I know people who avoid doing shopping, banking and other financial activities on-line because they don’t think it’s safe.
If only it was that simple. While it is true that any on-line account can potentially be compromised, there is also a security benefit to creating certain accounts: If you don’t create an account at your bank’s web site, some hacker might create one for you and have access to your money without your knowledge. For other benefits, keep reading.
I’m sure most of the skeptics still use their phones, believing that they are safer than the Internet. That’s not necessarily true. Brian Krebs writes about “Mitch,” a security professional who was fooled by a well-executed scam, conducted entirely by phone, and lost more than $10,000.
After reading that article, here are some lessons to be learned:
- Even security professionals can be tricked. If it happens to you, don’t let embarrassment prevent you from seeking whatever help you need to fix things. And don’t wait to do so.
- Never trust Caller ID. It’s usually correct but can be spoofed easily. My recommendation, if you are not a business or someone who needs to answer all calls, is to simply let all calls go to voicemail unless you recognize the number. If the caller is legitimate and it is important, they will leave a message. If they leave a callback number, exercise due caution. If necessary, look up an official, published number and use that instead.
- Most banking and other financial on-line accounts let you set up alerts to notify you when certain things happen. Use them! For example, I typically set credit card accounts to alert me, via e-mail or text message, on every transaction. I’ll know immediately if someone makes a fraudulent charge on my card.
- Never disclose any sensitive information on the phone unless you initiated the call! The key mistake made by Mitch was to provide his one-time code to the person who called him. Normally, he would have used a code on a call that he himself had initiated.
- Freeze your credit files! This is the best guard against identity theft. Although it might sound like a pain, it really isn’t difficult. I froze the files for myself and my wife at four credit bureaus – Equifax, Experian, TransUnion and Innovis – in about half an hour. If I ever want to apply for a new credit card, I can do a temporary 1-day lift at the big 3 bureaus in about 5 minutes.
I’ll add this about one-time codes. These codes, often delivered via text message, provide a second factor for authentication. You should use two-factor authentication (2FA) wherever you can, because it protects your accounts even if your username and password are stolen.
However, text messages (SMS) are more vulnerable than some other types of 2FA. First, scammers can trick your mobile phone carrier into switching your number to a phone they control. Second, the phone network can be hacked to intercept or divert messages.
SMS 2FA is better than no 2FA, but consider other options if offered, such as time-based one-time passwords (TOTP). These are generated on your phone or computer using an app like Google Authenticator, Authy, 1Password or LastPass, so they are never delivered to you over a network where they could be intercepted.
Just make sure you don’t give the code to someone who just called you on the phone!