Thursday, August 15, 2019

Why Can't We Stop Pfishing?

During my employee orientation at America Online in 1997, that day-long tradition of assaulting new hires with mundane and mind-numbing facts that are immediately forgotten, I was warned that AOL employees were constantly under threat of phishing attacks, though they weren't called that, and I admit that I didn't really understand the explanation.

By close of business the following day I had developed a full appreciation of the threat because I had unwisely clicked on a link in an Instant Message and unwittingly handed my employee login credentials to a hacker, something I had been told not to do just hours before. IT's "clean-up" process took two days, though I suspect that was a form of punishment, and during that time I wore the scarlet letter of being cut off from the rest of the company that functioned entirely around AOL Mail and Instant Messaging.

What a dunce. Lesson learned.

AOL finally put a huge dent in the phishing attacks by implementing two-factor authentication (2FA) for all employees, as I described in those previous posts, except that in 1997 we used hardware tokens because there were no smartphones.

Having dedicated my last two posts, You're Responsible for Your Own Online Security and How to Secure Your Online Financial Accounts, to securing online financial accounts, I realize my retirement finance blog has taken on a computer-geek air of late. My rationale is that retirement finance is primarily about dealing with risk and cyber security is a huge component of financial risk.

Malwarebytes.com describes phishing attacks as follows.
"Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there's more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgment by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence."
The term "phish" comes from fishing. A hacker dangles some bait in front of you in the form of a disguised hyperlink in an email or text message and hopes you will click on it hook, line and sinker.

Phishing attacks can be implemented with text messages, email, or even phone calls. It is actually a "social engineering" attack because rather than relying on technology to steal your vital information, it relies on you giving away that information in a moment of fear, confusion or just complacency.

Some people provide their sensitive information over the phone in spite of knowing that no bank, brokerage or government office like the Social Security Administration is going to call, text or email you and ask for your login credentials. The IRS does not announce an audit in an email.

Others click on a hyperlink in an email or text message because they believe they know the sender or because the link looks familiar or harmless. It isn't difficult for a hacker to change an email sender's address, using an attack known as "spoofing." You cannot trust an email's source simply by looking at the sender's email address or a phone call's source by checking Caller ID.

A lot of people who should know better get hacked by phishing attacks. It's a highly effective strategy.

Cyber security firm, CSO, lists three infamous phishing attacks.
  • Perhaps one of the most consequential phishing attacks in history happened in 2016 when hackers managed to get Hillary Clinton campaign chair John Podesta to offer up his Gmail password. 
  • The "fappening" attack, in which intimate photos of a number of celebrities were made public, was originally thought to be a result of insecurity on Apple's iCloud servers, but was in fact the product of a number of successful phishing attempts.
  • In 2016, employees at the University of Kansas responded to a phishing email and handed over access to their paycheck deposit information, resulting in them losing pay.
The Clinton Campaign phishing hack may have helped decide a presidential election.

(Note to political parties: Why are you sending unencrypted sensitive information over email systems like GMail when you can create a free, encrypted account at CERN's Proton Mail or spend a few bucks to encrypt your own mail server? More importantly, why are you saying things in an email that you wouldn't want the world to share? Emails never die. Your stupidity will be on the web forever. This is not the way you want to go viral.)

My goal is to help you protect yourself and your wealth from phishing attacks (if political organizations haven't figured out how by now then I have little hope for them in cyberspace).

Because phishing attacks are social engineering attacks that depend on tricking you, your diligence is the best protective measure. Think twice — no, make that three times — before you click on any link in an email or text message.

Check the context. My friend, Lex, send me lots of emails, text messages and messaging app thoughts. I normally click on all of his links but when I recently received an email from him that contained nothing but a hyperlink, I deleted it. It would be very unusual for Lex to send me a link with no explanation.

Needing no further clues, I checked the email's CC list and noticed it was quite long and included no one that I know. Not a confidence-building sign.

If I have any doubt that a link I receive is not legitimate, I will contact the sender and ask if the email or message was really from them but it is critical to contact them through a different channel and not by replying to the message. If the link really is phish, then replying may simply be me asking the hacker if he is legit. He'll probably say yes. If the link arrives in an email, for example, call or text the sender, instead.

When I receive an email or text message regarding the status of a credit card account,  I visit the card's website without clicking on the link.

It's quite easy to make a link look like a legitimate website when it actually points to a hacker's own malicious website. It's also quite easy to make that website look like Chase Bank's website, for example, and encourage you to "login" at the fake website and thereby hand your login credentials to the hacker.

Most email systems and websites allow you to view the actual link by hovering your mouse over the hyperlink. The underlying link will appear. Read the actual link closely to detect small changes that indicate you might not land where you expected.

You may find, for example, that a link that appears to point to theRetirementCafe.com (my website) actually points to theRetirmentCafe.com, which could belong to anyone. Notice the subtle misspelling. Hover your mouse over each of these links and, depending on your browser, the actual destination hyperlink will show up somewhere on your screen.

Some anti-virus and anti-malware software also incorporates anti-phishing features. Check your software's website to know for sure. Still, it won't replace your own diligence in examining hyperlinks sent to you before clicking on them.

Why are phishing attacks still so successful though we've been exposed to them since the late 1990s? They prey on our fear, complacency, and familiarity. It should be really easy to always say, "I'm not 100% sure this is a legitimate link so I'm just not going to click it" or "no legitimate business would ask me to provide sensitive information through an email or a phone call," yet it remains a successful hacking strategy.

One last question you might ask yourself is what would happen if I don't click this link? If it is important, the sender will surely try other ways to reach you, even if it's a friend just making sure that you saw the link she sent to her latest baby pictures.

Phishing attacks aren't the only cyber threat to your wealth but they are one of the most common and they are very effective. The best way to protect yourself is to treat any link sent to you as a potential threat. Never click on them without stopping to think about possible bad outcomes. Err on the side of avoiding the pfisher. If you're not certain, don't click.




Tuesday, August 6, 2019

How to Secure Your Online Financial Accounts

In my previous post, You're Responsible for Your Own Online Security, I noted that online fraud protections from banks, credit unions, investment companies, and other financial services companies are significantly weaker than consumer protections for credit cards, debit cards, ATMs, and EFTs. The "100% online fraud guarantees" advertised by financial services companies can have a lot of fine print and they are backed by the companies, not by consumer protection laws.

You may be thinking, "That's a lot of trouble. In the unlikely event that my account is hacked, the financial services company will reimburse me." I think that's a mistake for a few reasons. First, even if the company covers your losses, recovering from the fraud is unlikely to be a pleasant experience. Second, if you don't meet the company's security requirements spelled out clearly on their websites, you might not be covered by their online fraud guarantee, at all. Do you want to take that risk with your savings?

My goals for this post don't include boring you to tears, though that is certainly a risk when one explains technology to people who just want things to work. The truth is that Internet passwords don't work. We need a very different solution for securing online access but unless and until we get that, we have to work with what's available.

One of my goals is to help you avoid losing your hard-earned wealth to online fraud. A second goal is to help you avoid the long, painful process of recovering from online fraud when recovery is possible — you'll find it much easier to stop fraud before it happens than to tidy up afterward. And, my third goal is to keep you from running afoul of requirements that might preclude those "100% online fraud guarantees" offered by financial services companies. I used to refer to them as "online financial services companies" but now almost all of them are.

I warn you up front that some of these measures can be complicated to implement and that they will complicate your financial life a bit. It won't be as easy for you to access your online financial services but it should be a lot more difficult for a thief to do so.

And finally, before diving into security measures, be aware that many online services offer different levels of security that you can implement depending on how much set-up work you are willing to do  and how much inconvenience you will tolerate to achieve greater security. You can improve security significantly with stronger passwords, for example. With more work and complexity, you can greatly improve on long-password security by adding two-factor authentication. You will need to decide if the extra security is worth the effort.

You might also think, "This is way too difficult. I'm just going to avoid online access to my accounts altogether."

While this might be achievable in some limited way, it will preclude most investment opportunities. I asked Fidelity Investments if it is possible to open an account with no online access. They thought I had lost my mind. And, should you decide to simply not set up the online access, a thief might well do it for you.


Wade Pfau and the gang at RetirementResearcher.com are seeking volunteers for a research project called the Retirement Income Style Awareness,™ (RISA™). Please consider following this link to the survey.  Participants will be able to get results from the survey in the fall.


First, if your computer, smartphone, or tablet is compromised, no other security process can be trusted. If someone installs a keylogger on your computer, for example, that person can watch you type in your log-in credentials from half a world away and it won't matter what other security measures you take, they're looking over your shoulder. Run anti-malware software on your computer and only download smartphone apps from your apps store. This step is essential. There are several excellent free anti-malware products for computers. I like Avast for Mac[1]. Windows Defender[2] generally gets high marks, as well.

Next, you probably have a lot of sensitive information on your smartphone. Many services will use your phone to reset your password, for example. A thief doesn't need to learn your password if she can more easily reset it. Actually, a thief doesn't need to physically steal your phone. He may be able to illegally "port-out" your phone number and receive all your phone calls and text messages. Your smartphone is a key to your online security whether or not you intended it to be.

You need to keep that key beyond the grasp of hackers. Bite the bullet and change your lock-screen passcode to at least 8-digits.[3] (Are you still using four digits?) This step is also essential. I'd recommend avoiding lock-screen patterns on Android phones.

For many financial services companies, the use of "third-party aggregators" like Mint.com, Fidelity Fullview and Vanguard Portfolio Watch will violate your guarantee of fraud protection. Charles Schwab explicitly states next to the button to enable these services that they invalidate your guarantee. Stop using them. This is an essential step. You can go to the aggregator websites and turn off the feature but you can also change the passwords on all your financial services accounts (which you probably should do, anyway) and simply not update them at the aggregator website. If your financial data still shows up at your aggregator site, you know you're not finished. The aggregators will no longer have access to your data and you will no longer be in violation of the terms of your guarantee.

Creating strong passwords is an essential step. Make passwords to all your sensitive online accounts at least 12 random characters long. Use upper and lower case letters, numbers and special characters as allowed by the website. Here's an example: Wt4e-7B13^qS. As the saying goes, the best password is the one you can't remember. It has been estimated that an 8-character password can be cracked in hours, nine characters in months, and 12-character passwords in hundreds of years with a brute force attack. If your password contains recognizable words, a dictionary attack can be even faster.

Don't reuse passwords. This is essential because cracking one of your passwords compromises every other account using that password. Every sensitive account should have its own.

Never share your password with anyone other than a spouse on a joint account. That will almost certainly invalidate your online fraud protection. If you want an advisor or a spouse to have access to your individual accounts, grant that authority explicitly by filing the appropriate paperwork with your financial services companies instead of going through the "back door" of sharing your passwords. Recognize the risk you're taking by doing this and consider sharing "read-only" access and not authority to transact in your account.

If you write them down, store the list of passwords in a secure location and hide a backup in a different physical location. The next step isn't essential but I find it helpful. I use a password manager to both create random passwords and store them. LastPass, Dashlane,  and 1Password are perhaps the best known and you can access passwords from your computer, smartphone, and tablet.

The next level of security (and complexity to implement and use) beyond strong passwords is two-factor authentication. 2FA is perhaps not as essential as strong passwords but many experts would disagree. I consider it mandatory for my accounts but I also recognize that it is complicated for a "non-techie" to understand and implement. I can imagine that most will consider it too complex and that's a shame because it is a huge step up in security.

In essence, 2FA provides a second password that changes every minute and can only be read from an app on your smartphone (or a dedicated hardware token[4]). Unless a thief has access to your smartphone, she can't log in to your account even if she knows your password.

2FA is now offered by most, though not all, financial services websites. I even use 2FA at social media websites and on my email accounts. Two Factor Auth[5] provides a list of websites that support 2FA and PCMag.com[6] explains how to use many of them.

I have found that customer service departments of financial services companies will walk you through implementing 2FA over the phone if you ask and it only takes a few minutes. This is far and away the easiest way to implement 2FA on your account.

There are several ways in which 2FA can be implemented. The passcode can be sent to you in an email, sent to your phone in a text message (SMS), delivered by a voice phone call, or created by an app on your phone. If your financial services company offers a choice, the app approach (or a hardware token) is the safest.[7]

Some websites, like TreasuryDirect®, will email a one-time password (OTP) as a second layer of authentication after you enter the correct password. A lot of people know I can be reached at JDCPlanning@gmail.com and that's the first place a hacker might search for my one-time password. It would be harder for a hacker to intercept my OTP if I have it sent to say, dog73202@gmail.com, which doesn't identify me.

If any of your accounts use 2FA by sending an email, consider setting up an email account with a random name solely to receive 2FA passcodes. Set up a notification in that email account to alert you anytime you receive an email.

Many websites have a "password recovery" process that will reset your password if you answer security questions like "What was your high school mascot?" It makes no sense to go to all this trouble to secure a password when someone can "recover" your password by answering these security questions after reading your social media posts or by Googling your name.[10]

(I checked my password recovery questions on an email account I use for junk and found that that a hacker would need to either spend hundreds of years guessing my password or simply guess the name of my favorite band to gain access to my account.)

I make up unrelated answers to these questions and store both the questions and the answers with my passwords. For example, I might choose the question "What was your school mascot?" ("Eagles" is a good guess for a hacker.) I might enter "bookbinder" as the answer.

Thieves can sometimes illegally "port-out" your mobile phone number to theiro phone and the only indication you will get that this has happened is that your phone will stop working. They'll receive your text messages and phone calls so they'll intercept any one-time passwords sent by either of those methods. Furthermore, many online accounts will allow you or a thief to recover your password by texting or calling your phone and the thief is now the recipient of both of those. You may have the physical phone in your hand but all of your voice calls and text messages will now go to the thief's phone.

To illegally port-out your phone number, a thief only needs some basic name and address information about you and a PIN that is set up at your wireless carrier's website. Better beef-up the security of wireless carrier passwords and PINS with your wireless carrier. Krebs on Security tells you how.

Log on to your wireless carrier online account and make sure your PIN isn't something obvious like "1234" or the last four digits of your social security number. Use a strong password on your wireless carrier's website. I added 2FA to mine. Otherwise, the fraudster can hack into your wireless carrier account and change that PIN. Your smartphone, one way or the other, is the key to much of your online security. If it is lost or stolen, take action immediately.[8,9]

Since this all began with a reader's comment regarding security at TreasuryDirect®, let's look at how we might secure accounts there.

To log on to a TreasuryDirect® account, a thief will need your account number, a password for that account, an email address to which TreasuryDirect® will send a one-time passcode each time we attempt to log on, and that one-time passcode.

First, create a random password at TreasuryDirect® that is at least 12 characters long. Then, create unrelated answers to password recovery security questions at TreasuryDirect®, as described above.

Create a new email address with a random name and direct TreasuryDirect® to send one-time passwords there instead of sending it to your public primary email address. Secure the email account with a long, random password.

Now, a hacker will need to learn your TreasuryDirect® account number, hack its long random password, figure out what e-mail account you have told TreasuryDirect® to send your one-time password, and hack that e-mail's long random password to learn your OTP. If he tries to hack your TreasuryDirect® account using password recovery, he will need to know that you told TreasuryDirect® that your father was born in the city of banjo.

I believe any web-based service is hackable but a thief could probably find an easier way to steal money than this.

If you only install anti-malware software on your computer and improve your passwords, you will greatly enhance your online security. If this seems overwhelming, start by improving all of your passwords on financial services company websites and do more later.

You can download a checklist in Word to organize your security enhancement project. I included a sample using a Charles Schwab account. Click the link to see the document, then click download to save a copy.

This is the world we live in. Practically all financial services companies have an online presence with fraud guarantees provided only if the company considers that you have adequately protected your login credentials.

I realize that most readers will find this all quite complicated even with the links I have provided but this is your retirement savings we're trying to protect here and i4 your security doesn't meet the standards of financial services companies, their "100% online fraud guarantee" might not be available to you. Follow these steps and you are far less likely to ever need to recover from online fraud or rely on a fraud protection guarantee.




Some readers are having problems posting comments anonymously. Please feel free to email comments to JDCFinance@gmail.com and request that I post them anonymously.


REFERENCES

[1] Avast for Mac



[2] Windows Defender, Microsoft.



[3] Change Your IOS Passcode. or Change Your Android Passcode for Android.



[4] Some financial services companies will provide, often for free, a hardware "token" to generate the 2FA passcode instead of using your phone. See Protect Your Investment Accounts With A Security Token.



[5] Two Factor Auth list of 2FA supported websites.



[6] Two-Factor Authentication: Who Has It and How to Set It Up, PC magazine.



[7] This is why you shouldn’t use texts for two-factor authentication, TheVerge.com. Major SMS security lapse is a reminder to use authenticator apps instead, TheVerge.com.



[8] If your iPhone, iPad, or iPod touch is lost or stolen.



[9] Find, lock, or erase a lost Android device, Google Help.



[10] Time to Kill Security Questions—or Answer Them With Lies, Wired.



[11] This is why your six-digit iPhone passcode isn’t secure, BGR.com.