Tuesday, January 14, 2025

Financial Paranoia 3 - The Bare Minimum - Separate smart phones & emails

In the last two installments, we discussed social engineering and phishing, as well as the danger of password reuse.

With regard to social engineering, the best antidote is probably increased vigilance; however, I am here to propose some real-world solutions to the more technical attacks.

We'll start with the most minimal changes you can make without much inconvenience or cost, and move on to more sophisticated options in future installments.

First, since enhanced security is almost always a trade-off, let's discuss why you might be willing to endure the inconvenience in exchange for more security.  

Value Proposition

If, like many people, you don't have much money in your bank account, you might think there isn't much to protect. But imagine that you have only $500 in your bank account and scammers steal it. You lose the time and effort needed to reset your accounts, and also the only $500 you had in the world. Worse yet, if they also managed to steal your credit card information, they may have spent money on your cards that you haven't even earned yet. Sure, perhaps you can get that money back once everything is sorted out, but that can be a long and time-consuming process, and you may have to pay in the meantime.

On the other hand, if you have a lot of money in the bank, then there is more for the criminals to steal.  This means you have more to protect.  Likewise, your credit cards likely have higher limits as well.  

Step 1: Separate Banking Phone & Accounts

If you are like most people, you probably use a smart phone for some of your online banking, and possibly a computer as well.

The first "trick" is to get a second phone, one dedicated to banking. Many people already have an old phone lying around from their last upgrade, or could get one relatively easily.

It would be ideal if you got a separate SIM card with a separate number for your banking phone, however we'll cover that in a future installment.  For now, we'll assume you're going to go with WiFi.  

The first thing to do is a factory reset on your old phone, followed by updating the operating system to the newest version.

If it's an Android phone and you need to log in with a Google account, create a new one specifically for banking. Likewise, if it's an iPhone, you may need to register a new Apple account.

When creating this email address, ideally use a random-looking address that has nothing to do with your real name or normal email address. For example, if your real name is "Akiko Wada", don't use AkikoWada56; use something like ChochoHima12. The idea is that you will only use this email for banking, so you'll never use it to post to social media and the like, and nobody (except your banks and credit card companies) should ever know what it is.

Make sure you use a different password than your normal account. Also, don't set your existing normal account as the recovery (backup) account that is allowed to reset your banking account. You don't want someone who compromises your normal account to be able to use it to reset your banking account.

Make the password for your banking account sufficiently long, and set it to require an OTP when you log in if that's an option.  You can put the OTP (Authenticator) app on your normal phone for now if you like.  

There are probably apps installed by default that you don't need, particularly on carrier-branded Android phones. Uninstall or disable as many of these as you can.

Next, verify the login and password for each of your banking apps, and then uninstall them from your normal phone unless you will need them while you are out and about.  Ideally you should have a separate spending money account that isn't connected to your payroll, but more on that in a future installment.  

Install these banking apps on your Banking phone and log in.  Since we'll be using your normal phone number for now, keep your normal phone handy to receive any SMS confirmations.  

I would also highly recommend that you use ProtonMail for banking purposes; a free account is fine for now. If you already have a ProtonMail account, sign up for a new one just for banking.

Next, you'll want to log into each of your online banking and other finance-related accounts (credit cards, brokerages, etc.) and change your email address to the new banking-specific one you just created. Before you do that, though, let me sell you on another idea.

If you don't mind the extra effort, it's best to use a separate email address for each and every bank, credit card, etc. that you use. You don't actually have to create separate accounts, though, as you can use so-called plus aliases. These work with either Gmail or ProtonMail, but with ProtonMail there is the added advantage that you can send from these addresses as well.

How does this work?  You simply register mail addresses with each company as follows:

If your real email is xxx@yyy.zzz, you use xxx+ccc@yyy.zzz, where ccc is the company.

  • beavis123@protonmail.com (real/main address)
  • beavis123+mitsubishi0114@protonmail.com
  • beavis123+smbc1102@protonmail.com
  • beavis123+mizuho1204@protonmail.com

etc. Here I also added a number at the end to make each alias harder to guess.

The advantage of these types of aliases is that they are widely supported, and free.  You also don't have to create them beforehand, you can just make them up on the fly and use them.

The main disadvantage is that anyone can work out your real address simply by looking at an alias and removing everything between the + and the @. You also can't easily block mail sent to such an alias.

So why bother?  

a. You avoid giving out your "real" address, and potentially avoid spam.

b. You can use it as a check later on to see if emails are legitimate.

c. You can use it to create forwarding rules, etc. in the future.
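As an added example (my own code, not part of the original post), here is a small checker for the plus-alias scheme described above, implementing the "is this email legitimate" test from point b: it recovers the base address from an alias (the disadvantage noted earlier), works out which company a recipient alias was registered with, and compares that with the sender. The alias table, the sender domains (reserved `.example` placeholders, not the banks' real domains) and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# One alias per company, registered with that company only (constructed values).
ALIASES = {
    "mitsubishi": "beavis123+mitsubishi0114@protonmail.com",
    "smbc": "beavis123+smbc1102@protonmail.com",
    "mizuho": "beavis123+mizuho1204@protonmail.com",
}
# Sender domain you expect from each company. Placeholder .example domains,
# not the banks' real ones; fill these in from the bank's own mail.
SENDER_DOMAINS = {"mitsubishi": "mitsubishi.example",
                  "smbc": "smbc.example", "mizuho": "mizuho.example"}

def base_address(addr):
    """Strip the +tag: this is why a plus-alias still reveals the real address."""
    local, _, domain = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def company_for_alias(addr):
    """Which company this recipient address was registered with, if any."""
    for company, alias in ALIASES.items():
        if addr.lower() == alias:
            return company
    return None

def check_message(raw):
    """Verdict for one raw message: compare the sender with the alias it used."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    claimed = next((c for c, d in SENDER_DOMAINS.items() if d == domain), None)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    matched = {company_for_alias(a) for a in recipients} - {None}
    if claimed is None:
        return "unknown-sender"         # nobody but your banks should mail this mailbox
    if matched == {claimed}:
        return "ok"                     # sender and registered alias agree
    if not matched:
        return "sent-to-wrong-address"  # main address or an unregistered alias was used
    return "alias-mismatch"             # another bank's alias: leaked or guessed

# Constructed sample messages (headers + a one-line body).
SAMPLE_OK = "From: notice@mitsubishi.example\nTo: beavis123+mitsubishi0114@protonmail.com\n\nHello"
SAMPLE_MISMATCH = "From: notice@mitsubishi.example\nTo: beavis123+smbc1102@protonmail.com\n\nHello"
SAMPLE_MAIN = "From: notice@mizuho.example\nTo: beavis123@protonmail.com\n\nHello"
SAMPLE_UNKNOWN = "From: alerts@secure-login.example\nTo: beavis123+mitsubishi0114@protonmail.com\n\nHello"
```

A spoofed From header alone will not fool this check, because the verdict also depends on the alias the mail actually reached, which only the real company should know.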

Whether you use the aliases or not, update each bank account to use the banking email (either the normal address or an alias).

If you log into your banking email on a PC, do it in a private window, and don't let your PC remember your username or password.  Log out once you are done.  

Once everything above is complete, I would recommend you switch any banking related OTP settings to use an authenticator app on your banking phone, then the separation between your work and financial online identities will be almost complete.  

If you are in the US, I would consider setting up a Google Voice number for your banking phone; if not, we will cover setting up a separate number for banking in a future installment.

Congratulations:

Once this step is done you will have the following enhanced security:

1. If your normal phone is hacked, it won't give anyone access to your financial accounts since there are no banking apps on it.

2. Your banking phone is much less likely to be hacked since it doesn't have any non-financial apps.

3. Accessing your normal email via PC or phone won't give anyone any information about your finances, or any way to break into your accounts.

4. If you see an email on your normal account from a bank, you will immediately know it's a phishing attempt (since all your banks will only email your banking email).

5. You are much less likely to receive phishing emails to your banking email address since you only use it for banking.

6. If your normal phone is lost or stolen you don't need to worry about banking apps being lost, and you will still have access to your critical banking apps.  (Leave your banking phone at home and turned off when you don't need it).  

7. If you used aliases, then you can easily tell when an account and the sender don't match. For example, if you used beavis123+mitsubishi0114@protonmail.com with Mitsubishi, then all emails from them should arrive at that address only. When you receive an email from them, you can check the "To" line to make sure it's correct. (This is where using a number at the end makes it harder for anyone to guess the correct address.)

8. If your mail account is compromised, they won't be able to use it to figure out where you bank, which credit cards you have, etc.  (You did remember to delete all old mails from those places, right?)  

9. As an added bonus, you won't need to set up all your banking apps and authentication again next time you upgrade or change your main phone.

10. Since you don't need to keep your banking phone with you most of the time, you can keep it at home in a safe place so there will be much less risk of it being lost or stolen.  
