The reality is that each week there is another high-profile story like the incidents at Equifax, Target, and Yahoo. Unfortunately, there are many more that never make the headlines. The fact is business is online these days, from receiving eStatements from Schwab to buying your movie tickets for Friday night.
One thing is clear: You must take control of your online identity and security.
We’ve structured this program into four parts:
- Video Overview
- Written Content
- Downloadable Checklist
- Additional Resources
While we suggest going through each piece, if you are pressed for time, we recommend watching the video and completing the checklist.
Bottom Line: Don’t let the FUD factor (Fear, Uncertainty, and Doubt) keep you from using and enjoying the world of technology.
Watch: Overview Video
Henssler Financial’s own “Old Bald Guy” and official senior citizen explains—in non-technical terms—how to protect your identity to the best of your ability without going off-grid and living in a yurt.
Use a Password Manager
Each and every website that you use should have a unique password.
A password manager can automatically generate usernames and passwords. It will save this information and can automatically log you in.
The reason we recommend using unique passwords and usernames is this: if one of the sites you use has its user data stolen (it happens all too often) and you use the same password on multiple sites, the hackers now have the login information for more than just the exploited site.
Having unique login information means when you receive the notification from a website that it was exploited, you only need to worry about changing your information for that ONE site.
Sometimes, it takes months before a company discovers its website has been hacked, so people who re-use passwords may not know their information has been compromised until it is too late.
We Recommend LastPass
Personal usage for LastPass on a single device is free to try. If you want to use it on multiple devices (e.g., your smartphone, personal computer, or tablet), it is $24 per year for one user or $48 for a family of six users. You only have to remember one password.
LastPass can share logins with other LastPass users, give trusted users full access in case something happens to you, store secure notes, and scan the information saved in LastPass for sites using the same password and for insecure passwords.
Because LastPass will save this information, you should make passwords as long as the website supports. Furthermore, if the website does not support multi-factor authentication and the username does not have to be your email address, we recommend letting LastPass generate something unique for that as well.
Unfortunately, many websites do not have a way to easily change your username. Just remember this feature for any new websites you join after you start using LastPass.
LastPass tutorials can be found at https://lastpass.com/support_screencasts.php
Pro Tip: Make sure you enable multi-factor authentication for LastPass (details in step 2).
Protect Your Email
The majority of websites still do two very insecure things:
- They require you to use your email as the username for your account
- They send password resets without any form of authentication
Should someone gain access to your email account, they can then read through all of your saved, sent, and deleted emails where they likely will find information for many of the websites you use.
They will then go to those sites and click on the Forgotten Password link, which will send a reset email to—that’s right—your hacked email account. Not only does this give them access to your account on that site, but they can now change your password AND your contact info and make your life even more fun later on.
We Recommend Using an Account that Supports Multi-factor Authentication
First, make sure your email password is unique by using LastPass. Generate a password as long as the email provider supports with whatever combination of characters it supports.
Second, enable multi-factor authentication (MFA). MFA combines two or more credentials: something you know (your username and password) plus something you have. One of the oldest methods of MFA that most of us have used is your bank ATM card. Your PIN is something you know and the card is something you have.
For email, this “second factor” can be an app on your smartphone that generates a one-time use six-digit token or a multi-digit number that is sent to your phone via text message. We recommend the Google Authenticator app. It is free and works on all types of smartphones and tablets.
What do you do if your email provider does not support MFA? CHANGE EMAIL PROVIDERS. We recommend Gmail from Google. You should be able to forward all of the email from your old/insecure email provider to your new Gmail account so you don’t miss anything.
Third, consider using a different email address for your critical financial accounts. You can have unlimited free email accounts at Gmail—make sure you enable MFA! Use this for your bank and credit cards but nothing else. This helps you segment email from those institutions, and since this isn’t your public email account, it is much less likely to be compromised.
Pro Tip: Make the address totally generic (i.e., NOT any portion of your name), for example: mybanks@gmail.com. Gmail makes it very easy to manage multiple email accounts. You can even forward all of your emails from this account to your public account so you only need to check one for new email.
Monitor Your Accounts
You may be able to detect fraud or identity theft early by reviewing your accounts, your credit report and ratings, and your mail.
Early detection and immediate action are the only ways to limit, and potentially stop, the damage that can be done once your information is compromised.
We Recommend Regular Monitoring
Sign up for Credit Karma. It’s FREE and gives you access to your TransUnion and Equifax credit reports. Make sure you enable their alert for hard credit inquiries, which will email you if a hard inquiry is made to either of these services.
You can also use annualcreditreport.com to obtain a full report from each of the three credit reporting agencies once per year. Georgia residents are allowed to receive two additional free credit reports from each CRA per year, but you must contact the CRAs directly for those. See http://www.consumer.ga.gov/consumer-topics/credit-reports-and-credit-score for details.
A hard inquiry is what a company will perform before issuing credit, providing a loan, issuing a credit card, etc. Once this alert is configured, we still recommend logging into Credit Karma at least once a month to check your credit scores and make sure the information is accurate.
Enable all of the alerts and notifications available on your bank accounts and credit cards. This is the quickest way to know if there has been unauthorized access to one of those accounts. Some have text messages, some email notifications, some both. Use whichever fits your lifestyle.
If you use a personal finance manager, such as Mint.com, which downloads your transactions for credit cards and banks, you can use this to quickly summarize and verify your transactions weekly.
Between this and account alerts, you will know quickly if someone has gained access to your accounts.
Auto-Update Devices
Some old school techies refuse to do this, claiming newly released patches from Microsoft, Apple, etc., “break their stuff.” While this rarely happens, the alternative is much worse. Unless you diligently monitor software patches on all of your devices, turn on auto-update.
Hackers exploit well-known bugs that still exist in software, sometimes years later, because it has not been updated. Auto-updating solves a lot more problems than it might cause. Turn it on and be done with it!
If you don’t know how, open a Google search page and type, “How to enable auto-update for Windows 10” (replacing “Windows 10” with whatever software or device you are using, e.g., “How to enable auto update on iPhone 8”). Google (or Bing) search is No. 1 in the geek handbook. Type it like a question, and the results should be right on target.
Complete Action List:
To put your new knowledge into action, we’ve created a downloadable checklist of steps you need to take based on the video and information above.
Download the Checklist
Questions?
If you have questions, please email them to cybersecurity@hensslerfinancial.com
Additional Resources
Henssler Articles:
Digital Deception: Current Trends in Cybercrime
Protecting Your Business from Cyber Threats
Internet Security Best Practices
Online Articles:
How to give your parents the security talk this Thanksgiving