Today we’re continuing the ongoing saga of identity theft. Readers new to the story can read about how I discovered someone filed fraudulent unemployment benefits in my name, and then filed a fraudulent tax return, too. This post, though, is less ranty and more about action. But be forewarned… it’s a bit meaty and has some technical jargon, though I’ve tried to keep that to a minimum.
Are You Really Paranoid If They’re After You?
If you recall, one of the main reasons that I was able to get as much information on the identity fraudsters the second time around is because the thieves used TRUTHS about me to set up the H&RBlock.com account. They used my valid email address. My valid soc. My valid birthday, etc.
Because of these truths, I was able to finagle my way into the HRBlock.com account with the help of a nice guy in tech support. And I reset the password on the HRBlock.com account so the thieves could no longer get in, too.
Shortly after that, an attempt was made to hack into my email account, which Gmail kindly blocked, but it got me thinking about all the vulnerabilities in the system.
What would a criminal have to know to reset the password on one of our financial accounts? (Like I had just done to the fraudsters…)
What kind of damage could someone do if all they got ahold of was my phone?
These thoughts led me down a bit of a rabbit-hole where I’m trying to find a balance between security and usability. After all, we could lock all of our money in Fort Knox, but that’s not particularly easy to use. So now we’re focusing on the following…
Three Layers For Securing Accounts
- Passwords – for more info on how easily passwords can be hacked, check out this great post from Bruce Schneier.
- Additional Security Questions
- Sharability
Our Old System
Passwords: The previous PoP passwords were not bad individually. I devised a system for our financial accounts: one primary leet-speak phrase served as the base password, and each site had its own site-unique add-on so that the passwords themselves would have unique hashes. (Think something along the lines of “1h8thak0r$” + “AX” for your AmEx account, “V9” + “1h8thak0r$” for Vanguard. Okay, it was slightly less readable than that, but still not awesome in hindsight.) Altogether not horrible, but the scheme has one particular weakness: if any single institution stored its password in plaintext, a leak there reveals the base phrase, and with it the pattern for every other account. Fellow nerds, check out Plaintext Offenders to be horrified.
Security Questions: We answered them honestly for whoever opened the account originally. I occasionally had to google Mr. PoP’s high school mascot to answer security questions, and if I could do it… so could a determined thief. Weak.
Sharability: I kept waiting for Mr. PoP to get on board and learn the password system, but he never did. So I was the gatekeeper for the accounts all the time. That’s fine, and I don’t mind it – but we did occasionally joke that if I were hit by a bus my last words to him would be our leet speak code for the passwords.
All in all, the old system wasn’t awful. It was probably better than what most people use, like “letMeIn!” or “password123”. But there were weak points that existed for convenience, and knowing my identity and SSN are compromised, we no longer had the luxury of trading security for convenience’s sake. It would be too easy for a criminal who knew my SSN and looked up my mother’s maiden name to get into one of our accounts and steal REAL money. We couldn’t rely on the stupidity of criminals forever.
But I still wanted a usable system. If I made the passwords too complicated, Mr. PoP would never want to learn them (I’m the kind of weird freak-a-zoid that memorizes library card numbers and credit card numbers after typing them in a few times, so passwords are pretty easy for me).
And if we were going to change all the answers on our security questions to lies, we would need to keep track of the lies as well. The phrase “there are more lies than truths” means it’s harder for a thief to guess the answer to a security question if you’ve lied, but it also means it’s harder for you to remember the answer!
New Solution: An Electronic Password Manager
I’m simplifying this a little, but an electronic password manager allows you to have a small encrypted database containing all of your logins, passwords, security questions and “answers”. You access the file with one super strong master password and then simply copy and paste login information from the password manager to login fields to login.
There are lots of them out there that store your information in a variety of different formats, but here are the basics of what we were looking for.
- AES-256 Encryption Standard – This is the current best consumer grade encryption that I’m aware of (NOT A SECURITY EXPERT, just a bit of a nerd).
- Syncability – We both need to be able to use it from our computers and preferably phones too.
- Creation of Randomized Passwords on Local Machine – Please don’t ever use a web-based random password generator, that just smells like a bad idea.
- NO Browser Extensions and Auto-Fills – While these features may sound convenient, I don’t want to worry about letting someone use my computer for 5 minutes and it auto-logging them in to WellsFargo.com.
Short Term Pain, Long Term Gain
I test drove three different password manager systems that seemed to fit the bill, and finally arrived at one that I like for our purposes. Here are quick and dirty reviews.
Dashlane is the current well-marketed wunderkind with glowing reviews from the likes of David Pogue. My take is that it’s flashy and pretty, but I hated it. It kept wanting to auto-complete everything and the “secure password generator” was anything but. Two consecutive passwords that I generated using it were: e8ELs90A and e0KPp39A. Not only are these passwords far simpler than the sites they were generated for allowed, but with construction patterns as obvious as those, I’d hardly call them secure, especially as Dashlane gains market share. Cost – Free, but syncing is $20/year.
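To put a number on the “patterns in their construction” complaint, here is an added example (my own code, not part of the original post and not Dashlane’s generator) that reduces sample passwords to their character-class layout and compares the size of the space a generator bound to that layout could produce against an unconstrained generator of the same length. The only inputs are the two passwords quoted above; the assumption that a generator actually follows such a template is exactly what the comparison is meant to test.

```python
import math
import string

# The two generator outputs quoted in the post above, used here as sample data.
SAMPLES = ["e8ELs90A", "e0KPp39A"]

# How many characters each class code stands for (l = lowercase, U = uppercase,
# d = digit, s = symbol).
CLASS_SIZES = {"l": 26, "U": 26, "d": 10, "s": len(string.punctuation)}


def char_class(ch):
    """Map one character to its one-letter class code."""
    if ch.islower():
        return "l"
    if ch.isupper():
        return "U"
    if ch.isdigit():
        return "d"
    return "s"


def class_template(password):
    """Reduce a password to its class layout, e.g. 'e8ELs90A' -> 'ldUUlddU'."""
    return "".join(char_class(c) for c in password)


def shared_template(samples):
    """Return the common class template if every sample shares one, else None."""
    templates = {class_template(s) for s in samples}
    return templates.pop() if len(templates) == 1 else None


def template_space(template):
    """Distinct passwords a generator can emit if it always follows this template."""
    size = 1
    for code in template:
        size *= CLASS_SIZES[code]
    return size


def free_space(length, alphabet_size=62):
    """Distinct passwords of the same length over [a-zA-Z0-9] with no per-position rule."""
    return alphabet_size ** length


def compare(samples):
    """Bits of entropy for a template-bound generator versus a free one of equal length."""
    tmpl = shared_template(samples)
    if tmpl is None:
        return None
    return {
        "template": tmpl,
        "template_bits": round(math.log2(template_space(tmpl)), 1),
        "free_bits": round(math.log2(free_space(len(tmpl))), 1),
    }


if __name__ == "__main__":
    print(compare(SAMPLES))
```

Both samples collapse to the same layout, lowercase-digit-upper-upper-lower-digit-digit-upper, and they also share their first and last characters. A generator that always produced that layout would have about 33.5 bits of choice per password, against roughly 47.6 bits for eight unconstrained alphanumeric characters. Two samples are far too few to prove a generator works that way, but a shared template across consecutive outputs is the first thing worth checking before trusting any generator.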
1Password was originally designed as a password manager to store on your local computer. Its passwords are strong and the software is easy to use, but the syncing process (which was clearly a later addition) involves using a Dropbox account. I realize it’s an encrypted file in the Dropbox account, but that’s still a big turn-off for me given the number of times Dropbox has been hacked. (Start typing “dropbox hacked” into Google and the first suggestion is “dropbox hacked again”.) Cost: $49.99 for single user or $69.99 for multi-user license.
PasswordsPlus isn’t well publicized, but has been around for years and a trusted colleague at work has used it for several years already. It’s not as pretty as Dashlane or 1Password, but incredibly functional and so far we’re syncing it with our home computers and phones. Cost $19.99 for Mac version, $9.99 for iPhone version.
Changing All Your Passwords and Security Questions Will Take Time
This is the short term (~a few hours) pain part. It took me several hours to change all of our passwords and security questions on all of our accounts. The main reason being, our financial lives are complicated. We’re now up to 3 banks, 4 retirement accounts, 2 additional brokerage accounts, 3 credit card companies, 2 credit alert sites, Mint, 1 email address associated with these accounts… And more sites will be added as we continue to get used to using it and convert everything to the password manager, but this takes care of the most vulnerable sites.
To make all the changes, start online. You should be able to change the passwords online. You’ll want to read the password limitations for each site and use your password manager to generate the most complex password that you can given the site’s limitations.
Then you’ll want to update your security questions. Remember, your answers should have nothing to do with you. Choose nonsense or random dictionary words – it doesn’t have to make sense!
Ex. Q: What’s your favorite color? A: flabbergasted
Some, like Vanguard, will allow you to change your security questions online as well. However, most will require you to call to change the security question(s), and Wells Fargo actually required me to go into a branch to reset a vocal security word that had been on the account since I was 9. Does a 9-year-old think of a great random password? No. But it stayed there for 21 years. And I’m sure we’re not alone in that.
As you make all of these changes, record all of these answers directly in your password manager. Save it, and sync it!
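The three steps above (generate the strongest password a site’s rules allow, pick nonsense security answers, record both) are what a password manager does for you. As an added example, not code from the post or from any of the three products reviewed, here is a small local generator built on Python’s `secrets` module: it takes a site’s length cap and required character classes, guarantees one character of each required class, shuffles with the same CSPRNG so nothing sits in a fixed position, and picks security-question answers from a word list. The site policies, the word list and the `vault_entry` record shape are all constructed for the demo.

```python
import math
import secrets
import string

# Character classes a site policy can require; the symbol set is a constructed
# default that most sites accept, and callers can narrow it per site.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}

# Constructed word list for security-question answers (a real deployment would
# use a large dictionary; the point is that the answer has nothing to do with you).
WORDS = ["flabbergasted", "tuba", "granite", "lantern", "orbit", "velvet",
         "cactus", "harbor", "quartz", "meadow", "saddle", "zephyr"]


def generate_password(max_length, required=("lower", "upper", "digit", "symbol"),
                      symbols=CLASSES["symbol"]):
    """Longest password the policy allows, with one guaranteed char per required class."""
    classes = dict(CLASSES, symbol=symbols)
    if max_length < len(required):
        raise ValueError("policy cannot be satisfied at this length")
    alphabet = "".join(classes[c] for c in required)
    # One character from each required class, then fill from the whole alphabet.
    chars = [secrets.choice(classes[c]) for c in required]
    chars += [secrets.choice(alphabet) for _ in range(max_length - len(required))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always occupy the first positions (that would itself be a pattern).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_policy(password, max_length, required, symbols=CLASSES["symbol"]):
    """Check length cap, allowed characters, and presence of every required class."""
    classes = dict(CLASSES, symbol=symbols)
    allowed = "".join(classes[c] for c in required)
    if len(password) > max_length or any(c not in allowed for c in password):
        return False
    return all(any(c in classes[r] for c in password) for r in required)


def entropy_bits(length, alphabet_size):
    """Upper-bound entropy of a uniformly random password (the class guarantee
    removes a tiny fraction of the space, so the true figure is slightly lower)."""
    return length * math.log2(alphabet_size)


def random_answer(words=WORDS, count=2, sep="-"):
    """Security-question 'answer' made of random dictionary words, e.g. 'tuba-orbit'."""
    return sep.join(secrets.choice(words) for _ in range(count))


def vault_entry(site, max_length, required, question):
    """Build the record you would paste into the password manager for one site."""
    return {
        "site": site,
        "password": generate_password(max_length, required),
        "security_question": question,
        "security_answer": random_answer(),
    }


if __name__ == "__main__":
    # Constructed policies: one site allows symbols, one alphanumeric only.
    print(vault_entry("example-bank", 20, ("lower", "upper", "digit", "symbol"),
                      "What's your favorite color?"))
    print(vault_entry("example-broker", 12, ("lower", "upper", "digit"),
                      "What was your first car?"))
```

`satisfies_policy` is there so you can sanity-check a generated password against the site’s stated rules before committing to it; rejecting and regenerating is cheap, whereas a wrong guess about a policy is one more support call.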
But Then You’re Done. And You’re Safe(r)
The next time you need to login, open up your password manager using your one master password, use the copy functionality to copy the password to the clipboard, paste in your randomly generated password, and voila. You’re in.
I know it sounds like a giant pain in the ass to set up, and I’m not going to sugar coat it – it is a giant pain in the ass. But it’s worth it.
I’m really getting used to using the password manager on a regular basis and it no longer seems like an inconvenience and I like having the knowledge that our accounts are now significantly more difficult to gain access to. Before, someone with my SSN (and we know there was at least one other person out there outside of our family with it!) could have looked up some additional facts on Facebook or in other Public Records and been able to answer security questions to gain access to our accounts. Now… not so much.
Any questions? What strategies do you currently use to keep your accounts safe and secure while sharing the information with a partner?