Sony, JP Morgan Chase, Target, Home Depot attacked. Russian, Chinese, North Korean, stateless hackers blamed. Stories about identity theft, e-mail hacks, and elder abuse blanket the news. No wonder many of our clients fear it's just a matter of time before the cyber criminals attack them personally. Fortunately, with a reasonable amount of vigilance, you can avoid becoming a victim.
Here is a summary of attacks against our clients, simple steps you can take to protect yourself, and what our firm is doing to protect clients' data.
Attacks against our clients in the last 12 months
1. Taking over e-mail accounts
Using your computer to connect to e-mail over a public Wi-Fi (e.g. Starbucks) can let hackers armed with "sniffers" grab your e-mail login and password, particularly when the mail program or webmail session is not encrypted. Once in, the hacker browses the Sent folder to sleuth out relationships with wealth advisors, travel plans, and other helpful facts. We recently received an e-mail asking us to wire $27K to pay for the purchase of a horse. Our client lives in rural New Hampshire, so it's not out of the question that he would make that request. However, our money transfer rules require a phone confirmation on e-mailed money requests we weren't expecting. We called the client and learned that, not only had he not made the request, but he was also about to fly to Europe on vacation.
We immediately advised him to change his e-mail passwords AND all his bank and credit card passwords, since people often "recycle" passwords among multiple applications. A pain to do right before vacation, but of course the hacker knew from the client's e-mail about his upcoming plans. We also realized that the client wasn't receiving e-mails from us. We did a join.me session to review the client's e-mail settings and saw that a filter had been installed directing e-mail from @HeronFinancialGroup.com directly to the trash folder. The client wouldn't see e-mails from us. Meanwhile, the hacker could respond to us from the trash folder to keep up the charade that the client still wanted to buy the horse, but just couldn't reach us by phone while in Europe. Messages to us would be deleted from the Sent folder, so the client wouldn't stumble onto the exchange. Whenever an account is taken over, review the filter, forwarding and auto-reply settings as well as the password; a changed password does nothing about a rule the hacker left behind.
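The kind of check we ran over join.me can be scripted. The following is an added example, not code from Heron Financial Group or from any mail provider: it audits a list of mailbox rules (a constructed, vendor-neutral dict shape; a real audit would export the rules from the provider) and flags the patterns seen in account takeovers: mail from a watched sender such as the advisor's domain being moved to Trash or deleted, mail being forwarded to an outside address, and hidden mail being marked read so no unread count gives the game away (the mark-as-read trick is a common companion to the filter described above and is included here as an extra check). The domain example.net and the sample rules are made up.

```python
"""Audit mailbox filter rules for signs of account takeover.

Added example (not the firm's or any mail provider's code). Rules are
plain dicts in a constructed shape:
  name, from_contains, move_to, delete, forward_to, mark_read
"""
from __future__ import annotations

# Folders a hijacker uses to park mail the victim is not meant to notice.
HIDING_FOLDERS = {"trash", "deleted items", "junk", "spam", "archive", "rss feeds"}

# Constructed sample rules: one legitimate newsletter rule, one legitimate
# copy-to-self rule, and two rules of the kind found on the hijacked account.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": "@news.example.org", "move_to": "Newsletters"},
    {"name": "Copy to self", "from_contains": "", "forward_to": "me@example.net"},
    {"name": "Advisor to trash", "from_contains": "@heronfinancialgroup.com",
     "move_to": "Trash", "mark_read": True},
    {"name": "Copy everything", "from_contains": "", "forward_to": "drop@external.example"},
]


def audit_rules(rules: list[dict], own_domain: str, watch_domains: set[str]) -> list[dict]:
    """Return {rule, reasons} for every rule that looks like tampering.

    own_domain    -- the mailbox owner's own domain (forwarding inside it is fine)
    watch_domains -- senders whose mail must never be hidden (advisor, bank, ...)
    """
    findings = []
    for rule in rules:
        reasons = []
        sender = (rule.get("from_contains") or "").lower().lstrip("@")
        folder = (rule.get("move_to") or "").lower()
        forward_to = (rule.get("forward_to") or "").lower()

        hides = bool(rule.get("delete")) or folder in HIDING_FOLDERS
        if hides and any(sender.endswith(d) for d in watch_domains):
            reasons.append(f"hides mail from '{sender}' (moved to '{folder or 'deleted'}')")
        if forward_to and not forward_to.endswith("@" + own_domain.lower()):
            reasons.append(f"forwards mail to outside address {forward_to}")
        if hides and rule.get("mark_read"):
            reasons.append("marks hidden mail as read so no unread count appears")

        if reasons:
            findings.append({"rule": rule.get("name", "<unnamed>"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "example.net", {"heronfinancialgroup.com"}):
        print(f["rule"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed rules, the audit reports only "Advisor to trash" and "Copy everything"; the newsletter rule and the forward to the owner's own address pass. The same three checks apply to Outlook rules, Gmail filters and Exchange transport rules once they are exported into this shape.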
2. "Spear Phishing" attacks
Spear phishing attacks are ever more believable e-mails, tailored to the recipient, with links or attachments that install malware on the victim's computer. We've seen very realistic e-mails from "Social Security" offering to help establish an online account (except that Social Security's website is SSA.gov, not SocialSecurity.com.) If you click on a fake link, you may install "ransomware," software which encrypts all your files, leaving only a text file ransom note. Short of restoring from a backup, the only way to get the files back is to follow instructions to send funds (in hard-to-trace Bitcoin) to the extortionist, who may then reply with a decryption key; paying is no guarantee.
Protect yourself against these attacks by:
A. Take an extra couple of seconds to "mouse over" a link before clicking on it and read the address that appears. If the e-mail is from Virgin America but the link points to http://find2.airline-rewards.us/ - stop! Look at the part of the address just before the first single slash: an address like virginamerica.com.airline-rewards.us belongs to airline-rewards.us, not to Virgin America.
B. Make sure that your computer automatically installs the latest security patches.
C. Make sure that your anti-virus software subscriptions are up to date.
D. Make sure you have a back-up system that keeps multiple versions of backed-up files. For example, if your files were encrypted on 4/28, you could still use the backups dated 4/27 and earlier. A single external drive that is always plugged in does not count: ransomware encrypts everything it can reach, including that drive.
E. Don't hesitate to bring in a technician to review your computer settings if you have doubts about any of the above.
F. Older clients and family members are generally less tech savvy and therefore particularly vulnerable.
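Step A can be automated for a mailbox, which is useful when checking mail for a less tech-savvy relative. The following is an added example (not code from Heron Financial Group): it pulls every link out of an HTML e-mail and flags one when the link's domain does not match the sender's domain, when the visible text shows a different domain than the link actually goes to, or when the link is plain http. The sample message is constructed; it assumes virginamerica.com is the genuine sender domain and reuses the http://find2.airline-rewards.us/ address from the text. The domain comparison uses the last two labels of the host name, which is an approximation (it does not know about suffixes like co.uk).

```python
"""Flag links in an HTML e-mail whose destination does not match what the mail claims.

Added example, not the firm's code. Uses only the standard library.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing message: the visible text says virginamerica.com but the
# link goes elsewhere; the help link and the mailto: link are legitimate.
SAMPLE_HTML = """
<p>Dear traveler, your Virgin America points expire soon.</p>
<p><a href="http://find2.airline-rewards.us/">www.virginamerica.com/rewards</a></p>
<p>Questions? <a href="https://www.virginamerica.com/help">Help center</a> or
<a href="mailto:help@virginamerica.com">email us</a>.</p>
"""

# Something that looks like a host name inside link text ("www.example.com/path").
_HOST_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Approximate the owner's domain as the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html: str, sender_address: str) -> list[dict]:
    """Return {href, text, reasons} for each http(s) link that does not match the sender."""
    sender_domain = registrable(sender_address.rsplit("@", 1)[-1])
    parser = _LinkCollector()
    parser.feed(html)

    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are not web links
        host = url.hostname or ""
        reasons = []
        if registrable(host) != sender_domain:
            reasons.append(f"link goes to {host}, mail claims to be from {sender_domain}")
        shown = _HOST_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if url.scheme == "http":
            reasons.append("not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML, "rewards@virginamerica.com"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

On the constructed message only the rewards link is reported, with all three reasons. The same registrable-domain comparison catches the look-alike form in step A, where the real domain is hidden behind a familiar prefix.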
3. Telephone scams

On two separate occasions, callers to our clients in Texas and Pennsylvania claimed to be nieces or grandchildren who had been in a car accident. Reading apparently from the same script, callers claimed to be a niece or a granddaughter who sounded strange because "my nose is all banged up." The callers insisted that the victims send $1000 via Western Union, "or the other driver will have me arrested. Oh, and don't call Mom and Dad, I am ashamed and don't want them to find out." In both cases, the women went to Western Union to send money, and in both cases, Western Union refused to process the transaction.
How did the callers know so much about the victim and their families? From perusing Facebook postings! When using social media, be thoughtful about your privacy settings and be thoughtful about what you post. Hackers LOVE to read posted birth announcements. With good luck for the hacker, it could be 18 years before your child or grandchild finds out that his or her identity was stolen at birth.
4. Theft of credit card data
Credit card theft long predates the Internet era - remember tearing up credit card carbons in the 1980's? These days, hackers download millions of credit card numbers with a single attack against a retailer like Target or Home Depot; the numbers are then bulk-sold to counterfeiters. Cards equipped with contactless (RFID) chips for "swipe-less" use can reveal the card number and expiration date to a passerby with a reader, though not the security code on the back. Hackers also place "skimmers" over the card slots of ATM machines or gas station pumps to copy your card's magnetic stripe.
A. Review your credit card statements on receipt - anything you don't recognize, call the credit card company to identify the purchase. Couples that share accounts with multiple cards may find this challenging, so consider opening additional accounts verified separately by each.
B. Try NOT to use debit cards, which these days often double as ATM cards. If someone fraudulently charges an item to your credit card, it's the bank's or vendor's problem. If someone defrauds your debit card, it's your problem. If you have enrolled in overdraft privileges for your debit/ATM card, you could have your entire bank account drained AND owe money.
C. If an ATM or gas station card reader looks odd, grasp the card slot and pull hard. If a piece comes off in your hand, that's a card reader. Walk away.
D. Consider the risk of storing credit card numbers with online merchants you use often, for example, Staples or Amazon. If someone gets access to a merchant account, they can order high value items like computers and TVs and ship them to another location for resale. Vendors are taking counter-measures. For example, if you add a new address to your Amazon account, you will not be able to use the "one click" service until you have re-entered your 3-4 digit card code.
5. Elder abuse
Not only are older clients at greater risk for e-mail phishing attacks and phone solicitation, but it's also becoming ever more apparent that the ability to make good financial decisions often declines sharply in the last years of life.
Last year one of our clients learned that his father died - not unexpected as the gentleman was 92 and in poor health. Three days later, our client learned to his horror that, 6 months previously, his father's chauffeur had conspired with a law firm to prepare 100% legal documents naming himself power of attorney, executor and sole beneficiary of a multi-million dollar estate. By the time our client travelled to his father's town, the funeral was over and the body buried, the locks on the family home were changed, the safe deposit box was emptied of stock certificates, and all bank accounts were cleaned out. We helped our client find an elder abuse attorney to try and recover something, but even getting the family photo albums is in doubt.
Adult children need to have the uncomfortable conversation with their parents sooner rather than later to establish powers of attorney, understand where assets are stored, "clarify and simplify" their parents brokerage and bank accounts, get set up with duplicate statements on those accounts AND carefully monitor their parents' caregivers.
Simple steps to protect yourself.
1. Check caller-ID before answering the phone
If you don't recognize the name or number, let the call go to voice mail. 9 times out of 10, there will be no message. However, a legitimate caller will leave a message, which you can check and return 2 minutes later.
If a stranger reaches you with a sales pitch or a sob story, simply hang up - no need to explain or apologize.
2. Password hygiene

Convenience trumps security! Poor password hygiene is often the weakest link for individuals and businesses!

A number of our clients proudly showed us a detailed spreadsheet with web address, login and password for all their bank, credit card, shopping, and social media accounts. If there EVER was a document that should NOT BE STORED on a computer, it's a spreadsheet of logins and passwords. One piece of malware, one stolen laptop, or one copy of that file e-mailed or synced to a cloud drive hands every account over at once.

We recommend several password management strategies:

A. Record your logins and passwords on paper rather than store this data on your computer. Lock it in your desk or hide it; do not post it on your monitor.
B. Don't use the same password for every account. Yes, we know it's a burden to maintain 50 separate passwords, so a compromise is to use different passwords for categories of applications:
i. E-mail - change annually
ii. Banks, credit cards and other financial sites - change every three months.
iii. Social media - change annually
iv. Buying services - change annually
v. Online newspapers, magazines, sites with no personal data - change never
C. Don't use simple passwords like "mypassword1." Any password built from whole words is easily compromised. Celebrities' iCloud accounts (and personal iPhone photos) were discovered last year by hackers testing information obtained from Wikipedia entries (e.g. birth town, name of grade school, street the person grew up on.) The encryption was not cracked; the hackers simply guessed passwords and security-question answers from publicly available information.

The best passwords are at least 12 characters long with a mix of upper and lower case letters, numbers and symbols. One strategy is to use the first letter of each word of a phrase, e.g. "The quick brown Fox jumps over the lazy Dog" becomes "TqbFjotlD." Add numbers and symbols to increase the security, e.g. "TqbFjotlD2000#." Pick a phrase of your own rather than a famous one: the quick brown fox is so well known that its initials appear in the word lists password-guessing programs try first. Avoid easily guessed numbers like your birth or anniversary year.
D. Consider subscribing to LastPass ($12/year,) which will maintain a central vault of completely random passwords for EACH of your applications and will auto-fill those passwords as you move from site to site. LastPass is not fool-proof - you still have to make sure that you secure, and change often, this one password. And you should still periodically update individual sites according to our recommendations above.
E. Lastly, where possible, enable "two factor" authentication. For example, because the Social Security website is a trove of valuable information, you can enable a text notification whenever you or someone else logs into your account at SSA.gov. You cannot complete the login process without entering a 6 digit code from your phone. Social Security won't allow logins from computers outside the United States.
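The checks in C and the random passwords of D can be expressed in a few lines. The following is an added example, not code from Heron Financial Group or from LastPass: it builds the initials of a phrase as in C, scores a candidate password against the rules above (length, character classes, whole words, four-digit years), and generates a random password of the kind a password manager stores. The word list is a tiny constructed one; a real check uses a full dictionary and a list of leaked passwords. The year check also flags the "2000" in the page's own example, because a four-digit year is exactly the kind of number the advice says to avoid.

```python
"""Password checks and a random-password generator for the advice above.

Added example, not the firm's or any vendor's code. Standard library only.
"""
from __future__ import annotations

import re
import secrets
import string

# Constructed, deliberately tiny word list; real checkers use full dictionaries.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "money", "bank", "love", "admin"}
YEAR = re.compile(r"(19|20)\d\d")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def initialism(phrase: str) -> str:
    """First letter of each word, keeping case: the strategy described in C."""
    return "".join(word[0] for word in phrase.split())


def check_password(pw: str) -> list[str]:
    """Return the list of problems with a password; an empty list means it passes."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if sum(any(c in cls for c in pw) for cls in CLASSES) < 3:
        issues.append("fewer than three character classes")
    low = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in low:
            issues.append(f"contains the word '{word}'")
    if YEAR.search(pw):
        issues.append("contains a four-digit year")
    return issues


def random_password(length: int = 16) -> str:
    """Random password from the OS secure generator, regenerated until it passes the checks."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    for _ in range(100):  # a passing password is found almost always on the first try
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
    raise RuntimeError("could not generate a passing password")


if __name__ == "__main__":
    for candidate in ("mypassword1", initialism("The quick brown Fox jumps over the lazy Dog"),
                      "TqbFjotlD2000#", random_password()):
        print(f"{candidate:20} {check_password(candidate) or 'ok'}")
```

Run as is, "mypassword1" fails on length, character classes and the word "password"; the bare initials "TqbFjotlD" fail on length and classes; "TqbFjotlD2000#" passes everything except the year check; the generated password passes. Note that the word check is case-insensitive, so "MyPassWord1" is no better than the lower-case version.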
As banks and financial institutions increase security, including adding "two factor" authentication and challenge questions, our clients are increasingly frustrated by the simple task of checking an account balance. Critical websites such as banks now make you go through a re-verification process if you login from a new location or from a different computer (e.g. the business services room while on vacation.)
We are frustrated when our account aggregation service fails as security is upgraded for a client's account, which entails a phone session or a join.me session to address. Unfortunately, this frustration will only grow as we become ever more dependent on these critical systems.
3. Subscribe to Credit Monitoring Services
Credit monitoring can offer proactive protection against identity theft, and is worth doing after you learn that your data was in a breach. We obtain political analysis from Strategic Forecasting. Though Stratfor is staffed by former CIA and Defense Intelligence Agency analysts, their computer systems were not properly upgraded against the increasing threats of recent years. In January 2012, Stratfor's entire subscriber database, including names, e-mail addresses, corporate affiliations, logins and passwords, and credit cards on file for subscription renewal, was posted as a giant zip file. We downloaded a copy of the file, and yes, all our data was there, so now we have credit monitoring on our business and personal accounts.
Popular monitoring services include IdentityGuard, LifeLock, TransUnion, CSID and Kroll. Each service offers different menus of basic protection at $10/month, extended at $30/month.
You can also ask Equifax, Experian and TransUnion to place a "freeze" on your credit reports. Most lenders will not open a new account if they can't access your credit report. You may be inconvenienced if YOU need to open an account, or worse, pass a job screening. You can lift freezes for specific time frames, but you need to allow lead time to accomplish the un-freeze.
4. Use private Wi-Fi hotspots when you travel
A dedicated Wi-Fi hotspot is the size of a pack of playing cards and costs $50/month. You can enable the personal hotspot feature on your smart phone, which may increase your data charge by $100/month. If you travel for business, you may easily recoup this expense by not having to subscribe to hotel Wi-Fi (and also save time and have better connections.) We're pretty sure using public Wi-Fi is how our clients had their e-mail accounts compromised.
Also, be sure that your home Wi-Fi is set to the strongest encryption your router offers (WPA2, not WEP or an open network) AND that you have changed the factory default passwords (e.g. admin) for both the Wi-Fi and the router's administration page.
How does Heron Financial Group protect our clients' data?
HFG has always maintained high sensitivity regarding the safety of our clients' data. We won't reveal every measure we've taken, but know the following:
1. Under no circumstances will our custodian transmit cash or securities without validating the client's signature. Under no circumstances can an employee of HFG transmit cash or securities without a valid client signature.
Our preferred method is to send funds directly to a client's checking account using "standing instructions," signed and authenticated by the client. Of course, clients have special requests for events like house closings. The client (both clients of joint accounts) must sign the wire transfer request, which must be counter-signed by an officer of HFG.
Clients may make funds transfer requests by e-mail, but only to checking accounts connected via standing instructions. If we're not expecting your request, you will receive a phone call to confirm.
All HFG employees are trained to recognize phishing e-mails and other "human factor" risks.
2. Our office is located in Manhattan, New York, which is a high risk zone for terrorist action and, as we learned October 2012, a flood zone. All our clients' electronic working documents (word processing, spreadsheets, PDF's) are stored on a server one time zone away, and mirrored at a second server site two time zones away. The server sites offer both physical and electronic safeguards, which are certified annually by a third party.
We connect to the server using a "remote desktop protocol" which requires a login, password, and authentication using our cell phones. This level of security enables us to work conveniently from office, home, hotel or airplane while keeping anyone without the second factor off the server. All clients' important papers are scanned to the remote server, so if need be we could abandon our primary office for days.
3. Our trading, market data, e-mail, client data, and phone systems are "cloud-hosted" by geographically dispersed vendors across the country. Our mobile phones serve as an extension of our office phones. After Hurricane Sandy, our team worked from home with laptops and cell phones for three days with no loss of utility.
Our vendors spend tens of millions annually to keep systems at the highest levels of security. There is no such thing as 100% security, but 99% is good enough when less conscientious companies provide easier access to the bad guys.
4. We substantially upgraded our local network last year with enterprise grade routers, firewalls and anti-malware software. At our smaller firm, it's relatively easy for our cyber-security consultants to spot vulnerabilities. The larger the firm (e.g. Home Depot with thousands of servers and networks) the harder (exponentially so) to keep software and hardware up to date.
5. Our clients flat out refuse to use our client vault for transferring documents and rely too much on unencrypted e-mail. We're experimenting with TLS encrypted e-mail for all OUTBOUND e-mails from our firm, but we are not yet satisfied with the results.
TLS is the same encryption layer that HTTPS uses to protect data between your computer and your bank's website; for e-mail it protects the message while it travels between mail servers, not once it sits in a mailbox, and it only works when both ends support it. We have seen two problems - not all our clients have TLS enabled e-mail providers; these clients receive gibberish. Also, even when e-mail decrypts properly, attachments may not decrypt properly. We will keep testing until we find a viable solution.
Meanwhile, we prefer that clients use fax or even mail to send sensitive documents to us.
Hackers are busy people who seek "low hanging fruit." Don't succumb to paranoia. With a reasonable vigilance, you can make access to your bank accounts and personal data challenging enough to deflect hackers' attention elsewhere.