempts.
Mobile banking apps are convenient, but they put another potential hole in online banking security. If you use mobile banking, put a password on your lock screen.
Again, a would-be thief would need to figure out your banking password to breach your bank’s app, but by just picking up your phone he would immediately figure out which banks you use. It’s not the entire puzzle, but it’s an important first piece.
As an extra precaution, most phones will self-erase after a set number of failed login accounts. It’s not a bad idea to use this feature.
8. Create a separate email account for banking-related notifications.
Lastly, I no longer receive bank and credit card statements in my primary email account. I created another free email account (with a non-identifiable username) and opted to receive banking communications there.
Although bank statements shouldn’t reveal account numbers, they do indicate where you bank. And though somebody could still hack this account, the address isn’t public and it’s not tied back to me in anyway, making it much more difficult to use that account to steal passwords.
Why go through the trouble?
Taking these steps to harden the security of your online banking accounts took me a little over an hour. Yes, it complicates my digital life a bit. But as I put more personal information into the cloud while simultaneously potential threats to privacy grow exponentially, it’s a small price to pay for sleeping just a little bit better.