How to Protect Your Financial Accounts From Cyber Thieves
If there were an electricity that powers the fraud industry, it
would be information. Without names, email addresses, Social Security numbers,
passwords, credit card info or other personal data, a scammer cannot reach you
or pretend to be you.
And so a massive illegal, international underground economy has emerged to serve
the needs of scammers. The wares? More than 15 billion pieces of stolen
personal data, say law enforcement and cybersecurity experts with the firm
Digital Shadows. Which sounds like a lot of data, but it isn’t. The average
person logs in to nearly 200 sites that require passwords or other information,
Digital Shadows estimates. Sitting in your computer are endless amounts of
personal data that may be useful to a scammer. And so another illegal industry
is constantly at work: data stealing. There were a record 1,862 publicly reported
breaches of large-organization customer databases last year, according to the
Identity Theft Resource Center. Most of that data ends up in this dark web
marketplace, being bought and sold.
If this info marketplace were an actual mall, the people you’d find there
primarily would be hackers who steal the information and sell it in bulk,
malicious code writers who help those hackers gain access to your computer by
infecting it with malware, and vendors who buy the stolen data, repackage it
and sell it to the “end users”—the people actually trying to ensnare you in a
scam.
How much is your personally identifiable information
(PII) worth to scam artists? While many people think a nine-digit Social
Security number is their most valuable identifier, “it’s actually worth about
$2,” says James E. Lee, chief operating officer of the nonprofit Identity Theft
Resource Center in San Diego.
If a Social Security number comes with a name and
date of birth, it’s $4 or $5, or about “the cost of a caramel macchiato,” says
Brian Krebs, a cybersecurity expert who runs the website KrebsOnSecurity.com.
A person’s credit card information is worth more,
about $25 to $35, Lee says. A hacked Facebook account can bring $65, and a
selfie photo with a U.S. driver’s license, $100.
Who’s buying this information?
“There are hundreds of thousands of serious ‘threat
actors’ throughout the world,” says Robert Villanueva, a retired U.S. Secret
Service supervisor who’s now executive vice president of Q6 Cyber in Hollywood,
Florida.
This personal data is sold in digital “shops” on the
dark web as well as in more exclusive online “forums” accessible to more
sophisticated cybercriminals, Villanueva adds.
Malware, or malicious software, is critical to
their crimes, because if a computer is compromised with what’s called a
keylogger, every letter a person types is revealed to the bad guys, who can
grab banking and email credentials and take over these accounts.
Your smartphone is also targeted. “Threat actors
are really going after people’s phone numbers to hijack their digital lives,
because that’s the weakest link,” Krebs says.
How to stay safe
- Set up your digital accounts to require multifactor authentication.
- Freeze your credit at the three major credit bureaus. Do the same for your dependents’ credit. That helps prevent a scammer with your info from making any major transaction in your name or the name of a dependent.
- Do not save credit card numbers online with merchants or service providers.
- Activate biometric locks (facial recognition or fingerprints) on your mobile device to safeguard data if the device is lost or stolen.
- Use antivirus software and perform recommended cybersecurity
updates on your devices.
- Because your phone number increasingly is being used to identify
you, remove it from as many online accounts as possible. You may need to
use your number to open some accounts, but go back and remove it later.
Our financial fingerprints are scattered all over our computers
and devices: banking, credit card and retirement account data; tax returns;
travel loyalty clubs; digital payment apps; online accounts for megastores; and
much more. What resides on your smartphone alone is like a “candy store” to
cybercriminals, warns John Buzzard, the lead fraud and security analyst at
Javelin Strategy & Research in Pleasanton, California.
Of growing concern to him and others who battle cybercrime is a
scourge known as an account takeover. In this type of attack, a criminal gains
access to one of your digital accounts. The crook may not stop at a single
account, either. Multiple critical accounts — and hard-earned cash — can
eventually be at risk, Buzzard says.
What's an account takeover?
It's worse than a cybercrook's stealing your credit card number
and going on a buying binge at a big-box electronics store. In an account
takeover, your username, log-on information and the mobile number associated
with your account are manipulated or changed in a way that prevents you from accessing
your account and receiving notifications about possibly
fraudulent activity. Account takeovers reached a six-year high in 2019,
striking an estimated 4.4 million adults in the U.S. and causing $6.8 million
in losses, Javelin Strategy & Research estimates.
Graphic by AARP: Account Takeovers in the U.S. Approximately 4.4 million adults had a financial account taken over by cybercriminals in 2019, losing an estimated $6.8 million. Both numbers were the largest in six years.
Data breaches galore
In light of persistent, troubling data breaches, a
trove of sensitive consumer information is already in the hands of bad actors,
Buzzard notes. Breaches can expose databases from entire organizations, and,
according to Verizon's 2020 “Data Breach Investigations Report,” there were
3,950 breaches last year.
Mike Stamas, 44, cofounder of GreyCastle Security
in Troy, New York, observes that at the same time these crimes are soaring, our
digital presence has grown. “Compared to 15 years ago, we have a much larger
presence of online assets, whether it's Facebook, Twitter, online banking,
multiple email accounts, [crowdfunding site] GoFundMe and [payment app] Venmo,”
he says.
Consider a designated tablet for finances
Stamas, his firm's vice president of business
development, says computer tablets
and notebooks are so inexpensive now that consumers should
consider buying one exclusively for online banking and other financial
accounts. Without email, social media and internet browsing on that designated
device, he explains, “you would significantly reduce your risk posture” by
decreasing the incidence of phishing emails,
spyware and malicious payloads.
Different accounts? Different passwords
Buzzard and Stamas, both 20-year cybersecurity
veterans, say the smartest first step to thwart crooks from hacking into your
accounts is this: Set up different, complex passwords not just for your
financial accounts but for every online account. “Many people will use the same
password and same log-in for their Yahoo email account and their J.P. Morgan
account,” Stamas observes.
He urges people to avoid passwords featuring
dictionary words, because computers, in what are called brute-force credential
attacks, can sort through thousands of words to try to guess a password or
passphrase. Stamas also suggests inserting a special character in the middle of
a password — or someone's nickname.
Get a digital password vault or manager if you need one, Buzzard advises, though
writing down passwords and storing them in a safe place is an alternative.
Here are 10 more tips to protect your financial accounts
1. Never give a stranger who contacts you remote access to your computer. “There's
absolutely no (legitimate) scenario in the world where someone will call you up
on the phone unexpectedly and say, ‘We understand your computer is infected,
and we'd like to help you,’” Buzzard says. If you suspect that your device has
a problem, such as malware (malicious software), contact a trusted technician
for service.
2. For another layer of security beyond a password, require two-step
authentication to access sensitive accounts; it may be a number
given in a text or call.
3. Ensure that your antivirus and anti-malware software is up to date.
4. Perform software updates as available on your computer, laptop, tablet and mobile
device.
5. Set up your smartphone to stay locked until you provide biometric data such
as a fingerprint or facial scan.
6. Contact your bank, credit card company and investment firm and ask what additional
security measures they recommend for digital accounts; examples include fraud
alerts and dollar limits on transactions. “They would love it if their
customers took more initiative like that,” Buzzard says.
7. Write down your mobile device sign-on information and store it safely. You will need
it to find your phone or, if stolen, to wipe the device.
8. Periodically review the “last log-in” time stamp on websites you frequent. Check if the
stated times match your activity.
9. If you need to contact a customer service department, call using a phone number
you know is legit, such as one from a billing statement. Stamas says his
mother-in-law once ran into trouble by Googling “Amazon tech
support” and phoning the first number that popped up. It wasn't
Amazon but a “malicious organization” that induced her to turn over financial
information.
10. If you receive an email directing you to log on to a financial account to check
out a transaction, ignore it. Instead, bookmark your financial websites and log
on through a secure, trusted website. Stamas says an unexpected email “has a
high likelihood of being malicious or a phishing scam,” in which a bad actor
tries to steal something of value, like a credit card number or account number.
5 Easy Ways to Protect Yourself From Web Hackers and Eavesdroppers
During the pandemic, we've grown even more
dependent on our devices to stay in touch, get work done and remain
entertained.
We're shopping and banking online; viewing and
sharing recipes; and getting news pushed to our phones, tablets, laptops and
smart speakers. But with the increased reliance on tech comes a greater risk of
being tracked, analyzed, marketed to or even scammed.
Whether your internet service provider, a search
engine or social media giants are blatantly mining your data or cybercriminals
are out to defraud you through computer viruses, phishing scams or ransomware,
your privacy, security and sanity are at stake.
The good news is you don't need to be Bill Gates to
fight back. Consider these simple ways to stop cyber-snoopers in their tracks.
1. Use a VPN
Many of us choose the “private” or “incognito” mode
when opening a web browser because it deletes your history and trackable
cookies after your surfing session. But be aware your online
activity is still visible during your time online. This
information can be tracked, saved and shared or sold to third parties.
While private browsing prevents information from
being automatically stored on your device, everything you do is still visible
to your internet service provider. Websites you visit can see your IP address,
which gives them your approximate geographical whereabouts, and identifies your
device.
Instead, install a reputable virtual private
network (VPN), which provides anonymity when browsing online.
Popular VPN options include ExpressVPN and NordVPN.
An up-to-date security suite should also help you
keep away from prying eyes.
2. Create strong passwords, pass phrases
Remember to have a strong password for all your accounts.
Make it at least seven characters long and a combination of letters, numbers
and symbols. You'll get bonus points for adding upper and lowercase letters.
Never use the same password for all your online
activity. If a site or app is breached, then the bad guys have access to all
your accounts. Password manager apps aren't a bad idea.
A pass phrase instead of a password is a good way
to lengthen your passwords and give you a memory aid. Myd0gD#1! is derived from
“my dog Duke is No. 1.”
For online banking and shopping apps, opt for two-factor
authentication. It not only requires your password to log in but
also a one-time code sent to your mobile device to prove it's really you.
3. Mute, unmute your smart speaker
While smart speakers are
convenient for their instant responses to your queries, these digital
assistants are always listening for their wake word — “Alexa” for Amazon Echo
devices or “OK, Google” for the Google Nest or Google Home family. That means
your virtual assistant is always listening.
If you don't feel comfortable with this fact, press
the Mute button on top of the smart speaker or smart display.
That turns the microphone off, so the device can't listen for its wake word.
You can enable it whenever you have a request, so you'll have to be within
arm's length when you want to use it.
Also know that your requests and commands, while anonymized,
are stored on each company's servers after you say them, which helps
these companies gather data and improve services. You can delete the
information any time:
- For Alexa devices, log into your app on a smartphone or tablet and select Settings | Alexa Privacy | Review Voice History.
- For Google devices, go to history.google.com. Click on the Settings icon, which looks like three stacked lines and also is called a “hamburger” icon, at the top left of the page. Go to Voice & Audio Activity and select a recording to delete.
4. Disable sharing to Facebook
The world's biggest social network doesn't have the
best reputation for privacy and transparency. But to the company's credit, it
released a tool last year for you to manage how your activity is tracked.
Called Off-Facebook Activity, this tool gives you a summary of
activity that businesses and organizations share with Facebook about your
interactions, such as visiting their apps, games, or websites (often when you
log in with your Facebook ID), and lets you turn off that tracking.
To review your off-Facebook activity:
- Log into Facebook.
- Tap the hamburger icon or down arrow at the top right, depending on your device.
- Tap Settings & Privacy | Settings | Your Facebook Information | Off-Facebook Activity. Facebook says you will see a summary of your activity that Facebook receives, but it may take a few days for recent activity to show up.
To turn off this tracking, tap or click where it
says Manage Your Off-Facebook Activity. You can also select Clear
History and More Options to download your information
or manage future activity.
5. Don't forget about your webcam
We're now accustomed to using Zoom and other apps
for video chats, so be sure to take precautions to avoid having your camera
compromised.
If you use an external webcam, one that plugs into
your computer's USB port, connect it only when you need it.
If your camera is built into your laptop, pick up a
lens cover, which may be available at your local dollar store or is as low as $3
for 2 on Amazon. For a camera built flush into your screen, use a double layer
of tape to block the tiny lens, but don't leave it on forever because it could
gum up.
If an app tries to access your camera, some
cybersecurity software solutions, such as ESET, have webcam detection.
If you need your computer repaired, take it to a
trustworthy source. An ill-intentioned technician could secretly install
spyware on your laptop.
If you want to control which apps use your
computer's webcam, go to the Apple icon on Macs | System
Preferences | Security & Privacy | the Privacy tab
| Camera or, on a Windows machine, type Settings in
the search box at the lower left corner of the screen and type Camera
privacy settings to see which of your apps has access to your camera.
You can click a toggle switch to turn off access to a particular app.
Marc Saltzman is a contributing writer who covers
personal technology. His work also appears in USA Today and other national publications.
He hosts the podcast series Tech It Out and is the author of several books,
including Apple Watch for Dummies and Siri for
Dummies.
Katherine Skiba covers scams and fraud for
AARP. Previously, she was a reporter with the Chicago Tribune, U.S. News & World Report and the Milwaukee Journal Sentinel. She was a recipient of Harvard University's Nieman
Fellowship and is the author of the book Sister in the Band of Brothers: Embedded
with the 101st Airborne in Iraq.
https://www.aarp.org/money/scams-fraud/info-2021/account-takeover.html