While maintaining cybersecurity is obviously beneficial for a financial services firm, it can also benefit you as an individual. From high-profile attacks, such as those at Equifax and Capital One, to lesser-known crimes such as the heist of DD Perks accounts at Dunkin Donuts or the ubiquitous fake emails from ersatz computer companies, hackers are in constant search of targets great and small.
What can individuals do to protect themselves? Our cybersecurity consultant, Jakob Speksnijder, offers advice, some of which includes using a cookie jar.
Speksnijder, a native of the Netherlands, has worked in IT for over two decades, both in programming and developing cybersecurity for clients including Siemens, Sony, and the Philadelphia Shipyard. Since his retirement in 2017, he has focused on providing education to individuals regarding safety on social media and consumer usage of the internet. Speksnijder says that maintaining cybersecurity for large companies and individuals entails essentially the same approach, though it’s not as complicated for individuals as it would be for a large firm.
As our examples of recent breaches show, hackers are less like Ocean’s Eleven and more like petty pickpockets, just as apt to hijack customer rewards points as financial information. They are indiscriminate and relentless, targeting anyone and taking anything, whether points for a free cup of coffee, vacation photos, or a bank account.
For Speksnijder, the three areas where online consumers are most at risk are password theft, phishing scams, and software updates.
Password Theft
When a site is hit, the hacker will take your data including Social Security number, address, and passwords, Speksnijder says. Many of us use the same password for multiple sites because it is easier to remember, meaning it is likely that the hacker also has access to everything you do online, which could include your bank account, giving the crook access to your financial transactions.
To make this more difficult for the hacker, you should have different passwords for every site you have an account with. But if not, going through and changing your passwords is the first thing you should do after becoming aware of a breach. In fact, it should be a habit to change your password often, at least once a year. You can start with your bank accounts and other websites you deem important. Changing your Snapfish account password yearly is not as important (but you still should).
The password shouldn’t be a common word, such as “chair” or “football,” that is easily guessed. Sites often require the use of numbers and symbols. Many of us may just add a “1@” to the end of the word. Why does this method fail? It can be easily guessed by an experienced hacker. There is software that lets a hacker figure out a simple password in seconds, because online sites reveal personal data such as old phone numbers, addresses, dates of birth, etc. If you’re not a social media user, it’s harder, but there are still sites out there with info on you, such as your street address, middle name, etc. The software can find it and let the hacker put it together.
A good practice is using a sentence for a password, such as “I eat peanut butter every day.” (Note: for safety’s sake, no one reading this should use this sample password, even if you truly love peanut butter. Hackers read, too.) Speksnijder says the longer the password, the better — at least 12 characters. If the site limits the number of characters, use the first letter or two of each word in your password sentence.
He also suggests using numbers that have some meaning to you. “I still have ex-girlfriends’ numbers stuck in my memory,” Speksnijder says, “as well as my old personnel numbers from when I was working for companies.” Those numbers can run up to 20 or 30 characters, but you need to remember which accounts you associated them with.
Never recycle old passwords, he cautions.
For many of us, just having separate passwords and changing them yearly — let alone remembering them all — is a daunting task. Speksnijder strongly recommends using a password manager, which is basically software that stores and encrypts your passwords for you and, even better, generates new passwords for you. You can also treat your username like a password, which adds an extra layer of security. “Nothing says you ever have to give your actual name for your username,” he says. “You can use random letters. You can put whatever you want, because the manager will remember.”
As an example of a software-generated password he gives, “4RonILP4cArB4t%uCfhT.” Speksnijder says this kind of password will take several days for a good hacker to crack, while a typical user-generated password such as “Joan08211987” will take just seconds to work out.
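The contrast between those two passwords can be checked mechanically. The following is an added example, not part of the original article or Speksnijder's own tooling: a small audit that compares a naive length-and-character-set estimate with a check for personal data and habitual suffixes. The profile (name, street, birth date) and the word list are constructed for illustration.

```python
import math
import string
from datetime import date

# Constructed sample data: a profile a stranger could assemble from public records.
PROFILE = {"first": "Joan", "last": "Sample", "street": "Maple", "born": date(1987, 8, 21)}
COMMON_WORDS = {"chair", "football", "password"}      # tiny illustrative list
COMMON_SUFFIXES = ("1@", "1!", "123", "1", "")        # "" covers the bare word

def brute_force_bits(pw: str) -> float:
    """Naive estimate: length * log2(size of the character pool used)."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += len(string.punctuation) + 1 if any(not c.isalnum() for c in pw) else 0
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0

def personal_tokens(profile: dict) -> set:
    """Name parts and date spellings that guessing software would try first."""
    tokens = {profile[k].lower() for k in ("first", "last", "street")}
    tokens |= {profile["born"].strftime(f) for f in ("%m%d%Y", "%d%m%Y", "%Y", "%m%d")}
    return tokens

def audit(pw: str, profile: dict) -> list:
    """Return the reasons a password is weaker than its length suggests."""
    findings, low = [], pw.lower()
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    hits = sorted((t for t in personal_tokens(profile) if t in low), key=len, reverse=True)
    residue = low
    for token in hits:                      # strip longest matches first
        residue = residue.replace(token, "")
    if hits:
        findings.append("contains personal data")
        if not residue:
            findings.append("made only of personal data")
    if any(low.removesuffix(s) in COMMON_WORDS for s in COMMON_SUFFIXES):
        findings.append("common word with at most a habitual suffix")
    return findings

if __name__ == "__main__":
    for pw in ("Joan08211987", "chair1@", "4RonILP4cArB4t%uCfhT"):
        print(pw, brute_force_bits(pw), audit(pw, PROFILE))
```

The naive estimate rates “Joan08211987” at over 70 bits, yet the audit shows nothing is left once the name and birth date are removed, which is why length alone is not the measure.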
A password manager adds a level of difficulty, and anytime you make it a little more difficult, the hackers will move on. If you have your passwords organized and well defined, you are very, very safe. “You can see it as a notebook with your passwords written down,” Speksnijder says, “but it’s a notebook that went through a shredder, and instead of you having to glue it back together to get your password, the software does it for you.” He recommends using KeePass, but also thinks LastPass, Bitwarden, and 1Password are worthwhile.
Phishing Scams
Phishing scams send emails purporting to be from reputable companies in order to trick you into revealing personal information, such as passwords, credit card accounts, or social security numbers. Emails that appear to come from trusted sources can be spoofed — for example, by subbing a dash for a period in a link (such as “yourbank-com” instead of “yourbank.com”). Unlike those from reputable firms, a phishing email will ask you to click on a link that brings you to a page that looks exactly like your bank’s website but is not; it’s a fake or spoof. The page will ask you to enter financial or personal information (like a username and password) to confirm a phony account problem. Phishing emails are created by software that allows a hacker to send millions of emails just by hitting a button.
Always doubt emails from financial institutions, Speksnijder says. Common sense comes into play. Never go from an email to a financial institution’s website. Banks and other financial institutions will never send you an email with a link to their website. Reputable firms never send emails like this; a bank will generally call if there is an issue. If in doubt, call the real institution’s customer service number.
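The dash-for-period trick described above is easy to miss by eye but simple to test for. The following is an added example, not part of the original article: it pulls every link out of an email body and compares the real destination host, not the visible link text, against the domains you actually do business with. The trusted list and the sample message are constructed, and `example.net` is a reserved placeholder domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"yourbank.com"}  # assumed: the domains of the reader's real institutions

# Constructed sample email body: the visible text shows the real name,
# the href goes somewhere else.
SAMPLE = ('<p>There is a problem with your account. '
          '<a href="https://yourbank-com.example.net/login">www.yourbank.com</a></p>'
          '<p><a href="https://www.yourbank.com/help">Help</a></p>')

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_link = True
    def handle_data(self, data):
        if self._in_link:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

def classify(href: str) -> str:
    host = (urlsplit(href).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    # Read dashes as dots: a host that then spells a trusted name is imitating it.
    if any(d in host.replace("-", ".") for d in TRUSTED):
        return "lookalike"
    return "unknown"

def review(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text.strip(), classify(href)) for href, text in parser.links]

if __name__ == "__main__":
    for href, text, verdict in review(SAMPLE):
        print(f"{verdict:9} shown as {text!r} -> {href}")
```

The first link displays “www.yourbank.com” while pointing at a lookalike host, which is the reason to reach the bank through a bookmark or a typed address, not through the email.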
Software Updates
Computer companies are constantly updating their software. These updates are generally not optional for the user. You must take them. Not all updates are important, Speksnijder says; however, security updates are. Especially for browsers, it’s important to get the latest security upgrades. It’s also important to check if your browser is still the best to use. He says Chrome and Firefox are still safe browsers, but he believes the latest and most protective for your privacy is the Brave Browser.
According to Speksnijder, these updates come with inherent risks. Hacker groups are often aware of the patches meant to foil them before they are even applied. And the originators of the patches and updates take information from users, sending data to the software maker for commercial purposes.
Software upgrades that don’t deal with security are usually not so important, he says, but you should read the information first before deciding to skip it. Upgrades are difficult to avoid, but to protect yourself, you can go to your computer settings and uncheck the updates you don’t want. “The companies make it difficult for you to find, but you can control it,” he says.
Other Steps You Can Take
Speksnijder also recommends covering your laptop’s camera with a sticker; the camera can be remotely operated, allowing hackers to spy.
For that matter, never log in to a site using a social media platform, he says. Though many sites encourage logging in using Facebook or Twitter, this puts your privacy and online safety at a greater risk.
Be careful when using public WiFi; it’s best not to conduct personal business in a coffee shop or bookstore.
Remember that computers can be stolen. They also stop functioning, and if you haven’t backed up your information, it can be lost. Try to get in the habit of having no data stored on your laptop at all. A thumb drive has enough storage room for all your day-to-day data. Store it there, and back it up regularly.
Oh, the Cookie Jar
It’s not just computers that can be hacked. If you have keyless entry for your car, for example, the signal is vulnerable to “relay theft,” in which a device is used to capture the signal.
Speksnijder recommends storing devices such as phones or car keys in a secure place protected from radio waves, such as a cookie jar. That’s not jargon. A metal cookie jar can act like a Faraday cage, an enclosure used to block electromagnetic fields. “Just make sure it’s a good cookie jar,” he says.
Be Careful Out There
In the end, there is no silver bullet for complete electronic security. As an individual consumer, it is impossible to outspend some of the country’s largest companies on cybersecurity, but by following a few guidelines you can make your information less attractive to potential thieves.
There is an old saying: “You don’t have to run faster than the bear to get away, you just have to run faster than the guy next to you.” There will always be an escalating battle with the cyber criminals, and we all must be aware of what we can do to make ourselves less attractive to the crooks.
If you have any questions about cybersecurity or any questions in general, please contact us at 610-793-1001 or info@bowenasset.com.