CYBERSECURITY: ARE YOUR PASSWORDS IN THE GREEN – By Yemisi Fasehun

Question:

My friend said his bank account was recently breached and about $11,000 was stolen. He said he mainly uses the bank’s app on his phone to access his account and did not share his password with anyone. He reported the incident to the bank and investigations are ongoing. I am worried about this – how do I protect myself from such data breaches? Tolu, Moncton

Dear Tolu,

It is quite unfortunate that data breaches have been on the increase globally in recent times, affecting individuals as well as organizations and businesses. An attacker with the relevant skills, resources and time can breach almost anyone's data, which is why it is important to make the 'job' as difficult and expensive as possible. Below are some steps you can take to protect your bank accounts and other accounts:

1) Password Management

• Create strong passwords and use a Password Manager. Short passwords can easily be cracked using a brute-force attack (automated trial and error over every possible combination until your password is guessed), while long passwords take far more time and effort to crack (see Figure 1) but are easier to forget (and then get reused across all accounts!). My recommendation is to use a Password Manager that generates strong, unique passwords for your accounts. Some examples are KeePass, 1Password, Dashlane, Bitwarden etc. They work on almost any device or platform and can integrate with your browser. You then need a single long password or passphrase for the Password Manager itself, and that is the only one to remember.

• Do not reuse your passwords across accounts. If any one of your accounts is breached, the attacker can easily extend the attack to your other accounts by trying the same credentials there (credential stuffing). It is important to create a unique password for every account.
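To make the point in Figure 1 concrete, here is a small added example (not part of the original column) that computes the brute-force search space and entropy for passwords of different lengths and character sets, and shows how a password manager generates a password: from the operating system's cryptographic random source, never from a guessable generator. The guess rate of ten billion attempts per second and the character-set sizes are assumptions chosen for illustration only.

```python
import math
import secrets
import string

# Assumed character-set sizes for the illustration; the exact count depends
# on which symbols a given site accepts.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}

# Assumed offline guessing rate (hashes per second) for the table below.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidates a brute-force attack must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, alphabet_size: int, guesses_per_second: int) -> float:
    """On average the attacker succeeds after trying half of the search space."""
    return search_space(length, alphabet_size) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit for the table."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager does: draw every character from the OS CSPRNG.

    `secrets` is used instead of `random`; the latter is predictable and must
    never be used for passwords or keys.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def crack_time_table(lengths=(6, 8, 10, 12, 16, 20),
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> list:
    """Rows of (charset name, length, entropy bits, expected time to crack)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(n, size), 1),
                         human_duration(expected_crack_seconds(n, size, guesses_per_second))))
    return rows


if __name__ == "__main__":
    for name, n, bits, eta in crack_time_table():
        print(f"{name:24s} len={n:2d}  {bits:6.1f} bits  ~{eta}")
    print("manager-style password:", generate_password(20))
```

Running it shows the shape of Figure 1: every extra character multiplies the attacker's work by the alphabet size, so length matters more than clever substitutions, and a 20-character manager-generated password sits far beyond any realistic guessing budget.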

2) Two-Factor (2FA) or Multi-Factor (MFA) Authentication

• This adds another layer of protection to your account by requiring a second form of identification, so that anyone who steals your password still cannot use it alone to log in. There is SMS-based 2FA, where you receive the verification code as a text message on your mobile phone (which can be bypassed via a SIM swap – see Mobile Phone Security below), and there are app-based solutions, which are safer. If your banking institution supports app-based solutions like Microsoft Authenticator, Google Authenticator, Duo, Authy or the bank's own authentication app, kindly use them. It is important to start with whatever is available to you – SMS-based or app-based.

3) Mobile Phone Security

• Mobile phones hold a significant amount of data about us – bank accounts, contacts, email addresses, pictures, videos – and these devices are easily lost. Below are some security measures you can take on these important devices:

• Protect your mobile phone with a password or passphrase of at least 6 characters. Set your phone to lock itself immediately and to require the password before it can be used again.

• Protect yourself against malicious apps by only downloading apps from the official store, e.g. the Apple App Store and Google Play Store. Do not 'jailbreak' your phone. Check what information each application is collecting about you in the background.

• Avoid clicking on links in text messages (smishing attacks) and fake emails (phishing attacks); the attacker's objective is to trick you into providing personal information such as passwords or into downloading malware onto your device.

• Ensure that you install the latest OS versions and security updates on your phone (iOS, Android). Vendors release these updates to remediate identified vulnerabilities and prevent attackers from exploiting them.

• Public Wi-Fi networks are generally not as secure as private ones, as we do not know who is monitoring them or whether attackers are running them as a front. It is advisable to connect only to trusted and known Wi-Fi and Bluetooth networks, and to turn Wi-Fi and Bluetooth off when they are not being used.

• Back up your mobile phone regularly, e.g. to your personal computer or to iOS iCloud backup. Set up your device to erase itself after a maximum number of bad password attempts and, if available, enable the option to erase your phone remotely. This can be useful if your phone is lost or stolen.

• SIM card fraud (SIM swapping) is when "fraudsters deceive a phone company into swapping a SIM card associated with one cellular phone to a new device, giving the fraudster access to all of a person's phone calls and text messages" [2]. Enable port protection, e.g. a PIN, passcode or port lock as provided by your service provider, to prevent unauthorized access to, or porting of, your mobile phone subscription [3].

4) Data Exposure/Privacy

• Limit the personal information you share online, as it reveals a lot about you (location, home address, date of birth, friends, mother's maiden name, child's name, pet's name etc.) and makes it easier for an attacker to steal your identity or data, or to answer your security questions. Be thoughtful about what content you share and with whom, and manage your privacy settings. Use strong passwords for your social media accounts and do not reuse them for other accounts (as mentioned previously). If possible, use a separate email address for your social media accounts.
