The title of this post is a reference to the classic torture scene in “Marathon Man” starring Dustin Hoffman (click the link if you haven’t seen it or want to revisit it). His answer and our answer are the same. Yes it is. No it’s not.
Recently I listened to the 18.5 hour audiobook about the cyber-weapons arms race titled “This is how they tell me the world ends” by Nicole Perlroth, a reporter for The New York Times. There are books that will put you to sleep. This one will keep you up. Though I am not an expert in cyber security, the book inspired me to write this. Feel free to share a link to this information if you think it may be helpful to others.
- Don’t email or text sensitive information unless it is encrypted;
- Faxing may or may not be secure;
- Wire transfers are a target;
- Freeze your credit;
- Use a password manager;
- Use two factor authentication.
These are useful steps you can take now but they will surely change as technology and risks evolve.
Is your information safe? Consider your home. You have locks on the doors and windows, smoke detectors, and perhaps an alarm system. These may deter the garden-variety burglar, but they won’t keep a SWAT team out. That’s how I see your information. A state-sponsored cyber squad (NSA, Russia, Israel, etc) probably can get your information just as a SWAT team can get into your home and with little evidence that they’ve been there. There are habits you can practice to make your information secure from the more garden variety hacker. The answer to the question at the beginning of the paragraph is not yes or no but the less satisfactory – it depends.
Email and Texts
Emailing and texting are hot buttons for me because I have received too much sensitive information, including tax returns, in this manner. Even from your own device in your own home, these activities are more like traveling in a large city where one needs to take reasonable care. You wouldn’t flash your money around in a subway or airport. In the physical world you can see who is around. In the virtual world, you cannot. Your emails which are usually unencrypted can be read by bad actors; so can your unencrypted texts (there are apps and methods to encrypt these). But you cannot see when others are reading your emails just as you couldn’t see if a clerk or waiter copies your credit card when you hand it to them when they leave your sight. The point is that sending unencrypted email and texts is similar to holding them up for all to see. If you don’t want someone knowing your account numbers, passwords and such, don’t put them in emails or texts that are not encrypted. Some text apps such as Signal and WhatsApp are encrypted and I would trust them though I suspect state-sponsored actors may have the ability to unencrypt them.
Email was created when less thought was given to security.. Red Tortoise can (and does when it is appropriate) send encrypted emails. Sending encrypted emails is more involved so it is more difficult for our clients. Instead, we encourage our clients to upload sensitive information via secure vaults which use encryption similar to what one uses to purchase items online from Amazon and others.
Use a password manager. Here’s why this is so important. Websites get hacked (more on this in the phishing section). One of the latest websites is T-Mobile. The hackers get the usernames (often your email address) and passwords for a site. Imagine you use the same password (Qwerty123!) on many sites and one of them is breached. The stolen credentials may be sold all over the world. The hackers can try your stolen password on other sites and it will work if you’ve reused it. One site that can shed some light on the security of your data is https://haveibeenpwned.com/.
The New York Times’ Wirecutter recommends 1Password which I use now replacing LastPass which I used previously and is also good. These managers will remember your passwords across devices (Laptop, computer, phone etc). You set one master password. The manager can create and store different passwords for the different sites you use. They also can store credit card information making online shopping easier. Using your browser to store passwords is better than nothing. To avoid getting deep in the weeds on this topic, I’ll just provide a link to an article in PC Magazine on the subject of browsers as password managers.
Two Factor Authentication (2FA)
For especially sensitive sites (e.g., banks, brokerage), turn on 2FA. 2FA is a second piece of identification to supplement your username and password. This could be a code texted to your phone or answers to secret questions. I also suggest it for accounts such as Google which might either contain substantial personal information or link to sites that do. Using 2FA is often no inconvenience as you can instruct sites to remember certain devices such as a specific computer or phone.
Phishing is the practice of using email or text messages pretending to be from trusted sources to trick you into giving them your personal information. For example, an email may look exactly like an email from your bank, but the links take you somewhere else. One way to spot a phishing attempt is to examine the link before clicking on it to make sure it is going where you want and to look for grammatical errors. Even better, don’t click and type the correct address directly into your browser. Or better yet, call the bank yourself if you are unsure. Here’s a link to more information on recognizing and avoid phishing scams.
Phishing can be very well done. This is one way scammers breach websites – they get employees at the site to reveal their credentials.
Anyone can fall for phishing. The elderly seem especially vulnerable and the attempt may come by phone. One scam we are aware of goes something like this. The grandparent is called by someone pretending to be a grandchild. The scammer will have personal information – gleaned from emails, texts (remember they are not secure) or more easily from social media such as Facebook. Claiming that they (the grandchild) is in trouble and doesn’t want to tell the parent, they get the grandparent to wire money.
Especially for elders, but not limited to them, we recommend that clients with accounts at Charles Schwab and other financial institutions establish “trusted contacts” who are people they are permitted to contact if they suspect financial exploitation.
Wire transfers, especially involving real estate transactions, are a target scammers try to exploit and require extra care. Specifically, scammers will monitor emails looking for real estate closings. Just before the closing they will provide fraudulent wiring instructions. We require verbal confirmation of wiring instructions before we will submit wire requests. We urge you to call using a phone number you trust any party to whom you are wiring to confirm instructions.
Faxes between two machines over a landline are reasonably secure to our knowledge because of the technology used in faxing protocols. The problem is that many fax numbers are not to machines plugged into a phone line. Rather they are virtual machines that send information over the internet like an email. For this reason, we encourage caution.
We recommend freezing your credit at the three major bureaus: Equifax, Experian and TransUnion. It’s easy to unfreeze which you need to do not only for obvious credit needs (e.g. new credit card, mortgage) but for activities like a new apartment lease or establishing an account with a gas company. You can even tell them to unfreeze for a specific time, like a week. Freezing your credit may reduce the consequences of identity theft. Here’s a link to more information on credit freezes.
Answer security questions with responses that cannot be found online such as on Facebook. If the high school you attended is online (say in LinkedIn) then that is a weak security challenge. It’s ok to use false information for your security challenges to make it difficult for someone to guess. Be sure to remember what you use.
We wish you safe browsing. We welcome your comments and questions on the subject.