By David Koch, CFP®, AIF®, CFA, Senior Wealth Advisor
October is Cybersecurity Awareness Month and today, now more than ever, it’s important to protect your digital assets. We’re going to be covering three key points in today’s post.
#1: Make sure to use a unique password for each website.
#2: Make sure to use a unique password for each website.
And finally, #3: Don’t forget rules number one and two. This may sound glib, but it’s literally the single most important thing you can do to protect your assets online.
There have been so many massive hacks, including Facebook, Home Depot, Marriott, Target, Yahoo, and worst of all, Equifax. The Yahoo breach in 2013 compromised 3 billion people. That included their usernames and passwords (more on this below). First American Financial Corp, an American real estate and mortgage insurer, disclosed in 2019 that it left 900 million files with sensitive customer information exposed. Equifax revealed in 2019 that as many as 143 million people had their sensitive data online compromised.
What makes the Equifax breach especially awful is that Equifax is one of the three American credit reporting agencies (along with TransUnion and Experian) that track all of your financial accounts and store some of your most sensitive data. Even the US Social Security Administration uses Equifax’s security questions to verify your identity with them.
Once your data is breached, criminals buy lists of usernames and passwords online.
I read a story about fraudsters who bought a woman’s Yahoo e-mail and password, and quickly realized she used the same e-mail and password for her Airbnb account. Furthermore, when they logged into Airbnb, they found that she had her American Express card already linked and, when they checked out, they were never asked for the security code on the credit card. The scammers then had a nice apartment for the weekend and could take their time cleaning it out – and I don’t mean tidying up, I mean robbing it. Because this person used the same login and password for both Yahoo and Airbnb, there was now a second victim: the owner of the Airbnb.
Although simple passwords can be cracked, the vast majority of hackers are just looking to find a match. They’ve got a username and a password, and they keep trying it until it lets them into something of value. It’s like the two hikers who find a bear in the woods. One starts to run and the other says, “You can’t outrun a bear,” to which the first replies, “I don’t need to outrun the bear, I only need to outrun you!” If you simply use a different password for each website, you’re no longer the slowest hiker.
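To see how far one leaked password would reach across your own accounts, here is an added example (not part of the original post) that reads a password-manager CSV export and groups the sites that share a password. The column names `site`, `username`, `password` and the sample rows are constructed assumptions; adjust them to your manager's export format.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; column names are an assumption, not a real product's format.
SAMPLE_EXPORT = """site,username,password
yahoo.com,jane@example.com,Sunshine2013!
airbnb.com,jane@example.com,Sunshine2013!
bank.example,jane@example.com,c9$Lq!vT2mWz
shop.example,jane@example.com,Sunshine2013!
news.example,jane@example.com,r7#Kd8pXe@1B
"""

def fingerprint(password):
    """Hash the password so plaintext is not kept in the grouping keys or the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_groups(export_text):
    """Return sorted lists of sites that share one password (two or more sites each)."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_password[fingerprint(row["password"])].append(row["site"])
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

def exposed_if_breached(export_text, breached_site):
    """Other sites that use the same password as breached_site."""
    for group in reuse_groups(export_text):
        if breached_site in group:
            return [site for site in group if site != breached_site]
    return []

if __name__ == "__main__":
    for group in reuse_groups(SAMPLE_EXPORT):
        print("Shared password:", ", ".join(group))
    print("If yahoo.com leaks:", exposed_if_breached(SAMPLE_EXPORT, "yahoo.com"))
```

Run it against a real export only on a device you trust, and delete the export file afterwards, since it holds every password in plaintext.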
A simple way to use a unique password for each website is to have a relatively complex master password, and then attach the first three letters of the website you’re trying to log into. For example, your master password might be “F!uffy8unn1e-”. Then, if you’re logging into your Yahoo account, you would attach “yah” to make “F!uffy8unn1e-yah”. Your Farmers Only password would then be “F!uffy8unn1e-far”, and your People of Walmart password would be “F!uffy8unn1e-peo”. See? Not so bad after all.
If you’ve made it this far, I have two more very important tips for you.
First, delete your private information online, like on Facebook. If someone is going to try to break into one of your accounts, they’re likely to need to answer some personal questions like “Where were you born?” or “What was your high school mascot?”, both of which can likely be found by looking at your Facebook profile. You just don’t need to have your high school and hometown (and most of your other personal information) online.
Better yet, lock down your Facebook privacy settings; your profile doesn’t need to be public. Go to: Settings and Privacy -> Settings -> Privacy – and consider switching to the settings below. Now, if friends or friends of friends are trying to hack your accounts, this doesn’t help, but it would prevent strangers from finding you.
And secondly, and critically: Don’t like two-step authentication? Too bad. Embrace it. At the very least set up text message two-factor authentication, but even that can be hacked via a “SIM swap” (and other methods). Notification via text is better than nothing, but better yet, find out which sites you can set up with an authenticator app like Google Authenticator, Microsoft Authenticator, Symantec’s VIP app, or Authy.
Check to see how many sites that have your information have been compromised by putting your email (or phone number) into Have I Been Pwned? Hint: it is not going to be zero. Let this be your unpleasant epiphany to start the process of changing your (hopefully not abysmal) passwords. Remember, don’t be the slowest hiker.
Halbert Hargrove Global Advisors, LLC (“HH”) is an SEC registered investment adviser located in Long Beach, California. Registration does not imply a certain level of skill or training. Additional information about HH, including our registration status, fees, and services can be found at www.halberthargrove.com. This blog is provided for informational purposes only and should not be construed as personalized investment advice. It should not be construed as a solicitation to offer personal securities transactions or provide personalized investment advice. The information provided does not constitute any legal, tax or accounting advice. We recommend that you seek the advice of a qualified attorney and accountant.