Be Your Own Cybersecurity Engineer

It’s bad out there and it seems to be getting worse. Computer hackers are attacking individuals and corporations alike. Nobody is immune. Colonial Pipeline is the most recent headline-worthy attack, but these attacks go on all day, every day. Do you receive robocalls or spam emails? Those are all attacks to hack into your personal accounts and to steal money from you. I recently attended a webinar about these cyberattacks and what each of us can do about them without resorting to extraordinary or expensive measures, and I will summarize and add my own suggestions here:

Two Factor Authentication

For any log-in that you have for any bank, savings, brokerage, insurance, or any other account you have that involves money, you should move to two-factor authentication. What is that? It’s another step you need to do after you input your user name and password but before you can access your account. There are many forms of two-factor authentication, some more effective than others. Here is a summary:

  • Secure code card from the financial institution: This is very safe. For my main brokerage account, I have a credit card-sized card with many alphanumeric codes. When I try to log into my brokerage account, I am given numbers that correspond to the codes on my card, which is specific to my account. I look up the codes on the card, type them in, and I am now into my account. This is very safe, but requires that you don’t lose your code card.
  • Face ID: For this same brokerage account, I could use Face ID through my phone, but I choose not to. I have used the Face ID method in the past but the code card works better for me. With the Face ID method, whether through an app on your phone or through your desktop or laptop, your account is linked to your phone number, and you open your phone so it sees your face, and you are in. Face ID is probably the preferred method of two-factor authentication if you are just using an app on your phone to access your account. Also very safe.
  • RSA Security Device: I have this for my checking account, specifically for my business account, although it could be used for a personal account. This is a variant on the code card. With the RSA device, a 6-digit numeric code is provided and is updated every minute or two. When you log into your bank account, simply input the 6-digit code that appears on your device at that time, and you are in. Very safe, but you have to have your device with you when you log in. I assume there are companies or devices other than RSA that do the same thing.
  • SMS Text: Beware of this! This is the most common form of two-factor authentication but is also the most easily hackable. We have all done this: An app or website sends you a text containing a 6-digit code that you then type in to gain access. Problem is, if the hackers already have access to your phone, then they can easily have access to your texts and thus the 6-digit code. Let me clarify: SMS Text is still better than no two-factor authentication, but it’s not as good as other methods.
  • Authentication Apps: The leading players seem to be Twilio/Authy, Google Authenticator, and Microsoft Authenticator. I am not as familiar with these but plan to use them to see how they work, and will report what I find. Try one of them yourself and see what you think.

Passwords

The moderator of the webinar I attended spent a long time discussing how he comes up with unique passwords for each new log-in. We’ve all been there: You open a new app or website, and it asks you to create a password. Brain-lock ensues. You know that you really should not re-use passwords that you already have in play, but you are impatient to open the app, so you cave and re-use an old password. Don’t do this! The moderator suggested we use thought and word association related to that specific website or app in order to derive a new password. That’s fine, but the problem is most new passwords require combinations of lowercase letters, capital letters, numbers, and special characters. They do this for your own safety, but it makes it difficult to come up with a creative phrase. What I do sometimes to address this is to use alphanumeric strings from other sources, just to come up with something.

The key, however, is to write down the user name and password in the Notes section of my Contacts app on my iPhone. That way, I always have access to each user name and password. My browser on my computer (Google Chrome, mostly) will auto-generate passwords and would (or should) remember those passwords the next time you log in. That works, if you are lucky and the browser works the way it is supposed to, but what if you use multiple computers and/or multiple browsers? I still think you need to write down your user names and passwords. Also, there are apps out there such as Dashlane that will auto-generate passwords. I used Dashlane for a while a few years ago, but then Dashlane crashed and took all of my passwords with it, so I have a bias against Dashlane. That’s my personal experience, although I expect (hope!) Dashlane has improved its performance.

RoboCalls and Spam

The moderator says there isn’t a lot we can do about these banes of existence as of now. He stated that the average person receives 20 robocalls per day, which seems high because that’s what I get on a bad day. However, even if the number is half that, it’s still too many. We’ve all heard that you aren’t supposed to answer the calls, but the only way to make the bloody phone stop ringing is to answer it. Recently, my iPhone has been providing a Decline button when a call comes in, but only on some calls, not others. I would like to see the phone company provide a Decline option for all calls, cellphone or land line. Anything to make the thing stop ringing. As for limiting robocalls altogether, that will require government action, which means you should keep your hand where it’s warm.

As for email junk or spam, you can Unsubscribe, but that doesn’t necessarily prevent the junk emails from coming in. The moderator also spent a lot of time discussing various spam (and robocall) schemes that are out there. Basically, the message was: don’t, under any circumstances, do what the scammers ask you to do. The IRS will not call you or email you; they will send you a letter in the mail if they want to get in touch with you. If you get a call or email saying it is from Apple or Amazon and there is a problem with your account, then log into your account on that company’s website yourself and see if there is a problem; likely there is not one. Be very skeptical and use common sense.

IMO

All of these recommendations require more time spent and more work by you, but none of them require expenditures. Do them for your own safety. You lock your car and your front door; you should also do what you can to lock your online selves. Think of these steps as your keys. By doing so, you will be your own cybersecurity engineer: another job title you probably didn’t think you would attain just a few years ago!