Securing Accounts Against Fraud

Today we’re continuing the ongoing saga of identity theft. Readers new to the story can read about how I discovered someone filed fraudulent unemployment benefits in my name, and then filed a fraudulent tax return, too. This post, though, is less ranty and more about action. But be forewarned… it’s a bit meaty and has some technical jargon, though I’ve tried to keep that to a minimum.

Are You Really Paranoid If They’re After You?

If you recall, one of the main reasons I was able to get so much information on the identity fraudsters the second time around is that the thieves used TRUTHS about me to set up the HRBlock.com account. They used my valid email address. My valid Social Security number. My valid birthday, etc.

Because of these truths, I was able to finagle my way into the HRBlock.com account with the help of a nice guy in tech support. And I reset the password on the HRBlock.com account so the thieves could no longer get in, too.

Shortly after that, someone attempted to break into my email account. Gmail blocked the attempt, but it got me thinking about all the vulnerabilities in the system.

What would a criminal have to know to reset the password on one of our financial accounts? (Like I had just done to the fraudsters…)

What kind of damage could someone do if all they got ahold of was my phone?


These thoughts led me down a bit of a rabbit-hole where I’m trying to find a balance between security and usability. After all, we could lock all of our money in Fort Knox, but that’s not particularly easy to use. So now we’re focusing on the following…

Three Layers For Securing Accounts

  1. Passwords – for more info on how easily passwords can be hacked, check out this great post from Bruce Schneier.
  2. Additional Security Questions
  3. Sharability


Our Old System

Passwords: The previous PoP passwords were not bad individually. I devised a system for our financial accounts so that we had one primary leet-speak phrase as the base password, and each site had its own short, site-unique add-on so that no two sites shared the same password (and so the same password hash would never show up in two places). (Think something along the lines of “1h8thak0r$” + “AX” for your AmEx account, “V9” + “1h8thak0r$” for Vanguard. Okay, it was slightly less readable than that, but still not awesome in hindsight.) Altogether not horrible, but the scheme falls apart the moment any one of those passwords is exposed in the clear: if a single institution stored it in plaintext (fellow nerds, check out Plaintext Offenders to be horrified), if it was phished, or if a breach of a weakly hashed database got it cracked, the attacker holds the base phrase and only has to guess a two-character add-on and whether it goes in front or behind. Leet-speak substitutions don’t buy much either; password-cracking tools apply exactly those substitutions as standard rules.

Security Questions: We answered them honestly for whoever opened the account originally. I occasionally had to google Mr. PoP’s high school mascot to answer security questions, and if I could do it… so could a determined thief. Weak.

Sharability: I kept waiting for Mr. PoP to get on board and learn the password system, but he never did. So I was the gatekeeper for the accounts all the time. That’s fine, and I don’t mind it – but we did occasionally joke that if I were hit by a bus my last words to him would be our leet speak code for the passwords.

All in all, the old system wasn’t awful. It was probably better than what most people use (“letMeIn!” or “password123”). But its weak points were there for convenience, and with my identity and SSN compromised we no longer had the luxury of trading security for convenience. It would be too easy for a criminal who knew my SSN and looked up my mother’s maiden name to get into one of our accounts and steal REAL money. We couldn’t rely on the stupidity of criminals forever.

But I still wanted a usable system. If I made the passwords too complicated, Mr. PoP would never want to learn them (I’m the kind of weird freak-a-zoid that memorizes library card numbers and credit card numbers after typing them in a few times, so passwords are pretty easy for me).

And if we were going to change all the answers on our security questions to lies, we would need to keep track of the lies as well. The phrase “there are more lies than truths” means it’s harder for a thief to guess the answer to a security question if you’ve lied, but it also means it’s harder for you to remember the answer!


New Solution: An Electronic Password Manager

I’m simplifying this a little, but an electronic password manager gives you a small encrypted database containing all of your logins, passwords, security questions and “answers”. You unlock the file with one super-strong master password and then simply copy and paste login information from the password manager into the login fields. Everything now hinges on that one master password, so make it long, make it unique, and never type it anywhere but the manager.

There are lots of them out there that store your information in a variety of different formats, but here’s the basics of what we were looking for.

  • AES-256 Encryption – This is the current best consumer-grade encryption that I’m aware of (NOT A SECURITY EXPERT, just a bit of a nerd). The cipher is the easy part, though: what an attacker with a copy of the file actually attacks is your master password, so how the manager turns that password into the key (a slow, salted key-derivation function with a high iteration count) matters at least as much as the AES label.
  • Syncability – We both need to be able to use it from our computers and preferably phones too.
  • Creation of Randomized Passwords on the Local Machine – Please don’t ever use a web-based random password generator. The site that generates the password has seen it, and a local generator drawing on the operating system’s randomness at least keeps the password on your machine, where you can also look at its output for patterns (see the Dashlane note below).
  • NO Browser Extensions and Auto-Fill – While these features may sound convenient, I don’t want to worry about letting someone use my computer for 5 minutes and it auto-logging them into WellsFargo.com. Whatever manager you pick, also set it to lock itself after a short idle time; an unlocked vault on an unattended machine is the same problem without the extension.
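To make the key-derivation point concrete, here is an added example (mine, not from the post or from any of the products reviewed here) of what sits between the master password and the AES key in a typical manager, using PBKDF2-HMAC-SHA256 from Python’s standard library. The vault header layout, the `vault-key-check` verifier label and the attacker speed of a billion HMACs per second are assumptions for illustration; real products differ in detail, and the AES encryption of the vault body itself is left out because only the key derivation is being shown.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32  # 256 bits: the key that "AES-256" would eventually consume
CHECK_LABEL = b"vault-key-check"  # assumed verifier label, chosen for this example


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Every candidate password an attacker tries costs them `iterations` HMACs,
    which is the whole point of the iteration count.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def create_vault_header(master_password: str, iterations: int = 200_000) -> dict:
    """Build the unencrypted header a vault file needs: salt, work factor, verifier.

    The key itself is never stored; the verifier is an HMAC under the key so the
    manager can tell a wrong master password from a corrupted vault.
    """
    salt = secrets.token_bytes(16)  # fresh per vault: equal passwords give different keys
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, candidate: str) -> Optional[bytes]:
    """Re-derive the key from a candidate password; return it only if the verifier matches."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


def expected_crack_seconds(password_bits: float, iterations: int, hmac_per_second: float) -> float:
    """Expected offline guessing time for a stolen vault file.

    On average the attacker searches half the password space, and each guess
    costs `iterations` HMAC evaluations. `hmac_per_second` is the attacker's
    assumed hardware speed (a constructed figure, not a measurement).
    """
    guesses = 2 ** (password_bits - 1)
    return guesses * iterations / hmac_per_second


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    assert unlock(header, "correct horse battery staple") is not None
    assert unlock(header, "correct horse battery stapler") is None
    # A 40-bit master password against an assumed 10^9 HMAC/s attacker:
    for iters in (1, 1_000, 200_000):
        secs = expected_crack_seconds(40, iters, 1e9)
        print(f"iterations={iters:>7}: ~{secs / 86400:.1f} days")
```

The takeaway is in the last loop: the same 40-bit master password goes from minutes to years of expected cracking time purely through the iteration count, which is why the key-derivation settings deserve as much attention as the cipher name on the box.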


Short Term Pain, Long Term Gain

I test drove three different password manager systems that seemed to fit the bill, and finally arrived at one that I like for our purposes. Here are quick and dirty reviews.

Dashlane is the current well-marketed wunderkind with glowing reviews from the likes of David Pogue. My take is that it’s flashy and pretty, but I hated it. It kept wanting to auto-complete everything, and the “secure password generator” was anything but. Two consecutive passwords that I generated with it were e8ELs90A and e0KPp39A. They are shorter and simpler than the sites they were generated for allowed, and they share an obvious construction: the same sequence of lowercase, digit, uppercase, uppercase, lowercase, digit, digit, uppercase, with the same first and last letters. A generator whose output follows a fixed pattern hands the attacker a template that shrinks the guessing space, and that matters more as Dashlane gains market share, since a known template applies to every user. Cost – free, but syncing is $20/year.
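As an added example that is not part of the original post, the script below checks the two quoted Dashlane outputs for a shared character-class template and puts the old derived-password scheme from the “Our Old System” section next to it in terms of guessing space. The base phrase and tags are the post’s illustrative ones (the real ones were never published), and two samples are only suggestive, so the check shows what a fixed template would cost rather than proving that Dashlane used one.

```python
import math
import string

# Character classes a typical generator draws from, with their sizes.
CLASS_ALPHABETS = {
    "L": string.ascii_lowercase,  # 26
    "U": string.ascii_uppercase,  # 26
    "D": string.digits,           # 10
    "S": string.punctuation,      # 32
}

# Constructed inputs: the two Dashlane outputs quoted in the post, and the
# post's illustrative base phrase and per-site tags from the old scheme.
DASHLANE_SAMPLES = ["e8ELs90A", "e0KPp39A"]
OLD_BASE = "1h8thak0r$"
OLD_TAGS = {"amex": ("AX", False), "vanguard": ("V9", True)}  # (tag, tag goes first?)


def class_template(password: str) -> str:
    """Replace each character with its class letter, e.g. 'e8ELs90A' -> 'LDUULDDU'."""
    template = []
    for ch in password:
        for label, alphabet in CLASS_ALPHABETS.items():
            if ch in alphabet:
                template.append(label)
                break
        else:
            raise ValueError(f"unexpected character {ch!r}")
    return "".join(template)


def template_bits(template: str) -> float:
    """Guessing space (log2) when the attacker knows the class of every position."""
    return sum(math.log2(len(CLASS_ALPHABETS[c])) for c in template)


def uniform_bits(length: int, alphabet_size: int = 62) -> float:
    """Guessing space for a password drawn uniformly from the whole alphabet."""
    return length * math.log2(alphabet_size)


def derive_site_password(base: str, tag: str, tag_first: bool) -> str:
    """The old PoP scheme: a shared base phrase plus a short per-site tag."""
    return tag + base if tag_first else base + tag


def bits_after_leak(tag_len: int, alphabet_size: int = 62, position_unknown: bool = True) -> float:
    """What is left to guess once one site's plaintext has revealed the base phrase."""
    bits = tag_len * math.log2(alphabet_size)
    return bits + 1.0 if position_unknown else bits  # +1 bit for prefix vs. suffix


def compare_schemes() -> dict:
    """Side-by-side guessing space of the three schemes discussed in the post."""
    templates = {pw: class_template(pw) for pw in DASHLANE_SAMPLES}
    return {
        "templates": templates,
        "same_template": len(set(templates.values())) == 1,
        "dashlane_template_bits": round(template_bits(templates[DASHLANE_SAMPLES[0]]), 1),
        "uniform_8_char_bits": round(uniform_bits(8), 1),
        "uniform_16_char_with_symbols_bits": round(uniform_bits(16, 94), 1),
        "old_scheme_bits_after_one_leak": round(bits_after_leak(2), 1),
        "old_scheme_passwords": {
            site: derive_site_password(OLD_BASE, tag, first)
            for site, (tag, first) in OLD_TAGS.items()
        },
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Both samples map to the template LDUULDDU, which is worth about 33.5 bits of guessing instead of the 47.6 bits an unconstrained 8-character alphanumeric password would have, and a 16-character password over the full printable set is over 100 bits. The old derived scheme is the worst of the three once a single site leaks: two unknown characters and a prefix-or-suffix choice leave under 13 bits.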

1Password was originally designed as a password manager that stores its vault on your local computer. Its passwords are strong and the software is easy to use, but the syncing process (clearly a later addition) involves using a Dropbox account. I realize it’s an encrypted file in the Dropbox account, and that if the encryption and key derivation are sound a stolen copy is only as weak as the master password, but it’s still a big turn-off for me given the number of times Dropbox has been hacked. (Start typing “dropbox hacked” into Google and the first suggestion is “dropbox hacked again”.) Cost: $49.99 for a single user or $69.99 for a multi-user license.

PasswordsPlus isn’t well publicized, but has been around for years and a trusted colleague at work has used it for several years already. It’s not as pretty as Dashlane or 1Password, but incredibly functional and so far we’re syncing it with our home computers and phones. Cost $19.99 for Mac version, $9.99 for iPhone version.

So from our perspective it’s Dashlane < 1Password < PasswordsPlus, but there are lots of other offerings out there as well.


Changing All Your Passwords and Security Questions Will Take Time

This is the short-term (~a few hours) pain part. It took me several hours to change all of our passwords and security questions on all of our accounts, mainly because our financial lives are complicated. We’re now up to 3 banks, 4 retirement accounts, 2 additional brokerage accounts, 3 credit card companies, 2 credit alert sites, Mint, and the 1 email address associated with all of these accounts. That email address deserves the strongest protection of the lot (and two-step verification, where the provider offers it), because it is the password-reset channel for everything else. More sites will be added as we get used to the manager and convert everything over, but this takes care of the most vulnerable sites.

To make all the changes, start online. You should be able to change the passwords online. Read the password rules for each site (length limits, which symbols are allowed) and use your password manager to generate the longest, most random password the site will accept.

Then you’ll want to update your security questions. Remember, your answers should have nothing to do with you. Choose nonsense or random dictionary words – it doesn’t have to make sense! Treat them as a second set of passwords: anyone who can answer them can usually reset the real one.

Ex.  Q: What’s your favorite color?  A: flabbergasted

Some, like Vanguard, will let you change your security questions online as well. Most, however, will require you to call to change the security question(s), and Wells Fargo actually required me to go into a branch to reset a verbal security word that had been on the account since I was 9. Does a 9-year-old think of a great random password? No. But it stayed there for 21 years. And I’m sure we’re not alone in that.

As you make all of these changes, record all of these answers directly in your password manager. Save it, and sync it!
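The steps above (read the site’s rules, generate the longest random password it accepts, replace the security answers with random words, record all of it) as an added example in Python, not code from the post or from any of the managers mentioned. The site policies and the short word list are constructed for illustration; a real word list should run to thousands of entries so that each word is worth around 13 bits.

```python
import math
import secrets
import string
from typing import Dict, Sequence

# Constructed site policies, standing in for the rules you read off each site
# before generating. They are illustrative, not any real institution's rules.
SITE_POLICIES: Dict[str, dict] = {
    "bank-a": {"max_len": 16, "symbols": "", "require": ("lower", "upper", "digit")},
    "broker-b": {"max_len": 32, "symbols": "!@#$%^&*", "require": ("lower", "upper", "digit", "symbol")},
}

# Constructed word list for security-question answers; a real one should run to
# thousands of words (a diceware-style list).
WORDS = [
    "flabbergasted", "tangerine", "pylon", "marzipan", "quasar", "bobbin",
    "lantern", "tundra", "gizzard", "parsnip", "velvet", "igloo",
]


def _classes(symbols: str) -> Dict[str, str]:
    return {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": symbols,
    }


def meets_policy(password: str, max_len: int, symbols: str, require: Sequence[str]) -> bool:
    """True if the password fits the site's length, alphabet and required classes."""
    classes = _classes(symbols)
    allowed = set("".join(classes.values()))
    return (
        0 < len(password) <= max_len
        and set(password) <= allowed
        and all(any(ch in classes[c] for ch in password) for c in require)
    )


def generate_password(max_len: int, symbols: str, require: Sequence[str]) -> str:
    """Draw the longest password the site accepts from the OS CSPRNG (secrets).

    Rejection sampling keeps the result uniform over every string that satisfies
    the policy, so there is no fixed character-class template for an attacker to learn.
    """
    classes = _classes(symbols)
    missing = [c for c in require if not classes[c]]
    if missing:
        raise ValueError(f"policy requires {missing} but allows no such characters")
    alphabet = "".join(classes.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(max_len))
        if meets_policy(candidate, max_len, symbols, require):
            return candidate


def password_bits(length: int, symbols: str) -> float:
    """Guessing space of a uniformly random password over letters, digits and allowed symbols."""
    return length * math.log2(26 + 26 + 10 + len(symbols))


def random_answer(words: Sequence[str], count: int = 2) -> str:
    """A security-question 'answer' that has nothing to do with you."""
    return " ".join(secrets.choice(words) for _ in range(count))


def answer_bits(list_size: int, count: int) -> float:
    return count * math.log2(list_size)


def provision_site(site: str) -> dict:
    """Everything to record in the manager for one account: password plus fake answers."""
    policy = SITE_POLICIES[site]
    password = generate_password(policy["max_len"], policy["symbols"], policy["require"])
    return {
        "site": site,
        "password": password,
        "password_bits": round(password_bits(len(password), policy["symbols"]), 1),
        "security_answers": {
            "What's your favorite color?": random_answer(WORDS),
            "What was your high school mascot?": random_answer(WORDS),
        },
        "answer_bits": round(answer_bits(len(WORDS), 2), 1),
    }


if __name__ == "__main__":
    for site in SITE_POLICIES:
        print(provision_site(site))
```

Two design points worth noticing: `secrets` rather than `random` is what makes the output unpredictable, and the rejection loop is what lets the generator honor “must contain a digit” rules without falling back on a fixed position-by-position template. The `answer_bits` value printed for the 12-word list is deliberately tiny, which is the argument for a much larger list.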


But Then You’re Done. And You’re Safe(r)

The next time you need to log in, open up your password manager using your one master password, use the copy function to copy the password to the clipboard, paste in your randomly generated password, and voilà. You’re in. (One caveat: anything on the clipboard can be read by other programs and by clipboard-history tools, so use a manager that clears the clipboard after a few seconds, or clear it yourself.)

I know it sounds like a giant pain in the ass to set up, and I’m not going to sugar coat it – it is a giant pain in the ass.  But it’s worth it.

I’m really getting used to using the password manager on a regular basis and it no longer seems like an inconvenience and I like having the knowledge that our accounts are now significantly more difficult to gain access to. Before, someone with my SSN (and we know there was at least one other person out there outside of our family with it!) could have looked up some additional facts on Facebook or in other Public Records and been able to answer security questions to gain access to our accounts. Now… not so much.


Any questions?  What strategies do you currently use to keep your accounts safe and secure while sharing the information with a partner?

35 comments to Securing Accounts Against Fraud

  • Thanks for all of the tips. I’ve been using “lastpass” which violates your rules for not being an extension. I also have it set to autofill and I’m not aware of a feature for storing answers to security questions, though it might exist. Having never been a victim of identity theft, I’m certainly in the too naive to really be motivated to do something camp. But like you, I’m the keeper of all of our passwords, and we absolutely need a better system in case something ever happened to me. Maybe as part of improving that system, we can upgrade our security as well.
    Matt Becker

  • I have this great system. A guy named Lou who I met yesterday at Walmart kindly holds all of my passwords for me. If I need anything, I just call him. Apparently, he’s good with watches because he’s “done time” in eight different states!

    …and if that doesn’t work, I also just recently switched to an electronic password manager. I think this is the only way to keep yourself sane.
    Joe @ Stacking Benjamins

  • I will have to go back and read those other two posts. I think everyone needs to be a lot more careful with the way they handle any account. Too often people freely send account numbers, SSN, and passwords through email. On top of that a lot of people never change them unless they are forced to by the system itself. My passwords are so long it’s like remembering an address. I use numbers, letters and symbols. What gets me is that we tend to use the same password for everything. Hmmm, they break into one account and they now have access to all. I need to add the credit watch to get notified if something weird shows on my credit file.
    Thomas | Your Daily Finance

    • Yeah, using the same password for everything is dangerous, but so many people do it!

      For your credit, I recommend credit sesame. They have a free service that’s a great way to monitor your credit with monthly updates.

  • “1h8thak0r$” + “AX”

    Hilarious! Not all hackers are bad though. It’s those black hat ones that you have to worry about!

    I came up with a very similar algorithm for my passwords. What drives me nuts is that it seems like password requirements are getting more diverse (some want punctuation, some won’t allow it, etc.). White hats serve a useful purpose.

    The PoPs definitely go beyond what most when it comes to this stuff. Computer security fascinates me and most people are vastly ignorant. Mom, what’s your password? “Your youngest sister’s name.” Ahhhhhhhhhhhhhhhhhh!!!
    Mr. 1500

    • I agree that there’s a big difference between white and black hat hackers… but if you’re trying to break into my bank account I don’t really care which one you call yourself, I’d rather you not be there. =)

      “Your younger sister’s name”… haha! Yes and yes again. ‘Cause that’s not super easy to deduce these days.

  • With all the tech stuff hackers know and do just to get into an account, we should apply as much security as we can. These are excellent suggestions to increase the security of our accounts.
    KC @ genxfinance

    • And it’s not just tech stuff. The security questions are really low tech, but if you use honest answers like your mother’s maiden name, it can be really easy for someone to access your accounts over the phone. That’s super low tech.

      • Yes, I’ve always thought those questions are the dumbest thing ever. Where did you go to high school? Come on now.

        What I’d like to have is one of those dongle security things. Do you know what I’m talking about? They have a code on them that changes every couple of minutes. Combine that with another password (2 factor authentication) and it would be pretty hard for anyone to get at your stuff.

        That or biometrics.
        Mr. 1500

  • Ivy

    I am also the password keeper, and I do keep a printout of all passwords in our house for my husband’s benefit (the file is not on a computer, it lives on a flash drive and I just update it now and then and reprint). This improves the “usability”, but of course opens us to the potential risk that a house burglar will come across it (I do have to say I doubt a burglar will go through my home office paperwork, but possibly I am naive)
    I feel our security questions and most passwords are safer even if simpler (than a computer generated random sequence) because we use words and answers from our native language/country and these are more difficult to guess. Time will show.
    My biggest concern actually is associated with our using of Mint.com – on one side this represents potentially big risk of having all passwords in one place. On the other side, I check it at least twice a week and can catch immediately some suspicious movement on an account. So far I feel the value of monitoring wins.
    Thanks for sharing your scary story and lessons from it. It’s definitely food for thought.

    • Hate to say it, but you might be a little naive about what burglars and petty thieves are looking for these days. A friend of mine told me recently that a couple on her block were under surveillance by the FBI and got charged with tax fraud. Earlier, their daughter had been chased away while she was rooting through neighbors’ recycling bins, and I can’t help but assume it wasn’t to collect cans for scrap metal. And this is all in a high-end gated community.

      Using words from a different country doesn’t increase the computational complexity for a hacker all that much, as all they have to do is load additional dictionaries and run the same algorithms.

      I feel the same way about mint. The way I see it, the danger is if mint itself gets hacked. But from everything I understand their security procedures are as good or better than banks, so monitoring is winning out for us too. =)

      • Ivy

        Our language uses a different alphabet, there is no dictionary that will have these words when transcribed in Latin. And as for finding out my mother’s name or my elementary school or even an old phone number – this I do think will be well beyond 99.9% of the hackers (giving the small benefit of the doubt for a hacker with origins similar to ours:-)

        But I hear you about the printed passwords and the likelihood of somebody coming across them. Once we had a coded system for that printout – e.g. not writing the passwords as “1234abcdefg..”, but in our language and alphabet describing the elements of the password – e.g. the old phone number for when we lived at ABC, then the name of the person who wrote the book about xyz. But frankly usability was lower as my husband tends to forget some of these answers :-)

  • I’m lazy, and I’ve been using the same password for pretty much EVERYTHING. I realize that’s not the smartest thing, so I may look at the password managers. There are some patients who ask the clinic I work at to require a password before discussing health and account information with them over the phone because they’re worried about identify theft.
    Tina @My Shiny Pennies

    • I didn’t realize patients could request a password before discussing health information, that’s interesting. I just have a short list of people (usually just emergency contacts) that they’d be allowed to discuss my health with.

      • trudy

        Passwords for health care – it used to be that if a family member were in the hospital, you could call up from across the country and ask the hospital How is Uncle Otto? and the hospital would at least say good condition, fair, etc. Now somebody there who wants to spend their time caring for Uncle Otto or bawling into a Kleenex has to phone up ten people and hand out a magic password. I am not sure this is an advance.

        • trudy

          You could, of course, call the immediately family directly, but in my experience they leap up to the ceiling thinking it’s the hospital calling.

  • Lastpass offers 2-factor authentication for their storage of passwords. I personally use 1Password with Dropbox syncing (seriously, no one – not even the NSA is going to be breaking that AES256 anytime soon). I also use the browser extensions for it, but not autofill. However, I warn you, once you go down the route of a password manager – protect that file with your life. You will never remember a password ever again – except the one to open your password file…
    Mom @ Three is Plenty

    • haha, you’re probably right. I was great with phone numbers prior to cell phones. Now I only remember the ones I dial out manually from my office phone. =)

      You’re probably right on the AES encrypted file in dropbox, and if PasswordsPlus had sucked, we probably would have gone with 1Password and I would have gotten over it. I’m just not a dropbox fan and only use it for things that I REALLY don’t care if anyone sees. Anyone want to check out my recipe file? There it is!

  • spiffi

    I use KeePass Password Safe to store all my passwords. I don’t have it on a usb stick so I only have access to my passwords at home – which means that I still tend to use passwords I can remember for sites that I might want to log into from work or other locations (facebook, linkedin, amazon etc) but it also lets me keep my security questions and answers stored, so I can look them up when I forget what I picked.

    • Yeah, that’s why I wanted to keep them synced on our phones. We’re away from home often enough (and we don’t have one “home” computer, we both have home laptops), so we wanted it to be easy for either of us to use if we were out of town or away from the other.

      I’m impressed with the folks with the usb stick! I always manage to lose those =)

  • Thanks for the tips. I certainly could do better with my passwords and security questions. I would have never thought about making up answers.
    Kim@Eyesonthedollar

  • Excellent post and gives most people lots to think about because there are people that use the easiest of passwords especially if a relationship ends. That’s another great reason to make sure you change them all and keep the answers off the charts rather than obvious even to those that are closest to you or have been in the past.
    Canadian Budget Binder

  • Thank you for this really well-thought out article on identity theft. I have a password manager as well – roboform – but I don’t think it fits most of what you highlighted here as important. Now that I think about it…I have the same password for many of my accounts, I think I’m going to do something about that…
    Lindsey @ Cents & Sensibility

  • slccom

    My passwords are written in a little book that I keep handy. Nobody can hack it, and it is available for my husband. The book is deliberately a little confusing.

  • I cannot wait for the day when I can just use my thumb print to secure all of my internet passwords. I hope it is not too far away.
    Michael @ The Student Loan Sherpa

  • Wow! A headache of mega-migraine proportions! I’m so sorry you’ve had to go through all this hassle…but glad you’re savvy enough to know what to do about it.

    This makes me feel kinda smug about being so retrograde that I refuse to have accounts at Mint and refuse to use the online features with the credit cards. I do access my accounts at the credit union online, though…guess I’ll change the passwords this evening!
    Funny about Money

  • Thanks for all the great tips – I do the same thing with security questions (have an unrelated answer), but I had no idea about all the password managers available. I’ll have to look into them!
    anna

  • […] PoP from Planting Our Pennies presents Securing Your Accounts Against Fraud. After a recent bout with identity theft, Mrs PoP outlines some of the steps the PoPs are taking to […]

  • My coworker and I were were discussing this topic this morning. Thanks for the useful information!

  • […] Planting Our Pennies: Protecting ourselves from fraud and identity theft is one of those things that most of us don’t give much thought to until it’s too late. But there are some great tips here on how to do it as easily as possible. We should all give this some real thought. […]

  • […] PoP @ Planting Our Pennies writes Securing Accounts Against Fraud – After a recent bout with identity theft, Mrs PoP enhances the security on their […]

  • […] that I added and churned through, adding new cards to mint has been absolutely terrible. I use a password manager, so each new account requires a plethora of new (fake) answers to a multitude of useless, socially […]
