Financial Life Design
Mana Moments


How to keep your financial information secure online


Financial information is some of the most sensitive and important data in our lives. Although reputable banks carry coverage and insurance for fraud and other compromises, having your information stolen can lead to weeks or sometimes months of pain and uncertainty. For those of you who may be more lucrative financial targets, the risk and the potential pain increase. Our Mana clients know that we care deeply about online safety and proactive protection, having recently switched our file-sharing process to a more secure method. Today’s blog is all about how our readers can prevent bad actors from accessing their information, and how to get up to date with the best and latest safety practices online.

First things first: get in the right mindset

Online safety is in many ways a partnership between service providers and their users (that’s you!). Often, these providers will prompt their users and nudge them to take the best practice actions (have you ever been asked to add a phone number to your account?), but it’s still up to the users to follow through with these prompts and do it. Unfortunately, there’s little-to-no instant reward for changing your account settings or making good safety decisions in the moment (we talk about why that’s tough in past blogs), but the long term benefits are almost infinitely high in terms of threat prevention and mitigation. Luckily, there are a few simple things you can do to improve your online security. In the next sections, we’ll cover some of those practices, and offer suggestions about what you should do to protect yourself.

Staying safe when you sign in to your accounts

In order to give you access to your account information, service providers need to authenticate you. Authentication is the process of verifying a user’s identity to ensure that they are who they claim to be. It relies on credentials such as usernames and passwords, biometric information, security tokens, or other methods to confirm that the person trying to access the account is really its owner. The goal of authentication is to keep the wrong people out and to protect your sensitive information by confirming that the person signing in is really you.

The very first and most basic thing you should do to protect yourself online is to use strong passwords. Passwords should be unique (not used by anyone else and not reused across sites) and long (probably longer than you think they should be). A good password might look like “AX7uikbbbYUi$Vh8TT6DwZMoQ%NGULdv”, but that might be hard to remember. To make your own, try thinking of a memorable lyric or passage from a book, a series of words that are important to you, or a phrase from a poem you like, and then creatively remove or replace words and add numbers, punctuation and changes of case to build your strong password. For example, start with the phrase “Mary had a little lamb.” To make this a strong and less predictable password, we can make it unique by changing words or spelling, capitalizing random letters, adding punctuation, or combining it with other phrases. Maybe your daughter and sister loved this song, so we could change it to:

“Mary!? Auntie had a liTtle lamb and Sara loved it too”

The longer the phrase and the more changes you make, the less guessable your password will be; just make sure that you can still remember it yourself!

Because the password for each site should be independent of all the others, we recommend using a password manager. That way you only need to remember one long master password, and the password manager generates random passwords for each of your sites that you never need to know. At Mana, we like LastPass, but using your Chrome or Safari browser’s built-in password manager can be a good start. LastPass offers better security (especially the paid version).

The next layer of security: enroll your valuable accounts in 2SV and make sure you have a way to recover your account if you get locked out

Two-step verification, sometimes called 2SV or two-factor authentication (2FA), is a super important addition to your sign-in process and account safety. If you do online banking, it’s likely that your institution has already asked you to enroll in 2SV by adding a phone number and/or email address to your account. If you have not already done this for your financial accounts, you should do it ASAP. You should also check your account settings and ensure that the phone number and email addresses on file are up to date and that you have access to them. Make sure that the email account on file with your bank is protected with a strong password and 2SV as well. Many users don’t realize that attackers who can access your email can leverage that access into bank account access. When you can’t remember your password, or worse, it gets compromised in a data breach or phished, your phone number and email address are often your account recovery lifelines. Many financial institutions require you to create a PIN as an alternative or backup to your password. It’s important to remember these, and to make them less guessable (no 0000 please!). You can also store your PINs and secret questions in LastPass, which is extra handy because it means that LastPass can generate unguessable answers for you, e.g., “What was your high school mascot?” can be answered with “leurimnop ferwixxed haughens”.

The two factors used in 2SV are drawn from two of these three categories:

  1. Something you know: usually a password or a PIN 

  2. Something you have: this could be your device (laptop, mobile phone, or a physical USB security key)

  3. Something you are: biometrics information like your fingerprint or a scan of your face (if you use an iPhone, you’re probably familiar with facial scans, if you use an Android phone, you might be more familiar with fingerprint scans). 

When you enroll in 2SV, you’ll be asked to provide your password + a second piece of information to sign in. Many people are familiar with this second piece of information being sent as a time-sensitive code to your mobile device via text. You then take that code and enter it to successfully authenticate. Any of the items from categories 2 and 3 above could be used though. 2SV protects you in cases where your password is compromised or stolen, by adding an extra layer of security to verify that it’s you. 

The future of authentication is passkeys

Something that we want all of our readers to be prepared for is the introduction of passkeys to the authentication world. Passkeys are a new type of security credential, and they are becoming the new way to log in online because of their security and usability properties. They’re also easier to use, since you don’t need to remember any information or type in any codes: you can pass multi-factor authentication on a single device simply by providing your device’s unlock. They typically work by using Bluetooth to establish a secure connection between two devices (say you are signing in on a laptop; you can use your mobile phone to authenticate). Passkeys will come in multiple form factors. You can get dedicated FIDO2-compliant keys from companies like Yubico, but most commonly you’ll use them on devices like your phone or laptop. This adds a layer of security by requiring the user to confirm the connection between devices, and by using a secure Bluetooth connection it ensures that the devices are physically close to one another and that the right user is confirming (often with a familiar biometric step on your mobile device, like your fingerprint or face scan). Unauthorized devices cannot pair or communicate with each other for passkeys. Passkeys are FIDO2-compliant, meaning that they use modern cryptographic protocols that mitigate many issues with password-based authentication. Google has a helpful video explaining how this works. You can read more about passkeys here, and if you’ve already been prompted to enroll by one of your online services, you should consider doing so and getting used to the process! We expect that many people in North America will be signing in with passkeys within the next couple of years.

What else can you do?

Freeze your credit agency accounts: these agencies are known data leakers, and a freeze prevents bad actors from fraudulently opening accounts using your information

Credit freezes are thought of as inconvenient, but freezing your credit is a great way to protect your online information and credit score. Unfortunately, credit agencies have been subject to hacks and massively harmful breaches in the past. The benefits of restricting access to your credit reports far outweigh the risks of leaving them open; it’s one of the easiest ways to prevent identity theft.

To freeze your credit agency accounts, you’ll need to contact the three credit bureaus individually (Equifax, Experian and TransUnion). You can do this online, by phone, or by mail. NerdWallet has a helpful article on how to take action. You will likely get a freeze PIN when you initiate it, and it’s important to remember this PIN or store it somewhere safe to make unfreezing easy. It’s completely free to do this, and will not affect your credit. When you need to apply for a loan or new credit card, you can simply lift the freeze. 

Review your financial statements

Reviewing statements from your banks and financial institutions on a regular basis is an important practice to make sure nothing suspicious or confusing is going on. You can also use a credit monitoring service to make sure there are no worrisome changes on your credit report. Fraud detection services at banks are continually improving, but sometimes small charges slip through the cracks. Checking in on fishy activity and spotting compromises early can save you weeks of trouble down the line.

Keep your software up to date

One of the most important things you can do is keep your device and application software up to date. Do not ignore update prompts from your laptop or mobile device, and prioritize making them happen on time. You can always go to your device settings and check for available updates to make sure you haven’t missed anything. These software updates are constantly fixing security vulnerabilities to proactively protect users. 

Don’t click on attachments in emails or texts from new or unknown senders

Be wary of any link or attachment that is sent to you. Always check the address before clicking, and make sure that you know who is sending you the file.

Try not to send sensitive information over text or email

When sharing personal information like your SSN, driver’s license number, address, birthday, etc., you should exchange this through secure file sharing services, like ShareFile. The least secure thing you can do is simply text or email this data. Even sharing it in a private Google Doc that is only viewable by you and the other party (though not perfectly safe) is a better strategy. 

Don’t install random software and updates from the web, just let your device’s operating system (OS) do that for you

If a website is asking you to download and install new software or an update to existing software, you should be immediately wary. This is a common way of delivering malware. Rely on your device to prompt you for operating system and application updates, not websites. Additionally, you should avoid installing browser extensions, especially from unknown developers. Remember that if something sounds too good to be true, it’s probably just malware. If you have kids, don’t let them install game hacks on your computer, as these are also typically malware in disguise.

Don’t use “free VPNs”. SSL encryption protects us for the most part, and a ton of free software is just malware in disguise

This is self-explanatory, but you should be extremely wary of “free VPN” software. For the most part, if you are accessing reliable websites and using strong authentication practices, you shouldn’t need a VPN to keep you safe.

Use your OS virus scanner (and keep it turned on), but don’t purchase or use any third party virus software

These days, there is little need for third party virus scanning software. Your device should come with its own virus scanning software, and you can rely on that to keep you alerted to threats. The risk of scams and malware with third party software tools generally outweighs any additional benefit.

We know this was a very technical blog, but if you’ve made it this far, we hope that you’ve learned something new and feel ready to be safer online. Hackers and bad actors are always working on new ways to compromise good users’ accounts, so it’s important to stay vigilant and do your best to proactively protect your information.


Madison Elliott is a UX Researcher at Google. Madison consults on data engineering and usability at Mana Financial Life Design (FLD). Mana FLD provides comprehensive financial planning and investment management services to help clients grow and protect their wealth throughout life’s journey. Mana FLD specializes in advising ambitious professionals who seek financial knowledge and want to implement creative budgeting, savings, proactive planning and powerful investment strategies. Madison brings her combined background in cognitive science, computer science and clinical psychology with her professional UX design and engineering experience to optimize workflows at Mana FLD and improve people’s lives.