I am not the only one thinking about this. New York State Department of Financial Services issued a report on cybersecurity in the banking sector, where more than 150 organizations rely on third-party service providers for critical banking functions. The regulators want the banks to tighten security.
So should you.
We spend most of our time in financial markets looking at ways to deploy our capital: What assets to buy or sell, how much we should save for retirement, whether we should own more of these stocks and less of those bonds.
We don’t spend so much time thinking about the ways we can lose that money — to fraud and to common theft. We should be more vigilant, especially as we move our lives online, with digital access to our checking and savings accounts, our online portfolios, even our taxes.
It is impossible to make yourself hack-proof, but you can make yourself less vulnerable.
It all starts with some common-sense security steps. Three ways you probably can improve your existing practices: Develop better e-mail habits, beef up password security and (as always) remember that your behavior is the root of most of your problems.
Get your e-mail act together
Every day, your inbox fills with all manner of junk. Some of it is merely time-wasting nonsense, but let’s not forget about the really dangerous stuff: phishing schemes, malicious viruses and malware. It seems the only reprieve we get are those rare occasions when the main servers in Russia — a.k.a. Spambot Central — gets temporarily knocked off-line.
People have tried a variety of ways to tackle this: Filters, whitelists, e-mail verifiers and trusted ID services; disposable e-mail addresses from sites such as Mailinator; “junk” e-mail addresses from Hotmail, Yahoo or Google. And still the danger keeps coming.
I have a few tricks I use to keep the really nasty stuff under control, such as:
• View e-mail as plain text.
All of the bad links, embedded viruses and other malware go away when you select “view as plain text.” Sure, you lose all of the graphics and links, but you lose the threats as well.
• Create a primary e-mail address.
This is your main address — for colleagues, clients and peers. Never share this e-mail address. Don’t subscribe to anything using this address — no Internet mailing lists, no subscriptions, nada. Use this address alone for your finance- and business-related e-mails. Anything unrelated is junk; treat it that way. Block the domains of senders. Mark junk mail as junk.
• Use an e-mail forwarder.
I have been a big fan of Leemail.me. Instead of giving out my e-mail address, I use Leemail to auto-generate an address whenever I want to share my e-mail with an unfamiliar company. It forwards my e-mail from the company to me. When I want to shut that sender off, I flick a button.
Tracking the companies that share or sell your e-mail address is invaluable. The basic version of Leemail is, astonishingly, free, and the upgrade is only a few bucks a year.
• Don’t hit “unsubscribe”; get blacklisted instead.
There are a number of companies that provide e-mail services to third parties, shops such as Constant Contact, Vertical Response and iContact. They are the middlemen between businesses and consumers. And while they claim to be “opt-in only” and not spammers, in truth, they are subject to whatever bad behaviors their clients engage in. They all have become legal quasi-spammers.
On every e-mail these companies send, there is an unsubscribe button. NEVER CLICK THAT. When you do, you are not unsubscribing. Rather, you are verifying that your e-mail address is legitimate.
Instead, go to the company Web site and track down the customer service number. Call customer service and insist on having your e-mail or domain “blacklisted.” Thats the only way to ensure you will truly be unsubscribed. If the company refuses, file a Federal Trade Commission complaint.
If you were like I was five years ago, you had one simple password that you used for everything — Amazon, Facebook, Wall Street Journal — everywhere. This could’ve been disastrous. Now all passwords are different. Avoid the common errors, such as using birthdays or your kids’ names. Never use sequential numbers. And for goodness sake, don’t use “password” as your actual password.
Put all of your passwords on a document named something other than “My passwords.” I find burying passwords somewhere in a spreadsheet to be useful. Print out a copy and place it in your safety deposit box with other important papers.
I have said all too often that when it comes to investing, people are their own worst enemy. Behavioral problems are rife in security as well. Get into the practice of thinking about security, and soon it becomes second nature.
The Securities and Exchange Commission has gotten much more serious about personal financial data security. They have informed advisers and brokers that there is a duty to protect client data. When we set up our wealth-management practice, we put into place specific policies and procedures to protect clients:
● All sensitive information is sent by secure e-mail using a third party for encryption.
● We never e-mail Social Security numbers or account numbers or other private data via regular email.
● We went totally paperless. Our file cabinets are empty, everything is cloud based.
● Any documents that arrive are shredded, so even our outgoing garbage is secure with nothing usable to a thief.
Most of this is common sense. However, many people are still vulnerable. With smarts and a bit of awareness, you can make your financial assets much more secure.
Ritholtz is chief executive of Ritholtz Wealth Management. He is the author of “Bailout Nation” and runs a finance blog, The Big Picture. On Twitter: @Ritholtz.
It is good practice to regularly back up your web financial services with a paper copy, perhaps every week.You need a record to fall back on in case the system is wiped clean. Don’t trust your computer or a cloud arrangement to be the backup.
We are already in a cyberwar. Like the improvement of weaponry during wartime, the sophistication to enable theft or other harm to all using the internet will continue to be enhanced at warp speed.
I agree with most of your points, Barry, and have already been practicing most for many years. However, when it comes to going all digital, I believe ‘theexpertisin’ makes some salient points. One should be cautious about relying on the permanence of bits and bytes. This technology is still in its infancy and the durability of digital media is far from ensured. It’s well-documented that CD’s, DVD’s and BluRay discs have a finite life depending on the rate at which the underlying physical media (i.e. aluminum, other metals, plastics) degrades over time.
I would also point you in the direction of an article on Medium by Quinn Norton titled, “Everything is Broken.” You likely have already read it, but if not, it’s a pretty sobering read about the digital underpinnings of computer technology and one that your readers would likely appreciate.
Here’s the link:
Everything is Broken
ADMIN: BR used that in a linkfest a few weeks ago
You have touched on a difficult problem — getting end users to follow secure practices.
The basic problem is that actual, real honest-to-goodness security is too much in the way of what we want to do. An acquaintance surveyed French users – their most common logon password for work was “bon jour”. People make it easy on themselves.
In my retirement, I have tried with no success to get folks in my social sphere to improve their security. They nod politely, but privately they think I’m nuts.
The point is to communicate, and security gets in the way of that.
From what I’ve read, and from my surmises, really secret communications is not entrusted to end users. Specially trained security people, be it by NSA or KGB, handle the communications. The communicator composes in militarese (from my study of the VENONA decrypts, the NKVD did not use normal Russian, they used KBG dialect, which I dubbed KGBese.) Then the militarese is handed over to the cipher people who massage it according to security practices, then send it.
End users will sabotage security, and without really meaning to. It’s just that it is too much impediment to what they are trying to do. Cryptanalysis would not be possible without that.
I follow secure practices for myself, but I have given up trying to get others to understand the need.
cybersecurity…complain about NSA, extra super strong password changed randomly every 10 seconds but record my life on Facebook and twitter.
One of the best password systems I have come across is one that was implemented by a large British bank. You choose a password of your liking. Then, when you log in, you are asked to enter some of the characters in your password (e.g. you might be asked to enter the 1st, 4th and 7th characters of your password). The requested characters vary at each login. Not quite as good as an RSA token but pretty damned secure