I recently did a comprehensive review of my online security that involved going through my 300+ accounts, assessing the risks, and making changes where appropriate to enhance my security. It was a tedious project that was unfortunately long overdue. Here are a few observations to pass on to anyone considering taking on a similar project:
#1: Passwords Really Are Becoming Obsolete
I’ve heard countless people in our industry proclaim over the last decade that passwords are obsolete. But no matter how many times I’ve heard this, the majority of the apps and sites I used were still protected only by a username and password. But as of last month, 58% of the top 100 services I use offer some form of multi-factor authentication (2FA). While I expected this to be primarily SMS, I was surprised to find that 27% supported authenticator apps and 10% hardware security keys. So while passwords are not quite obsolete, they are definitely on their way out.
#2: Hardware Keys Are Really Not Inconvenient
I’ve known for years I should switch to hardware-based security keys - e.g. YubiKey, Google Titan - but have always talked myself out of it based on the expected inconvenience. While the use of an authenticator app is more than sufficient for most use cases, I’ve always felt a little extra protection was warranted for my critical accounts - i.e. my bank, primary email, Apple ID. I particularly like how security keys almost entirely eliminate remote attack vectors, including phishing for authenticator codes. I decided to try security keys over the last few weeks with the expectation I’d return to an authenticator app. To my surprise, security keys were really not that inconvenient, due in part to the fact they are only required for some actions - e.g. logging in from an untrusted device, making account changes, performing a financial transaction. As a result I’m now fully bought into using hardware keys for my security going forward.
#3: There Is Risk In Your Unused Accounts
Of the over 300 accounts I had created over the years, many had not been used in a long time. Unfortunately most of these unused accounts were secured only with a username / password. “Out of sight, out of mind” is not a good policy when it comes to old accounts. In going through my unused accounts, I found one with a company that had my blood test results, another with pay stubs from a previous employer, and yet another with my old prescriptions. While none of these represented an imminent risk to my online security, the information in these accounts could easily have been used in planning an attack. It's critical to assess the security of all your accounts - especially the ones you no longer use.
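Working through a few hundred accounts by hand is where this project gets tedious, so here is one way to triage an account inventory before doing the manual work. This is an added example, not code from the original post: it scores a constructed inventory (the kind you could export from a password manager) by how critical the account is, what second factor protects it, whether it holds sensitive data, and how long it has sat unused, then suggests a next action for each. The categories, the weights and the one-year "unused" threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Second factors ranked weakest to strongest, mirroring the post's progression:
# password only -> SMS -> authenticator app -> hardware security key.
MFA_RANK = {"none": 0, "sms": 1, "totp": 2, "hardware_key": 3}

# Categories the post singles out as critical (assumption: bank, primary email,
# Apple ID / identity provider, credit bureaus).
CRITICAL_CATEGORIES = {"bank", "email", "identity_provider", "credit_bureau"}

STALE_AFTER_DAYS = 365  # assumption: a year without a login counts as "unused"


@dataclass
class Account:
    service: str
    category: str
    mfa: str                      # one of MFA_RANK's keys
    last_used: date
    sensitive_data: bool = False  # health records, pay stubs, prescriptions...


def assess(acct: Account, today: date) -> dict:
    """Score one account and pick the single most useful next action."""
    rank = MFA_RANK[acct.mfa]
    stale = (today - acct.last_used).days > STALE_AFTER_DAYS
    critical = acct.category in CRITICAL_CATEGORIES

    score = 0
    score += 3 if critical else 0
    score += 2 if acct.sensitive_data else 0
    score += 3 - rank              # weaker second factor -> higher score
    score += 1 if stale else 0     # unused accounts are unmonitored accounts

    if critical and rank < MFA_RANK["hardware_key"]:
        action = "upgrade to the strongest second factor offered (hardware key if available)"
    elif stale and not critical:
        # "Out of sight, out of mind": an idle account holding data is pure liability.
        action = "download anything you need, then close the account"
    elif rank == MFA_RANK["none"]:
        action = "enable the strongest MFA the service offers"
    elif rank == MFA_RANK["sms"]:
        action = "move from SMS to an authenticator app"
    else:
        action = "no change needed; re-check periodically"

    return {"service": acct.service, "score": score, "stale": stale, "action": action}


def triage(inventory: list[Account], today: date) -> list[dict]:
    """Rank the whole inventory, highest risk first (ties broken by name)."""
    results = [assess(a, today) for a in inventory]
    return sorted(results, key=lambda r: (-r["score"], r["service"]))


# Constructed sample inventory, not a real account list.
SAMPLE_INVENTORY = [
    Account("Primary email", "email", "hardware_key", date(2024, 3, 1)),
    Account("Bank", "bank", "totp", date(2024, 2, 20)),
    Account("Credit bureau", "credit_bureau", "sms", date(2023, 1, 15)),
    Account("Lab results portal", "health", "none", date(2021, 6, 1), sensitive_data=True),
    Account("Old forum", "social", "none", date(2019, 9, 9)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date(2024, 3, 15)):
        flag = " (unused)" if row["stale"] else ""
        print(f'{row["score"]:>2}  {row["service"]}{flag}: {row["action"]}')
```

Run as-is to see the ranked list; in practice you would build the `Account` list from a password-manager export and add a `last_used` date from your own records, since most managers do not track logins. The point of the ranking is that the idle lab-results portal with no MFA scores as high as a credit bureau protected only by SMS: unused does not mean low risk.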
#4: Watch the Credit Reporting Agencies
Aside from your bank, the businesses that have the most financial information on you are likely credit reporting agencies - e.g. Equifax, Experian, TransUnion. These businesses collect and retain vast amounts of data about us, including credit, payment history, and outstanding loans. They aggregate this information into reports and scores that they sell to financial organizations wanting to know more about you. Whether you know it or not, you have likely had your credit checked multiple times in the past year.
After the 2017 Equifax data breach, I put a freeze on my account with all the major credit reporting agencies. This restricts access to my credit report, making it more difficult for identity thieves to open new accounts in my name. Unfortunately the mere act of freezing my credit requires the creation of an account with these organizations, which in most cases are secured only with a username / password. 😠 This means that to unfreeze your credit, an identity thief just needs to get your password.
Until the credit reporting agencies start to take security more seriously, there is not much we can do beyond: a) using unique and complex passwords for each service, b) periodically checking that your credit freeze is still in place, c) taking advantage of any additional security measure they may offer (e.g. Experian now has multi-factor authentication via SMS), and d) considering signing up for an identity / fraud protection service.
#5: Your Primary Email Is a Bigger Risk Than You Think
There are countless stories of how hackers leverage your primary email or Apple ID in order to break into your financial life. This week a financial advisor told me the story of a client who requested a monthly wire transfer. One week the transfer request came through and the advisor noticed it was for a different amount. In calling the client for a confirmation, they immediately realized they were talking to someone else. They later learned a hacker had taken control of their client’s primary email and was using it to attempt a series of financial thefts.
If your primary email is not protected by multi-factor authentication, now is the time to make the change. Trust me: you will be doing yourself, your family and your friends a big favor.
#6: Your Phone Is Your Weakest Link
Even if you have been diligent in managing your online security, you still have one weak link: your phone. If a criminal were to gain access to your phone and its passcode, there is a good chance they can get access to much of your online life. If you haven’t already watched the recent Wall Street Journal video on this topic, I highly recommend it. The ease of these types of attacks is the reason behind Apple’s recent release of its Stolen Device Protection feature.
There are dozens of changes you should make on your phone - all of which you can learn through some Googling - but only one I will mention here: never use your passcode in public. A passcode should be treated with the same level of security as you would an ATM card PIN or the code to a safe. Always use biometrics to access your phone in public - e.g. Face ID or fingerprint - and if you must enter the passcode, do so in a private location with no chance of being observed or recorded.