How to Protect Your Financial Accounts From Cyber Thieves

If there were an electricity that powers the fraud industry, it would be information. Without names, email addresses, Social Security numbers, passwords, credit card info or other personal data, a scammer cannot reach you or pretend to be you. 

And so a massive illegal, international underground economy has emerged to serve the needs of scammers. The wares? More than 15 billion pieces of stolen personal data, say law enforcement and cybersecurity experts with the firm Digital Shadows. Which sounds like a lot of data, but it isn’t. The average person logs in to nearly 200 sites that require passwords or other information, Digital Shadows estimates. Sitting in your computer are endless amounts of personal data that may be useful to a scammer. And so another illegal industry is constantly at work: data stealing. There were a record 1,862 publicly reported breaches of large-organization customer databases last year, according to the Identity Theft Resource Center. Most of that data ends up in this dark web marketplace, being bought and sold.

If this info marketplace were an actual mall, the people you’d find there primarily would be hackers who steal the information and sell it in bulk, malicious code writers who help those hackers gain access to your computer by infecting it with malware, and vendors who buy the stolen data, repackage it and sell it to the “end users”—the people actually trying to ensnare you in a scam.

How much is your personal identifiable information (PII) worth to scam artists? While many people think a nine-digit Social Security number is their most valuable identifier, “it’s actually worth about $2,” says James E. Lee, chief operating officer of the nonprofit Identity Theft Resource Center in San Diego.

If a Social Security number comes with a name and date of birth, it’s $4 or $5, or about “the cost of a caramel macchiato,” says Brian Krebs, a cybersecurity expert who runs the website KrebsOnSecurity.com.

A person’s credit card information is worth more, about $25 to $35, Lee says. A hacked Facebook account can bring $65, and a selfie photo with a U.S. driver’s license, $100.

Who’s buying this information?

“There are hundreds of thousands of serious ‘threat actors’ throughout the world,” says Robert Villanueva, a retired U.S. Secret Service supervisor who’s now executive vice president of Q6 Cyber in Hollywood, Florida.

This personal data is sold in digital “shops” on the dark web as well as in more exclusive online “forums” accessible to more sophisticated cybercriminals, Villanueva adds.

Malware, or malicious software, is critical to their crimes, because if a computer is compromised with what’s called a keylogger, every letter a person types is revealed to the bad guys, who can grab banking and email credentials and take over these accounts.

Your smartphone is also targeted. “Threat actors are really going after people’s phone numbers to hijack their digital lives, because that’s the weakest link,” Krebs says.

How to stay safe

• Set up your digital accounts to require multifactor authentication.
  
  
• Freeze your credit at the three major credit bureaus. Do the same for your dependents’ credit. That helps prevent a scammer with your info from making any major transaction in your name or the name of a dependent.
  
  
•  Do not save credit card numbers online with merchants or service providers.
  
  
• Activate biometric locks (facial recognition or fingerprints) on your mobile device to safeguard data if the device is lost or stolen.
  
  
• Use antivirus software and perform recommended cybersecurity updates on your devices.

• Because your phone number increasingly is being used to identify you, remove it from as many online accounts as possible. You may need to use your number to open some accounts, but go back and remove it later.

Our financial fingerprints are scattered all over our computers and devices: banking, credit card and retirement account data; tax returns; travel loyalty clubs; digital payment apps; online accounts for megastores; and much more. What resides on your smartphone alone is like a “candy store” to cybercriminals, warns John Buzzard, the lead fraud and security analyst at Javelin Strategy & Research in Pleasanton, California.

Of growing concern to him and others who battle cybercrime is a scourge known as an account takeover. In this type of attack, a criminal gains access to one of your digital accounts. The crook may not stop at a single account, either. Multiple critical accounts — and hard-earned cash — can eventually be at risk, Buzzard says.

What's an account takeover?

It's worse than a cybercrook's stealing your credit card number and going on a buying binge at a big-box electronics store. In an account takeover, your username, log-on information and the mobile number associated with your account are manipulated or changed in a way that prevents you from accessing your account and receiving notifications about possibly fraudulent activity. Account takeovers reached a six-year high in 2019, striking an estimated 4.4 million adults in the U.S. and causing $6.8 million in losses, Javelin Strategy & Research estimates.

Account Takeovers in the U.S.

GRAPHIC BY AARP

Approximately 4.4 million adults had a financial account taken over by cybercriminals in 2019, losing an estimated $6.8 million. Both numbers were the largest in six years.

Data breaches galore

In light of persistent, troubling data breaches, a trove of sensitive consumer information is already in the hands of bad actors, Buzzard notes. Breaches can expose databases from entire organizations, and, according to Verizon's 2020 “Data Breach Investigations Report,” there were 3,950 breaches last year.

Mike Stamas, 44, cofounder of GreyCastle Security in Troy, New York, observes that at the same time these crimes are soaring, our digital presence has grown. “Compared to 15 years ago, we have a much larger presence of online assets, whether it's Facebook, Twitter, online banking, multiple email accounts, [crowdfunding site] GoFundMe and [payment app] Venmo,” he says.

Consider a designated tablet for finances

Stamas, his firm's vice president of business development, says computer tablets and notebooks are so inexpensive now that consumers should consider buying one exclusively for online banking and other financial accounts. Without email, social media and internet browsing on that designated device, he explains, “you would significantly reduce your risk posture” by decreasing the incidence of phishing emails, spyware and malicious payloads.

Different accounts? Different passwords

Buzzard and Stamas, both 20-year cybersecurity veterans, say the smartest first step to thwart crooks from hacking into your accounts is this: Set up different, complex passwords not just for your financial accounts but for every online account. “Many people will use the same password and same log-in for their Yahoo email account and their J.P. Morgan account,” Stamas observes.

He urges people to avoid passwords featuring dictionary words, because computers, in what are called brute-force credential attacks, can sort through thousands of words to try to guess a password or passphrase. Stamas also suggests inserting a special character in the middle of a password — or someone's nickname.

Get a digital password vault or manager if you need one, Buzzard advises, though writing down passwords and storing them in a safe place is an alternative.

Here are 10 more tips to protect your financial accounts

1. Never give a stranger who contacts you remote access to your computer. “There's absolutely no (legitimate) scenario in the world where someone will call you up on the phone unexpectedly and say, ‘We understand your computer is infected, and we'd like to help you,’ “ Buzzard says. If you suspect that your device has a problem, such as malware (malicious software), contact a trusted technician for service.

2. For another layer of security beyond a password, require two-step authentication to access sensitive accounts; it may be a number given in a text or call.

3. Ensure that your antivirus and anti-malware software is up to date.

4. Perform software updates as available on your computer, laptop, tablet and mobile device.

5. Set up your smartphone to stay locked until you provide biometric data such as a fingerprint or facial scan.

6. Contact your bank, credit card company and investment firm and ask what additional security measures they recommend for digital accounts; examples include fraud alerts and dollar limits on transactions. “They would love it if their customers took more initiative like that,” Buzzard says.

7. Write down your mobile device sign-on information and store it safely. You will need it to find your phone or, if stolen, to wipe the device.

8. Periodically review the “last log-in” time stamp on websites you frequent. Check if the stated times match your activity.

9. If you need to contact a customer service department, call using a phone number you know is legit, such as one from a billing statement. Stamas says his mother-in-law once ran into trouble by Googling “Amazon tech support” and phoning the first number that popped up. It wasn't Amazon but a “malicious organization” that induced her to turn over financial information.

10. If you receive an email directing you to log on to a financial account to check out a transaction, ignore it. Instead, bookmark your financial websites and log on through a secure, trusted website. Stamas says an unexpected email “has a high likelihood of being malicious or a phishing scam,” in which a bad actor tries to steal something of value, like a credit card number or account number.

5 Easy Ways to Protect Yourself From Web Hackers and Eavesdroppers

During the pandemic, we've grown even more dependent on our devices to stay in touch, get work done and remain entertained.

We're shopping and banking online; viewing and sharing recipes; and getting news pushed to our phones, tablets, laptops and smart speakers. But with the increased reliance on tech comes a greater risk of being tracked, analyzed, marketed to or even scammed.

Whether your internet service provider, a search engine or social media giants are blatantly mining your data or cybercriminals are out to defraud you through computer viruses, phishing scams or ransomware, your privacy, security and sanity are at stake.

The good news is you don't need to be Bill Gates to fight back. Consider these simple ways to stop cyber-snoopers in their tracks.

1. Use a VPN

Many of us choose the “private” or “incognito” mode when opening a web browser because it deletes your history and trackable cookies after your surfing session. But be aware your online activity is still visible during your time online. This information can be tracked, saved and shared or sold to third parties.

While private browsing prevents information from being automatically stored on your device, everything you do is still visible to your internet service provider. Websites you visit can see your IP address, which gives them your approximate geographical whereabouts, and identifies your device.

Instead, install a reputable virtual private network (VPN), which provides anonymity when browsing online. Popular VPN options include ExpressVPN and NordVPN.

An up-to-date security suite should also help you keep away from prying eyes.

2. Create strong passwords, pass phrases

Remember to have a strong password for all your accounts. Make it at least seven characters long and a combination of letters, numbers and symbols. You'll get bonus points for adding upper and lowercase letters.

Never use the same password for all your online activity. If a site or app is breached, then the bad guys have access to all your accounts. Password manager apps aren't a bad idea.

A pass phrase instead of a password is a good way to lengthen your passwords and give you a memory aid. Myd0gD#1! Is derived from “my dog Duke is No. 1."

For online banking and shopping apps, opt for two-factor authentication. It not only requires your password to log in but also a one-time code sent to your mobile device to prove it's really you.

3. Mute, unmute your smart speaker

While smart speakers are convenient for their instant responses to your queries, these digital assistants are always listening for their wake word — “Alexa” for Amazon Echo devices or “OK, Google” for the Google Nest or Google Home family. That means your virtual assistant is always listening.

If you don't feel comfortable with this fact, press the Mute button on top of the smart speaker or smart display. That turns the microphone off, so the device can't listen for its wake word. You can enable it whenever you have a request, so you'll have to be within arm's length when you want to use it.

While anonymized, also know your requests and commands are stored on each company's servers after you say them, which helps these companies gather data and improve services. You can delete the information any time:

For Alexa devices, log into your app on a smartphone or tablet and select Settings | Alexa Privacy | Review Voice History.

For Google devices, go to history.google.com. Click on the Settings icon, which looks like three stacked lines and also is called a “hamburger” icon, at the top left of the page. Go to Voice & Audio Activity and select a recording to delete.

4. Disable sharing to Facebook

The world's biggest social network doesn't have the best reputation for privacy and transparency. But to the company's credit, it released a tool last year for you to manage how your activity is tracked.

Called Off-Facebook Activity, this tool gives you a summary of activity that businesses and organizations share with Facebook about your interactions, such as visiting their apps, games, or websites (often when you log in with your Facebook ID), and lets you turn off that tracking.

To review your off-Facebook activity:

Log into Facebook.

Tap the hamburger icon or down arrow at the top right, depending on your device

Tap Settings & Privacy | Settings | Your Facebook Information | Off-Facebook Activity. Facebook says you will see a summary of your activity that Facebook receives, but it may take a few days for recent activity to show up.

To turn off this tracking, tap or click where it says Manage Your Off-Facebook Activity. You can also select Clear History and More Options to download your information or manage future activity.

5. Don't forget about your webcam

We're now accustomed to using Zoom and other apps for video chats, so be sure to take precautions to avoid having your camera compromised.

If you use an external webcam, one that plugs into your computer's USB port, connect it only when you need it.

If your camera is built into your laptop, pick up a lens cover, which may be available at your local dollar store or is a low as $3 for 2 on Amazon. For a camera built flush into your screen, use a double layer of tape to block the tiny lens, but don't leave it on forever because it could gum up.

If an app tries to access your camera, some cybersecurity software solutions, such as ESET, have webcam detection.

If you need your computer repaired, take it to a trustworthy source. An ill-intentioned technician could secretly install spyware on your laptop.

If you want to control which apps use your computer's webcam, go to the Appleicon on Macs | System Preferences | Security & Privacy | the Privacy tab | Camera or, on a Windows machine, type Settings in the search box at the lower left corner of the screen and type Camera privacy settings to see which of your apps has access to your camera. You can click a toggle switch to turn off access to a particular app.

Marc Saltzman is a contributing writer who covers personal technology. His work also appears in USA Today and other national publications. He hosts the podcast series Tech It Out and is the author of several books, including Apple Watch for Dummies and Siri for Dummies.

 

Katherine Skiba covers scams and fraud for AARP. Previously, she was a reporter with the Chicago Tribune, U.S. News & World Report and the Milwaukee Journal Sentinel. She was a recipient of Harvard University's Nieman Fellowship and is the author of the book Sister in the Band of Brothers: Embedded with the 101st Airborne in Iraq.

 

 https://www.aarp.org/money/scams-fraud/info-2021/account-takeover.html